Cyber security news January 2022

This posting is here to collect cyber security news in January 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

439 Comments

  1. Tomi Engdahl says:

    TrickBot Bolsters Layered Defenses to Prevent Injection Research https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/
    The cyber crime gang that operates the TrickBot Trojan, as well as other malware and ransomware attacks, has been escalating activity. As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls. In most cases, these extra protections have been applied to injections used in the process of online banking fraud, TrickBot’s main activity since its inception after the Dyre Trojan’s demise. IBM Trusteer researchers analyzed TrickBot’s most recent injections and the anti-analysis techniques used to conceal their activity. The information is provided in detail in this post.

    Reply
  2. Tomi Engdahl says:

    Dark Souls servers taken down to prevent hacks using critical bug https://www.bleepingcomputer.com/news/security/dark-souls-servers-taken-down-to-prevent-hacks-using-critical-bug/
    Bandai Namco has deactivated the online PvP mode for the Dark Souls role-playing game, taking its servers offline to investigate reports about a severe security issue that may pose a risk to players.

    Reply
  3. Tomi Engdahl says:

    Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
    LockBit ransomware’s operators announced the release of its first Linux and ESXi variant in October. With samples also spotted in the wild, we discuss the impact and analysis of this variant.

    Reply
  4. Tomi Engdahl says:

    Log4j: Mirai botnet found targeting ZyXEL networking devices https://www.zdnet.com/article/log4j-mirai-ddos-botnet-targeting-zyxel-networking-devices/
    A report explained that the Log4j vulnerability is being used to “infect and assist in the proliferation of malware used by the Mirai botnet.”

    Reply
  5. Tomi Engdahl says:

    Backdoors discovered in WordPress extensions: here is how to secure your site
    https://www.tivi.fi/uutiset/tv/34fba91e-e721-4556-8843-f8ec4220065e
    Jetpack has listed all the vulnerable products and their versions.

    Jetpack Discovers Backdoor in Popular WordPress Themes, Plug-Ins
    The developer that created these add-ons, AccessPress Themes, is believed to have been compromised.
    https://uk.pcmag.com/security/138304/jetpack-discovers-backdoor-in-popular-wordpress-themes-plug-ins

    AccessPress Themes customers should be on the lookout for updated versions of the company’s WordPress themes and plug-ins, because according to Jetpack, older versions of the popular add-ons were compromised to distribute backdoors as part of a supply chain attack.

    Jetpack says it discovered the backdoored versions of these add-ons in September 2021. It disclosed the problem to AccessPress Themes a few days later, but it didn’t receive a response until it escalated the issue to the WordPress.org plug-ins team in October 2021.

    AccessPress Themes then “immediately removed the offending extensions from their website,” Jetpack says, and by January the company had released updated versions of most of the plug-ins. But it still hasn’t updated any of the affected themes, according to Jetpack’s advisory.

    Backdoor Found in Themes and Plugins from AccessPress Themes
    https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/

    Reply
  6. Tomi Engdahl says:

    Details emerge on hack of Belarusian Railways and the group behind it
    https://www.cyberscoop.com/cyber-partisans-belarus-ukraine-russia/

    In the days after a group of Belarusian hackers announced they’d breached the network of the country’s railway system, encrypted data and demanded the expulsion of Russian troops and the release of political prisoners, a lot remains unclear.

    But the Belarusian Cyber Partisans, the hacktivist group behind the attacks, posted a series of screenshots to Twitter Monday afternoon showing what they say show “internal assets and docs” from the hack. The group also seemed to troll Belarusian Railways with a screenshot claiming that the agency’s employees “frequently used pirated software. Do you think it’s connected to how they got hacked?” the group asked.

    It’s unclear the extent to which the group’s hack did any lasting damage to the railway agency, or succeeded in its goals. Train service may have temporarily been affected, a local news report suggests, as well as online ticketing systems. Some of those systems were back online Wednesday morning, Belarusian Railways said in a statement posted to its website, but some work “continues.”

    The group wants all political prisoners released, the spokesperson said, but “especially those whose medical condition [has] deteriorated and who can simply die if they are not treated properly and on time.”

    The group has previously hacked and leaked documents purporting to show the corruption of the regime, sharing the data with journalists or posting it themselves. The data has included apparent corrupt business dealings involving Lukashenko and data showing inaccurate public statements about COVID-19 deaths.

    Reply
  7. Tomi Engdahl says:

    Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub
    “BotenaGo” contains exploits for more than 30 vulnerabilities in multiple vendor products and is being used to spread Mirai botnet malware, security vendor says.
    https://www.darkreading.com/vulnerabilities-threats/source-code-for-malware-targeting-millions-of-routers-iot-devices-uploaded-to-github

    BotenaGo is designed to execute remote shell commands on systems where it has successfully exploited a vulnerability. An analysis that Alien Labs conducted last year when it first spotted the malware showed BotenaGo using two different methods to receive commands for targeting victims. One of them involved two backdoor ports for listening to and receiving the IP addresses of target devices, and the other involved setting a listener to system I/O user input and receiving target information through it.

    AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits
    https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits

    Reply
  8. Tomi Engdahl says:

    Russian APT29 hackers’ stealthy malware undetected for years https://www.bleepingcomputer.com/news/security/russian-apt29-hackers-stealthy-malware-undetected-for-years/
    Hackers associated with the Russian Federation Foreign Intelligence Service (SVR) continued their incursions on networks of multiple organizations after the SolarWinds supply-chain compromise using two recently discovered sophisticated threats.

    Reply
  9. Tomi Engdahl says:

    North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
    In this blog post, we provide technical analysis of this latest attack including a clever use of Windows Update to execute the malicious payload and GitHub as a command and control server. We have reported the rogue GitHub account for harmful content.

    Reply
  10. Tomi Engdahl says:

    Financially Motivated Mobile Scamware Exceeds 100M Installations https://blog.zimperium.com/dark-herring-android-scamware-exceeds-100m-installations/
    zLabs researchers have discovered another premium service abuse campaign with upwards of 105 million victims globally, which we have named Dark Herring. The total amount of money scammed out of unsuspecting users could once again be well into the hundreds of millions of dollars. These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for premium service they are not receiving via direct carrier billing.

    Reply
  11. Tomi Engdahl says:

    Shipment-Delivery Scams Become the Favored Way to Spread Malware
    https://threatpost.com/shipment-delivery-scams-a-fav-way-to-spread-malware/178050/
    Attackers increasingly are spoofing the courier DHL and using socially engineered messages related to packages to trick users into downloading Trickbot and other malicious payloads.

    Reply
  12. Tomi Engdahl says:

    Conti ransomware hits Apple, Tesla supplier https://therecord.media/conti-ransomware-hits-apple-tesla-supplier/
    The Conti ransomware gang has been linked to an attack on Delta Electronics, a Taiwanese electronics manufacturing company and a major supplier of power components to companies like Apple and Tesla.

    Reply
  13. Tomi Engdahl says:

    Massive data breach at the company that processes Amazon’s payments: data of over 100 million in criminals’ hands
    https://www.tivi.fi/uutiset/tv/32183e9b-fc46-472e-a59c-1acbf8035764
    Juspay, which handles payment traffic for Amazon, Swiggy and several other companies, has suffered a data breach, and the data of over 100 million payment and credit card users has leaked to the dark web.

    Reply
  14. Tomi Engdahl says:

    DDoS attacks on Andorra’s internet linked to Squid Game Minecraft tournament
    https://therecord.media/ddos-attacks-on-andorras-internet-linked-to-squid-game-minecraft-tournament/
    A high-stakes Minecraft tournament is believed to be the cause of a series of DDoS attacks that have hit Andorra’s only internet provider for the last four days in what experts believe has been an attempt to prevent local gamers from participating.

    Reply
  15. Tomi Engdahl says:

    N.Korean internet downed by suspected cyber attacks -researchers https://www.reuters.com/world/asia-pacific/nkorean-internet-downed-by-suspected-cyber-attacks-researchers-2022-01-26/
    Junade Ali, a cybersecurity researcher in Britain who monitors a range of different North Korean web and email servers, said that at the height of the apparent attack, all traffic to and from North Korea was taken down.

    Reply
  16. Tomi Engdahl says:

    Microsoft mitigated a record 3.47 Tbps DDoS attack on Azure users https://www.bleepingcomputer.com/news/security/microsoft-mitigated-a-record-347-tbps-ddos-attack-on-azure-users/
    Microsoft says its Azure DDoS protection platform mitigated a massive 3.47 terabits per second (Tbps) distributed denial of service (DDoS) attack targeting an Azure customer from Asia in November.

    Reply
  17. Tomi Engdahl says:

    Myanmar’s military junta seeks ban on VPNs and digital currency https://www.theregister.com/2022/01/24/myanmar_military_junta_bans_vpns_crypto/
    For many in Myanmar, Facebook is synonymous with the internet. As the country faced a military coup in February 2021, the newly installed Tatmadaw banned Facebook, Instagram, and Twitter, prompting users in the country to rely on VPNs to retain access to their preferred online communication services.

    Reply
  18. Tomi Engdahl says:

    Alert: Let’s Encrypt to revoke about 2 million HTTPS certificates in two days https://www.theregister.com/2022/01/26/lets_encrypt_certificates/
    Relatively small number of certs issued using verification method that doesn’t comply with policy

    Reply
  19. Tomi Engdahl says:

    Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
    Browser cookie theft and Microsoft Service Principal manipulation are two of the novel techniques and tools leveraged in the StellarParticle campaign and are discussed in this blog.

    Reply
  20. Tomi Engdahl says:

    Defending the Supply Chain: Why the DDS Protocol is Critical in Industrial and Software Systems https://www.trendmicro.com/en_us/research/22/a/defending-the-supply-chain-why-dds-is-critical-in-industrial-and-software-systems.html
    DDS has driven railways, autonomous cars, airports, spacecraft, diagnostic imaging machines, luggage handling, industrial robots, military tanks, and frigates for about a decade, with its adoption increasing steadily. [...] Given this technology’s ubiquity, we decided to investigate further and discovered multiple security vulnerabilities, resulting in 13 new CVE IDs for the six most common DDS implementations.

    Reply
  21. Tomi Engdahl says:

    Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub https://www.darkreading.com/vulnerabilities-threats/source-code-for-malware-targeting-millions-of-routers-iot-devices-uploaded-to-github
    The authors of a dangerous malware sample targeting millions of routers and Internet of Things (IoT) devices have uploaded its source code to GitHub, meaning other criminals can now quickly spin up new variants of the tool or use it as is, in their own attack campaigns.

    Reply
  22. Tomi Engdahl says:

    Initial Access Broker Involved in Log4Shell Attacks Against VMware Horizon Servers https://thehackernews.com/2022/01/initial-access-broker-involved-in.html
    “Prophet Spider primarily gains access to victims by compromising vulnerable web servers, and uses a variety of low-prevalence tools to achieve operational objectives,” CrowdStrike noted in August 2021, when the group was spotted actively exploiting flaws in Oracle WebLogic servers to gain initial access to target environments.

    Reply
  23. Tomi Engdahl says:

    Nobel Foundation site hit by DDoS attack on award day
    https://www.bleepingcomputer.com/news/security/nobel-foundation-site-hit-by-ddos-attack-on-award-day/
    The cyberattack subjected the websites to extremely high loads and was designed to try to prevent our ability to update and publish new information about the Nobel Prize and the achievements of the Nobel Laureates, details the official announcement.

    Reply
  24. Tomi Engdahl says:

    Outlook Security Feature Bypass Allowed Sending Malicious Links
    https://www.securityweek.com/outlook-security-feature-bypass-allowed-sending-malicious-links

    A Trustwave researcher has discovered a new technique to completely bypass a security feature of Microsoft Outlook and deliver a malicious link to the recipient.

    The new technique, Trustwave SpiderLabs lead threat architect Reegun Richard Jayapaul explains, is a variation of a vulnerability that was initially addressed in February 2020.

    Tracked as CVE-2020-0696, the initial Outlook security feature bypass would allow an attacker who uses Outlook for Mac to send specially crafted malicious links to a victim on Outlook for Windows and bypass the email delivery system’s URL protection feature.

    Described as the improper handling of URI format parsing, the bug allowed an attacker on Outlook for Mac to create a legitimate link that is hyperlinked with something like file:///maliciouslink (and variations such as file:/, file:, \\, ///, //, or /) and send it to the victim.

    If the victim clicked on the link in Outlook for Windows, the email client automatically translated it to http://maliciouslink, resulting in a successful attack. The attack was tested successfully in Outlook with the Safelinks feature enabled, as well as with other email security systems.

    Reply
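    The link trick in the post above is something a mail gateway or link-rewriting filter can check for on the inbound side. This added example (not from the article or from Trustwave) scans the anchors in an HTML e-mail body, flags hrefs that use the file: or scheme-less prefixes the post lists, and reports the host such a link would point at if a client rewrote it to http://, which is an assumption about client behaviour, not a documented rule. The sample e-mail body and host names are constructed for the example.

```python
"""Defender-side check for file:/scheme-less links hiding behind legitimate-looking anchor text.

Added example, not code from the article. It flags <a href=...> values that start with
one of the prefixes the post lists (file:///, file:/, file:, \\, ///, //, /), which
URL-rewriting protections that only inspect http(s) links may never look at.
"""
import re
from html.parser import HTMLParser

# Prefixes from the post, longest first so the most specific form is reported.
SUSPECT_PREFIXES = ("file:///", "file://", "file:/", "file:", "\\\\", "///", "//", "/")


class _LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def suspect_prefix(href):
    """Return the matching file:/scheme-less prefix, or None for an ordinary URL."""
    lowered = href.strip().lower()
    for prefix in SUSPECT_PREFIXES:
        if lowered.startswith(prefix):
            return prefix
    return None


def implied_host(href, prefix):
    """Host the link would reach if a client rewrote it to http:// (assumed behaviour)."""
    rest = href.strip()[len(prefix):].lstrip("/\\")
    return re.split(r"[/\\?#]", rest, 1)[0].lower()


def scan_email_links(html):
    """Return one finding per suspicious anchor: href, visible text, prefix, implied host."""
    findings = []
    for href, text in extract_links(html):
        prefix = suspect_prefix(href)
        if prefix is None:
            continue
        findings.append({
            "href": href,
            "text": text,
            "prefix": prefix,
            "host": implied_host(href, prefix),
            # Anchor text that itself looks like a web URL is the pattern the post describes.
            "text_looks_like_url": text.lower().startswith(("http://", "https://")),
        })
    return findings


# Constructed sample e-mail body: two disguised links, one UNC-style link, one normal link.
SAMPLE_EMAIL = r"""
<p>Please review your statement:</p>
<a href="file:///evil.example/login">https://bank.example/login</a><br>
<a href="\\evil.example\share\invoice">Invoice</a><br>
<a href="//evil.example/reset">https://bank.example/reset</a><br>
<a href="https://bank.example/">https://bank.example/</a>
"""

if __name__ == "__main__":
    for finding in scan_email_links(SAMPLE_EMAIL):
        print(finding)
```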
  25. Tomi Engdahl says:

    French Ministry of Justice Targeted in Ransomware Attack
    https://www.securityweek.com/french-ministry-justice-targeted-ransomware-attack

    Cybercriminals claim to have breached systems belonging to France’s Ministry of Justice and they are threatening to make public the files stolen from the government organization.

    Threat actors who are using the ransomware named LockBit 2.0 have posted a message on their Tor-based leak website claiming to have stolen files from the Ministry of Justice’s systems.

    The ministry’s press office told SecurityWeek that an investigation has been launched.

    Reply
  26. Tomi Engdahl says:

    Microsoft Saw Record-Breaking DDoS Attacks Exceeding 3 Tbps
    https://www.securityweek.com/microsoft-saw-record-breaking-ddos-attacks-exceeding-3-tbps

    Microsoft this week reported mitigating several massive distributed denial-of-service (DDoS) attacks aimed at its customers last year.

    In October, the tech giant said one of its Azure customers had been hit in a DDoS attack that peaked at 2.4 terabits per second (Tbps), which at the time had been one of the largest attacks ever reported.

    However, in November and December 2021, the company’s Azure DDoS Protection team saw even bigger attacks, including one that peaked at 3.47 Tbps and a packet rate of 340 million packets per second (pps).

    This attack, aimed at one of Microsoft’s Azure customers in Asia, is believed to be the largest seen to date. The record-breaking attack was powered by 10,000 sources from around the world.

    Reply
  27. Tomi Engdahl says:

    REvil Ransomware Operations Apparently Unaffected by Recent Arrests
    https://www.securityweek.com/revil-ransomware-operations-apparently-unaffected-recent-arrests

    The REvil (Sodinokibi) ransomware cooperative’s activity has not slowed down following Russia’s recent move to arrest several alleged members of the group, according to threat intelligence company ReversingLabs.

    Two weeks have passed since Russia’s law enforcement agency FSB announced the takedown of the REvil group “at the request of US authorities,” but the ransomware-as-a-service (RaaS) enterprise remains as active as before.

    Reply
  28. Tomi Engdahl says:

    Major Bug Grants Root For All Major Linux Distributions
    https://hackaday.com/2022/01/26/major-bug-grants-root-for-all-major-linux-distributions/

    One of the major reasons behind choosing Linux as an operating system is that it’s much more secure than Windows. There are plenty of reasons for this including appropriate user permissions, installing software from trusted sources and, of course, the fact that most software for Linux including the Linux kernel itself is open source which allows anyone to review the code for vulnerabilities. This doesn’t mean that Linux is perfectly secure though, as researchers recently found a major bug found in most major Linux distributions that allows anyone to run code as the root user.

    The exploit is a memory corruption vulnerability in Polkit, a framework that handles the privilege level of various system processes. It specifically impacts the program pkexec. With the proof-of-concept exploit (file download warning) in hand, all an attacker needs to do to escalate themselves to root is to compile the program on the computer and run it as the default user. An example is shown by [Jim MacDonald] on Twitter for those not willing to try this on their own machines.

    As bad as this sounds, it seems as though all of the major distributions that this impacts have already released updates that patch the issue, including Debian, Ubuntu, Red Hat, Fedora, openSUSE, and Arch. There is also a temporary workaround that removes read/write permission from the pkexec program so it can’t run at all.

    Linux system service bug gives root on all major distros, exploit released
    https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/

    Reply
  29. Tomi Engdahl says:

    “MY NAME ‘IS’ MY PASSWORD…” — The app, which is fully functional as a 2FA authenticator, comes loaded with the Vultur stealer malware that targets and swoops down on financial data. Users with the malicious application, straightforwardly called “2FA Authenticator,” are advised by researchers at Pradeo to delete it from their device immediately since they still remain at risk — both from banking-login theft and other attacks made possible by the app’s extensive overpermissions.

    2FA App Loaded with Banking Trojan Infests 10K Victims via Google Play
    https://threatpost.com/2fa-app-banking-trojan-google-play/178077/

    The Vultur trojan steals bank credentials but asks for permissions to do far more damage down the line.

    After remaining available for more than two weeks, a malicious two-factor authentication (2FA) application has been removed from Google Play — but not before it was downloaded more than 10,000 times. The app, which is fully functional as a 2FA authenticator, comes loaded with the Vultur stealer malware that targets and swoops down on financial data.

    Reply
  30. Tomi Engdahl says:

    CWP bugs allow code execution as root on Linux servers, patch now
    https://www.bleepingcomputer.com/news/security/cwp-bugs-allow-code-execution-as-root-on-linux-servers-patch-now/

    Two security vulnerabilities that impact the Control Web Panel (CWP) software can be chained by unauthenticated attackers to gain remote code execution (RCE) as root on vulnerable Linux servers.

    CWP, previously known as CentOS Web Panel, is a free Linux control panel for managing dedicated web hosting servers and virtual private servers.

    The two security flaws found by Octagon Networks’ Paulos Yibelo are a file inclusion vulnerability (CVE-2021-45467) and a file write (CVE-2021-45466) bug that lead to RCE when chained together.

    Reply
  31. Tomi Engdahl says:

    Diplomats’ mobile phones were spied on
    https://www.uusiteknologia.fi/2022/01/28/diplomaattikannykoita-vakoiltiin/

    According to the Ministry for Foreign Affairs, Finnish diplomats have been targeted by cyber espionage using NSO Group’s well-known Pegasus spyware. It is malware that can be placed on a user’s Apple or Android phone without any action by the user.

    The spyware may have enabled very extensive exploitation of the data on the phone and of its features. The Ministry has investigated the case together with various authorities and stakeholders during the autumn and winter of 2021–2022.

    Ministry staff handle information of different security classifications using different methods. Information handled on a phone is public or at most security classification level 4, which is the lowest level of security classification.

    Reply
  32. Tomi Engdahl says:

    Lazarus hackers use Windows Update to deploy malware
    https://www.bleepingcomputer.com/news/security/lazarus-hackers-use-windows-update-to-deploy-malware/

    North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries (LoLBins) and is now actively using it to execute malicious code on Windows systems.

    The new malware deployment method was discovered by the Malwarebytes Threat Intelligence team while analyzing a January spearphishing campaign impersonating the American security and aerospace company Lockheed Martin.

    After the victims open the malicious attachments and enable macro execution, an embedded macro drops a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder.

    In the next stage, the LNK file is used to launch the WSUS / Windows Update client (wuauclt.exe) to execute a command that loads the attackers’ malicious DLL.

    Reply
  33. Tomi Engdahl says:

    McAfee Corporation will be bought by banks

    Banks Ready Sale of $10 Billion Debt for McAfee Buyout
    https://finance.yahoo.com/news/banks-ready-sale-10-billion-163010080.html

    Banks are preparing to launch a $10 billion jumbo financing backing the leveraged buyout of cybersecurity software maker McAfee Corp., according to people with knowledge of the transaction.

    An investor group led by Advent International Corp., Permira Advisers and others agreed in November to buy out McAfee in a deal valuing the company at more than $14 billion including debt. Banks are now having early conversations with investors in the U.S. about pricing on loans and bonds to finance the deal and will soon officially launch the debt sale, said the sources, who asked not to be identified because the discussions are private.

    Reply
  34. Tomi Engdahl says:

    Initial Access Broker Involved in Log4Shell Attacks Against VMware Horizon Servers
    https://thehackernews.com/2022/01/initial-access-broker-involved-in.html

    Reply
  35. Tomi Engdahl says:

    Here is a thorough recent article on the background of the Pegasus software.
    https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html

    Reply
  36. Tomi Engdahl says:

    What We Learned About Pegasus, the Smartphone Cracker
    https://news.yahoo.com/learned-pegasus-smartphone-cracker-133036366.html

    It is widely regarded as the world’s most potent spyware, capable of reliably cracking the encrypted communications of iPhone and Android smartphones.

    The software, Pegasus, made by an Israeli company, NSO Group, has been able to track terrorists and drug cartels. It has also been used against human rights activists, journalists and dissidents.

    Reply
  37. Tomi Engdahl says:

    Elon Musk says social-media accounts that track his travel movements are ‘becoming a security issue’
    https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.businessinsider.com%2Felon-musk-social-media-accounts-tracking-travel-movements-security-issue-2022-1&h=AT1hrDKvzJybIHaSCBPLX4nBEPvdJoY8rjpawF0vdk1kcFOTJVga–usRzazk4mINc-HqeHd6Hr5rS6QX0n14y7hUQ8kPUxy8WaWR6ffM4VeSM620mw9xwyjSFAozWZWLg

    Elon Musk said social-media accounts tracking his movements were “becoming a security issue.”

    “Yeah, unfortunately this is becoming a security issue,” Musk said, without providing details.

    The Tesla CEO on Monday responded to a tweet discussing the risk posed to Musk and his family in publicly posting details about his travel plans.

    Reply
  38. Tomi Engdahl says:

    Log4j Proved Public Disclosure Still Helps Attackers
    Disclosure also puts organizations in the awkward position of trying to mitigate a vulnerability without something like a vendor patch to do the job.
    https://www.darkreading.com/attacks-breaches/log4j-proved-public-disclosure-still-helps-attackers

    At 2:25 p.m. on Dec. 9, 2021, an infamous tweet (now deleted) linking a zero-day proof-of-concept exploit for the vulnerability that came to be known as Log4Shell on GitHub (also now deleted) set the Internet on fire and sent companies scrambling to mitigate, patch, and then patch some more as further and further proofs of concept (PoCs) appeared on the different iterations of this vulnerability, which was present in pretty much everything that used Log4j.

    Known as public disclosure, the act of telling the world something is vulnerable with an accompanying PoC is not new, and happens quite frequently for all sorts of software.

    Over time, however, research and experience have consistently shown us that the only benefit to the release of zero-day PoCs is for threat actors, as the disclosures suddenly put companies in an awkward position of having to mitigate without necessarily having anything to mitigate with (i.e., a vendor patch).

    How Does Disclosure Usually Work?
    There are all kinds of disclosure mechanisms that exist today, whether companies have a vulnerability disclosure program that’s officially sanctioned (think of Google and Microsoft) or those that are run via crowdsourced platforms that are often referred to as bug bounties. Disclosures in these scenarios often go through a specific process and have adequate timelines where the vendor patch is released and given ample time for take-up by the users of the software in question (90 days is the accepted standard here), and it usually works like this if it goes smoothly:

    Researcher informs vendor about vulnerability with accompanying PoC.
    Vendor confirms vulnerability and works on a fix with approximate timeline.
    Once the fix is in place, vendor asks researcher to confirm fix works.
    After researcher confirms the fix, vendor implements patch.
    A certain time after the patch release, details of the vulnerability can be published if vendor agrees to it (anything up to 90 days is normal).

    Returning to the Log4j vulnerability, there was actually a disclosure process already underway as shown by the pull request on GitHub that appeared on Nov. 30.

    Reply
  39. Tomi Engdahl says:

    https://www.darkreading.com/attacks-breaches/log4j-proved-public-disclosure-still-helps-attackers

    Nothing gets press coverage faster than a PoC for a common piece of software that everyone uses but has no patch yet, and this is unfortunately a mainstay of a lot of security research today.

    The evidence against releasing a PoC is now robust and overwhelming. A study completed by Kenna Security effectively showed that the only benefit to PoC exploits was to the attackers that leveraged them. Even several years ago, a presentation at Black Hat, “Zero Days and Thousands of Nights,” walked through the life cycle of zero days and how they were released and exploited. It also showed that if PoC exploits were not disclosed publicly, they weren’t discovered, on average, for seven years by anyone, threat actors included.

    Sadly, this was realized a bit too late during the Log4j scramble. While all the initial disclosures were promptly walked back and deleted, even the most recent 2.17.1 disclosure ran into the same trouble, receiving a lot of flak to the point where the researcher issued a public apology for the poor timing of the disclosure.

    It’s good to see that attitudes toward public disclosure of PoC exploits has shifted, and the criticism of researchers who decide to jump the gun is deserved.

    Reply
  40. Tomi Engdahl says:

    Russia will hit US with cyberattack if sanctioned, cyber expert warns: ‘We are already in warfare state’
    https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.foxnews.com%2Fworld%2Frussia-cyberattack-sanctioned-cyber-expert-warns&h=AT0SnPEM2GXGC69DiU9Y-cdiqPDGBh_wGPhEEbv3MjY5vqTsV7601ABqohnwJlNlWTUaxhJPgr27Fs2NJ5Nui-dW20Y0-LN-bZjq450YSn-R0AlEWM4lgSmHhLzVo0mxJA

    A top cybersecurity official Saturday warned that the U.S. is “already in a warfare state” with Russia and said it should prepare for cyberattacks coming out of Moscow.

    The U.S. and its NATO allies have promised to hit Russia with swift and severe economic sanctions should the Kremlin violate Ukraine’s sovereignty with a military-led incursion.

    “If Russia does indeed go into the Donbas region and wave a flag…the United States has already promised a series of responses,” R.P. Eddy, CEO of cybersecurity firm Ergo, told a bipartisan group of governors. “What is Russia’s next move?

    “[Its] very likely is to increase cyberattacks. It’s an easy move for them,” he added. “That means U.S. states and U.S. private companies need to be taking this very seriously.”

    Reply
