Severity: Medium TLP: Green Log4j Highlights Need for Better Handle on Software Dependencies

Summary:
Security experts learned a lot from the fallout of Log4Shell. Most importantly, the incident highlighted the need for organizations to “understand and manage” what code is running within their software environments. Software dependencies exist in just about every enterprise product, when flaws emerge in these dependencies, organizations are left scrambling for fixes.

Third party dependencies are essential in creating modern day programs as programmers do not have to reinvent the wheel every time a new product or application is developed. By mixing and matching existing libraries and packages, software developers can build new applications more efficiently.

“According to the "2021 Sonatype State of Software Supply Chain Report," last year developers around the world pulled more than 2.2 trillion open source packages from online repositories to use in their work, representing a 73% year-over-year growth in developer downloads of open source components” (Dark Reading, 2022).

Using third party libraries is important, but it creates disaster situations when an underlying component is found vulnerable. Many prefabricated libraries are dependent on one another, which can create problems several layers deep. This can make locating and patching vulnerable libraries more difficult.

“According to the latest studies by Google's Open Source Insights Team, 80% of Java packages affected by the vulnerability in the Apache Log4j library cannot be updated directly and will require coordination between different project teams to address the flaw. This spells years of work for application security and development professionals to stamp out the risk from this widespread software weakness” (Dark Reading, 2022).

Analyst Comments:
Software Bill or Materials (SBOM) needs widespread adoption to ensure future Log4Shell like incidents can be managed more effectively.

SBOMs can be thought of like a manufacturing list that car manufactures use. They show all the “ingredients” of the car, including the third parties who made said part. When a part is found defective, they can immediately know who developed the part and which cars are impacted. The same open source components can be tracked with software through the use of a SBOM.

"The key value is the ability to create a software inventory so that when an attack or vulnerability happens you have a place where you can ask 'Where is it located?,' 'Where can I get an update?,' [and] 'What do I have to take offline?' Of course, the devil is in the details. Many SBoMs are still manually created and managed. Given the frequency of software changes and the quantity of applications, it can be difficult for individuals to maintain and keep SBoMs up to date" (Dark Reading, 2022).

Source:
https://www.darkreading.com/applica...ed-for-better-handle-on-software-dependencies
 
  • Like
Reactions: Ron Culler
FTC to fine companies who fail to take reasonable steps to protect customer data from Log4Shell

Summary:
“The US Federal Trade Commission (FTC) has warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks."The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the US government agency said” (Bleeping Computer, 2022).

The FTC is asking organizations to take reasonable steps to mitigate known software vulnerabilities. They are leveraging the Federal Trade Commission Act and the Gramm Leach Bliley Act to enforce these requirements. "It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action” (Bleeping Computer, 2022).

The FTC advises companies to follow CISA's guidance on mitigating the Log4j flaws and:
  • Update your Log4j software package to the most current version found here: https://logging.apache.org/log4j/2.x/security.html
  • Consult CISA guidance to mitigate this vulnerability.
  • Ensure remedial steps are taken to ensure that your company's practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
  • Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.
  • Under active exploitation since early December
Analyst Comments:
“The warning follows an emergency directive issued by CISA that ordered US Federal Civilian Executive Branch agencies to patch the actively exploited Log4Shell bug until December 23. Federal agencies were also given five more days until December 28 to report Log4Shell-impacted products in their environments, including app and vendor names, the apps' versions, as well as the actions taken to block attack attempts’ (Bleeping Computer, 2022).

CISA provides a dedicated page for the Log4Shell flaws with patching information and has released a Log4j scanner to find vulnerable Java-based apps.

NCSC Scanning Tools: https://github.com/NCSC-NL/log4shell/blob/main/scanning/README.md

Source:
https://www.bleepingcomputer.com/ne...s-to-secure-consumer-data-from-log4j-attacks/
 

Severity: Medium TLP: Green NHS Warns of Hackers Exploiting Log4shell in VMware Horizon​

Tags
  1. Critical CVE
  2. Cybercriminal Attack
NHS Warns of Hackers Exploiting Log4shell in VMware Horizon

Summary:

VMware Horizon supports local, hybrid (local but managed in the cloud) and multi-cloud deployment strategies. End users can access custom virtual desktops or remote RDSH applications from company laptops, home PCs, Mac computers, thin clients, or mobile devices.

“According to the NHS notice, the actor is leveraging the Log4shell exploit to achieve remote code execution on vulnerable VMware Horizon deployments on public infrastructure. The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4J Shell payloads to call back malicious infrastructure," explains the alert.

Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.

Analyst Comments:
This is not the first time we have observed threat actors leveraging vulnerabilities to deploy web shells on systems. Web shells can be difficult to identify and stop once deployed. They are often used to facilitate remote administration. When weaponized, a web shell could allow threat actors to modify files and even access the root directory of the targeted webs server and systems. The Chinese state-sponsored group Hafnium leveraged Microsoft vulnerabilities to deploy web shells on Exchange servers in widespread attacks previously. In a controversial effort, the FBI removed the shells from company systems.

Mitigation:
Likely, organizations are still in the process of identifying products and services that utilize Log4j. Patching and applying mitigation measures will be an ongoing effort for some time.

Source:
https://www.bleepingcomputer.com/ne...ckers-exploiting-log4shell-in-vmware-horizon/
https://digital.nhs.uk/cyber-alerts/2022/cc-4002
 
  • Like
Reactions: Ron Culler

TLP: Green If Hackers Are Exploiting the Log4j Flaw, CISA Says We Might Not Know Yet​

Tags
  1. Critical CVE
  2. Cybercriminal Attack
  3. Nation State Attack
  4. Ransomware Attack
Federal officials cautioned Monday that, while the widespread Log4j vulnerability hasn’t led to any major known intrusions in the U.S., there could be a “lag” between when the flaw became known, and when attackers exploit it.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly said that there were months between the discovery of the vulnerability that led to the 2017 Equifax breach, which exposed the personal information of nearly 150 million Americans, and word of the breach itself, invoking one of the most notable hacks in history.

“We do expect Log4j to be used in intrusions well into the future,” Easterly said on a call with reporters. “There may be a lag between when this vulnerability is being used and when it is being actively deployed.”

Apache Struts, an open-source tool, was at the center of the Equifax breach, and Apache’s Log4j is a ubiquitous open-source logging tool. Easterly said that CISA, a division of the Homeland Security Department, has catalogued Log4j’s presence in more than 2,800 distinct commercial products. That means it’s likely present in hundreds of millions of tech assets, she said. Further, exploiting the so-called Log4Shell vulnerability — which Easterly has deemed the most severe she’s seen in her career — “is pretty trivial,” she said.

“A threat actor can use the vulnerability to compromise the target system by typing only 12 characters into a text message, email subject line or chat window,” she said.

Easterly credited the work of her agency, industry, international governments and the research community for leading a patching effort that also might have stymied the influx of Log4j-related intrusions. That doesn’t mean everyone has remained unscathed since its uncovering one month ago. Attackers took down the Belgian Defense Ministry using the exploit, and an unnamed “large academic institution” is among the victims, reportedly at the hands of Chinese hackers. U.S. government agencies appear to have been spared so far, said Eric Goldstein, executive assistant director for cybersecurity at CISA. While CISA says that unspecified “large” agencies have met CISA’s patching deadlines, Goldstein didn’t say when smaller agencies that haven’t met the deadline would be up to speed.

Additionally, Goldstein said, “We have no confirmed ransomware intrusions where we can authoritatively say the Log4Shell was used at the originating vulnerability for the intrusion.” Security researchers have said ransomware gangs are using the vulnerability in ransomware attacks. Researchers say a second family of ransomware has been growing in usage for attack attempts that exploit the critical vulnerability in Apache Log4j, including in the U.S. and Europe.

Sophos detected attempts to deliver TellYouThePass payloads by utilizing the Log4j vulnerability on December 17 and December 18, Gallagher said. TellYouThePass has versions that run on either Linux or Windows, “and has a history of exploiting high-profile vulnerabilities like EternalBlue,” said Andrew Brandt, a threat researcher at Sophos, in an email.

The Linux version is capable of stealing Secure Socket Shell (SSH) keys and can perform lateral movement, Brandt said. Sophos initially disclosed its detection of TellYouThePass ransomware in a December 20 blog post.

Shifting from crypto mining
Even before the discovery of the widespread and trivial-to-exploit vulnerability in Log4j, Veeam chief technology officer Danny Allan expected that 2022 would see a greater shift from cryptocurrency mining to ransomware as the predominant activity for malicious actors.

Ransomware attacks, which by some estimates surged by 148% during the first three quarters of 2021, just offer “a much faster path to ROI for the threat actor” than crypto mining, Allan told VentureBeat.

And if that shift was likely even prior to the disclosure of Log4Shell, it’s definitely true now, he said. Allan expects that exploits for Log4j will be pre-built into “ransomware-as-a-service” packages, which threat actors are able to acquire in order to make it easier to carry out attacks.

Researchers say a significant amount of the Log4j exploitation activity so far has involved mining operations for cryptocurrencies such as Bitcoin. But that also doesn’t preclude the possibility of ransomware operators later using the crypto miners’ initial access to launch an attack.

Sources:
https://venturebeat.com/2021/12/21/second-ransomware-family-exploiting-log4j-spotted-in-u-s-europe/
 

Severity: Low TLP: Green Four Million Outdated log4j Downloads Were Served from Apache Maven Central​

Tags
  1. Critical CVE
Four Million Outdated log4j Downloads Were Served from Apache Maven Central Alone despite Vuln Publicity Blitz

Summary:

There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository.

That company, Sonatype, said it had seen four million downloads of exploitable Log4j versions from the repository alone between 10 December and the present day, out of a total of more than 10 million downloads over those past four weeks.

Analyst Comments:
Sonatype's field CTO Ilkka Turunen told The Register the number of downloads of pre-2.15 versions of Log4j from the Maven central repository was oddly high. Around 40 per cent of downloads initiated from the UK alone over the past couple of days were of outdated versions.

"Now, it's not entirely clear to us whether or not it's legacy software, whether or not it is testing versions, and things like this, but what it seems to suggest is that there is a population of users that are downloading it," Turunen told The Register, adding that these people are probably "completely unaware" that their version is outdated.

Mitigation:
Interestingly enough, Sonatype said about 42 per cent of total downloads of Log4j over the weekend were of the very latest versions, 2.17 and 2.17.1 – the main Log4shell vulnerabilities were addressed by 2.16 – which suggests that at least some organisations are not just installing the patched versions of 2.15 or 2.16 but picking up the very latest.

As for the cause of the outdated downloads, "There's this sort of long tail of software where it's still being built... not necessarily as a direct dependency."

Source:
https://www.theregister.com/2022/01/11/outdated_log4j_downloads/
 

ACTIONABLE Severity: Medium TLP: Green SolarWinds Serv-U Bug Exploited for Log4j Attacks​

Tags
  1. Critical CVE
While exploitation of this vulnerability remains highly limited, it could be adopted by other threat actors. While I would normally rank this as a low severity incident, the popularity of Serv-U should be taken into consideration, hence, I would treat this as Medium. There is still some disagreement about the exploitation Microsoft observed, we will continue to update on the situation.

--

Summary:
“SolarWinds has addressed a vulnerability in Serv-U product that threat actors actively exploited to propagate Log4j attacks to internal devices on a network” (Bleeping Computer, 2022).

The vulnerability is tracked as CVE-2021-35247 and was discovered by Microsoft security researchers who were monitoring the Log4Shell vulnerabilities. The CVE relates to an input validation vulnerability and allows a threat actor to query input over the network without sanitation.

According to the advisory published by SolarWinds, the Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized.

Analyst Comments:
SolarWinds claims the LDAP servers will ignore improper characters, but Microsoft claims they have seen successful exploitation of the vulnerability.

This is not the first time Serv-U has been abused by threat actors. Back in November, Clop ransomware used CVE-2021-35211 in Serv-U to deploy ransomware. In July, the same vulnerability was abused by Chinese threat actors tracked as DEV-0322.

While exploitation of this vulnerability seems limited, organizations should ensure they are on Serv-U version 15.3 to prevent future exploitation.

Mitigation:
SolarWinds released Serv-U 15.3 that addresses the vulnerability by performing additional validation and sanitization.

Source:
https://securityaffairs.co/wordpress/126933/security/solarwinds-serv-u-flaw.html
 
  • Like
Reactions: Ron Culler
  • Like
Reactions: Ron Culler
Interesting read on the impacts of Log4j to MSPs published on MSSP Alert by longtime CompTIA member and vice-chair of the CompTIA Board of Directors, Scott Barlow, Global VP of MSP and Cloud Alliances at Sophos.

Biggest MSP Takeaways from the Apache Log4j Vulnerability

"Patching alone isn't the solution to the Apache Log4j vulnerability. Sophos explains how MSPs can mitigate the Log4j and Log4Shell security risks."
Scott's right in that this type of vulnerability spans so many platforms and systems, I really see companies starting to require a "Software bill of materials" so they have a better insight when these things occur. As a MSP or MSSP this should be something they are asking of their vendors, as well as for their customers. The more insight you have into your customers as well as your own environments the better prepared you are to address these issues.
 

ACTIONABLE Severity: High TLP: Green VMware Urges Customers to Patch VMware Horizon Servers Against Log4j Attacks

Summary:
“VMware urges customers to patch critical Log4j security vulnerabilities impacting Internet-exposed VMware Horizon servers targeted in ongoing attacks” (Security Affairs, 2022).

There are currently tens of thousands of VMware Horizon servers exposed to attacks according to Shodan scans.

Most recently, the Night Sky ransomware group has been exploiting Log4Shell (CVE-2021-44228) in vulnerable VMware Horizon systems. VMware has addressed their Log4Shell vulnerabilities with the release of 2111, 7.13.1, and 7.10.3, but many systems remain unpatched.

Analyst Comments:
“Recently, Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware. The security team at the UK National Health Service (NHS) also announced to have spotted threat actors exploiting the Log4Shell vulnerability to hack VMWare Horizon servers and install webshells” (Security Affairs, 2022).

These webshell are quite dangerous, allowing threat actors to exfiltrate data from systems and even deploy ransomware. By using VM Blast Secure Gateway, threat actors can move laterally through the target organizations network, which is important for ransomware distribution.

Mitigation:
VMware is strongly urging customers to patch their Horizon servers to defend against these active attacks. Multiple VMWare products, including VMware Horizon products, are impacted by remote code execution vulnerabilities via Apache Log4j (CVE-2021-44228, CVE-2021-45046).

The risk that cybercriminal groups and nation-state actors could exploit Log4j vulnerabilities in future attacks is still high.

Customers should examine VMSA-2021-0028 and apply the guidance for Horizon.

Source:
https://securityaffairs.co/wordpress/127214/security/vmware-horizon-patches-log4j-flaws.html
 
  • Like
Reactions: Ron Culler