Cyber Forum
Log4j Vulnerability Information
MJ Shoer said (post 2666):

TLP: Green
If Hackers Are Exploiting the Log4j Flaw, CISA Says We Might Not Know Yet

Tags:
1. Critical CVE
2. Cybercriminal Attack
3. Nation State Attack
4. Ransomware Attack

Federal officials cautioned Monday that, while the widespread Log4j vulnerability hasn’t led to any major known intrusions in the U.S., there could be a “lag” between when the flaw became known, and when attackers exploit it.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly said that there were months between the discovery of the vulnerability that led to the 2017 Equifax breach, which exposed the personal information of nearly 150 million Americans, and word of the breach itself, invoking one of the most notable hacks in history.

“We do expect Log4j to be used in intrusions well into the future,” Easterly said on a call with reporters. “There may be a lag between when this vulnerability is being used and when it is being actively deployed.”

Apache Struts, an open-source tool, was at the center of the Equifax breach, and Apache’s Log4j is a ubiquitous open-source logging tool. Easterly said that CISA, a division of the Homeland Security Department, has catalogued Log4j’s presence in more than 2,800 distinct commercial products. That means it’s likely present in hundreds of millions of tech assets, she said. Further, exploiting the so-called Log4Shell vulnerability — which Easterly has deemed the most severe she’s seen in her career — “is pretty trivial,” she said.

“A threat actor can use the vulnerability to compromise the target system by typing only 12 characters into a text message, email subject line or chat window,” she said.

Easterly credited the work of her agency, industry, international governments and the research community for leading a patching effort that also might have stymied the influx of Log4j-related intrusions. That doesn’t mean everyone has remained unscathed since its uncovering one month ago. Attackers took down the Belgian Defense Ministry using the exploit, and an unnamed “large academic institution” is among the victims, reportedly at the hands of Chinese hackers. U.S. government agencies appear to have been spared so far, said Eric Goldstein, executive assistant director for cybersecurity at CISA. While CISA says that unspecified “large” agencies have met CISA’s patching deadlines, Goldstein didn’t say when smaller agencies that haven’t met the deadline would be up to speed.

Additionally, Goldstein said, “We have no confirmed ransomware intrusions where we can authoritatively say the Log4Shell was used at the originating vulnerability for the intrusion.” Security researchers have said ransomware gangs are using the vulnerability in ransomware attacks. Researchers say a second family of ransomware has been growing in usage for attack attempts that exploit the critical vulnerability in Apache Log4j, including in the U.S. and Europe.

Sophos detected attempts to deliver TellYouThePass payloads by utilizing the Log4j vulnerability on December 17 and December 18, Gallagher said. TellYouThePass has versions that run on either Linux or Windows, “and has a history of exploiting high-profile vulnerabilities like EternalBlue,” said Andrew Brandt, a threat researcher at Sophos, in an email.

The Linux version is capable of stealing Secure Socket Shell (SSH) keys and can perform lateral movement, Brandt said. Sophos initially disclosed its detection of TellYouThePass ransomware in a December 20 blog post.

Shifting from crypto mining

Even before the discovery of the widespread and trivial-to-exploit vulnerability in Log4j, Veeam chief technology officer Danny Allan expected that 2022 would see a greater shift from cryptocurrency mining to ransomware as the predominant activity for malicious actors.

Ransomware attacks, which by some estimates surged by 148% during the first three quarters of 2021, just offer “a much faster path to ROI for the threat actor” than crypto mining, Allan told VentureBeat.

And if that shift was likely even prior to the disclosure of Log4Shell, it’s definitely true now, he said. Allan expects that exploits for Log4j will be pre-built into “ransomware-as-a-service” packages, which threat actors are able to acquire in order to make it easier to carry out attacks.

Researchers say a significant amount of the Log4j exploitation activity so far has involved mining operations for cryptocurrencies such as Bitcoin. But that also doesn’t preclude the possibility of ransomware operators later using the crypto miners’ initial access to launch an attack.

Sources:
https://venturebeat.com/2021/12/21/second-ransomware-family-exploiting-log4j-spotted-in-u-s-europe/