QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Sources of trusted guidance for the Log4j vulnerability

Apart from the first vulnerability, CVE-2021-44228, two more flaws have emerged. The second vulnerability in Log4j, tracked as CVE-2021-45046, is a denial-of-service (DoS) issue. It is rated 3.7 out of 10 on the CVSS scale and impacts all Log4j versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. Security firm Praetorian uncovered another vulnerability in version 2.15.0 which can allow exfiltration of confidential information in specific circumstances; no identifier has yet been issued for this flaw. Cybercriminals are using this window of opportunity to gain access to whatever they can right now and capitalise on it later. Users requiring Java 8 or later are recommended to update to Log4j version 2.16.0, and users requiring Java 7 are recommended to update to version 2.12.2 when it becomes available. Defenders are advised to minimise exposure by patching and mitigating every aspect of the organisational network and by carefully examining exposed and potentially infected systems.

Sources of trusted guidance can be found here:

  • NCSC – Apache Log4j vulnerabilities
  • NCSC – Log4j - What should boards be asking?
  • US CISA – Apache Log4j Vulnerability Guidance
  • Microsoft – Guidance for preventing, detecting and hunting for CVE-2021-44228 Log4j 2 exploitation
  • Google – Understanding the impact of Apache Log4J
  • Google Cloud recommendations for investigating and responding to the Apache Log4j 2 vulnerability
  • Amazon – Using AWS security services to protect against, detect and respond to the Log4j vulnerability
  • Apache – Apache Log4j Security Vulnerabilities

Apache releases new 2.17.0 patch for Log4j

The Apache Software Foundation published version 2.17.0 of Log4j late on Friday after discovering issues with 2.16, its previous release, which had come out on Tuesday. Apache said version 2.16 "does not always protect from infinite recursion in lookup evaluation" and explained that it is vulnerable to CVE-2021-45105, a denial of service vulnerability. They rated the severity "high" and gave it a CVSS score of 7.5.

“When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a denial of service (DOS) attack,” Apache explained.

They added that the latest issue was discovered by Akamai Technologies' Hideki Okamoto and an anonymous vulnerability researcher, and noted that only the log4j-core JAR file is impacted by CVE-2021-45105. Security researchers had begun tweeting about potential issues with 2.16.0, with some identifying the denial of service vulnerability.
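As an added example (not code from this round-up, from Apache or from any vendor feed), the following Python script applies the version ranges stated above to the file names of log4j-core JARs found on a host: the CVE-2021-45046 ranges and the 2.16.0 and 2.17.0 fix versions are taken from the text, while the CVE-2021-44228 range (2.0-beta9 to 2.14.1, excluding the 2.12.2 Java 7 backport) is assumed from the Apache advisory.

```python
import os
import re

# Log4j 2 version triage for the three CVEs in this round-up (example code, not Apache's).
# CVE-2021-45046 ranges and the 2.16.0 / 2.17.0 fix versions come from the text above.
# The CVE-2021-44228 range (2.0-beta9 to 2.14.1, with the 2.12.2 Java 7 backport excluded)
# is an assumption taken from the Apache advisory, not something the round-up states.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_JAR_RE = re.compile(r"^log4j-core-(\d[^/]*?)\.jar$")

ADVISORIES = [
    # (CVE, inclusive affected ranges, excluded versions, first fixed release)
    ("CVE-2021-44228", [("2.0-beta9", "2.14.1")], {"2.12.2"}, "2.15.0 (2.12.2 for Java 7)"),
    ("CVE-2021-45046", [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")], set(), "2.16.0 (2.12.2 for Java 7)"),
    ("CVE-2021-45105", [("2.0-beta9", "2.16.0")], set(), "2.17.0"),
]

def parse_version(text):
    """Turn '2.0-beta9' or '2.15.0' into a sortable tuple; pre-releases sort before finals."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    # Rank 0 for a pre-release and 1 for a final, so 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1.
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, tag or "", int(num or 0))

def applicable_cves(version):
    """Return [(cve, fixed_in), ...] for every CVE whose affected range contains this version."""
    version = version.strip()
    v = parse_version(version)
    hits = []
    for cve, ranges, excluded, fixed_in in ADVISORIES:
        if version in excluded:
            continue
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append((cve, fixed_in))
    return hits

def triage_jar(path):
    """Triage a log4j-core JAR by file name; other log4j-* JARs return None (only log4j-core carries CVE-2021-45105)."""
    m = _JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    version = m.group(1)
    return {"version": version, "cves": applicable_cves(version)}

if __name__ == "__main__":
    # Constructed sample paths, not real inventory data.
    for jar in ["/opt/app/lib/log4j-core-2.14.1.jar", "/opt/app/lib/log4j-api-2.14.1.jar",
                "/srv/legacy/log4j-core-2.12.2.jar", "/srv/new/log4j-core-2.17.0.jar"]:
        print(jar, "->", triage_jar(jar))
```

A file name is only a first pass: shaded or renamed JARs need the version read from the JAR manifest instead.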

Security company Blumira claims to have found a new Log4j attack vector that can be exploited via a listening server on a machine or local network, potentially ending the assumption that the problem was limited to exposed vulnerable servers. So far, nearly 5,000 artifacts have been patched, leaving more than 30,000 still to fix. It was also noted that the issue will be difficult to address because of how deeply Log4j is embedded in some products.

Log4shell is a critical vulnerability in the widely-used logging tool Log4j, which is used by millions of computers worldwide running online services. A wide range of people, including organisations, governments and individuals are likely to be affected by it. Although fixes have been issued, they will still need to be implemented.

Ransomware actor uses Log4j bug to hack VMware vCenter servers

The Conti ransomware operation is using the critical Log4Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines. The gang did not waste much time adopting the new attack vector and is the first "top-tier" operation known to weaponize the Log4j vulnerability. A proof-of-concept (PoC) exploit for CVE-2021-44228 — otherwise known as Log4Shell — emerged in the public space on December 9. A day later, mass scanning of the internet started, with multiple actors looking for vulnerable systems. Among the first to leverage the bug were cryptocurrency miners, botnets, and a new ransomware strain called Khonsari.

Dozens of vendors have been affected by Log4Shell and rushed to patch their products or provide workarounds and mitigations for customers. VMware is one of them, listing 40 vulnerable products. While the company provided mitigations or fixes, a patch for the impacted vCenter versions has yet to become available. Although vCenter servers are not normally exposed to the public internet, there are scenarios where an attacker could exploit the issue:

“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system and/or perform a denial of service attack” - VMware

AdvIntel says that Conti ransomware gang members showed interest in leveraging Log4Shell for their operations using the public exploit.

“The current exploitation led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J exploit” - AdvIntel

While most defenders are focused on blocking Log4Shell attacks on Internet-exposed devices, the Conti ransomware operation shows how the vulnerability can be used to target internal devices that may not receive as much attention. The researchers confirmed that Conti ransomware affiliates had already compromised the target networks and exploited vulnerable Log4j machines to gain access to vCenter servers. This means that Conti ransomware members relied on a different initial access vector (RDP, VPN, email phishing) to compromise a network and are currently using Log4Shell to move laterally on the network.

The NCA shares 585 million passwords with Have I Been Pwned

The UK National Crime Agency (NCA) has shared a collection of more than 585 million compromised passwords it found during an investigation with Have I Been Pwned, a website that indexes data from security breaches. In a blog post today, HIBP creator Troy Hunt said that 225 million of the compromised passwords found by the NCA were new and unique. These passwords have been added to a section of the HIBP website called Pwned Passwords. This section allows companies and system administrators to check and see if their current passwords have been compromised in hacks and if they are likely to be part of public lists used by threat actors in brute-force and password-spraying attacks.

Currently, the HIBP Pwned Passwords collection includes 5.5 billion entries, of which 847 million are unique. All these passwords are also available as a free download, so companies can check their passwords against the data set locally without connecting to Hunt’s service.
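An added illustration of the local check described above, not code from the post or from HIBP: the Pwned Passwords download lists upper-case hex SHA-1 hashes of leaked passwords with their counts, so a local lookup hashes the candidate and searches that set without sending anything to the service. The data set below is a constructed sample in the same layout; the counts are made up.

```python
import hashlib

def sha1_hex(password):
    """Pwned Passwords is keyed by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed sample in the layout of the Pwned Passwords download: one "SHA1:count" line per
# password. The hashes are computed here so the sample stays consistent; the counts are invented.
SAMPLE_DATASET = "\n".join(
    f"{sha1_hex(pw)}:{count}"
    for pw, count in [("password", 3861493), ("123456", 23597311), ("Winter2021!", 42)]
)

def load_index(lines):
    """Build {prefix: {suffix: count}} keyed on the first five hex characters of each hash."""
    index = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        index.setdefault(digest[:5], {})[digest[5:]] = int(count)
    return index

def pwned_count(password, index):
    """Return how many times the password appears in the data set (0 if absent)."""
    digest = sha1_hex(password)
    return index.get(digest[:5], {}).get(digest[5:], 0)

def check_passwords(candidates, index):
    """Return only the candidates present in the data set, with their breach counts."""
    found = {}
    for pw in candidates:
        count = pwned_count(pw, index)
        if count:
            found[pw] = count
    return found

if __name__ == "__main__":
    idx = load_index(SAMPLE_DATASET.splitlines())
    # Constructed candidate passwords for a local policy check.
    print(check_passwords(["password", "Tr0ub4dor&3", "Winter2021!"], idx))
```

Against the real download, build the index from the file stream rather than a string so the multi-gigabyte list is never held in memory twice.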

In a statement shared by Hunt, the NCA said it found the compromised passwords, paired with email accounts, in an account at a UK cloud storage facility. “Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown,” the NCA told Hunt.

The NCA said they weren’t able to determine or attribute the compromised email and password combos to any specific platform or company.

Attacks on UK firms surged five-fold during the pandemic

Attacks on UK firms surged five-fold during the pandemic and now cost far more than the global average, according to Accenture. The global consultancy polled 500 UK executives to compile its State of Cybersecurity Resilience 2021 study.

It found that large organisations experienced 885 attempted cyber-attacks in 2020 – up from 156 the previous year and more than triple the global average of 270. They’re also more expensive than elsewhere. Accenture calculated that incidents and breaches cost over £1.3m a year – £350,000 more than the global average. Over 80% of respondents said the cost of staying ahead of cyber-criminals is unsustainable, a fifth more than the previous year, and a quarter said they’ve been forced to increase cybersecurity budgets by 10% or more. Worryingly, supply chain attacks accounted for 64% of breaches in the UK last year, up by a quarter (26%) from the previous year. The report claimed that nearly half (49%) of large businesses lost over 100,000 customer records over the course of the past year, an increase of 28% from the previous year.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.
