Cyber Pulse: Edition 169 | 4 January 2022

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Log4j 2.17.1 out now, fixes new remote code execution bug

Apache has released another Log4j version, 2.17.1 fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832.

2.17.0 was the most recent version of Log4j and deemed the safest release to upgrade to, but that advice has now evolved. Mass exploitation of the original Log4Shell vulnerability (CVE-2021-44228) by threat actors began around 9 December, when a PoC exploit for it surfaced on GitHub.

Given Log4j's vast usage in the majority of Java applications, Log4Shell soon turned into a nightmare for enterprises and governments worldwide. While the critical risk posed by the original Log4Shell exploit is paramount, milder variants of the vulnerability emerged in Log4j versions, including 2.15 and 2.16 – previously believed to be fully patched. But now a fifth vulnerabilit – an RCE flaw, tracked as CVE-2021-44832 – has been discovered in 2.17.0, with a patch applied to the newest release 2.17.1, which is out.

Rated 'Moderate' in severity and assigned a 6.6 score on the CVSS scale, the vulnerability stems from the lack of additional controls on JDNI access in log4j. Checkmarx security researcher Yaniv Nizry claimed credit for reporting the vulnerability to Apache. Log4j users should immediately upgrade to the latest release 2.17.1 (for Java 8). Backported versions 2.12.4 (Java 7) and 2.3.2 (Java 6) containing the fix are also expected to be released shortly.

Malware exploits passwords saved in multiple browsers

RedLine, an information-stealing malware, has been targeting popular web browsers such as Microsoft Edge, Opera, Naver Whale, and Google Chrome. The commodity stealer targets passwords saved in these web browsers. A report from AhnLab ASEC warns against the auto-login feature that is available in popular web browsers available in the market.

The RedLine stealer is a commodity malware that can be purchased at an affordable price of just $200 on cybercrime forums. Hackers use the malware to target login data files saved on Chromium-based web browsers and SQLite databases storing usernames and passwords. Experts warn that it is a serious security threat impacting both organisations as well as individual users.

If a user refuses to store credentials on the browser, the password management system on the infected machine still makes an entry to show that the specific website is blacklisted. If the attacker fails to procure the passwords for this blacklisted account, they will know that the account exists and this allows them to carry out attacks such as credential stuffing, social engineering, or phishing.

After stealing the credentials, the attackers either use them for future attacks or sell them on dark web marketplaces. The recent report on RedLine highlights the danger of using the auto-login feature to store login information in web-browsers.

Uber email vulnerability

A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber. Security researcher and bug bounty hunter Seif Elsallamy discovered a flaw in Uber's systems that enables anyone to send emails on behalf of Uber. These emails, sent from Uber's servers, would appear legitimate to an email provider (because technically they are) and make it past any spam filters. On New Year's Eve of 2021, the researcher responsibly reported the vulnerability to Uber via their HackerOne bug bounty program.

However, his report was rejected for being "out-of-scope" on the erroneous assumption that exploitation of the technical flaw itself required some form of social engineering. The vulnerability is "an HTML injection in one of Uber's email endpoints," says Elsallamy, drawing comparison to a similar flaw discovered in 2019 on Meta's (Facebook's) servers by pen-tester Youssef Sammouda. Understandably, for security reasons, the researcher did not disclose the vulnerable Uber endpoint.

Uber users, staff, drivers, and associates should watch out for any phishing emails sent from Uber that appear to be legitimate as exploitation of this flaw by threat actors remains a possibility.

One in five aged domains is malicious, risky or unsafe

The number of malicious dormant domains is on the rise, and as researchers warn, roughly 22.3% of strategically aged domains pose some form of danger. This was a realisation that struck analysts when it was revealed that the SolarWinds threat actors relied on domains registered years before their malicious activities began. Based on that, efforts in detecting strategically aged domains before they get the chance to launch attacks and support malicious activities have picked up pace.

A report from Palo Alto Networks' Unit42 reveals their researchers' findings after looking at tens of thousands of domains each day throughout September 2021. They concluded that approximately 3.8% are straight-out malicious, 19% are suspicious, and 2% are unsafe for work environments. An obvious sign of a malicious domain is the sudden spike in its traffic. Legitimate services that registered their domains and launched services months or years later exhibit gradual traffic growth.

The domains that weren’t destined for legitimate use generally have incomplete, cloned, or generally questionable content. As expected, WHOIS registrant details are missing too. DGA (domain generation algorithm) is an established method of generating unique domain names and IP addresses to serve as new C2 communication points. The goal is to evade detection and blocklists.

Other real-world examples detected by the researchers include phishing campaigns that used DGA subdomains as cloaking layers that will direct ineligible visitors and crawlers to legitimate sites while pushing victims to the phishing pages. In most cases, strategically aged domains are used by sophisticated actors who operate in a more organised context and have long-term plans. They're used for leveraging DGA to exfiltrate data through DNS traffic, serve as proxy layers, or mimic the domains of well-known brands (cybersquatting). Although detecting DGA activity is still challenging, defenders can achieve a lot by monitoring DNS data like queries, responses, and IP addresses and focusing on identifying patterns.

Another T-Mobile cyberattack reported

T-Mobile has suffered another cyberattack after being rocked by a massive data breach in August. This time around, attackers accessed “a small number of” customers’ accounts, according to documents posted by The T-Mo Report.

According to the report, customers either fell victim to a SIM swapping attack, which could allow someone to bypass SMS-powered two-factor authentication, had personal plan information exposed, or both. The document shows that the customer proprietary network information that was viewed could’ve included customers’ billing account name, phone and account number, and info about their plan, including how many lines were attached to their account.

In the summer of 2021, the carrier confirmed that a data breach exposed almost 50 million customers’ data, with the attacker accessing social security numbers, names, and dates of birth. A person who claimed to be the hacker went on to call the company’s security practices “awful".

The information reportedly exposed in December’s breach is less sensitive and the documents say the customers who had their SIMs swapped have regained access, and is likely not as large in scope. T-Mobile’s support account has seemingly confirmed that there was a breach, responding to people on Twitter to say that it’s taking “immediate action” to help individuals who were put at risk by the attack.

Norway’s largest media companies shuts down presses due to cyber attack

Amedia, the largest local news publisher in Norway, announced last week that several of its central computer systems were shut down in what it is calling an apparent “serious” cyberattack. The attack is preventing the company from printing Wednesday’s edition of physical newspapers, and presses will continue to be halted until the issue is resolved, Amedia executive vice president of technology Pål Nedregotten said in a statement. The hack also impacts the company’s advertising and subscription systems, preventing advertisers from purchasing new ads and stopping subscribers from ordering or cancelling subscriptions.

“We are in the process of gaining an overview of the situation, but do not yet know the full potential for damage. We have already implemented comprehensive measures to limit the damage and to restore normal operations as quickly as possible,” said Executive Vice President of Technology, Pål Nedregotten, in a translated statement on the company’s website.

The company said it is unclear whether personal information has been compromised – the subscription system affected by the attack contains names, addresses, phone numbers, and subscription history of customers. Data such as passwords, read history, and financial information are not affected, the company said. Amedia publishes more than 90 newspapers and other publications that reach more than 2.5 million Norwegians, according to the company’s website.

UK Defence Academy breach revealed

A sophisticated cyberattack that hit the UK's Defence Academy last year caused "significant" damage, a retired high-level official has revealed. Air Marshal Edward Stringer, who was officer in charge at the time, told Sky News that the Academy uncovered the incident in March 2021, following which it decided to rebuild its network. The attack has still not been attributed to an organisation or state. 

Contractors working for outsourcing firm Serco were the first to notice unusual activity on the Academy's network in March. The Academy's IT staff soon identified the presence of external agents on the network, who it appeared were there for "nefarious reasons." While the cyberattack did not succeed, Stringer said it still had "costs to ... operational output" and "opportunity costs in what our staff could have been doing when they were having to repair this damage."

The Ministry of Defence's digital branch launched an investigation into the incident after it was discovered, and the National Cyber Security Centre was also made aware of the hack. According to Sky News, no sensitive data was stored on the compromised systems, and there were no breaches beyond the Academy, although there were some concerns that the attackers could have used the academy's network as a backdoor to other MoD systems.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.