Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Business

A year ago, in December 2021, the Log4Shell vulnerability (CVE-2021-44228) in the Apache Log4j library caused a sensation. Although by the spring it was no longer on the front pages of IT media outlets, in November 2022 it reemerged when it was reported that cybercriminals had exploited the vulnerability to attack a US federal agency and install a cryptocurrency miner in its systems. That's a good reason to explain what Log4Shell actually is, why it's too early to write it off, and how to protect your infrastructure.

What is the Apache Log4j library?

Because the Java SDK did not initially support logging, developers had to write their own solutions, and by the time the official Java Logging API appeared, there were already quite a few of them. One is Apache Log4j, a popular open-source Java library in development since 2001. It's by no means the only logging solution in Java, but certainly one of the most popular. Many alternative solutions are essentially offshoots of Log4j that appeared at different stages of the library's development.

What is the Log4Shell vulnerability?

The Log4j library allows all system events to be logged automatically. It uses a standard set of interfaces for accessing Java Naming and Directory Interface (JNDI) data. In November 2021, it turned out that during logging it is able to run JNDI commands passed to it by an event, for example, in the header field of a request, in a chat message, or in the description of a 404 error on a web page. The vulnerability allows cybercriminals, at least theoretically, to do whatever they like on the victim's system (if no additional security measures kick in). In practice, attackers most often used Log4Shell to install illegal miners and carry out ransomware attacks. But there have been more exotic uses for it too, including targeted attacks, spreading the Mirai botnet, and even RickRolling — playing the (annoyingly addictive) Never Gonna Give You Up hit by 80s crooner Rick Astley.

Why is it so dangerous and still a threat?

Java is one of the main programming languages; it's used for many backend systems — from small corporate servers to industrial automation systems and IoT devices. Most of these systems implement logging in one way or another. For years, the easiest way to do this was to use the Log4j library. When, in December 2021, it was reported to contain a vulnerability, experts declared it would be a huge problem for many years to come. Here's why:

Log4j is used in a vast array of Java applications. At the time of discovery, the vulnerability was present in more than 35,000 packages (artifacts) in Maven Central (the largest Java package repository), which represents 8% of their total number. According to experts, around 40% of networks worldwide were at risk from Log4Shell.

Besides conventional computers and servers, Java is also used in industrial, medical, and other specialized equipment. That equipment, too, is known to make use of the Log4j library. End users of solutions with Log4j inside, if blissfully unaware that the software contains a vulnerability, may put off updating it.

Developers of solutions that use the Log4j library could well have gone bust long ago, left the market, or otherwise pulled support for their programs. Even if end users wanted to update, that option might no longer be there, while switching to other software may not be so easy.

Log4j is an open-source library, which means that programmers can copy, modify, and use it in their projects. Unfortunately, not all developers strictly adhere to licensing rules or indicate code authorship. So, in theory, the same vulnerability could be found in a third-party project where officially there's no Log4j.

Log4Shell was a zero-day vulnerability, meaning that cybercriminals exploited it before information about it was published. There's evidence to suggest that attackers first tried it out at least nine days before it was made public.

Among the affected programs were VMware products, in particular the popular virtual desktop infrastructure solution VMware Horizon. Many registered attacks penetrated the system through this very software.

Program updates will have little effect in the event that intruders are already inside the system. By no means all attacks begin immediately after penetration, and it's quite possible that many systems contain backdoors to this day.

Actual damage

In fairness, we should note that so far no catastrophic consequences of Log4Shell exploitation have been recorded — or, at least, none that the general public has been made aware of. All the same, the vulnerability caused a major headache for developers and security experts, including ruined Christmas holidays for thousands of IT staff worldwide. Companies that are serious about security (both theirs and their clients') have had to fork out considerable sums to locate the vulnerability in their systems and software, and eliminate it. Below, we spotlight some of the most notable Log4Shell incidents known:

On December 20, 2021, the Belgian Ministry of Defense confirmed an attack on its infrastructure using the vulnerability. Understandably, the details were not disclosed.

On December 29, 2021, media reports said that a certain scientific institution in the United States had been attacked through Log4Shell. According to CrowdStrike, the APT group Aquatic Panda exploited an unpatched VMware Horizon. The suspicious activity was stopped in time, but the incident itself indicates that serious hacker groups have embraced the vulnerability.

Also in December 2021, news broke about Log4Shell exploitation on Minecraft: Java Edition servers not hosted by the game publisher (Microsoft). The company confirmed the report and drew attention to the simplicity of the attack's implementation: the cybercriminals transmitted malicious code in a regular in-game chat, which was enough to run it both on the server side and on the vulnerable client. This case is of interest less from the victim's perspective and more in terms of the technical implementation: under certain conditions, an attack can be carried out simply through an internal chat. This is worrying, since chats now reach far beyond the world of gaming: for many companies, they are the preferred method of communicating with customers. In many fintech and other applications, this is how customer support is delivered.

In June 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Coast Guard Cyber Command (CGCYBER) issued an alert that the vulnerability was still being actively exploited. The advisory stated that cybercriminals used a loophole in the same VMware Horizon to penetrate the internal networks of two unnamed government agencies. On top of that, the attackers were said to have gained access to 130GB of sensitive data related to law enforcement.

In November 2022, CISA, jointly with the FBI, issued another advisory about a Log4Shell attack on one more government agency. The attackers penetrated the system back in February, were detected in April, and remained active in June–July. During this period, they created an account with administrator privileges, changed a legitimate administrator's password, and uploaded mining software to the server. The attack is believed to be the work of Iranian government-sponsored hackers, so some experts consider the mining to be just a smokescreen to hide their real motives.

How to protect your infrastructure

Any company can fall victim to Log4Shell, often simply due to not knowing about vulnerabilities in their systems and software. If you're unsure whether your systems, tools, products, or services use the Log4j library, it makes sense to conduct a thorough security audit. Other than that, to stay safe, follow these tips from our experts:

If Log4j features in software you make, use the latest version of the library available on the project page. Read the official guide from Apache Logging Services and follow it where necessary.

If Log4j is used in third-party products, update all vulnerable software.

Use robust security solutions able to detect attempts to exploit vulnerabilities on servers and workstations.

Monitor suspicious activity inside the corporate perimeter using EDR-class solutions or external services like managed detection and response. This will allow you to find and kill attacks in the early stages.
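The audit step above (finding out whether Log4j is present in what you run, including copies bundled inside WAR/EAR files that a package manager never sees) can be done by looking for the JndiLookup class and the Maven version metadata that log4j-core jars carry. The following is an added example, not code from the article or from the Apache project; the sample archives it scans are constructed in a temporary directory, and the 2.15.0 threshold is only the fix for CVE-2021-44228 itself, not the version you should stop at.

```python
"""Audit a directory tree for the Log4j 2 JndiLookup class, descending into
JARs bundled inside WAR/EAR files, and report the log4j-core version found.
Added example; the archives it scans are constructed fixtures, not real jars."""
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Optional

# The lookup class that implements ${jndi:...} resolution in log4j-core 2.x.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; carries the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# CVE-2021-44228 itself was fixed in 2.15.0; later advisories raised the
# recommended floor, so treat this threshold as a minimum, not the target.
FIRST_FIXED = (2, 15, 0)


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); padded so '2.15' compares equal to 2.15.0."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def scan_archive(data: bytes, label: str) -> Iterator[dict]:
    """Yield one finding per (nested) archive that contains JndiLookup."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip-based archive; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP_CLASS in names:
            version: Optional[str] = None
            if POM_PROPERTIES in names:
                props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            # An unknown version is reported as affected: the class is present
            # and nothing proves the fix is in place.
            affected = version is None or parse_version(version) < FIRST_FIXED
            yield {"archive": label, "version": version, "cve_2021_44228": affected}
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):  # e.g. WEB-INF/lib/*.jar
                yield from scan_archive(zf.read(name), f"{label}!{name}")


def scan_tree(root: str) -> List[dict]:
    """Walk root and scan every archive found on disk."""
    findings: List[dict] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), os.path.relpath(path, root)))
    return findings


def make_log4j_core(version: str) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar (fixture, not the real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed layout: an old jar on disk, an old jar inside a WAR, a fixed jar."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(make_log4j_core("2.14.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", make_log4j_core("2.11.2"))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(make_log4j_core("2.17.1"))
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        state = "affected by CVE-2021-44228" if f["cve_2021_44228"] else "fixed for CVE-2021-44228"
        print(f"{f['archive']}: log4j-core {f['version'] or 'unknown'}: {state}")
```

Point scan_tree at a deployment directory to get the same report for real archives; a finding with no version means the class is present but the Maven metadata was stripped, which deserves a manual look rather than a pass.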


 Ransomware

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505”), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image: Tripwire.com

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:

Making secure offsite backups.

Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.

Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.

Encrypting sensitive data wherever possible.

Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.

As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”

 Expert Blogs and Opinion

Created and maintained by MITRE, MITRE D3FEND is a framework that provides a library of defensive cybersecurity countermeasures and technical components to help organizations improve their defensive cybersecurity posture.

 Malware and Vulnerabilities

Researchers from FortiGuard Labs disclosed a unique botnet that abuses IoT vulnerabilities. Dubbed Zerobot, the malware contains several modules, such as self-replication and self-propagation. The malware, written in the Go language, can also communicate to its C2 server using the WebSocket protocol. The campaign allegedly began sometime post-mid-November.

 Breaches and Incidents

An advanced cyberespionage campaign by Iranian APT42 was found targeting journalists, diplomats, politicians, and human rights activists working in the Middle East. Attackers gained access to the targets’ emails, cloud storage drives, calendars, and contacts, almost immediately after the compromise. This section of people needs to take extra security measures to safeguard against surveillance threats.

 Companies to Watch

Rezonate emerged from stealth with $8.7 million in funding for its cloud identity protection platform that prevents access risk and stops attackers’ actions to breach cloud infrastructure, where modern organizations’ critical data resides.

 Trends, Reports, Analysis

A vast number of common vulnerabilities and exposures (CVEs), default passwords, and other security risks have been found in millions of extended internet of things (XIoT) devices.

 Malware and Vulnerabilities

Attackers used a new Babuk strain to target a multibillion-dollar manufacturing company with more than 10,000 workstations and server devices. The attackers had network access for two weeks of full reconnaissance prior to launching their attack.

 Malware and Vulnerabilities

Trustwave SpiderLabs’ researchers uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service.

 Identity Theft, Fraud, Scams

Though this happens all the time, the fact that we're seeing an influx around the holiday is an interesting trend. It means that hackers are actively targeting people when they are likely to spend their money the most.

 Feed

Ubuntu Security Notice 5768-1 - Jan Engelhardt, Tavis Ormandy, and others discovered that the GNU C Library iconv feature incorrectly handled certain input sequences. An attacker could possibly use this issue to cause the GNU C Library to hang or crash, resulting in a denial of service. It was discovered that the GNU C Library did not properly handle DNS responses when EDNS0 is enabled. An attacker could possibly use this issue to cause fragmentation-based attacks.

 Feed

Red Hat Security Advisory 2022-8857-01 - Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson. Issues addressed include a bypass vulnerability.

 Feed

Red Hat Security Advisory 2022-8848-01 - An update for python-XStatic-Bootstrap-SCSS is now available for Red Hat OpenStack Platform 16.2.4 (Train). Issues addressed include a cross site scripting vulnerability.

 Feed

Red Hat Security Advisory 2022-8865-01 - An update for python-XStatic-Bootstrap-SCSS is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2. Issues addressed include a cross site scripting vulnerability.

 Feed

Red Hat Security Advisory 2022-8851-01 - An update for rabbitmq-server is now available for Red Hat OpenStack Platform 16.2.4 (Train) for Red Hat Enterprise Linux (RHEL) 8.4. Issues addressed include cross site scripting and improper neutralization vulnerabilities.

 Feed

Red Hat Security Advisory 2022-8853-01 - An update for python-django20 is now available for Red Hat OpenStack Platform 16.2.4 (Train) for Red Hat Enterprise Linux (RHEL) 8.4. Issues addressed include cross site scripting and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2022-8867-01 - An update for rabbitmq-server is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2. Issues addressed include cross site scripting and improper neutralization vulnerabilities.

 Feed

Red Hat Security Advisory 2022-8872-01 - An update for python-django20 is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2. Issues addressed include cross site scripting, denial of service, remote shell upload, and remote SQL injection vulnerabilities.

 Feed

Red Hat Security Advisory 2022-8863-01 - Paramiko is a module for python 2.3 or greater that implements the SSH2 protocol for secure connections to remote machines. Unlike SSL, the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. You may know SSH2 as the protocol that replaced telnet and rsh for secure access to remote shells, but the protocol also includes the ability to open arbitrary channels to remote services across an encrypted tunnel.

 Feed

Red Hat Security Advisory 2022-8855-01 - OpenStack Networking is a virtual network service for OpenStack. Just as OpenStack Compute provides an API to dynamically request and configure virtual servers, OpenStack Networking provides an API to dynamically request and configure virtual networks. These networks connect 'interfaces' from other OpenStack services. The OpenStack Networking API supports extensions to provide advanced network capabilities.

 Feed

Ubuntu Security Notice 5770-1 - Todd Eisenberger discovered that certain versions of GNU Compiler Collection could be made to clobber the status flag of RDRAND and RDSEED with specially crafted input. This could potentially lead to less randomness in random number generation.

 Feed

Ubuntu Security Notice 5769-1 - It was discovered that protobuf did not properly manage memory when serializing large messages. An attacker could possibly use this issue to cause applications using protobuf to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that protobuf did not properly manage memory when parsing specifically crafted messages. An attacker could possibly use this issue to cause applications using protobuf to crash, resulting in a denial of service.

 Feed

Red Hat Security Advisory 2022-8902-01 - This release of Camel for Spring Boot 3.18.3 serves as a replacement for Camel for Spring Boot 3.14.2 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2022-8900-01 - The grub2 packages provide version 2 of the Grand Unified Boot Loader, a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices.

 Feed

Red Hat Security Advisory 2022-8840-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include buffer overflow, bypass, code execution, denial of service, double free, and out of bounds read vulnerabilities.

 Feed

Red Hat Security Advisory 2022-8841-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include buffer over-read, buffer overflow, bypass, code execution, denial of service, double free, integer overflow, out of bounds read, and use-after-free vulnerabilities.

 Feed

Ubuntu Security Notice 5767-1 - Nicky Mouha discovered that Python incorrectly handled certain SHA-3 internals. An attacker could possibly use this issue to cause a crash or execute arbitrary code. It was discovered that Python incorrectly handled certain IDNA inputs. An attacker could possibly use this issue to expose sensitive information, cause a denial of service, or cause a crash.

 Feed

An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware. The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by ScarCruft, which is

 Feed

An Iranian advanced persistent threat (APT) actor known as Agrius has been attributed as behind a set of data wiper attacks aimed at diamond industries in South Africa, Israel, and Hong Kong. The wiper, referred to as Fantasy by ESET, is believed to have been delivered via a supply-chain attack targeting an Israeli software suite developer as part of a campaign that began in February 2022.

 Feed

An unconventional data exfiltration method leverages a previously undocumented covert channel to leak sensitive information from air-gapped systems. "The information emanates from the air-gapped computer over the air to a distance of 2 m and more and can be picked up by a nearby insider or spy with a mobile phone or laptop," Dr. Mordechai Guri, the head of R&D in the Cyber Security Research

 Feed

Apple on Wednesday announced a raft of security measures, including an Advanced Data Protection setting that enables end-to-end encrypted (E2EE) data backups in its iCloud service. The headlining feature, when turned on, is expected to secure 23 data categories using E2EE, including device and message backups, iCloud Drive, Notes, Photos, Reminders, Voice Memos, Safari Bookmarks, Siri Shortcuts,

 Feed

Looking to up your cybersecurity game in the new year? Do not just buy electronics this vacation season, improve your cybersecurity! The end of the year is a great time to re-evaluate your cybersecurity strategy and make some important investments in protecting your personal and professional data. Cyber threats are constantly evolving and becoming more sophisticated, so it's important to stay on

 Feed

Researchers have shed light on a new hybrid malware campaign targeting both Android and Windows operating systems in a bid to expand its pool of victims. The attacks entail the use of different malware such as ERMAC, Erbium, Aurora, and Laplas, according to a ThreatFabric report shared with The Hacker News. "This campaign resulted in thousands of victims," the Dutch cybersecurity company said,

 Phishing

An AI chatbot is causing a stir - both impressing and terrifying users in equal measure. A security researcher discovers that a "smart" cam that doesn't use the internet is err.. using the internet. And university students revolt over under-the-belt surveillance. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown's Thom Langford.

2022-12
Aggregator history
Thursday, December 08