Log4Shell Strategic Response: 5 Practices for Vulnerability Management at Scale

 

Description

This post is co-authored by Blake Cifelli, Senior Advisory Services Consultant.

In today’s cybersecurity world, risks evolve faster than we can remediate them. To meet our goals and become resilient to these fast changes, we need the right balance of automation and human interaction. Enabling rapid response for protecting information systems is paramount, but how does a business reach this level of reaction?

How can organizations maintain a standard of excellence to their responses in high-risk situations?

Where do you even begin to respond to a critical vulnerability like the one in Apache’s Log4j Java library (a.k.a. Log4Shell)?

Most importantly, how do we transform the tactical actions that need to take place into an effective strategy to scale?

1. Empower personnel

The personnel with the knowledge about your various solutions must be empowered to make the decisions necessary to address your company’s information technology needs. If those team members don’t feel they can make those decisions, then they will defer to management — but managers may not know the intricacies of the solutions and could create a natural bottleneck, since there are going to be more decision points than managers to make decisions. Providing personnel with policy documents with uniform criteria for evaluating the risk these new vulnerabilities present, the ways to respond, and the time expectations is paramount for a timely resolution.

In a typical risk resolution process, there are many gates to safeguard our systems. This helps ensure that whatever change happens increases the solution’s confidentiality, integrity, or availability rather than diminishing it. However, a situation like Log4Shell needs to be treated like an incident response activity to quickly address the risk. Create a task force to effectively answer the important questions like:

• How do we find vulnerable systems?
• Which systems are vulnerable?
• What options are there for a fix? One size may not fit all.
• Who is going to track changes?
• Who is going to validate the fix is in place?

Utilizing a strong incident response procedure to answer all these questions will assist with prioritization and remediation to an acceptable level of risk.

2. Promote visibility

Any standard vulnerability management lifecycle process begins with identifying affected systems to assess and evaluate the scope of a vulnerability’s presence on the network. The approach should utilize both proactive and reactive efforts through a combination of tools and well-documented processes to streamline and scale the response effectively.

A proactive process would first involve having well-documented use of any such library versions internally in an inventory, so that discoverability and traceability are much more narrowly focused efforts. If you conduct authenticated vulnerability scans continuously on pre-scheduled frequencies, this will also help with identification of third-party software utilizing this library over time. Classifying system criticality within the vulnerability management tool will help you more effectively scale future remediation processes.

These proactive processes help jumpstart an initial response, but you’ll still need reactive efforts to help ensure effective and timely remediation. Vulnerability scanning tools will receive signature updates regarding this newly discovered vulnerability, which will require updating your vulnerability management tool and initiating one-off alternative scans that may deviate from pre-scheduled rotations. These alternative scans should include tiered phases, so the most critical systems receive scan priority, and then remaining systems are scanned in order of criticality. Leveraging the pre-existing system criticality classification will significantly expedite this process.

A security incident and event management (SIEM) tool can also assist with identifying, tracking, and alerting for any suspicious activity that may be tied to exploitation of this vulnerability. Host agents and network detection systems that report back to the SIEM should be closely monitored, and any activity or traffic that deviates from baselines should receive an active response. You may need to adjust logging and alerting rules and thresholds to ensure your efforts are strategically focused.

Tactical processes help you achieve this continuous identification, but you still need to orchestrate and execute them through strategic planning to remain timely, efficient, and effective. Well-documented asset inventories and appropriate system criticality classifications help you prioritize your efforts, while continuous vulnerability scans and leveraging vulnerability management and SIEM tools help to identify, track, and manage vulnerability exposure. Leadership should provide the direction to guide these activities from inception to implementation through effective communication and allocation of resources. Lay out a short-term roadmap for tracking objectives and quick wins as part of the remediation process, so you can quickly and concisely show how you’re tracking toward goals.

3. Implement prioritization and mitigation

Now that your team has successfully identified all affected systems, you’ll need to roll out patches to those systems on a continuous basis during the next phase to mitigate risk. Current enterprise-wide patching timelines may require adjustment due to the urgency associated with such critical vulnerabilities. Patch testing and rollout phases must be expedited to support a more timely and effective response.

Much like conducting our vulnerability scans in terms of system criticality prioritization, our patch management response should follow a similar approach, with the caveat that a pilot group or pilot system deemed non-critical should be patched first for testing purposes to ensure no adverse effects prior to rolling out patches in order of system criticality. If you’ve configured a full test environment is configured, you can test patches on critical systems first within that environment and then roll them out in production according to criticality. The testing timeline itself should be reduced throughout all standard phases of a testing cycle — you may even need to eliminate certain testing phases altogether. The rollout timelines for patches across all systems will need to be expedited as well to ensure as timely coverage as possible. If your environment has widespread use of the vulnerable library, you may require reductions in timelines of anywhere from 25% to 50%.

Emergency patching procedures should provide for timely testing and production rollouts within roughly half the time of a normal patching cycle, or 5 to 10 days at a maximum for critical systems to minimize breach potential as quickly as possible. Also keep in mind that some vulnerabilities may involve more than just application of a simple patch — configuration changes may also be necessary to further mitigate potential exploitation by an adversary.

4. Validate remediation

Now, you’ve deployed patches to all affected systems, so the mitigation efforts are complete, right? While you may want to shift your focus back to other tasks, it’s essential to maintain continuous identification processes to ensure that no stone remains unturned.

The vulnerability management validation phase leverages those reactive identification processes, in addition to patch management processes, to assist in efficient and effective vulnerability remediation for affected systems. This stage involves re-scanning initially identified vulnerable systems to assess successful patch application and performing additional open scans of the network to ensure that there are no lingering systems that may still be affected by the vulnerability but weren’t originally identified — or perhaps weren’t successfully patched as part of the patch management process. This cycle of continuous validation will remain in effect until “clean” scans are reported across the enterprise regarding this vulnerability.

Since the Log4j logging library is widely used throughout many enterprise applications and even unknowingly embedded in so many others, continuous validation will become crucial in ensuring your organization remains vigilant and can mitigate the vulnerability quickly and effectively as you continue to discover affected systems.

5. Regularly review risks

A vulnerability management lifecycle rarely ever comes to a true end. As adversaries and security evangelists further evaluate a specific vulnerability over time, new methods of exploitation are identified, affected versions increase in scope and scale, and recent patches and fixes are found to be ineffective. This leaves organizations potentially open to exposure and at a loss for the best path forward. Continuous review of the trends surrounding an ongoing critical vulnerability will help organizations ensure they remain both aware of the impact and the current mitigating measures that have been most successful. Additionally, leveraging other solutions can help further identify and launch a coordinated defense-in-depth response to any potential malicious activity that may be associated with such vulnerabilities.

Working to continuously identify, mitigate, validate, and review vulnerabilities throughout their inevitable course will require commitment and fortitude to achieve the best results, but once the tides have subsided with Log4Shell and you’ve successfully and securely endured one of the worst security vulnerability exposures in a decade by following these processes, you can rest assured that your incident response processes were well-tested during this endeavor — and your IT security budget should be more than solidified for the next few years to come.

Check out our additional resources for further insight of this vulnerability, mitigating measures, and tools available to assist.

• Log4Shell Resource Hub
• Log4Shell Resources for Rapid7 Customers
• Widespread Exploitation of Critical Remote Code Execution in Apache Log4j
• Update on Log4Shell’s Impact on Rapid7 Solutions and Systems
• Using InsightVM to Find Apache Log4j CVE-2021-44228
• InsightVM Docs page for Log4j
• Rapid7 analysis of Log4Shell on AttackerKB

NEVER MISS A BLOG

Read More

Metasploit Wrap-Up

 

Description

Dump Windows secrets from Active Directory

This week, our very own Christophe De La Fuente added an important update to the existing Windows Secret Dump module. It is now able to dump secrets from Active Directory, which will be very useful for Metasploit users. This new feature uses the Directory Replication Service through RPC to retrieve data such as SIDs, password history, Domain user NTLM hashes and Kerberos keys, etc. This replicates the behavior of the famous impacket secretsdump.py, with the benefit of being fully integrated with Metasploit Framework. For example, it is possible to pivot on a compromised host and run the Windows Secret Dump module against an internal Domain Controller directly from msfconsole. Furthermore, the secrets are stored in the internal database, which lets other modules access this information easily.

This update also brings another big improvement to the ruby_smb library. This adds a new DCERPC client and many ready-to-use RPC queries from Directory Replication Service (DRS) Remote Protocol, Security Account Manager (SAM) Remote Protocol and Workstation Service Remote Protocol. These will greatly simplify the process of writing modules that use DCERPC against Windows systems.

Authenticated Catch Themes Demo Import Remote Code Execution

Thank you to Ron Jost, Thinkland Security Team, and h00die for their community contribution of a Remote Code Execution exploit module against versions 1.8 and earlier of the Catch Themes Demo Import Wordpress Plugin.

New module content (6)

• Grafana Plugin Path Traversal by h00die and jordyv, which exploits CVE-2021-43798 - This aAdds a module to exploit Grafana file read vulnerability CVE-2021-43798.
• Native LDAP Server (Example) by RageLtMan and Spencer McIntyre - This adds the initial implementation of an LDAP server implemented in Rex and updates the existing log4shell scanner module to use it as well as provides a new example module.
• Wordpress Plugin Catch Themes Demo Import RCE by Ron Jost, Thinkland Security Team, and h00die, which exploits CVE-2021-39352 - This adds an exploit for the Catch Themes Demo Import Wordpress plugin for versions below 1.8. The functionality for importing a theme does not properly sanitize file formats, allowing an authenticated user to upload a php payload. Requesting the uploaded file achieves code execution as the user running the web server.
• Wordpress Popular Posts Authenticated RCE by Jerome Bruandet, Simone Cristofaro, and h00die, which exploits CVE-2021-42362 - This PR adds a new exploit for wp_popular_posts <=5.3.2.
• ManageEngine ServiceDesk Plus CVE-2021-44077 by wvu and Y4er, which exploits CVE-2021-44077
• Dell DBUtilDrv2.sys Memory Protection Modifier by Jacob Baines, Kasif Dekel, Red Cursor, and SentinelLabs - This module leverages a write-what-where condition in DBUtilDrv2.sys version 2.5 or 2.7 to disable or enable LSA protect on a given PID (assuming the system is configured for LSA Protection). The drivers must be provided by the user.

Enhancements and features

• #15831 from zeroSteiner - Established SSH connections can now leverage the pivoting capabilities of the SshCommandShellBind session type.
• #15882 from smashery - An update has been made which will prevent exploits from running a payload if the exploit drops files onto the target, but the payload doesn’t have the capability to clean those dropped files up from the target. Users can still override this setting by specifying set AllowNoCleanup true if they wish to bypass this protection.
• #15924 from cdelafuente-r7 - This adds the NTDS technique to the Windows Secrets Dump module, enabling it to be used against Domain Controllers. It also pulls in RubySMB changes that include many DCERPC related improvements and features.
• #15986 from bcoles - Module notes added to bash_profile_persistence now describe impacts of utilizing the module in a target environment.

Bugs fixed

• #15982 from 3V3RYONE - This fixes a bug where modules using the SMB client would crash when the SMBUser datastore option had been explicitly unset.
• #15984 from h00die - This PR fixes a bug in the snmp library which caused it to ignore version 1, despite specifically set options.
• #16003 from jmartin-r7 - This fixes an issue with GitHub actions where the Ruby 3.1.0 version string is not yet being parsed correctly leading to automation failures.
• #16015 from zeroSteiner - This fixes a regression in tab completion for the RHOSTS datastore option.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.20…6.1.23
• Full diff 6.1.20…6.1.23

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Read More

Log4J-Related RCE Flaw in H2 Database Earns Critical Warning

 

Description

Researchers discovered a bug related to the Log4J logging library vulnerability, which in this case opens the door for an adversary to execute remote code on vulnerable systems. However, this flaw does not pose the same risk as the previously identified in Log4Shell, they said.

JFrog security discovered the flaw and rated critical in the context of the H2 Java database console, a popular open-source database, according to a Thursday blog post by researchers.

H2 is attractive to developers for its lightweight in-memory solution–which precludes the requirement for data to be stored on disk—and is used in web platforms such as Spring Boot and IoT platforms such as ThingWorks.

However, the flaw (CVE-2021-42392) is similar to Log4Shell. “[I]t should not be as widespread” due to a few conditions and factors, JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote in their post.

Log4Shell (CVE-2021-44228) was tied to the Apache Log4j logging library in early December and immediately exploited by attackers. It spawned 60 variants of the original exploit created for the flaw in a 24-hour period as well as a faulty fix that could cause DoS attacks when it was first released.

How is the H2 Bug Similar to Log4J?

The root cause of the H2 flaw is based in JNDI remote class loading, making it similar to Log4Shell in that it allows several code paths in the H2 database framework pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function. This allows for remote codebase loading, also known as Java code injection or remote code execution, researchers said.

“Specifically, the org.h2.util.JdbcUtils.getConnection method takes a driver class name and database URL as parameters,” they explained in the post. “If the driver’s class is assignable to the javax.naming.Context class, the method instantiates an object from it and calls its lookup method.”

Reasons to Be Wary, but Not Panic

However, unlike Log4Shell, the H2 flaw has a “direct” scope of impact, meaning that typically the server that processes the initial request—that is, the H2 console—will feel the direct brunt of the remote code execution (RCE) bug, researchers wrote in a post published Thursday.

“This is less severe compared to Log4Shell since the vulnerable servers should be easier to find,” researchers wrote.

Secondly, by default on vanilla distributions of the H2 database, the H2 console only listens to localhost connections, thus making the default setting safe, they noted.

“This is unlike Log4Shell which was exploitable in the default configuration of Log4j,” researchers wrote. Still, the H2 console can easily be modified to listen to remote connections as well, which would widen the risk, researchers added.

Indeed, this aspect of the execution of the flaw definitely lessens its severity in comparison to the Log4j issue, noted one security professional.

“Log4j was unique in that any number of attack-manipulated strings, from headers to URL paths, could result in exploitation of the victim depending on how the application was set up to utilize logging with Log4j,” Matthew Warner, CTO and co-founder at automated threat detection and response technology provider Blumira, wrote in an email to Threatpost. “In this case, the H2 database console must be purposefully exposed to the internet by changing the configuration.”

Thirdly, while many vendors may be running the H2 database, they may not run the H2 console with it, JFrog researchers said. There are other attack vectors that can exploit the H2 flaw; however, they are “context-dependent and less likely to be exposed to remote attackers,” researchers observed.

Who Is At Risk?

If the H2 flaw doesn’t deserve the same alarm as Log4Shell, why is it worth noting, one may ask. The JFrog team said that it can be extremely critical and allow for unauthenticated RCE to those running an H2 console exposed to a local area network (LAN) or, even worse, a wide area network (WAN). Indeed, attacking the H2 console directly is the most severe attack vector, researchers said.

Blumira’s Warner said that according to open-source intelligence (OSINT), there are likely less than 100 servers on the internet impacted by the H2 flaw, “so only a very limited number of organizations” are directly affected, he said.

“This vulnerability is a good reminder that it is important to ensure that sensitive services are only internally exposed to mitigate potential future risks,” Warner added.

Still, JFrog researchers said that many developer tools rely on the H2 database and specifically expose the H2 console. This is worrying due to the “recent trend of supply chain attacks targeting developers, such as malicious packages in popular repositories.”

These attacks emphasize “the importance of developer tools being made secure for all reasonable use cases,” researchers wrote, which is why they hope many H2-dependent tools will be safer after applying their recommended fix.

On that point, the JFrog team recommends that all users of the H2 database to upgrade to version 2.0.206, which fixes CVE-2021-42392 by limiting JNDI URLs to use the local java protocol only, denying any remote LDAP/RMI queries, researchers explained.

“This is similar to the fix applied in Log4j 2.17.0,” they wrote.

Even those not directly using the H2 console should update “due to the fact that other attack vectors exist, and their exploitability may be difficult to ascertain,” researchers added.

Password****Reset: ****On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken.Register & stream this FREE session today – sponsored by Specops Software.

Read More

Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console

 

Description

Researchers have disclosed a security flaw affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j “Log4Shell” vulnerability that came to light last month.

The issue, tracked as CVE-2021-42392, is the “first critical issue published since Log4Shell, on a component other than Log4j, that exploits the same root cause of the Log4Shell vulnerability, namely JNDI remote class loading,” JFrog researchers Andrey Polkovnychenko and Shachar Menashe said.

H2 is an open-source relational database management system written in Java that can be embedded within applications or run in a client-server mode. According to the Maven Repository, the H2 database engine is used by 6,807 artifacts.

JNDI, short for Java Naming and Directory Interface, refers to an API that provides naming and directory functionality for Java applications, which can use the API in conjunction with LDAP to locate a specific resource that it might need.

In the case of Log4Shell, this feature enables runtime lookups to servers, both inside and outside the network, which, in turn, can be weaponized to allow unauthenticated remote code execution and implant malware on the server by crafting a malicious JNDI lookup as input to any Java application that uses vulnerable versions of the Log4j library to log it.

“Similar to the Log4Shell vulnerability uncovered in early December, attacker-controlled URLs that propagate into JNDI lookups can allow unauthenticated remote code execution, giving attackers sole control over the operation of another person or organization’s systems,” Menashe, senior director of JFrog security research, explained.

The flaw affects H2 database versions 1.1.100 to 2.0.204 and has been addressed in version 2.0.206 shipped on January 5, 2022.

“The H2 database is used by many third-party frameworks, including Spring Boot, Play Framework and JHipster,” Menashe added. “While this vulnerability is not as widespread as Log4Shell, it can still have a dramatic impact on developers and production systems if not addressed accordingly.”

Read More

What's New in InsightIDR: Q4 2021 in Review

 

Description

****More context and customization around detections and investigations, expanded dashboard capabilities, and more.****

This post offers a closer look at some of the recent releases in InsightIDR, our extended detection and response (XDR) solution, from Q4 2021. Over the past quarter, we delivered updates to help you make more informed decisions, accelerate your time to respond, and customize your detections and investigations. Here’s a rundown of the highlights.

More customization options for your detection rules

InsightIDR provides a highly curated detections library, vetted by the security and operations center (SOC) experts on our managed detection and response (MDR) team — but we know some teams may want the ability to fine tune these even further. In our Q3 wrap-up, we highlighted our new detection rules management experience. This quarter, we’ve made even more strides in leveling up our capabilities around detections to help you make more informed decisions and accelerate your time to respond.

Attacker Behavior Analytics Detection Rules viewed and sorted by rule priority

• New detection rules management interface: With this new interface, you can see a priority field for each detection provided by InsightIDR with new actions available.
  • Change priority of detections and exceptions that are set to Creates Investigation as the Rule Action.
  • View and sort on priority from the main detection management screen.
  • More details on our detection rules experience can be found in our help docs, here.
• ****Customizable priorities for UBA detection rules and custom alerts:****Customers can now associate a rule priority (Critical, High, Medium, or Low) for all of their UBA and custom alert detection rules. The priority is subsequently applied to investigations created by a detection rule.
• ****A simplified way to create exceptions:**** We added a new section to detection rule details within “create exception” to better inform on which data to write exceptions against. This will show up to the 5 most recent matches associated with that said detection rule — so now, when you go to write exceptions, you have all the information you may need all within one window.

MITRE ATT&CK Matrix for detection rules

This new view maps detection rules to MITRE tactics and techniques commonly used by attackers. The view lets you see where you have coverage with Rapid7’s out-of-the-box detection rules for common attacker use cases and dig into each rule to understand the nature of that detection.

MITRE ATT&CK Matrix within Detection Rules

Investigation Management reimagined

At Rapid7, we know how limited a security analyst’s time is, so we reconfigured our Investigation Management experience to help our users improve the speed and quality of their decision-making when it comes to investigations. Here’s what you can expect:

• A revamped user interface with expandable cards displaying investigation information
• The ability to view, set, and update the priority, status, or disposition of an investigation
• Filtering by the following fields: date range, assignee, status, priority level
  New investigations interface

We also introduced MITRE-driven insights in Investigations. Now, you can click into the new MITRE ATT&CK tab of the Evidence panel in Investigation to see descriptions of each tactic, technique, and sub-technique curated by MITRE and link out to attack.mitre.org for more information.

MITRE ATT&CK tab within Investigations Evidence panel

Rapid7’s ongoing emergent threat response to Log4Shell

Like the rest of the security community, we have been internally responding to the critical remote code execution vulnerability in Apache’s Log4j Java library (a.k.a. Log4Shell).

Through continuous collaboration and ongoing threat landscape monitoring, our Incident Response, Threat Intelligence and Detection Engineering, and MDR teams are working together to provide product coverage for the latest techniques being used by malicious actors. You can see updates on our InsightIDR and MDR detection coverage here and in-product.

Stay up to date with the latest on Log4Shell:

• View Log4Shell AttackerKB for our analysis
• Check out The Everyperson’s Guide to Log4Shell
• Head to our Log4Shell Resource Center for up-to-date information for customers

A continually expanding library of pre-built dashboards

InsightIDR’s Dashboard Library has a growing repository of pre-built dashboards to save you time and eliminate the need for you to build them from scratch. In Q4, we released 15 new pre-built dashboards covering:

• Compliance (PCI, HIPAA, ISO)
• General Security (Firewall, Asset Authentication)
• Security Tools (Okta, Palo Alto, Crowdstrike)
• Enhanced Network Traffic Analysis
• Cloud Security
  Dashboard Library in InsightIDR

Additional dashboard and reporting updates

• ****Updates to dashboard filtering:**** Dashboard Filtering gives users the ability to further query LEQL statements and the data across all the cards in their dashboard. Customers can now populate the dashboard filter with Saved Queries from Log Search, as well as save a filter to a dashboard, eliminating the need to rebuild it every session.
• ****Chart captions:**** We’ve added the ability for users to write plain text captions on charts to provide extra context about a visualization.
• ****Multi-group-by queries and drill-in functionality:**** We’ve enabled Multi-group-by queries (already being used in Log search) so that customers can leverage these in their dashboards and create cards with layered data that they can drill in and out of.

Updates to Log Search and Event Sources

We recently introduced Rapid7 Resource Names (RRN), which are unique identifiers added to users, assets, and accounts in log search. An RRN serves as a unique identifier for platform resources at Rapid7. This unique identifier will stay consistent with the resource regardless of any number of names/labels associated with the resource.

In log search, an “R7_context" object has been added for log sets that have an attributed user, asset, account, or local accounts. Within the “R7_context" object, you will see any applicable RRNs appended. You can utilize the RRN as a search in log search or in the global search (which will link to users and accounts or assets and endpoints pages) to assist with more reliable searches for investigation processes.

New “r7_context" Rapid7 Resource Name (RRN) data in Log Search

****Event source updates****

• ****Log Line Attribution for Palo Alto Firewall & VPN, Proofpoint TAP, Fortinet Fortigate****: When setting up an event source you now have an option to leverage information directly present in source log lines, rather than relying solely on InsightIDR’s traditional attribution engine.
• ****Cylance Protect Cloud event source****: You can configure CylancePROTECT cloud to send detection events to InsightIDR to generate virus infection and third-party alerts.
• ****InsightIDR Event Source listings available in the********Rapid7 Extensions Hub****: Easily access all InsightIDR event source related content in a centralized location.

Updates to Network Traffic Analysis capabilities

****Insight Network Sensor optimized for 10Gbs+ deployments****: We have introduced a range of performance upgrades that make high-speed traffic analysis more accessible using off-the-shelf hardware, so you’re able to gain east-west and north-south traffic visibility within physical, virtual and cloud based networks. If you want to take full advantage of these updates check out the updated sensor requirements here.

****InsightIDR Asset Page Updates****: We have introduced additional data elements and visuals to the Assets page. This delivers greater context for investigations and enables faster troubleshooting, as assets and user information is in one location. All customers have access to:

• Top IDS events triggered by asset
• Top DNS queries

For customers with Insight Network Sensors and ENTA, these additional elements are available:

• Top Applications
• Countries by Asset Location
• Top Destination IP Addresses
  

Stay tuned!

Read More

FTC to Go After Companies that Ignore Log4j

 

Description

The Federal Trade Commission (FTC) will muster its legal muscle to pursue companies and vendors that fail to protect consumer data from the risks of the Log4j vulnerabilities, it warned on Tuesday.

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” according to the warning.

Those companies that bungle consumer data, leaving vulnerabilities unpatched and thus opening the door to exploits and the resulting possible “loss or breach of personal information, financial loss and other irreversible harms,” are risking consequences tied to weighty laws that have resulted in fat fines, the FTC said.

It mentioned, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. The FTC Act, the commission’s primary statute, enables it to seek monetary redress and other relief for conduct injurious to consumers. Gramm-Leach-Bliley requires financial institutions to safeguard sensitive data.

“ It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,” the FTC urged.

The FTC means it: Its warning included a reference to the complaints against Equifax, which agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, and all fifty states over its infamous 2017 data leak (consumers’ reaction at the time: Make it hurt more).

According to the Equifax complaint, its failure to patch a known vulnerability “irreversibly exposed the personal information of 147 million consumers.” Expect more of the same if your company fails to protect consumer data from exposure as a result of Log4Shell or whatever similar, known vulnerabilities crop up, it said.

The FTC advised companies to use guidance from the Cybersecurity and Infrastructure Security Agency (CISA) to check if they’re using Apache’s Log4j logging library, which is at the heart of the cluster of vulnerabilities known as Log4Shell.

Companies that find that they are using Log4j should do the following, CISA recommended:

• Update your Log4j software package to the most current version.
• Consult CISA guidance to mitigate this vulnerability.
• Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
• Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.

On Dec. 17, CISA issued an emergency directive mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Log4j vulnerabilities by Thursday, Dec. 23. Federal agencies were given five more days – until Dec. 28 – to report Log4Shell-affected products, including vendor and app names and versions, along with what actions have been taken – e.g. updated, mitigated, removed from agency network – to block exploitation attempts.

CISA provides a dedicated page for the Log4Shell flaws with patching information and has released a Log4j scanner to hunt down potentially vulnerable web services.

The Log4j Fire Rages Unabated

The initial flaw – CVE-2021-44228 – was discovered on Dec. 9 and came under attack within hours. As of Dec. 15, more than 1.8 million attacks, against half of all corporate networks, using at least 70 distinct malware families, had already been launched to exploit what became a trio of bugs:

1. The Log4Shell remote-code execution (RCE) bug that spawned even nastier mutations and which led to …
2. The potential for denial-of-service (DoS) in Apache’s initial patch. Plus, there was …
3. A third bug, a DoS flaw similar to Log4Shell in that it also affected the logging library. It differed in that it concerned Context Map lookups, not the Java Naming and Directory Interface (JNDI) lookups to an LDAP server involved in CVE-2021-44228: lookups that allow attackers to execute any code that’s returned in the Log4Shell vulnerability.

At this point, the Conti ransomware gang has had a full attack chain in place for weeks.

In a Monday update, Microsoft said that the end of December brought no relief: The company observed state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through month’s end. “Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,” Microsoft security researchers warned.

“Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” the researchers said.

Hunting Down Log4j

One of the most challenging aspects of responding to the Log4j vulnerability is simply identifying the devices in an organization where Log4j is used. The word “ubiquitous” has applied since the get-go.

“Since it is a cross-platform, widely used software library, there is incredible diversity in where and how it is deployed: it can be an application package installed by itself, bundled with another application package as just another file on disk or embedded in another application with no visible artifact,” J.J. Guy, co-founder and CEO at Sevco Security, told Threatpost on Wednesday.

He added, “Even worse, it is used in everything from cloud-managed services to server applications and even fixed-function, embedded devices. That internet-connected toaster is very likely vulnerable to Log4Shell.”

We’re just in the middle of the triage phase now, Guy said, where basic tools like systems-management or software-management tools to check for the file on disk can provide initial triage.

One question: What’s the inventory of equipment that still needs to be triaged?

“For organizational leaders, such as the board, CEO, CIO or CISO, to have confidence in those triage results requires they report not only the machines that have been triaged but also how many are pending triage,” Guy remarked. “Reporting the ‘pending triage’ statistic requires a complete asset inventory, including which machines have been successfully triaged.”

He called this “one of the larger hidden challenges” in every organization’s response, given that so few have a comprehensive asset inventory, “despite the fact it has been a top requirement in every security compliance program for decades.”

Read More

Microsoft Warns of Continued Attacks Exploiting Apache Log4j Vulnerabilities

 

Description

Microsoft is warning of continuing attempts by nation-state adversaries and commodity attackers to take advantage of security vulnerabilities uncovered in the Log4j open-source logging framework to deploy malware on vulnerable systems.

“Exploitation attempts and testing have remained high during the last weeks of December,” Microsoft Threat Intelligence Center (MSTIC) said in revised guidance published earlier this week. “We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks.”

Publicly disclosed by the Apache Software Foundation on December 10, 2021, the remote code execution (RCE) vulnerability in Apache Log4j 2, aka Log4Shell, has emerged as a new attack vector for widespread exploitation by a variety of threat actors.

In the subsequent weeks, four more weaknesses in the utility have come to light — CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, and CVE-2021-44832 — providing opportunistic bad actors with persistent control over the compromised machines and mount an evolving array of attacks ranging from cryptocurrency miners to ransomware.

Even as the mass scanning attempts are showing no signs of letting up, efforts are underway to evade string-matching detections by obfuscating the malicious HTTP requests orchestrated to generate a web request log using Log4j that leverages JNDI to perform a request to the attacker-controlled site.

In addition, Microsoft said it observed “rapid uptake of the vulnerability into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the Tsunami backdoor to Linux systems.”

On top of that, the Log4Shell vulnerability has also been put to use to drop additional remote access toolkits and reverse shells such as Meterpreter, Bladabindi (aka NjRAT), and HabitsRAT.

“At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” MSTIC noted. “Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.”

The development also comes as the U.S. Federal Trade Commission (FTC) issued a warning that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

Read More