The holiday season is shaping up to be busy for those patching systems affected by the critical flaw in the Log4j Java application error logging library. IBM has confirmed several of its major enterprise products are affected by the Log4j bug. On Thursday, the company confirmed that the IBM Db2 Warehouse, which uses Log4j, allowed a remote attacker to execute arbitrary code on the system. Log4j is used in the Db2 Federation feature. IBM has released a special fix pack and mitigation notes for Db2 version 11.5 systems that are vulnerable if certain Federation features are configured. Since Wednesday, IBM has released Log4j fixes for over a dozen cloud products, spanning security and identity, analytics, databases, managed VMware services, and Watson AI products. It has also released fixes for 20 on-premises IBM products for Cognos business intelligence, Power hardware, WebSphere, Watson, and more. LOG4J FLAW COVERAGE – WHAT YOU NEED TO KNOW NOW IBM is continually updating the list of products affected by the flaw and those it has confirmed are not impacted.  Dozens of Cisco products are affected by Log4j, too. On Friday, Cisco will release numerous firmware and hotfix updates that address the flaw, followed by more updates scheduled over the weekend and over the following week through to 24 December.  Products scheduled for updates on Friday include Cisco Identity Services Engine, DNA Spaces Connector, Cisco BroadWorks, and Cisco Finesee. On Saturday, it will release updates for several more products including Cisco Contact Center Domain Manager (CCDM), Cisco IOx Fog Director, Cisco Contact Center Management Portal (CCMP), Cisco Unified Communications Manager / Cisco Unified Communications Manager Session Management Edition, Cisco Video Surveillance Operations Manager, and Cisco Connected Mobile Experiences (CMX).   VMware is also updating its list of affected products, most of which are badged as ‘critical’ with a CVSS severity score of 10 out of 10, and currently marked as ‘patch pending’. Where patches are not available, VMware is updating its recommended mitigations to factor in updates addressed by Apache Foundation’s Log4j version 2.16 release, which addressed the incomplete patch it initially released last week.

VMware had over 100 products affected by the bug popularly known as Log4Shell, and tracked as CVE 2021-44228. But the virtualisation giant has also released a patch to address a critical non-Log4j Server Side Request Forgery (SSRF) vulnerability in its Workspace ONE Unified Endpoint Management (UEM) console. Tracked as CVE-2021-22054, this flaw would allow an attacker with network access to UEM to “send their requests without authentication and may exploit this issue to gain access to sensitive information”, according to VMware’s advisory.  LOG4J FLAW COVERAGE – WHAT YOU NEED TO KNOW NOW  The vulnerability got a CVSS score of 9.1 out of 10, and so should be added to the list of priorities for patching before the Christmas break. The bug affects the 2105, 2012, 2011, and 2008 versions of the Workspace ONE UEM console.  The Cybersecurity and Infrastructure Security Agency and the White House yesterday warned organisations in the US to beware of cyberattacks during the holiday season. Cyber criminals frequently launch major ransomware attacks on public holidays to take advantage of skeleton staffing. CISA has instructed federal agencies to identify all applications affected by the Log4j flaw by 24 December.  CISA has published a list of vendors and products affected by the Log4Shell flaw. The Netherlands cybersecurity agency is also updating a list of affected products and vendors, which it published earlier this week. More

Microsoft is warning customers about the LemonDuck crypto mining malware which is targeting both Windows and Linux systems and is spreading via phishing emails, exploits, USB devices, and brute force attacks, as well as attacks targeting critical on-premise Exchange Server vulnerabilities uncovered in March. 

ZDNet Recommends

Also: The 25 most dangerous software vulnerabilities to watch out forThe group was discovered to be using Exchange bugs to mine for cryptocurrency in May, two years after it first emerged.         Notably, the group behind LemonDuck is taking advantage of high-profile security bugs by exploiting older vulnerabilities during periods where security teams are focussed on patching critical flaws, and even removing rival malware.  “[LemonDuck] continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise,” the Microsoft 365 Defender Threat Intelligence Team note.  “Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.” Cisco’s Talos malware researchers have been scoping out the group’s Exchange activities too. It found LemonDuck was using automated tools to scan, detect, and exploit servers before loading payloads such as the Cobalt Strike pen-testing kit — a favored tool for lateraled movement — and web shells, allowing malware to install additional modules. 

According to Microsoft, LemonDuck initially hit China heavily, but it has now expanded to the US, Russia, Germany, the UK, India, Korea, Canada, France, and Vietnam. It focuses on the manufacturing and IoT sectors. This year, the group ramped up hands-on-keyboard or manual hacking after an initial breach. The group is selective with its targets.  It also crafted automated tasks to exploit the Eternal Blue SMB exploit from the NSA that was leaked by Kremlin-backed hackers and used in the 2017 WannCry ransomware attack. “The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemondDuck campaigns today,” Microsoft’s security team notes.  LemonDuck got its name from the variable “Lemon_Duck” in a PowerShell script that’s acts as the user agent to track infected devices.  The vulnerabilities it targets for initial compromise include CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon). “Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts,” Microsoft notes.  More

Amazon’s crusade against counterfeit product sellers on the firm’s platform continues with two million products seized and destroyed in 2020. 

The e-commerce giant, known for shopping events such as Prime Day, allows third-party sellers across the globe to tout their wares on the Amazon platform. However, it takes only a brief glance at some products to know there are issues. Fake, counterfeit products, poor quality, misleading photos, and more are all noted in buyer reviews and there are vast numbers of counterfeit operations that Amazon is attempting to detect and remove.  While some sellers abuse the platform in colorful ways — such as the case of an Instagram influencer who was shut down after allegedly selling dupes with pictures of generic products in the marketplace — others continue to trade without detection.  However, Amazon wants to bring down “counterfeit to zero” on the platform and to benchmark the firm’s progress has released its first Brand Protection Report (.PDF) to the public.  According to the report, which documents anti-counterfeit activities during 2020, there have been “increased attempts by bad actors to commit fraud and offer counterfeit products,” leading to the seizure of millions of products sent to fulfillment centers which were then destroyed.  “Amazon destroyed those products to prevent them from being resold elsewhere in the supply chain,” the company says. 

The e-commerce giant added that over 10 billion “suspect” listings were blocked before being published, and over six million attempts to create seller accounts suspected of being involved in counterfeit operations were prevented.  When it comes to brands being impersonated by counterfeit sellers, Amazon says that less than 0.01% of products sold received an allegation from a customer of being fake, and in these cases, over 7,000 SMBs were connected via Amazon’s Counterfeit Crimes Unit to legal teams in the US and Europe.  Over $700 million was invested in 2020 to combat counterfeit product operations.  “Amazon continues to innovate on its robust proactive controls and powerful tools for brands, and won’t rest until there are zero counterfeits in its store,” Amazon commented. “However, this is an escalating battle with criminals that continue to look for ways to sell counterfeits, and the only way to permanently stop these counterfeiters is to hold them accountable through the court system and criminal prosecution.” Another problem that likely gives Amazon a headache is the custom of unscrupulous sellers who pay customers to leave five-star reviews. A data leak earlier this month implicated approximately 200,000 individuals in a review scam — potentially originating from China — in which sellers ‘refund’ a product’s price once a glowing review is left on the item’s Amazon listing.  In response, the company said, “we suspend, ban, and take legal action against those who violate [community and review] policies.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Scammers phoned guests to “confirm” their credit card details for reservations. More

An hacking group which conducts cyber espionage campaigns and ransomware attacks is targeting organisations in Europe and the United States. Cybersecurity researchers at Secureworks have detailed a string of cyber attacks involving ransomware and data theft which took place in early 2022 to an Iranian hacking group they refer to as Cobalt Mirage – also known as APT35, Charming Kitten, Phosphorus and TA453 by other research groups. Among the attacks is an incident targeting a US local government network in March 2022, which Secureworks researchers have attributed to Cobalt Mirage due to hallmarks of previously uncovered attacks by the group.  These include exploiting the ProxyShell vulnerabilities to deploy Fast Reverse Proxy client (FRPC) and enable remote access to vulnerable systems, along with use of infrastructure that matches patterns associated with the threat group. While the initial means of compromise in this attack is still unclear, researchers note how the attackers likely exploited unpatched Log4j vulnerabilities despite a patch being available. There’s evidence that this initial exploitation may have occurred as early as January 2022. Most of the intrusion activity spanned a four-day period in March, with the key aim of the activity based around scanning the network and stealing data – researchers note that this is strange, as like other attacks detected during the period, the targets had no strategic or political value to Iran. SEE: A winning strategy for cybersecurity (ZDNet special report)After the March 2022 intrusion was detected and disrupted, no further malicious activity was observed. Researchers suggest that the main motivation behind this attack, and others is financial gain, but it’s unclear how exactly the attackers would look to profit from it. “While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited,” Secureworks Counter Threat Unit (CTU) researchers wrote in a blog post. No ransomware was deployed in the attack against the undisclosed US local government victim, but researchers note that Cobalt Mirage does engage in ransomware attacks – as another victim discovered in January described as a ‘a U.S. philanthropic organization’. According to Secureworks researchers who investigated the incident, attackers used ProxyShell and Microsoft Exhange vulnerabilities to move around the network and remotely gain access to accounts, before eventually triggering a BitLocker ransomware attack. Unusually, the ransom note was sent to a printer on the network and printed out on paper, detailing an email address and contact details. While Cobalt Mirage has links to state-backed hacking operations, in this case, the ransomware is being deployed as a purely financially motivated attack. Ransomware ransom notes are more typically left either on screens or on servers.”The threat actors completed the attack with an unusual tactic of sending a ransom note to a local printer. The note includes a contact email address and Telegram account to discuss decryption and recovery. This approach suggests a small operation that relies on manual processes to map victims to the encryption keys used to lock their data,” the security researchers said. In both incidents detailed by researchers, attackers were able to gain access to networks by exploiting unpatched critical cybersecurity vulnerabilities. In order to protect networks against cyber attacks, it’s recommended that security patches are applied as quickly as possible in order to prevent potential intruders exploiting known vulnerabilities. Researchers also recommend implementing multi-factor authentication, and monitoring for unauthorised or suspicious use of tools and file-sharing services  which could indicate attackers are in the network. MORE ON CYBERSECURITY More