More stories

  • CISA, White House urge organizations to get ready for holiday cyberattacks

    The Cybersecurity and Infrastructure Security Agency and the White House have released warnings to companies and organizations across the country, urging them to be on alert for cyberattacks ahead of the Christmas holiday. 


    CISA has released “CISA Insights: Preparing For and Mitigating Potential Cyber Threats” to provide critical infrastructure leaders with steps to proactively strengthen their organization’s operational resiliency against sophisticated threat actors.

    In a letter sent out on Thursday, White House Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger and National Cyber Director Chris Inglis said there are typically breaches around national holidays because cybercriminals know that security operations centers are often short-staffed. Cyber officials released a similar message earlier this year after major attacks on Colonial Pipeline and Kaseya took place on Memorial Day Weekend and July 4 Weekend respectively.

    “Beyond the holidays, though, we’ve experienced numerous recent events that highlight the strategic risks we all face because of the fragility of digital infrastructure and the ever-present threat of those who would use it for malicious purposes,” Neuberger and Inglis said. “There are specific steps that you, as leaders, can initiate now to reduce the risk of your organizations during this time of heightened risk and into the New Year. In many cases, criminals plan and actually begin an intrusion before the holiday itself — they infiltrate a network and lie in wait for the optimal time to launch an attack. It is therefore essential that you convene your leadership team now to make your organization a harder target for criminals.”

    The two urged organizations to make sure all patches are up-to-date, enable logs, back up data, investigate incidents quickly, change passwords, mandate multi-factor authentication, manage IT security schedules and make employees aware of phishing.

    CISA’s warning focused on critical infrastructure owners and operators, telling them that security personnel coverage needs to be sketched out now in light of the coming Christmas holiday, and incident response plans need to be updated. Organizations should also make sure all the cybersecurity best practices are being followed and that the current cybersecurity threats and malicious techniques are being monitored. CISA even said the threshold for information sharing should be lowered, and any cybersecurity incidents and anomalous activity should be reported to CISA or the FBI immediately. The FBI sent out its own notice on Wednesday notifying potential victims of the Log4j vulnerability that they “may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat.”

    While some cybersecurity experts have said cybercriminal interest in Log4j is waning, Microsoft said nation states and other groups are exploiting the bug, including Chinese government-linked group Hafnium as well as groups from North Korea, Turkey and Iran. VMware head of cybersecurity strategy Tom Kellermann told ZDNet that he was very concerned about the organizations that haven’t followed the “very specific and holistic advice” given by CISA and the Joint Cyber Defense Collaborative (JCDC). As a member of the JCDC, VMware has worked alongside Google, Microsoft and Verizon to help address the threat posed by Log4j.

    “Ever since the first proof of concept exploit was made available, attackers around the world — from cybercrime cartels to rogue nation states — have been actively exploiting the vulnerability, and that’s been going on for days. Everyone uses Apache in some form and it’s really a question of them updating immediately,” Kellermann said. “But in addition to that, I think people should apply outbound micro-segmentation rules to prohibit new connections from being established from workloads. They should be scanning their environment and code bases for vulnerable systems employing Log4j. They should be monitoring their workloads for abnormal traffic flow, and they should be reviewing their log files to look for unauthorized configuration changes.”

    Kellermann added that if an organization doesn’t know where Apache ends and begins in their environment, they need to “dramatically expand their threat hunt game” because, more than likely, they’ve already been compromised given the level of scanning and exploitation occurring.
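    A defender-side inventory check in the spirit of the scanning advice above, added here as an example and not code from the article, VMware or CISA: it walks a directory tree, opens every jar, war or ear (including archives nested inside archives), reads the log4j-core Maven metadata for the version, and reports whether the JndiLookup class is still present. It assumes Apache’s published boundary that log4j-core 2.x below 2.15.0 is affected by CVE-2021-44228 and that deleting JndiLookup.class is the vendor’s stop-gap mitigation; the sample jar it builds is constructed for the demonstration, not a real Log4j artifact.

```python
# Added inventory helper for CVE-2021-44228: finds log4j-core inside jars, wars
# and ears on disk (recursing into nested archives) and triages each hit.
import io
import os
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Return (major, minor, patch) from pom.properties, or None.
    Suffixes like '2.0-beta9' are ignored, which errs toward flagging."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """Assumed boundary from Apache's advisory: log4j-core 2.x before 2.15.0
    is affected by CVE-2021-44228 (the 1.x line is not judged here)."""
    major, minor, patch = version
    return major == 2 and (minor, patch) < (15, 0)


def classify(version, has_jndi):
    """Triage one archive from its version and JndiLookup.class presence."""
    if version is not None and not is_affected(version):
        return "patched"       # fixed release; lookup class is irrelevant
    if not has_jndi:
        return "mitigated"     # affected version but JndiLookup.class removed
    if version is None:
        return "needs_review"  # lookup class present, version unknown
    return "vulnerable"


def scan_archive(data, name, findings=None, depth=0):
    """Inspect one archive given as bytes; recurse into nested archives."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings        # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append({"path": name, "version": version,
                             "jndi_lookup_present": has_jndi,
                             "status": classify(version, has_jndi)})
        if depth < 8:          # bound recursion into nested archives
            for inner in sorted(names):
                if inner.lower().endswith(ARCHIVE_EXT):
                    scan_archive(zf.read(inner), f"{name}!/{inner}",
                                 findings, depth + 1)
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every archive found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
            except OSError:
                continue       # unreadable file, move on
    return findings


def make_sample_jar(version, keep_jndi=True, wrap_in_war=False):
    """Constructed test input (not a real Log4j artifact): a minimal jar with
    only the two entries the scanner inspects, optionally nested in a war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if keep_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # stand-in bytes
    data = buf.getvalue()
    if wrap_in_war:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as war:
            war.writestr("WEB-INF/lib/log4j-core.jar", data)
        data = outer.getvalue()
    return data
```

    Calling scan_tree on an application directory (an assumed path such as /opt/apps) returns one record per log4j-core found; the "vulnerable" and "needs_review" entries are where patching starts.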

  • Avaya shows evolution to cloud at Engage user conference

    This week the International Avaya User Group (IAUG) is holding its annual user event, Engage, in Orlando, Florida. I attended the event and found it interesting for a couple of reasons: The first is that it returned to an in-person format after a one-year hiatus due to the pandemic, so it was nice to see the enthusiasm from an audience that seemed to be excited about seeing colleagues again. Second and more importantly, it was the first Engage held post-Avaya’s transition to a cloud company. 

    The transformation of Avaya has been well underway for several years. It had evolved its business model to subscription-based, cut a deal with RingCentral for a cloud communications solution, and built a communications platform as a service (CPaaS) platform. Last year the company launched its cloud contact center product and most recently announced its Experience Builders program to build an ecosystem of “experience creators” that use Avaya’s platform.

    The proof of its success in this transition was highlighted in the keynote delivered by Avaya’s CEO, Jim Chirico. He reported that the company has had six consecutive quarters of accelerating growth, and all of its cloud-related metrics are up. The biggest measure of its cloud growth is the annual recurring revenue (ARR), which was up 180% from 2020 to 2021. However, while numbers certainly tell one story, more meaningful to me are customer use cases that highlight success.

    What is interesting about Avaya is that its definition of cloud bucks the trend of most of the cloud communications industry. The majority of communications vendors use the term “cloud” as a euphemism for “UCaaS” (unified communications as a service) or “CCaaS” (contact center as a service), and while these are indeed cloud offerings, there is more to cloud than public cloud — cloud can also mean private and hybrid clouds. It’s this ability to deliver a cloud in any format (public, private, or hybrid) that makes Avaya unique because it doesn’t force any customer into a particular deployment model. At the event, I caught up with the following customers that were using the different flavors of Avaya’s cloud.

    Skybridge Americas is a business process outsourcer (BPO) that supports contact center-heavy verticals, such as financial services and retail. The company had been on a hosted platform for several years and is in the process of migrating to Avaya’s OneCloud Private Cloud for Contact Center. The organization has about 1,000 total agents and moved to a cloud model so it could rapidly scale up and down as needed due to seasonality in its customers’ businesses. I asked why Skybridge chose to go private cloud, and CIO Bryant Richardson told me: “We wanted control over updates and wanted to ensure we are able to manage the environment ourselves.” Among the customers I work with, control is one of the most common reasons businesses choose private cloud over public.

    Engagent Health is a BPO with a speciality in healthcare payers. It provides a variety of services, such as commission payments, CRM, agent onboarding, and others. The company chose Avaya’s OneCloud CCaaS solution, which is the public cloud version of its contact center technology. I met with Austin Ifedirah, founder and managing partner, and asked why they chose a SaaS model for its approximately 600 agents, and he told me it was a matter of economics. Given that the company is only a couple of years old, the public cloud model allowed him to start with very little upfront cost and then cost-effectively ramp up as needed. He did tell me that he chose Avaya because its strong brand in the contact center would help him attract customers. “Everyone knows Avaya in contact centers, and when I’m talking to healthcare executives, they don’t question the quality or reliability of the product,” Ifedirah said. He also said he believes the use of the public cloud was transitional and thought it would be more cost-effective to use the private cloud when they got to about 6,000 agents. Avaya having both public and private would make the transition easier, he said.

    Liberty Mutual is the sixth-largest global property and casualty insurer in the U.S. and ranks 71 on the Fortune 100 list of the largest American companies. The company currently has about 11,000 agents that run on an Avaya hybrid cloud. I won’t get into the technical details regarding the hybrid architecture; the more important point is why Liberty Mutual chose to go hybrid. Josh Hoium, Director of Engineering and Global Network Communications, told me: “We have a mix of legacy and new systems all around the globe, so we had to go hybrid. We use public cloud where we can and then keep on-prem what we need to control.” One of the interesting aspects of the deployment is Liberty Mutual’s use of Twilio Flex. The “roll your own” CCaaS model was hyped a couple of years ago and viewed as a killer to companies like Avaya. Hoium told me, while they use Twilio, it’s been marginalized to a handful of countries where they are just trying to keep the costs down because it’s a “dirt-cheap deployment model” and does not offer the best experience. Where voice quality and experiences matter, the Avaya cloud is used.

    Avaya’s unique capabilities in offering UCaaS, CCaaS, and CPaaS in various configurations are due to its new Media Processing Core (MPC), which creates a hub-and-spoke model between the services by offering a single set of channels into the platform, regardless of use case. This enables Avaya to deliver services such as voice or video as part of the contact center, in a meeting tool, or even APIs in any cloud configuration. To date, much of the hype around cloud communications had been around public cloud, and that makes sense because early adopters were smaller companies — many of whom had no contact center. Looking ahead, as more large enterprises plan to move UC and CC to the cloud, the definition of what constitutes a true SaaS offer has evolved. Whether an organization deploys in a public cloud, a dedicated instance, or a hybrid approach, the benefits of the solution, not where it’s operated, will be crucial. With very few providers having the capacity to offer all flavors of cloud, Avaya’s ability to deliver to the customer’s needs is something they should continue to amplify. While it’s fair to say Avaya was a latecomer to cloud communications, the company has done a nice job of building a platform, OneCloud, that can deliver a cloud any way the customer wants.

  • Brazil investigates use of staff credentials in cyberattacks against government bodies

    Following major cyberattacks against central government bodies in Brazil, initial investigations have found that malicious actors have used civil servant credentials to access systems.

    The finding is among a series of warnings and recommendations issued by the presidency’s Institutional Security Office (GSI). Initially released last Wednesday (December 8) and edited yesterday (December 14), the alert is aimed at security managers across the federal government. “Some intrusions have occurred using legitimate administrator [credentials],” the document noted, adding this meant attackers didn’t have to perform any actions to access system privileges. The publication and subsequent editing of GSI’s alert emerge as Brazil’s Ministry of Health (MoH) struggles to re-establish its systems following a major ransomware attack last Friday. Systems such as ConecteSUS, which holds COVID-19 vaccination data and certificates, remain unavailable. GSI recommended a series of security measures to be adopted by departments in the event of “malicious actions or improper use of credentials”. As well as notifying the government’s cyberattack prevention and response center, instructions included strengthening the use of multi-factor authentication tools for all cloud system administrators. The security office also recommended the re-evaluation of backup policies, as well as requesting cloud providers to change master passwords and implement additional security layers to mitigate the risk that malicious actors utilize high-privilege passwords.

    Security managers should control metadata access settings in cloud environments, the GSI document noted, and start internal campaigns to get staff to change their passwords for stronger alternatives. In addition, the document suggests reducing the level of network privileges as a means to limit the number of staff able to make major system changes. Recommendations also include blocking access to systems for public servants away from work for reasons such as vacation.

    The Ministry of Health is still working to bring systems back online after a second cyberattack “caused turmoil” at Datasus, the department’s IT function. On Wednesday (December 15), the MoH said in a statement teams were working on re-establishing the system for vaccine certification as soon as possible but did not provide an estimate of when that would happen. In addition, the MoH alerted the population about false emails about a supposed service whereby vaccine certificates would be emailed to the population. The department reiterated the only way to get the certificates is via the ConecteSUS app or online.

    Members of the Lapsus$ group, which has claimed responsibility for the cyberattacks against the Ministry of Health over the last few days, started to dump files online that were allegedly extracted from the MoH’s systems, according to Brazilian security website CISO Advisor. So far, 293MB worth of data has already been dumped, and the package is composed mainly of data tables, Javascript code and apparently no citizen data. In an exchange with CISO Advisor, the perpetrators said they will dump an additional 10MB online soon but did not say when.

  • Log4j flaw: This new threat is going to affect cybersecurity for a long time

    If there ever was any doubt over the severity of the Log4j vulnerability, Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), immediately quashed those doubts when she described it as “one of the most serious that I’ve seen in my entire career, if not the most serious”. On Friday 9 December, the information security world was rocked by the disclosure of Log4j (CVE-2021-44228), a zero-day vulnerability in the widely used Java logging library Apache Log4j, which allows attackers to remotely execute code and gain access to machines.

    Not only is the vulnerability relatively simple to take advantage of, the ubiquitous nature of Log4j means that it’s embedded in a vast array of applications, services and enterprise software tools that are written in Java – and used by organisations and individuals around the world. That means after a long and exhausting year, tech staff find themselves scrambling to fix yet another critical vulnerability.

    Even worse, in the case of Log4j, it may be extremely hard for even security professionals to understand whether this code is part of their applications and thus a potential risk. Like much open-source software, it is built in further down the supply chain. Many vendors are still attempting to find out if their products are affected.

    That’s why some have likened Log4j to Heartbleed, a vulnerability in SSL that affected many major websites and services, but was also difficult to detect and manage. Like Heartbleed, the consequences of which have continued to unfurl for years, there’s already the fear that Log4j vulnerabilities could be a long-term problem. Not that hackers have waited a moment before attempting to take advantage of a newly disclosed vulnerability, of course.

    Within just a few hours, there were already a vast number of attempts at exploiting Log4j vulnerabilities. What’s more, the malicious activity being tracked has only continued to rise – one cybersecurity company says it took just days for attackers to target almost half of corporate networks.

    Some of the first payloads dropped were cryptominers – malware that uses the processing power of the infected device to mine for cryptocurrency. But much more dangerous threats soon followed. These included instances of penetration-testing tool Cobalt Strike being installed – something commonly used by attackers to steal usernames and passwords that are necessary to move around networks. That was followed by reports of ransomware that is exploiting Log4j. Khonsari, for example, is an incredibly basic form of ransomware, but ransomware groups are quick to adopt any techniques that increase the chances of compromising networks and successfully demanding a ransom, meaning more ransomware attacks leveraging Log4j are likely to follow.

    Then came the nation state-backed hacking groups looking to exploit the vulnerability – like they had with SolarWinds and Microsoft Exchange. Hacking operations working out of China, Iran, North Korea and Turkey were spotted attempting to leverage Log4j – and they’ll continue to make these moves for as long as they can.

    Work has already begun to repair the damage. CISA has mandated that federal agencies must patch the Log4j vulnerability within days. But for everyone else, the process could take years and there will be plenty of instances where, despite the critical vulnerabilities, some systems will never get the patch. Just look at EternalBlue, the catalyst behind WannaCry and NotPetya in 2017, which still regularly features among the most commonly exploited vulnerabilities and, years later, is still used by cyber criminals to launch attacks.

    Ultimately, as long as there are systems that are at risk from the Log4j vulnerability, there will be cyber criminals or nation state-backed hackers out there who will look to take advantage. And even if a high-profile organisation is under the impression that it’s protected against the vulnerability, there’s the possibility that attackers could compromise a supplier that doesn’t manage its IT as thoroughly. Criminals could then exploit that gap as a gateway to the larger, more lucrative target.

    It’s ultimately a quirk of how the internet works that so much harm could potentially come from an open-source project, operated and managed on a voluntary basis. The internet is a crucial part of our everyday lives, but instances like this Log4j vulnerability demonstrate how vulnerable it can be. Some experts will call for more rules and regulations over how the internet and computers ultimately work and fit together. That would be a difficult conversation, particularly given how so much of the infrastructure that helped make the internet what it is today is ultimately built from passion projects and volunteer schemes.

    Cybersecurity professionals were already burned out after a difficult few years. Another major cybersecurity event in the run up to Christmas won’t have helped anything. Unfortunately, Log4j will likely remain an issue through 2022 and beyond – we’re probably only scratching the surface of the risk and the hacking campaigns that will attempt to exploit this vulnerability. The best thing organisations can do, for now, is to follow the expert advice and apply updates to mitigate the potential damage – and then hope that similar vulnerabilities don’t emerge elsewhere any time soon to cause more damage and more burnout.

  • China's mobile robots attract big money

    A Beijing-based robotics firm specializing in warehouse and logistics automation recently upped its overall funding to $100 million. ForwardX Robotics, which makes autonomous mobile robots for materials handling, recently announced the completion of its Series C. The funding is part of a broader narrative playing out in China, where the domestic robotics sector has soared thanks to an onshoring push by the government and heavy investment in the country’s tech sector. Since 2016 the country has nearly tripled its output of robots by unit. Meanwhile, Chinese robotics developers have seen more than 40% year-on-year revenue growth.

    In general, the robotics market is hot right now thanks to heavy demand and labor disruptions partly brought on by COVID-19; however, the growth of the Chinese robotics sector marks a major shift over the past five years globally. China has long been a net importer of foreign industrial robots to support its manufacturing infrastructure, but the Made in China 2025 plan has made domestic automation development a top priority. The trend isn’t exactly new. Back in 2018, Jeremie Capron, Director of Research at ROBO Global, a benchmark index series tracking robotics and AI companies, told us about the brisk pace of growth in Chinese automation: “China is home to the largest and fastest-growing robotics market on earth. Chinese government contracts, such as the Made in China 2025 plan, are fueling R&D into AI technologies and its investments are now rivaling Silicon Valley startups. So far, Chinese activity in robotics and AI is on a rampage and there are no signs of a slowdown in innovation.”

    If there was any doubt that growth would continue, it can be laid to rest. By some estimates, China now exports more robots than the U.S. ForwardX is illustrative of the trend. Only 7 months after the close of its $63-million Series B round, the latest round of funding brings ForwardX to approximately $100 million in total investment since its founding in 2016.

    “Our latest round of funding contributes to the positive momentum we have been building over the past 24 months. With a growing market share across our key territories, we look forward to continuing to deliver transformational results to our current and future customers,” Founder and CEO Nicolas Chee says. “While previously we’ve been focused on the domestic Chinese market, 2021 has brought us more success outside of China. We’re really looking forward to making our solutions available to a wider audience and cementing our position as a dominant player in North and South America, Asia, and Europe.”

    Not surprisingly, the company has ambitions to expand and plans to use the new capital in part to increase its deployment capabilities in key markets, such as the US market, and expand its sales reach into new markets. ForwardX is opening an office on the East Coast as well as in Tokyo, which might be read as a shot across the bow of two once-dominant robotics powerhouses.

    “It’s an exciting time for us and the industry as a whole. COVID-19 made it difficult to expand overseas during 2020, but this year has brought us a lot more success in that regard,” says ForwardX’s COO, Yaxin Guan. “E-commerce in the US has seen its 18-month spike become the new base level resulting in accelerated demand for automation, and, with this round of funding, we’re in a better position to deliver quality solutions to North American customers.”

    So far the company has deployed fleets of autonomous mobile robots (AMRs) to partners like JD Logistics, SF DHL Supply Chain China, TCL Electronics, ITOCHU Logistics China, and Dongfeng Motor Corporation. LinkedIn China dubbed ForwardX a Top 13 Startup.

  • Google: This zero-click iPhone attack was incredible and terrifying

    Google has explained how surveillance company NSO Group developed an exploit that would allow users of its software to gain access to an iPhone and install spyware – without a target ever even clicking a link. Last month, the US Department of Commerce added NSO Group to its “entity list”, largely banning it from US markets due to evidence it supplied spyware to foreign governments that used it to target government officials, journalists, business people, activists, academics, and embassy workers. In late November, Apple filed for a permanent injunction banning NSO from using any of its software, services or devices. 

    Now Google’s Project Zero (GPZ) has analyzed a relatively new NSO ‘zero-click’ exploit for iOS 14.7.1 and earlier, and deemed it “one of the most technically sophisticated exploits we’ve ever seen”. GPZ’s Ian Beer and Samuel Groß described the NSO’s exploit as both “incredible” and “terrifying”. The exploit creates a “weird” emulated computer environment within a component of iOS that handles GIFs but doesn’t normally support scripting capabilities. This exploit, however, allows an attacker to run JavaScript-like code in that component in order to write to arbitrary memory locations – and remotely hack an iPhone.

    Security researchers at Canada-based Citizen Lab reported the bug to Apple as part of its joint research with Amnesty International into NSO’s Pegasus mobile spyware package, which can be installed after using an exploit that jailbreaks an iPhone. Apple patched the memory corruption bug, tracked as CVE-2021-30860, in the CoreGraphics component in iOS 14.8 this September.

    Citizen Lab also shared a sample of NSO’s iMessage-based zero-click exploit for GPZ researchers to analyze. The attack exploits the code iMessage uses to support GIF images. GPZ’s Beer and Groß said it showed “the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states”. The initial entry point for Pegasus on iPhone is iMessage. This means that a victim can be targeted just using their phone number or AppleID username, the report notes. Even advanced users who know not to click links can be compromised.

    The weakness iMessage exposed comes via extra features Apple enabled for GIF images. Apple uses a ‘fake gif’ trick in iOS’s ImageIO library to make normal GIF images loop endlessly. That trick also happens to introduce over 20 additional image codecs, giving attackers a much larger surface to attack. “NSO uses the ‘fake gif’ trick to target a vulnerability in the CoreGraphics PDF parser,” Beer and Groß explain. The PDF parser is an interesting target. PDF historically was a popular target for exploitation because it was complex software and everyone used it. Also, Javascript in PDFs made it easier to exploit, they explain. As the GPZ researchers note: “The CoreGraphics PDF parser doesn’t seem to interpret javascript, but NSO managed to find something equally powerful inside the CoreGraphics PDF parser…”

    NSO found that powerful tool in Apple’s use of the JBIG2 standard for compressing and decompressing images. The standard was originally used in old Xerox scanners to efficiently transform images from paper into PDF files of just a few kilobytes in size. Among several crafty tricks NSO developed was the emulated computer architecture that relied on the JBIG2 portion of Apple’s CoreGraphics PDF parser. That emulated computer environment allowed them to write to arbitrary memory addresses with a scripting language not unlike JavaScript, despite JBIG2 lacking scripting capabilities.

    “JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory,” explain Beer and Groß. “So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.”

    “The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying.”

  • Suspected Iranian hackers target airline with new backdoor

    A suspected state-sponsored Iranian threat group has attacked an airline with a never-before-seen backdoor.

    On Wednesday, cybersecurity researchers from IBM Security X-Force said an Asian airline was the subject of the attack, which likely began in October 2019 and continued into 2021. The advanced persistent threat (APT) group ITG17, also known as MuddyWater, leveraged a free workspace channel on Slack to harbor malicious content and to obfuscate communications made between malicious command-and-control (C2) servers.

    “It is unclear if the adversary was able to successfully exfiltrate data from the victim environment, though files found on the threat actor’s C2 server suggest the possibility that they may have accessed reservation data,” IBM says.

    The Slack messaging Application Program Interface (API) was abused by a new backdoor deployed by the APT, named “Aclip.” Aclip is able to harness the API to both send data and receive commands – with system data, screenshots, and files sent to an attacker-controlled Slack channel. Overall, three separate channels were used by the backdoor to quietly exfiltrate information. Once installed and executed, the backdoor collected basic system data including hostnames, usernames, and IP addresses, which were then sent to the first Slack channel after encryption. The second channel was utilized to check for commands to execute, and the results of these commands – such as file uploads – were then sent to the third Slack workspace.

    While a new backdoor, Aclip is not the only malware known to abuse Slack – which should be of note to enterprise teams as the tool is valuable for those now often working from home or in hybrid setups. The Golang-based Slack C2bot also leverages the Slack API to facilitate C2 communications, and the SLUB backdoor uses authorized tokens to talk to its C2 infrastructure.

    In a statement, Slack said, “We investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service.” “We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service.”

  • Variant of Phorpiex botnet used for cryptocurrency attacks in Ethiopia, Nigeria, India and more

    Check Point Research has discovered new attacks targeting cryptocurrency users in Ethiopia, Nigeria, India and 93 other countries. The cybercriminals behind the attacks are using a variant of the Phorpiex botnet — which Check Point called “Twizt” — to steal cryptocurrency through a process called “crypto clipping.” 

    Because of the length of wallet addresses, most systems let you copy a wallet address and simply paste it in during transactions. With Twizt, cybercriminals have been able to substitute the intended wallet address with the threat actor’s wallet address. Researchers with Check Point said they have seen 969 transactions intercepted, noting that Twizt “can operate without active command and control servers, enabling it to evade security mechanisms,” meaning each computer that it infects can widen the botnet.

    In the last year, they have seen 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens stolen by Twizt operators, amounting to about $500,000. In one instance alone, 26 ETG was taken. Between April 2016 and November 2021, Phorpiex bots hijacked about 3,000 transactions worth nearly 38 Bitcoin and 133 Ether. The cybersecurity company noted that this was only a portion of the attacks taking place.

    Phorpiex was originally known as a botnet used for sextortion and crypto-jacking but evolved to include ransomware. Check Point said Phorpiex has been operating since at least 2016 and was initially known as a botnet that operated using the IRC protocol. “In 2018-2019, Phorpiex switched to modular architecture and the IRC bot was replaced with Tldr — a loader controlled through HTTP that became a key part of the Phorpiex botnet infrastructure. In our 2019 Phorpiex Breakdown research report, we estimated over 1,000,000 computers were infected with Tldr,” Check Point explained. In May, Microsoft’s Defender Threat Intelligence Team released a lengthy blog post warning that Phorpiex “began diversifying its infrastructure in recent years to become more resilient and to deliver more dangerous payloads.”

In August, the activity of Phorpiex command and control servers dropped sharply, and one of the people behind the botnet posted an ad on the darknet offering the source code for sale. Check Point’s Alexey Bukhteyev told The Record that even though the command and control servers were down, any buyer of the source code could set up a new botnet using all of the previously infected systems. It is unclear if the botnet was actually sold, but Check Point said the command and control servers were back online at another IP address within weeks.

When the command and control servers were restarted after their hiatus in August, they began distributing Twizt, which enables the botnet “to operate successfully without active command and control servers, since it can operate in peer-to-peer mode.”

“This means that each of the infected computers can act as a server and send commands to other bots in a chain. As a really large number of computers are connected to the Internet through NAT routers and don’t have an external IP address, the Twizt bot reconfigures home routers that support UPnP and sets up port mapping to receive incoming connections,” Check Point explained. “The new bot uses its own binary protocol over TCP or UDP with two layers of RC4-encryption. It also verifies data integrity using RSA and RC6-256 hash function.”

Now, Check Point said the new features in Twizt make them believe the botnet “may become even more stable and, therefore, more dangerous.” Check Point has seen attacks stay consistent even when the command and control servers are inactive. Over the last two months, there has been an uptick in attacks, with incidents hitting 96 different countries. Alexander Chailytko, cybersecurity research & innovation manager at Check Point Software, said two main risks are involved with the new variant of Phorpiex.
“First, Twizt is able to operate without any communication with C&C; therefore, it is easier to evade security mechanisms, such as firewalls, in order to do damage. Second, Twizt supports more than 30 different cryptocurrency wallets from different blockchains, including major ones such as Bitcoin, Ethereum, Dash, Monero,” Chailytko said. “This makes for a huge attack surface, and basically anyone who is utilizing crypto could be affected. I strongly urge all cryptocurrency users to double-check the wallet addresses they copy and paste, as you could very well be inadvertently sending your crypto into the wrong hands.”

Check Point urged cryptocurrency owners to always double-check that the original and pasted addresses match. People should also send test transactions before any large trades. In the report, researchers said the Phorpiex crypto-clipper supports more than 30 wallets for different blockchains. They also noted that the botnet operators may be in Ukraine, because evidence indicates that the bot does not execute if the user’s default locale abbreviation is “UKR.”

Even though it has served a variety of purposes, Check Point’s report says Phorpiex was originally not considered a sophisticated botnet. “All of its modules were simple and performed the minimal number of functions. Earlier versions of the Tldr module did not use encryption for the payloads. However, this did not prevent the botnet from successfully achieving its goals. Malware with the functionality of a worm or a virus can continue to spread autonomously for a long time without any further involvement by its creators,” Check Point explained.

“We showed that a cryptocurrency clipping technique for a botnet of this scale can generate significant profits (hundreds of thousands US dollars annually) and does not require any kind of management through command and control servers. In the past year, Phorpiex received a significant update that transformed it into a peer-to-peer botnet, allowing it to be managed without having a centralized infrastructure. The command and control servers can now change their IP addresses and issue commands, hiding among the botnet victims.”
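Check Point’s advice to compare the copied and pasted addresses can also be turned into a host-side check. The following is an added example, not Check Point’s code or anything from its report: detection logic that walks a sequence of clipboard changes and flags the pattern a clipper produces, one wallet address being replaced by a different address of the same type within a couple of seconds. The address patterns are simplified and the sample clipboard events are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Simplified shapes for two of the chains named in the article (constructed patterns):
# legacy/P2SH Bitcoin (base58), bech32 Bitcoin, and 20-byte hex Ethereum addresses.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipboardEvent:
    ts: float      # seconds since capture started
    content: str   # clipboard text after this change


def address_type(text):
    """Return 'btc', 'eth' or None depending on what the clipboard text looks like."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def detect_clipping(events, window=2.0):
    """Return (ts, old_address, new_address) for every clipboard change in which one
    wallet address was swapped for a different address of the same chain within
    `window` seconds. A user copying a second address minutes later is not flagged;
    a clipper rewriting the clipboard right after the copy is."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = address_type(prev.content)
        if kind is None or kind != address_type(cur.content):
            continue
        if prev.content != cur.content and cur.ts - prev.ts <= window:
            alerts.append((cur.ts, prev.content, cur.content))
    return alerts


# Constructed sample capture: a legitimate ETH address is copied at t=5.0 and silently
# replaced 0.3 s later; two unrelated BTC addresses are copied a minute apart.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes"),
    ClipboardEvent(5.0, "0x" + "1234567890abcdef" * 2 + "12345678"),
    ClipboardEvent(5.3, "0x" + "deadbeef" * 5),
    ClipboardEvent(60.0, "1" + "A2B3C4D5E6F7G8H9J" * 2),
    ClipboardEvent(120.0, "1" + "K2L3M4N5P6Q7R8S9T" * 2),
]

if __name__ == "__main__":
    for ts, old, new in detect_clipping(SAMPLE_EVENTS):
        print(f"t={ts}: clipboard address replaced {old} -> {new}")
```

Only the rapid ETH substitution is reported; the two Bitcoin addresses copied a minute apart are treated as ordinary user activity.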