More stories


    Apache's new security update for HTTP Server fixes two flaws

    The Apache Software Foundation has released an update to address a critical flaw in its hugely popular web server that could allow remote attackers to take control of a vulnerable system. Version 2.4.52 of the Apache HTTP Server fixes two flaws, tracked as CVE-2021-44790 and CVE-2021-44224, which carry CVSS severity scores of 9.8 (critical) and 8.2 (high) respectively out of a possible 10. A score of 9.8 is near the top of the scale; in recent weeks it has only been topped by the Log4j vulnerability known as Log4Shell, which was rated 10 out of 10.


    The first flaw is a buffer overflow in the mod_lua multipart parser affecting Apache HTTP Server 2.4.51 and earlier, so only servers that load mod_lua and hand request bodies to a Lua script are exposed. The Cybersecurity and Infrastructure Security Agency (CISA) warns it “may allow a remote attacker to take control of an affected system”. The less serious flaw allows server-side request forgery in forward proxy configurations of Apache HTTP Server 2.4.7 up to 2.4.51.

    The release is the latest generally available version of the 2.4.x branch of Apache HTTPD from Apache’s 26-year-old HTTP Server Project, which maintains an important, modern open-source HTTP server for Unix and Windows platforms. Apache HTTP Server is the second most widely used web server on the internet behind Nginx, according to W3Techs, which estimates it is used by 31.4% of the world’s websites. UK security firm Netcraft estimates that 283 million websites used Apache HTTP Server in December 2021, representing 24% of all web servers. The critical bug is apparently not under attack yet, but the HTTPD team believes it has the potential to be weaponized.

    “The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one,” the Apache HTTPD team said. “A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts),” Apache Foundation’s Stefan Eissing explained on a mailing list.

    As Netcraft notes, Apache HTTP Server was not directly affected by Log4Shell, the flaw in the Java-based Log4j logging library, because it is written in C. However, even web servers written in languages other than Java may have the vulnerable Log4j library integrated somewhere in their technology stack. IBM’s WebSphere application server integrates Log4j and was vulnerable, but Netcraft found only 3,778 sites using it. The Apache Software Foundation has released three updates in the past week in the wake of the widespread Log4Shell vulnerability in the Log4j 2 branch. Cybersecurity agencies from the US, Australia, Canada, New Zealand and the United Kingdom yesterday released guidance for organizations to address the bug. The bug is expected to take months to resolve because the Log4j library has been integrated as a component into hundreds of software products from major vendors, including IBM, Cisco, VMware, Red Hat and Oracle. The library also ships with important frameworks such as Apache Struts 2.
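    As an added example (not Apache project code), the following Python script triages a host for the two Apache HTTP Server flaws above from the output of `httpd -v` and `httpd -M`. Beyond the affected version ranges it applies the two exposure caveats from the CVE descriptions: the overflow lives in mod_lua and is only reachable if that module is loaded and a Lua handler calls r:parsebody() on attacker-supplied input, and the SSRF applies to forward proxy configurations, so mod_proxy must be loaded (whether ProxyRequests is actually enabled still has to be confirmed in httpd.conf). The two sample outputs are constructed.

```python
"""Triage an Apache httpd host for CVE-2021-44790 and CVE-2021-44224 from the
output of `httpd -v` and `httpd -M`.

Added example, not Apache project code. Beyond the version ranges it checks
whether the module each bug lives in is loaded at all, because that decides
exposure for an unpatched build. The sample outputs below are constructed.
"""
import re

FIXED = (2, 4, 52)               # first release carrying both fixes
SSRF_FIRST_AFFECTED = (2, 4, 7)  # CVE-2021-44224 affects 2.4.7 through 2.4.51


def parse_version(httpd_v):
    """'Server version: Apache/2.4.51 (Unix)' -> (2, 4, 51)."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    if not m:
        raise ValueError("no Apache version string in httpd -v output")
    return tuple(int(x) for x in m.groups())


def loaded_modules(httpd_m):
    """Set of module names listed by `httpd -M` (e.g. 'lua_module')."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:shared|static)\)", httpd_m, re.M))


def triage(httpd_v, httpd_m):
    """Return patch state and per-CVE exposure for one host."""
    ver = parse_version(httpd_v)
    mods = loaded_modules(httpd_m)
    patched = ver >= FIXED
    return {
        "version": ver,
        "patched": patched,
        # CVE-2021-44790: overflow in mod_lua's multipart parser; needs mod_lua
        # loaded and a Lua handler that calls r:parsebody() on attacker input.
        "cve_2021_44790": not patched and "lua_module" in mods,
        # CVE-2021-44224: SSRF / NULL deref in forward-proxy setups, 2.4.7-2.4.51;
        # needs mod_proxy, and ProxyRequests On must still be confirmed in httpd.conf.
        "cve_2021_44224": not patched and ver >= SSRF_FIRST_AFFECTED and "proxy_module" in mods,
    }


# Constructed sample output of an unpatched build with both modules loaded.
SAMPLE_V = "Server version: Apache/2.4.51 (Unix)\nServer built:   Oct  7 2021 14:23:09\n"
SAMPLE_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 lua_module (shared)
"""

if __name__ == "__main__":
    for k, v in triage(SAMPLE_V, SAMPLE_M).items():
        print(f"{k:>15}: {v}")
```

    On a real host, feed it `httpd -v` and `httpd -M` output (`apachectl -M` on some distributions); a build that loads neither module is not exposed to either bug even before it is patched, which is useful for prioritising a large fleet.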


    This new ransomware has simple but very clever tricks to evade PC defenses

    AvosLocker, a newcomer to the ransomware-as-a-service scene, is ramping up attacks while using some new techniques to try to evade security software. Security firm Sophos warns that AvosLocker, a human-operated ransomware gang that emerged this summer, is on the hunt for partners, such as ‘access brokers’ who sell access to already-hacked machines, in the hope of filling the gap left by REvil’s withdrawal.


    One of the key features of AvosLocker is its use of the AnyDesk remote IT administration tool, running it in Windows Safe Mode. The Safe Mode trick was previously used by REvil, Snatch and BlackMatter as a way to disable a target’s security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode, a special diagnostic configuration in which Windows disables most third-party drivers and software, which can leave otherwise protected machines unprotected.

    AnyDesk, a legitimate remote admin tool, has become a popular alternative among criminals to TeamViewer, which offers the same functionality. Running AnyDesk in Safe Mode while the machine stays connected to the network allows the attacker to keep control of infected machines. While AvosLocker merely repackages techniques from other gangs, Peter Mackenzie, director of incident response at Sophos, described their use as “simple, but very clever”. Mackenzie says that while Avos copied the Safe Mode technique, installing AnyDesk for command and control of machines while in Safe Mode is a first.

    The AvosLocker attackers reboot the machines into Safe Mode for the final stages of the attack, but also modify the Safe Mode boot configuration so that AnyDesk can be installed and run there. Sophos notes in a blog post that legitimate owners might not be able to remotely manage a computer configured to run AnyDesk in Safe Mode: an admin might need physical access to the infected computer to manage it, which could pose problems for a large network of Windows PCs and servers.

    Sophos has detected several more curious techniques used by AvosLocker. A Linux component, for example, targets VMware ESXi hypervisor servers by killing any virtual machines (VMs), then encrypting the VM files. Sophos is investigating how the attackers obtained the admin credentials needed to enable the ESXi Shell or access the server.

    The attackers also used the IT management tool PDQ Deploy to push several Windows batch scripts to the intended target machines, including Love.bat, update.bat and lock.bat. As Sophos explains, in about five seconds these scripts disable security products that can run in Safe Mode, disable Windows Defender, and allow the attacker’s AnyDesk tool to run in Safe Mode. They also set up a new account with automatic login details and then connect to the target’s domain controller to remotely access and run the ransomware executable, update.exe.

    Sophos warns: “Ransomware, especially when it has been hand-delivered (as has been the case in these Avos Locker instances), is a tricky problem to solve because one needs to deal not only with the ransomware itself, but with any mechanisms the threat actors have set up as a back door into the targeted network. No alert should be treated as “low priority” in these circumstances, no matter how benign it might seem.”
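    The chain Sophos describes (boot configuration switched to Safe Mode, AnyDesk allowed to run there, an auto-logon account, Defender disabled) leaves a recognisable trail in process-creation telemetry. The Python below is an added example, not Sophos’s code or detection content: the regexes encode my assumption of how each stage is usually carried out on Windows (bcdedit’s safeboot option, service entries under the SafeBoot registry keys, AutoAdminLogon under Winlogon, Set-MpPreference, an AnyDesk --install), and the event records are constructed to resemble Sysmon Event ID 1 command lines. It scores hosts by how many distinct stages they show, so a lone bcdedit query does not page anyone but the full sequence does, which matches the advice above that no alert in this chain should be treated as low priority.

```python
"""Score Windows hosts for the Safe Mode staging chain described above.

Added example, not Sophos detection content. Each rule is a regex over a
process command line; the patterns encode my assumption of how the stages are
normally performed (bcdedit safeboot, SafeBoot registry allow-listing,
Winlogon AutoAdminLogon, Set-MpPreference, an AnyDesk --install). The events
are constructed to resemble Sysmon Event ID 1 records.
"""
import re
from collections import defaultdict

RULES = {
    # boot configuration switched to Safe Mode (with Networking) or back again
    "safe_mode_boot": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    # a service/driver registered to run in Safe Mode (most EDR is not in this list)
    "safeboot_allowlist": re.compile(r"\breg(\.exe)?\s+add\b.*\\SafeBoot\\(Network|Minimal)\\", re.I),
    # automatic logon so the box comes back up unattended
    "autologon": re.compile(r"\\Winlogon\b.*\b(AutoAdminLogon|DefaultPassword)\b", re.I),
    # Defender features switched off via its own cmdlet
    "defender_disabled": re.compile(r"Set-MpPreference\b.*-Disable\w*", re.I),
    # remote-access tool installed to persist across the reboot
    "remote_tool_install": re.compile(r"\banydesk(\.exe)?\b.*--(install|start-with-win)", re.I),
}


def match_event(cmdline):
    """Names of every rule the command line trips."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def analyse(events):
    """host -> set of stages seen. events: dicts with 'host' and 'cmdline'."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]] |= match_event(ev["cmdline"])
    return dict(hits)


def high_priority(events, min_stages=2):
    """Hosts showing at least `min_stages` distinct stages: treat as hands-on-keyboard."""
    return sorted(h for h, s in analyse(events).items() if len(s) >= min_stages)


# Constructed telemetry: one host running the whole chain, one doing routine admin.
SAMPLE_EVENTS = [
    {"host": "WS-042", "cmdline": r"bcdedit /set {current} safeboot network"},
    {"host": "WS-042", "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AnyDesk" /ve /t REG_SZ /d Service /f'},
    {"host": "WS-042", "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f'},
    {"host": "WS-042", "cmdline": r'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "WS-042", "cmdline": r"C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"host": "WS-007", "cmdline": r"bcdedit /enum"},
    {"host": "WS-007", "cmdline": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"'},
]

if __name__ == "__main__":
    for host, stages in analyse(SAMPLE_EVENTS).items():
        print(f"{host}: {sorted(stages)}")
    print("escalate:", high_priority(SAMPLE_EVENTS))
```

    The rules deliberately match the cleanup commands too (a `bcdedit /deletevalue safeboot` after the fact is just as interesting as the `/set`), and `remote_tool_install` assumes AnyDesk is not sanctioned in the environment; drop or scope that rule where it is.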


    Chinese regulators suspend Alibaba Cloud over failure to report Log4j vulnerability

    Chinese media outlets have reported that Alibaba Cloud is facing a backlash from government regulators after it reported the Log4j vulnerability to Apache before reporting it to the Ministry of Industry and Information Technology (MIIT). 21st Century Business Herald said local reporters were informed on Wednesday that the MIIT’s Cyber Security Administration was suspending its information-sharing partnership with Alibaba Cloud for six months, specifically citing the failure to report Log4j as the reason.


    Chen Zhaojun, a security engineer at Alibaba Cloud, was identified by Bloomberg News as the first person to discover the Log4j vulnerability and report it to Apache. Chen told Apache on November 24, and a third party later informed the MIIT in a report on December 9, according to Reuters. “Recently, after discovering serious security vulnerabilities in the Apache Log4j2 component, Alibaba Cloud failed to report to the telecommunications authorities in a timely manner and did not effectively support the Ministry of Industry and Information Technology to carry out cyber security threats and vulnerability management,” the local media report said. Protocol noted that China recently put into effect a new law that makes it mandatory for all companies to report vulnerabilities to state regulators within two days.

    The Chinese government has sought to get a better handle on cybersecurity and privacy in recent months, passing multiple laws and issuing warnings to major companies about the need to protect data shared outside of China. Alibaba was hit with a record 18.2 billion yuan antitrust fine, and 33 other mobile apps have faced criticism from Beijing for their data collection policies. Didi has faced a major cybersecurity review, while Alibaba and Tencent have come under government scrutiny in recent months as well.

    In November, the Cyberspace Administration of China unveiled a new set of laws that reclassified data and laid out multiple sets of fines for violations of cybersecurity policy.


    Phishing incident causes data breach at West Virginia hospitals

    A hospital system in West Virginia has suffered a data breach resulting from a phishing attack that gave hackers access to several email accounts. Monongalia Health System, which runs Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company, said that hackers had access to several email accounts from May 10 to August 15. These accounts contained sensitive information on patients, providers, employees and contractors. The company concluded its investigation into the incident on October 29, finding that the attack resulted from an email phishing incident.

    “Mon Health first became aware of the incident after a vendor reported not receiving a payment from Mon Health on July 28, 2021. In response, Mon Health promptly launched an investigation, through which it determined that unauthorized individuals had gained access to a Mon Health contractor’s email account and sent emails from the account in an attempt to obtain funds from Mon Health through fraudulent wire transfers,” the company explained. “Upon learning of this, Mon Health secured the contractor’s email account and reset the password, notified law enforcement, and a third-party forensic firm was engaged to assist with the investigation.”

    The attack did not involve information from its other hospitals, including Mon Health Preston Memorial Hospital and Mon Health Marion Neighborhood Hospital. The company claims that “the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent wire transfers and to perpetrate an email phishing scheme, not to access personal information.”

    Mon Health started sending breach notification letters to victims on December 21 and said a toll-free call center had been set up for those with questions. Dozens of healthcare organizations have had to send breach notification letters to patients due to cyberattacks or ransomware incidents that exposed sensitive data.


    Log4J added to DHS bug bounty program

    Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly and Homeland Security Secretary Alejandro Mayorkas announced the expansion of the “Hack DHS” bug bounty program, noting on Twitter that it will now include vulnerabilities related to Log4J. “We opened our HackDHS bug bounty program to find and patch Log4j-related vulnerabilities in our systems,” Easterly said. “Huge thanks to the researcher community taking part in this program. Log4j is a global threat and it’s great to have some of the world’s best helping us keep orgs safe.”


    On December 14, the Department of Homeland Security announced the bug bounty program as a way to identify cybersecurity gaps and vulnerabilities in its systems. It gave “vetted” cybersecurity researchers access to “select external DHS systems” and asked them to find bugs. Secretary Alejandro Mayorkas called DHS the “federal government’s cybersecurity quarterback” and said the program “incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors.” “This program is one example of how the Department is partnering with the community to help protect our Nation’s cybersecurity,” Mayorkas said.

    In the original outline of the program, DHS planned for the bug bounty effort to take place in three phases in 2022. Once the hackers have finished a virtual assessment of DHS external systems, they will be invited to take part in a live, in-person hacking event. The last phase involves DHS taking the recommendations and planning for future bug bounty programs. DHS intends to make the program something any government agency could run.

    “Hack DHS, which will leverage a platform created by the Department’s Cybersecurity and Infrastructure Security Agency (CISA), will be governed by several rules of engagement and monitored by the DHS Office of the Chief Information Officer. Hackers will disclose their findings to DHS system owners and leadership, including what the vulnerability is, how they exploited it, and how it might allow other actors to access information,” DHS explained. “The bounty for identifying each bug is determined by using a sliding scale, with hackers earning the highest bounties for identifying the most severe bugs. Hack DHS builds on the best practices learned from similar, widely implemented initiatives across the private sector and the federal government, such as the Department of Defense’s ‘Hack the Pentagon’ program.”

    This won’t be the first bug bounty program run by DHS: it ran a pilot in 2019 after legislation was passed thanks to the bipartisan coalition behind the SECURE Technology Act. DHS explained that the law allows it to pay people chosen to evaluate DHS systems by mimicking hacker behavior.


    Log4j flaw: Attackers are 'actively scanning networks' warns new CISA guidance

    A new joint Log4j advisory has been issued by cybersecurity agencies from the US, Australia, Canada, New Zealand and the United Kingdom. The guide includes technical details, mitigations and resources to address known vulnerabilities in the Apache Log4j software library.


    The advisory is a joint effort by the US Cybersecurity and Infrastructure Security Agency (CISA), FBI and NSA, the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC) and the United Kingdom’s National Cyber Security Centre (NCSC-UK). The organizations said they issued the advisory in response to “active, worldwide exploitation by numerous threat actors, including malicious cyber threat actors.” Groups from North Korea, Iran, Turkey and China have been seen exploiting the vulnerability, alongside a slate of ransomware groups and cybercriminal organizations.

    CISA Director Jen Easterly said Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world. “We implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks,” Easterly said. “These vulnerabilities are the most severe that I’ve seen in my career, and it’s imperative that we work together to keep our networks safe.”

    Cybersecurity company Sonatype has tracked the total number of Log4j downloads since the vulnerability was disclosed on December 10, and also tracks how many of the downloads in the last hour were of vulnerable versions. Even with the massive mobilization effort around the issue, 43% of the Log4j downloads in the most recent hour at the time of writing were of vulnerable versions.

    Jessica Hunter, acting head of the Australian Cyber Security Centre, said malicious cyber actors are already scanning and exploiting some of the many thousands of vulnerable systems around the world, prompting the need for governments to be proactive in their efforts to patch, partner and monitor.

    The FBI’s Bryan Vorndran urged organizations attacked through the vulnerability to contact the FBI or CISA. CISA has built a Log4j web page with information, guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. NSA cybersecurity director Rob Joyce said everyone should inventory their assets so they can stay on top of the patches coming out. “Start with internet exposed assets, but mitigate and update everything. Monitor and follow up. Malicious actors have been observed patching software they compromise to help retain control of the assets,” Joyce said.

    CISA ordered all federal civilian agencies to address the issue before Christmas and published an open-source log4j-scanner derived from scanners created by other open-source community members. The tool is intended to help organizations identify potentially vulnerable web services affected by the Log4j vulnerabilities. “We cannot stress enough how important it is for everyone to patch this vulnerability as soon as possible. We know that malicious actors are constantly scanning for a way into systems worldwide, using the Log4j vulnerability,” said CERT NZ Director Rob Pope. “It is only through collective actions that we can effectively address these types of attacks, which is why we’re proud to be part of an international effort to keep organizations safe and secure.”
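    The inventory step Joyce describes, and the version split Sonatype is counting, come down to finding every log4j-core jar on a host and reading its version. The Python below is an added example, not CISA’s log4j-scanner (which probes web services over the network rather than the filesystem) and not Apache code. It relies on two properties of the artefact itself: Maven-built log4j-core jars carry a pom.properties with a `version=` line, and the JNDI lookup that Log4Shell abuses lives in the JndiLookup class, so a jar with that class stripped is recorded separately from an untouched one. It also descends into jars packaged inside war, ear and fat jars, which is where web services usually hide their copy. FIXED is an assumption pinned to the 2.17.0 release that was current when this page was written; the sample jars are constructed in a temp directory so the script runs offline.

```python
"""Inventory log4j-core jars under a directory tree (including jars nested in
war/ear/fat jars) and classify each by version and JndiLookup presence.

Added example, not CISA's log4j-scanner. FIXED is an assumption pinned to the
2.17.0 release current when this page was written; the sample tree below is
constructed so the script runs offline.
"""
import io
import os
import re
import tempfile
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 17, 0)
ARCHIVES = (".jar", ".war", ".ear")


def parse_version(pom_text):
    """'version=2.14.1' -> (2, 14, 1); None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_text, re.M)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def classify(zf):
    """Classify one open ZipFile; None if it is not log4j-core at all."""
    names = set(zf.namelist())
    if POM not in names:
        return None
    ver = parse_version(zf.read(POM).decode("utf-8", "replace"))
    jndi = JNDI in names
    if ver is None:
        status = "unknown-version"
    elif ver >= FIXED:
        status = "ok"
    elif not jndi:
        # JndiLookup stripped: the RCE path is gone, but the jar is still downlevel.
        status = "jndi-removed-update-anyway"
    else:
        status = "vulnerable"
    return {"version": ver, "jndi_lookup": jndi, "status": status}


def scan_archive(src, label):
    """Classify an archive and recurse into archives packaged inside it."""
    findings = []
    with zipfile.ZipFile(src) as zf:
        hit = classify(zf)
        if hit:
            findings.append({"path": label, **hit})
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVES):
                findings += scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}")
    return findings


def scan_tree(root):
    """Walk `root` and return findings sorted by path."""
    out = []
    for d, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                p = os.path.join(d, f)
                try:
                    out += scan_archive(p, os.path.relpath(p, root))
                except zipfile.BadZipFile:
                    pass  # not a real archive; skip it
    return sorted(out, key=lambda x: x["path"])


def make_log4j_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar (pom.properties + optional JndiLookup)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return buf.getvalue()


def build_sample_tree():
    """Constructed fixture: three jars in app/lib and one nested inside a war."""
    root = tempfile.mkdtemp(prefix="log4j-inv-")
    lib = os.path.join(root, "app", "lib")
    webapps = os.path.join(root, "webapps")
    os.makedirs(lib)
    os.makedirs(webapps)
    samples = {
        "log4j-core-2.14.1.jar": make_log4j_jar("2.14.1"),
        "log4j-core-2.14.1-stripped.jar": make_log4j_jar("2.14.1", with_jndi=False),
        "log4j-core-2.17.0.jar": make_log4j_jar("2.17.0"),
    }
    for name, data in samples.items():
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(data)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", make_log4j_jar("2.11.2"))
        zf.writestr("WEB-INF/classes/org/example/App.class", b"")
    with open(os.path.join(webapps, "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        ver = ".".join(map(str, f["version"] or ()))
        print(f"{f['status']:<27} {ver:<8} jndi={f['jndi_lookup']!s:<5} {f['path']}")
```

    Point `scan_tree` at `/`, application directories or a mounted image on a real host; the `jndi-removed-update-anyway` bucket exists because stripping JndiLookup was a common emergency mitigation, and those hosts still need the real update once the change window opens.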


    This ransomware strain just started targeting lots more businesses

    The relatively new Pysa ransomware was the dominant strain behind file-encrypting attacks in November and saw a 400% rise in attacks on government organizations, according to analysis by security company NCC Group. Pysa is one of the ransomware gangs using double extortion to pressure victims into paying, and last month it dumped leaks from 50 previously compromised organizations. Overall, the number of Pysa attacks increased 50% in November, which means it overtook Conti to join LockBit as one of the two most common ransomware families. Conti and LockBit had been the dominant strains since August, according to NCC Group.

    Inexplicably, Pysa leaks data from targets weeks or months after attempting to extort them. The large-scale data dump follows joint US and EU law enforcement action against some members of the REvil ransomware gang, who were behind the attack on IT vendor Kaseya.

    Also known as Mespinoza, the Pysa gang seeks out evidence of crime among targets to use as leverage during extortion negotiations that typically involve multi-million dollar demands. The FBI started tracking Pysa activity in March 2020 in ransomware attacks against government institutions, private companies and the healthcare sector. The group often uses phishing for credentials to compromise Remote Desktop Protocol (RDP) connections. Pysa targets high-value finance, government and healthcare organizations, NCC Group notes.

    Across all ransomware gangs, North American victims totalled 154 in November, 140 of them US organizations, while European victims numbered 96. The industrials sector was the most targeted, while attacks on the technology sector decreased 38%.

    NCC Group also spotlights a Russian-speaking ransomware gang called Everest Group that is pushing double extortion further: rather than only threatening to leak files, it offers buyers access to victims’ IT infrastructure. Instead of pursuing a ransom, the group sells third-party access to the target’s network, creating a new way to monetize a compromised target. If it proves lucrative, this could become a trend next year, NCC Group warns. “In November, the group offered paid access to the IT infrastructure of their victims, as well as threatening to release stolen data if the victim refused to pay a ransom,” it notes. “While selling ransomware-as-a-service has seen a surge in popularity over the last year, this is a rare instance of a group forgoing a request for a ransom and offering access to IT infrastructure – but we may see copycat attacks in 2022 and beyond.”


    Ubisoft confirms Just Dance data breach amid developer exodus

    Gaming giant Ubisoft has confirmed a cyberattack on its IT infrastructure targeting the popular game Just Dance. The company explained that the incident “was the result of a misconfiguration, that once identified, was quickly fixed, but made it possible for unauthorized individuals to access and possibly copy some personal player data.” 

    Ubisoft did not respond to requests for comment about how many people were affected by the incident. “The data in question was limited to ‘technical identifiers’ which include GamerTags, profile IDs, and Device IDs as well as Just Dance videos that were recorded and uploaded to be shared publicly with the in-game community and/or on your social media profiles,” the Just Dance team explained in a note on Ubisoft’s message board. “Our investigation has not shown that any Ubisoft account information has been compromised as a result of this incident.”

    Anyone affected by the breach will receive an email from Ubisoft and will be given more information through the company’s support team. The team urged players to enable two-factor authentication and to reset their passwords. Ubisoft added that it took “all the proactive measures necessary” to secure its infrastructure from future cyberattacks.

    Axios reported on Monday that Ubisoft has faced a wave of departures over the last 18 months due to low pay, organizational dysfunction and a stream of scandals. A developer who left recently told Axios that they were contacted by a co-worker for help in fixing a game because no one left at the company knew what to do. Employees have called it the “great exodus” and said the loss of talent was damaging the company’s ability to ship games. Several hundred current and former employees signed an open letter earlier this year criticizing Ubisoft for not doing enough to address problems within the company.

    In October 2020, the Egregor ransomware gang said it had breached the Ubisoft network and stolen data, leaking about 20 MB on its leak site. Ubisoft never commented on that breach. The company was also attacked in 2013; according to the BBC, the accounts of 58 million people were accessed. Ubisoft has sold millions of copies of Just Dance since it debuted in 2009.