More stories

    Log4j flaw hunt shows how complicated the software supply chain really is

    Open source software is everywhere now, but the Log4j flaw that affects Java enterprise applications is a reminder of what can go wrong in the complicated modern software supply chain.

    The challenge with the Log4j flaw (also known as Log4Shell) is not only that admins need to patch the flaw, which received a ‘critical’ rating of 10 out of 10, but that IT staff can’t easily discover whether a product or system is affected by the vulnerability in the component. Google has calculated that approximately 17,000 Java packages in the Maven Central repository, the most significant Java package repository, contain the vulnerable log4j-core library as a direct or transitive dependency. Now security firm JFrog has found more, by identifying additional packages containing the Log4j vulnerability that would not be detected through dependency scanning at all: packages that carry vulnerable Log4j code inside the artefact itself.

    JFrog found that, overall, direct inclusion of Log4j code in artefacts is less common than use of Log4j through dependencies. However, it still adds up to hundreds of packages, around 400, that directly include Log4j code and are therefore exposed to the Log4j vulnerabilities. “In more than half of all cases (~65%), Log4j code is included as classes directly (i.e. direct inclusion / shading), in contrast to including complete Log4j .jar files (i.e. fat jar), which is typically how it is presented in the remainder of cases. These numbers indicate that tools looking for complete .jar files only will miss most of the cases where Log4j is included directly,” it said.

    The bug is a reminder of why Microsoft and Google are ploughing dollars into projects that bolster the security of open source software, which is the backbone of today’s internet infrastructure. Previous research shows that the vast majority of software flaws are found in software libraries or dependencies.

    The severity of the bug means admins would be well served by investigating all Java applications that may include Log4j code. Microsoft has released scanning tools to detect vulnerable Windows and Linux systems, applications and devices, and JFrog offers one more option. JFrog emphasises that its scanner inspects the code inside an artefact rather than merely checking whether a known version of the library is listed as a dependency. “The reason that scanning the full dependencies list may miss instances of included Log4j code is because dependencies only specify external packages needed to build or run the current artefact. If the vulnerable code is inserted directly into the codebase, it is not a dependency. Therefore, for more precise detection of vulnerable Log4j code, we need to inspect the code itself,” the company notes in a blogpost. The research highlights how exposed today’s IT systems are to attacks on the software supply chain.

    The importance of the Java programming language can’t be overstated. It remains one of the world’s most widely used languages and is the go-to language for the enterprise, and its ecosystem includes projects such as Microsoft’s build of OpenJDK. Microsoft uses Java in Azure, SQL Server, Yammer, Minecraft, and LinkedIn.
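One way to do the artefact-level check JFrog describes above, as an added example that is not JFrog’s or Microsoft’s scanner: open each archive, descend into any jar nested inside it (the fat-jar case) and match the path of log4j-core’s JndiLookup class by suffix, so that shaded copies relocated under a vendor’s package prefix are found as well as unrelocated ones. The three sample jars are constructed in memory for illustration, with placeholder bytes standing in for class bodies; the hypothetical `scan_directory` helper is the entry point you would run against a real filesystem. A hit means only that Log4j lookup code is present, not which version it is: establishing the version needs the nested jar’s manifest or a class fingerprint, which this example leaves out.

```python
"""Artefact-level scan for Log4j code that a dependency list would not reveal.

Added example, not JFrog's or Microsoft's tooling. It matches the path of
log4j-core's JndiLookup class by suffix (so shaded/relocated copies are found)
and recurses into nested archives (so fat jars and wars are covered).
It reports presence only; it does not determine the Log4j version.
"""
import io
import pathlib
import zipfile
from typing import Dict, List

# The lookup class Log4Shell exploitation goes through. Matching on the path
# suffix rather than the full package also catches relocated copies such as
# com/vendor/shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class
MARKER_SUFFIX = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, location: str) -> List[str]:
    """Return 'location!entry' for every JndiLookup.class in the archive,
    descending recursively into any nested archive it contains."""
    hits: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container, nothing to inspect
    with zf:
        for name in zf.namelist():
            if name.endswith(MARKER_SUFFIX):
                hits.append(f"{location}!{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(scan_archive(zf.read(name), f"{location}!{name}"))
    return hits


def scan_directory(root: str) -> List[str]:
    """Scan every archive below root on disk (the real-world entry point)."""
    hits: List[str] = []
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits.extend(scan_archive(path.read_bytes(), str(path)))
    return hits


def classify(hit: str) -> str:
    """Label a hit along the lines of JFrog's breakdown: 'fat-jar' when the class
    sits inside a nested jar, 'shaded' when its package was relocated, otherwise
    'direct' (unrelocated Log4j classes copied straight into the artefact)."""
    container, entry = hit.rsplit("!", 1)
    if "!" in container:
        return "fat-jar"
    return "direct" if entry == MARKER_SUFFIX else "shaded"


def make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build a jar (a zip file) in memory from {entry path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples() -> Dict[str, bytes]:
    """Constructed sample artefacts (not real packages). Class bodies are
    placeholder bytes: the scan keys on entry paths, not on bytecode."""
    fake_class = b"\xca\xfe\xba\xbe"  # Java class-file magic only
    nested_log4j_core = make_jar({MARKER_SUFFIX: fake_class,
                                  "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    return {
        # No Log4j code at all.
        "clean-app.jar": make_jar({"com/example/App.class": fake_class}),
        # Log4j classes relocated under the vendor's package: no dependency entry
        # and no log4j-core-*.jar anywhere, so name- or dependency-based scans miss it.
        "shaded-app.jar": make_jar({"com/example/shaded/" + MARKER_SUFFIX: fake_class}),
        # Spring-Boot-style fat jar carrying a complete log4j-core jar inside it.
        "fat-app.jar": make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": nested_log4j_core,
                                 "com/example/App.class": fake_class}),
    }


def scan_samples() -> Dict[str, List[str]]:
    """Scan the constructed samples; returns {artefact: [inclusion kind, ...]}."""
    return {name: [classify(h) for h in scan_archive(data, name)]
            for name, data in build_samples().items()}


if __name__ == "__main__":
    for artefact, kinds in scan_samples().items():
        print(f"{artefact}: {kinds or 'no Log4j code found'}")
```

Run against a real tree with `scan_directory("/opt/apps")` and treat every hit as a candidate for version confirmation and patching. Because the match is by path suffix, a relocation that also renames the class would still evade it; a bytecode fingerprint is the next step up, which is the approach JFrog describes for its own tool.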

    This sneaky hacking group targets old Java applications to break into networks

    A highly organised and stealthy cyber-criminal operation is stealing millions of dollars from financial organisations in attacks that have been active for at least two years. The campaign has been detailed by researchers at Israeli cybersecurity company Sygnia, who have dubbed the group behind the attacks ‘Elephant Beetle’.

    These attacks are predominantly focused on financial organisations in Latin America, although the researchers warned that the campaign could shift towards targets in other parts of the world. They note that one of the breaches they uncovered when analysing Elephant Beetle campaigns was against the Latin American arm of an undisclosed US-based company. Elephant Beetle campaigns take place over a long period, with the attackers taking time to study the financial systems of compromised victims in order to create fraudulent transactions hidden among regular activity; these add up to millions of dollars stolen. The entry point of the attacks is legacy Java applications running on Linux-based machines and web servers. The legacy nature of these systems means they are likely to contain unpatched vulnerabilities that can be exploited. Among those listed by Sygnia are a PrimeFaces Application Expression Language injection (CVE-2017-1000486), a WebSphere Application Server SOAP deserialization flaw (CVE-2015-7450), the SAP NetWeaver Invoker Servlet flaw (CVE-2010-5326), and SAP NetWeaver ConfigServlet remote code execution (EDB-ID 24963).

    In each case, the initial payload is a simple obfuscated web shell enabling remote code execution, or a series of exploits running different commands on the target machine. In total, the threat group uses an arsenal of over 80 unique tools and scripts to conduct the campaigns and identify additional security flaws while remaining undetected. To stay under the radar, the attackers stick to smaller transactions that don’t look suspicious individually, but when all the transactions against a victim are added together, millions of dollars are stolen. If an attempted transaction is detected and blocked, the attackers lie low while remaining on the network for a few months, only to resume activity once they feel the coast is clear. “Elephant Beetle is a significant threat due to its highly organised nature and the stealthy pattern with which it intelligently learns victims’ internal financial systems and operations,” said Arie Zilberstein, VP of incident response at Sygnia. “Even after initial detection, our experts have found that Elephant Beetle is able to lay low, but remain deeply embedded in a compromised organization’s infrastructures, enabling it to reactivate and continue stealing funds at any moment,” he added. Analysis of incidents involving Elephant Beetle, along with phrases and keywords used in its code, including ‘Elephante’, suggests that the cyber criminals behind the attacks are Spanish-speaking. The researchers also note that many of the command and control servers used by Elephant Beetle appear to be located in Mexico. In addition, Sygnia’s incident response team notes that the tools and techniques deployed by Elephant Beetle strongly resemble what cybersecurity company Mandiant tracks as FIN13, a cyber-criminal group focused on Mexico.

    It’s strongly believed Elephant Beetle is still actively compromising targets, but there are steps organisations can take to avoid falling victim. Key to this is applying patches and security updates, so that attackers cannot exploit known vulnerabilities to gain a foothold in the network. If legacy applications can’t be patched, they should be isolated from the rest of the network wherever possible. “Particularly in the wake of widespread vulnerabilities like Log4j that are dominating the industry conversation, organizations need to be apprised of this latest threat group and ensure their systems are prepared to prevent an attack,” said Zilberstein.

    Google Chrome rival Brave reports another big jump in users

    Brave, the Chromium-based and privacy-focused browser, now has 50 million monthly active users. That total means user numbers have more than doubled from the 24 million it had at the end of 2020. To put Brave’s milestone in perspective, Google has billions of active users across Chrome, Android, iOS and Windows. Nonetheless, Brave has grown from a user base of 1.2 million in 2017, after launching in 2016; version 1.0 of the browser was released in November 2019. Its main pitch is that it doesn’t sell targeted ads but instead trades attention via cryptocurrency: Brave offers users the choice of viewing ads in exchange for its cryptocurrency, the Basic Attention Token (BAT). Brave argues that people want private browsers with tools that let them break away from the ad-sponsored internet that funds Amazon, Apple, Google, Facebook and Microsoft.

    Privacy has become a competitive differentiator among browser makers, most of whom build their products on Google’s open-source Chromium project, including Opera, Microsoft Edge and Vivaldi. Brave launched a search engine of its own, while privacy-focused search engine DuckDuckGo recently launched its own browser. Brave claims it handled 2.3 billion queries on its search engine between June and December 2021. Brave doesn’t share revenue details but claims its BAT revenues have grown by a factor of four in the past 12 months and that it now has 8 million users who earn BAT via Brave Rewards. It also touts its commercial success, naming household-brand customers including Ford, PayPal, Toyota, Mastercard, Intel, Crocs, BMW, Keurig, American Express, Budweiser, Walmart, Amazon, and The Home Depot, as well as major crypto clients Binance, Coinbase, Crypto.com, eToro, Gemini, and Solana. “Passing 50 million users is a tremendous milestone for our company. It is also a powerful confirmation of the global movement underway led by users seeking alternatives to the surveillance economy,” said Brendan Eich, CEO and co-founder of Brave. “We’ve spent a successful year expanding our product range and our ecosystem, engaging with partners who share our vision for a Web free from Big Tech’s shackles. We have seen an incredible response among our users, creators, and community. We aim to double this growth again in 2022 and engage with even more users who seek a privacy-conscious way to browse the Web that rewards them instead of punishes them with tracking, and helps them directly support creators.”

    Cybersecurity training isn't working. And hacking attacks are only getting worse

    The threat of cyberattacks is growing, and much more needs to be done to educate businesses and users about the risks in order to prevent widespread damage and disruption from cyber incidents. Ransomware attacks against utilities and infrastructure providers, production facilities and hospitals have demonstrated that cyberattacks can have very real consequences for people, restricting access to vital goods and services for days, weeks and even months. But despite the risk, many businesses and their boardrooms still don’t fully understand the threats they face from cybercriminals or how best to defend their networks against them. Part of the problem is that, for many businesses, cybersecurity isn’t ingrained in everyday operations: employees are only asked to think about it during annual cybersecurity training, leaving companies exposed the rest of the year. “I think one of the most important things to realise is most of the education and training done, it’s not very effective,” Stuart E. Madnick, professor of information technology and engineering systems at MIT Sloan Executive Education, told ZDNet Security Update. “The 30-minute video you’re obligated to watch once a year doesn’t do the job.”

    According to Madnick, who has been at MIT since 1972 and has served as head of MIT’s Information Technologies Group for more than 20 years, organisations need to build a culture of cybersecurity that actively involves everyone. If people have a better understanding of how their organisation falling victim to a cyberattack could affect them personally, everyone is likely to be more careful. “If somehow you think you play a role in defending your company, it’s important, but that’s not something we’ve been used to in the past, so you have to help people understand that,” said Madnick. Many people associate cyberattacks or being hacked with having their personal information or bank details stolen. But the reality is that cyberattacks are becoming much more damaging and costly. Incidents ranging from ransomware attacks to data breaches and business email compromise (BEC) scams can cost organisations millions. And as critical infrastructure and vital services become increasingly connected to the internet, there is the additional risk of cyberattacks causing widespread disruption. “One thing we’re just beginning to see now are attacks on the cyber infrastructure of organisations, like hospitals and power grids,” said Madnick. “Imagine the electricity of London going out, not for an hour-and-a-half, not for a day, but for three weeks. That could be pretty serious,” he added, noting that this isn’t just a fictional scenario: Ukraine has previously suffered power outages in the dead of winter because of cyberattacks suspected to come from Russia. That is far from the only time hostile hackers have entered the networks of critical infrastructure; attackers have been detected inside the networks of American utility providers. The risk is that it’s only a matter of time before attackers take advantage of vulnerabilities in industrial networks to cause damage and disruption.

    If we don’t take this seriously we’re going to suffer serious consequences, he argues. “That’s why it’s so important to educate broadly on the implications of cybercrime,” said Madnick. “The worst is yet to come,” he added, noting how much more of life now depends on technology. For example, the rise of the Internet of Things (IoT) means basic appliances and sensors are connected to the internet, but if they’re not properly secured they are just another avenue attackers can use as a gateway to wider networks. Madnick cited how something as simple as a toothbrush can be IoT-connected: while the app might give the user feedback on how well they’re brushing their teeth, a toothbrush that isn’t secured properly could carry cybersecurity risks. And more and more such devices are being added to networks that were never designed with IoT devices in mind. “Almost every product, except a brick, will have a computer in it, so the number of devices that can be cyber-attacked is increasing exponentially,” said Madnick. “The attack surfaces are multiplying all over the place and the consequences of these attacks are hard to imagine yet,” he added.

    Google Chrome update includes 37 security fixes

    Google rolled out an update for Chrome this week on Windows, Mac and Linux that includes 37 security fixes, one of which is rated critical. Google Chrome’s Prudhvikumar Bommana thanked dozens of security researchers for helping to find the bugs, many of which were given a high severity rating. Chrome 97.0.4692.71 includes a fix for CVE-2022-0096, a critical use-after-free (UAF) vulnerability, as well as other UAFs: CVE-2022-0098, CVE-2022-0099, CVE-2022-0103, CVE-2022-0105 and CVE-2022-0106. There are also three heap buffer overflow issues rated high severity. Google did not say whether exploits exist for any of the vulnerabilities, but BreachQuest CTO Jake Williams said he was not aware of any of them being actively exploited in the wild. Most home users will receive the update automatically, Williams noted, but enterprise users who lack administrative permissions on their machines will rely on systems administrators to push it out. In October, Google fixed two previously unknown, high-severity zero-day flaws in a Chrome update for Windows, Mac and Linux; exploits for both were found in the wild, according to Google. Google patched at least 14 Chrome zero-days in 2021.

    Viakoo CEO Bud Broomhead said it is notable that stable channel releases are now focused more on fixing security vulnerabilities than on delivering new functionality. “Stable is now becoming ‘cyber safe to use’ as opposed to ‘won’t crash your machine,’ a meaningful difference with the onslaught of cyber vulnerabilities,” Broomhead said.

    Kazakhstan leaders shut down internet amid gas price protests

    Internet service in Kazakhstan was disrupted this week as thousands took to the streets in protest over a rise in energy prices. The internet was partially restored on Wednesday, but there is still evidence of significant disruption. Both NetBlocks and Cloudflare reported significant internet shutdowns in the country on Tuesday evening after protests began in the western town of Zhanaozen. Alp Toker, director of NetBlocks, told ZDNet that the organisation had been tracking the disruptions since their onset on Tuesday. NetBlocks found that mobile services and some fixed lines were affected first, before a country-wide blackout around 5 pm on Wednesday cut all connectivity in the country. “What’s striking here is the rapid deployment of internet restrictions at national scale, effectively resulting in an information vacuum both inside and outside the country. This has made it difficult to get a clear picture of what is happening on the ground in Kazakhstan as political instability spirals,” Toker said.

    “In [the] past we’ve document[ed] internet disruptions in Kazakhstan during elections and protests, but the severity here is markedly on a different scale,” Toker added. NetBlocks released multiple graphs showing that internet service through mobile providers such as Kcell, Beeline and Tele2 was still significantly disrupted on Wednesday as the government responded forcefully to the protests. Cloudflare found that the largest telecommunications company in the country, Kaz Telecom, was also affected. Many observers noted that an internet blackout of this scale would mean banks, businesses and many other daily functions would struggle to continue. Cloudflare explained that Kazakhstan is a country where mobile “represents something like 75% of Internet traffic.”

    NetBlocks said this kind of internet disruption “affects connectivity at the network layer and cannot always be worked around with the use of circumvention software or VPNs.” The blackouts also cut everyone outside Kazakhstan off from websites and services hosted in the country, including government and news sites. The internet watchdog added that Kazakhstan’s leaders have a history of using internet restrictions to control protests; NetBlocks has tracked Kazakhstan internet blackouts during elections and certain holidays. The Associated Press reported on Wednesday that protesters set both the presidential residence and the Almaty mayor’s office on fire as unrest evolved from protests about the price of liquefied petroleum gas into nationwide demonstrations against the ruling party, which has been in power since the country gained independence in 1991. The government resigned on Wednesday, but President Kassym-Jomart Tokayev said all officials would remain in their roles until replacements are found. Cloudflare noted that it is becoming increasingly common for authoritarian leaders facing protests to shut down an entire country’s internet to quell outrage and limit the ability of protesters in different towns to communicate; the leaders of Sudan and Myanmar did the same most recently when faced with mass protests.

    NY AG notifies 17 companies of breaches, says 1.1 million accounts compromised in attacks

    New York Attorney General Letitia James has notified seventeen companies of cyberattacks that compromised user information, following an investigation into credential stuffing. More than 1 million customer accounts were compromised in the attacks, which James said had previously gone undetected.

    James said her office was releasing a guide for businesses on how to deal with credential stuffing attacks, noting that the practice has “quickly become one of the top attack vectors online.” The 17 businesses affected include well-known online retailers, restaurant chains and food delivery services. The FBI said last year that credential stuffing attacks, which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services, have been used to compromise 50,000 online bank accounts since 2017. Akamai released a report last year that counted over 193 billion credential stuffing attempts globally in 2020. “Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” said James. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts, and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.” The Office of the Attorney General (OAG) monitored online communities dedicated to credential stuffing and found thousands of posts containing customer login credentials that attackers had tested in credential stuffing attacks and confirmed could be used to access customer accounts on websites or apps. After being contacted, all 17 companies investigated the OAG’s findings and took steps to protect users; the OAG said “nearly” all of them “implemented, or made plans to implement additional safeguards.” These safeguards include bot detection services, multi-factor authentication and password-less authentication. The OAG also urged companies to monitor customer traffic for signs of credential stuffing, such as spikes in the volume of failed login attempts.

    James also said businesses need to require re-authentication before customer payment information can be used, to prevent attackers who have taken over an account from exploiting it. “It is critically important that re-authentication be required for every method of payment that a business accepts. The OAG encountered many cases in which attackers were able to exploit gaps in fraud protection by making a purchase using a payment method that did not require re-authentication,” the OAG said. “Businesses should have a written incident response plan that includes processes for responding to credential stuffing attacks. The processes should include investigation and notice.” Two weeks ago, the UK National Crime Agency and its National Cyber Crime Unit discovered a cache of 225 million stolen email addresses and passwords, which they handed over to Have I Been Pwned, the service that tracks credentials stolen or leaked in past data breaches.
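The monitoring step the OAG guide calls for, as an added example that is not part of the story or of the OAG’s guidance: credential stuffing replays username/password pairs leaked from other sites, so a stuffing client tries many distinct usernames, each only once or twice, and fails almost every time, whereas a brute-force client hammers one account. The detector below keys on that shape per source address per time window and also reports the site-wide failed-login share per window, the spike the OAG mentions. The log format and the traffic are constructed for the example; the `ok|fail` field and the ten-minute window are assumptions, not any product’s format.

```python
"""Spot credential stuffing in authentication logs.

Added example, not the OAG's guidance or a vendor's bot-detection product.
Stuffing signature per source address: many distinct usernames, roughly one
try each, mostly failures. Brute force (many tries, one account) is excluded.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

EPOCH = datetime(1970, 1, 1)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Event:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


@dataclass(frozen=True)
class Finding:
    window_start: datetime
    src_ip: str
    attempts: int
    distinct_users: int
    failure_rate: float


def parse(line: str) -> Event:
    """Assumed (constructed) log format: '<iso-timestamp> <src_ip> <username> ok|fail'."""
    ts, ip, user, result = line.split()
    return Event(datetime.strptime(ts, TS_FMT), ip, user, result == "ok")


def window_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its tumbling window."""
    return EPOCH + (ts - EPOCH) // window * window


def detect_stuffing(lines: Iterable[str], window: timedelta = timedelta(minutes=10),
                    min_users: int = 20, max_tries_per_user: float = 2.0,
                    min_failure_rate: float = 0.8) -> List[Finding]:
    """Flag (window, source) pairs with the stuffing shape: at least min_users
    distinct usernames, few tries per username, and mostly failures."""
    buckets: Dict[Tuple[datetime, str], List[Event]] = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse(line)
            buckets[(window_start(ev.ts, window), ev.src_ip)].append(ev)
    findings: List[Finding] = []
    for (start, ip), evs in sorted(buckets.items()):
        users = {e.user for e in evs}
        failures = sum(1 for e in evs if not e.ok)
        rate = failures / len(evs)
        if (len(users) >= min_users
                and len(evs) / len(users) <= max_tries_per_user
                and rate >= min_failure_rate):
            findings.append(Finding(start, ip, len(evs), len(users), round(rate, 3)))
    return findings


def failed_login_share(lines: Iterable[str],
                       window: timedelta = timedelta(minutes=10)) -> Dict[datetime, float]:
    """Site-wide failed-login fraction per window; compared with a quiet baseline
    this is the spike that accompanies a stuffing run."""
    totals: Dict[datetime, List[int]] = defaultdict(lambda: [0, 0])  # [attempts, failures]
    for line in lines:
        if line.strip():
            ev = parse(line)
            t = totals[window_start(ev.ts, window)]
            t[0] += 1
            t[1] += 0 if ev.ok else 1
    return {start: f / a for start, (a, f) in sorted(totals.items())}


def build_sample_log() -> List[str]:
    """Constructed sample traffic for one ten-minute window (not real logs)."""
    base = datetime(2022, 1, 5, 10, 0, 0)
    lines: List[str] = []
    # Ordinary users logging in from their own addresses, with a few typos.
    for i in range(15):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts:{TS_FMT}} 198.51.100.{i + 1} user{i} {'fail' if i % 7 == 0 else 'ok'}")
    # Brute force: one client retrying a single account 30 times (not stuffing).
    for i in range(30):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts:{TS_FMT}} 203.0.113.5 admin fail")
    # Credential stuffing: one client replaying 40 leaked usernames once each;
    # two of the leaked passwords still work, which is the attacker's payoff.
    for i in range(40):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts:{TS_FMT}} 192.0.2.77 leaked{i} {'ok' if i in (11, 29) else 'fail'}")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for f in detect_stuffing(log):
        print(f"{f.window_start:{TS_FMT}} {f.src_ip}: {f.attempts} attempts, "
              f"{f.distinct_users} usernames, {f.failure_rate:.0%} failed")
    for start, share in failed_login_share(log).items():
        print(f"{start:{TS_FMT}} site-wide failed-login share {share:.0%}")
```

On the sample, only 192.0.2.77 is reported (40 usernames, 95% failures); the brute-force client is left to a per-account lockout rule, and the legitimate typos never approach the threshold. Real stuffing runs rotate through proxy pools, so in production the same aggregation is worth repeating per /24, ASN or client fingerprint rather than per single address.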

    This iOS 15 bug could crash your iPhone permanently

    A security researcher has publicly disclosed a bug in iOS 15.2 (present going back to iOS 14.7 and possibly earlier) relating to HomeKit that can be used to crash an iPhone persistently. Trevor Spiniolas found that changing the name of a HomeKit device to a very long string (he used 500,000 characters in testing) crashes the iPhone associated with it. To make matters worse, because the device name is backed up to the user’s iCloud account, restoring the iPhone and signing back into the iCloud account linked to the HomeKit device triggers the bug all over again.

    According to Spiniolas, “[t]his bug poses a significant risk to the data of iOS users, but the public can protect themselves from the worst of its effects by disabling Home devices in control center in order to protect local data.” Spiniolas decided to make the bug public after initially reporting it to Apple on August 10, with Apple promising a fix “before 2022.” On December 10, Apple then told Spiniolas that the fix would come in “early 2022,” at which point he decided to publish on January 1, 2022. “The public should be aware of this vulnerability and how to prevent it from being exploited,” writes Spiniolas, “rather than being kept in the dark.” Think you might be affected by this bug? Spiniolas has outlined the process to get the iPhone working again:
    1. Restore the affected device from Recovery or DFU mode.
    2. Set up the device as normal, but do NOT sign back into the iCloud account.
    3. After setup is finished, sign into iCloud from Settings. Immediately after doing so, disable the switch labeled “Home.”
    The device and iCloud should then function again, without access to Home data.