IT NEWS

Logistics giant warns of scams following ransomware attack

German logistics giant Hellmann Worldwide Logistics has issued a warning that data was stolen from the company when it was hit with a ransomware attack on December 9, 2021. It is not entirely clear what type of data was extracted, but the company says it is warning partners and customers to double-check their communications with it, as a precaution. Criminals could use the leaked data to make social engineering attacks more believable, so Hellmann is asking people who do business with it to look out for fraudulent mails and calls.

…the forensic investigation has meanwhile confirmed that data was extracted from our servers before our systems were taken offline on December 9. We are currently investigating what type of data was extracted and will proactively provide further information as soon as possible. We are in regular contact with relevant government authorities.

Please note that the number of so-called fraudulent calls and mails has generally increased. Whilst communication with Hellmann staff via email and telephone remains safe (inbound and outbound), please make sure that you are actually communicating with a Hellmann employee and beware of fraudulent mails/calls from suspicious sources, in particular regarding payment transfers, changes to bank account details or the like.

Hellmann is one of the largest international logistics providers. Founded in 1871, it handles 16 million shipments per year by air, sea, road, and rail, and is active in 173 countries.

Stolen data

On December 9 it became obvious that there were problems at Hellmann Worldwide Logistics.

By the time the firm’s IT team responded, the threat actors had already exfiltrated sensitive files from the compromised servers. Many ransomware operators use the threat of leaking stolen data for extra leverage during the ransom negotiation stage. While companies can use backups to recover from data encryption without paying the ransom, they can’t use them to contain leaks.

And indeed, when the negotiations between Hellmann and the threat actor fell apart, the RansomExx group published some 70 GB of stolen documents on its leak site. The data reportedly included business agreements, intra-company emails, and more.

Free to download

The stolen data can be downloaded by anyone, including other criminals, who may use it to add insider knowledge to business email compromise (BEC) attacks and phishing attempts, to give them more credibility.

RansomExx

While RansomExx is not one of the ransomware operators that you see in the news often, they do have a reputation for going after big targets. In the past the group has attacked Konica Minolta, Gigabyte, and the Lazio region in Italy (including its COVID-19 vaccination registration portal).

The RansomExx ransomware is a rebranded Defray777 ransomware, which has become a lot more active since June 2020. The ransomware itself is highly targeted. Each sample contains a hardcoded name of the victim organization.

The group uses different methods to gain entry into a target’s network. In earlier cases the threat actors established an initial foothold through common banking trojans such as IcedID or Trickbot. From there, they deployed the Vatet loader, the PyXie RAT, and Cobalt Strike, before executing the ransomware entirely in memory.

And, like other ransomware operations, RansomExx has also been known to breach networks using vulnerabilities or stolen credentials.

In February, the group was found abusing vulnerabilities in VMware ESXi, allowing it to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives. Malwarebytes blocks RansomExx as Malware.Ransom.Agent.Generic.


Stay safe, everyone!

The post Logistics giant warns of scams following ransomware attack appeared first on Malwarebytes Labs.

FBI traces and grabs back $150 million theft that was turned into bitcoins

On December 1, 2021, the Tokyo police arrested an employee of Sony Life Insurance on suspicion of fraudulently obtaining 17 billion yen through an illegal money transfer from an overseas unit.

On the same day, 3,879 bitcoins, worth about $150 million, were seized by law enforcement, and on December 20 the US government took action in federal court to return them to Sony.

The theft

The funds were embezzled by Sony employee Rei Ishii, who pretended to conduct a legal fund transfer in May 2021. He allegedly transferred the money from SA Reinsurance Ltd’s bank account to a different bank account overseas by falsifying transaction instructions, which caused the funds to be transferred to an account that Ishii controlled at a bank in La Jolla, California. He then quickly converted the funds to bitcoins, as criminals do.

Although Sony had a double authentication process set up for international money transfers, requiring both Ishii and his supervisor to sign them off, Ishii is said to have instructed the company’s bank to change the contact email address for his boss, which enabled him to both initiate and sign off money transfers.

Sony Life Insurance discovered the unapproved money transfer in August, and US law enforcement was able to trace the bitcoin transfers to a specific Bitcoin address, and then to an offline cryptocurrency cold wallet.

The recovery

The FBI—in cooperation with Japan’s National Police Agency, the Tokyo Metropolitan Police Department, Tokyo District Public Prosecutors Office, the Japan Prosecutors unit on Emerging Crimes (JPEC), and with assistance from Sony and Citibank—then obtained the private key needed to control the Bitcoin address. This allowed them to recover all the bitcoins that could be traced back to the theft.

An FBI press release on the matter spells out how long the long arm of the law is when agencies in different countries cooperate:

Second, the FBI’s footprint internationally through our Legal Attaché offices and the pre-existing relationships we have established in foreign countries—in this instance with Japan—enabled law enforcement to coordinate and identify the subject. The FBI’s technical expertise was able to trace the money to the subject’s crypto wallet and seize those funds … Criminals should take note: You cannot rely on cryptocurrency to hide your ill-gotten gains from law enforcement.

The end?

The FBI intends to return the stolen funds to the victim, and Ishii has been charged in Japan. However, the FBI continues to investigate the crime. The Major Frauds and Public Corruption Section and Asset Recovery Section of the US Attorney’s Office for the Southern District of California is handling the proceedings, with significant assistance from the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section and Computer Crime and Intellectual Property Section.

The post FBI traces and grabs back $150 million theft that was turned into bitcoins appeared first on Malwarebytes Labs.

Dridex affiliate dresses up as Scrooge

Threat actors are hoping to catch a few more victims before they leave work for the Christmas holidays. The recent malicious spam campaigns (malspam) we and others have observed appear to have been created by someone who wants to play Scrooge and add onto people’s already heightened state of anxiety.

The lures are particularly mean, playing on people’s fears about job security and Covid infection. Unsuspecting users who open the attachments get infected with Dridex, a multi-purpose loader that can drop additional payloads, including ransomware.

Dark lures

An email captured by TheAnalyst shows fake termination letters being sent out by a Dridex affiliate. What kind of employer would terminate someone on Christmas Eve?


We’ve also seen similar morbid subjects using the latest Covid variant, Omicron, likely from the same threat actor.


The email claims that 80% of the company’s employees have tested positive for Omicron and that you were a close contact. Opening the so-called test results in the attached document delivers malware.


Maldoc leads to Dridex

The Excel document is password protected to prevent sandboxes from analyzing it and flagging it as malicious. It also requires user interaction, a click on a pop-up dialog, before the macro runs.

It drops an .rtf file into %programdata% and executes it via mshta.exe.

The .rtf file downloads the actual payload, which is hosted on Discord’s CDN.

This binary belongs to the Dridex malware family.

Malwarebytes customers are protected against this attack thanks to our Anti-Exploit layer which automatically closes the malicious attachment before it can deliver its payload.


As always, we recommend that users stay particularly vigilant when opening emails, especially ones that sound urgent and demand immediate attention. When in doubt, it is best to contact your IT or HR department for more information and to confirm whether the email is legitimate.
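Detection logic for the Excel to mshta.exe to Discord CDN chain described above, as an added example rather than Malwarebytes’ own detection code. The events are constructed samples in a Sysmon-like shape, and the field names (kind, image, parent_image, command_line, dest_host) and the dropped file name are assumptions.

```python
"""Flag the Excel -> mshta.exe -> Discord CDN chain from the Dridex post.

Added example, not Malwarebytes' code. Events are constructed samples in a
Sysmon-like shape; the field names are assumptions.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Matches %programdata% or a literal <drive>:\ProgramData\ in a command line.
PROGRAMDATA_RE = re.compile(r"(?:%programdata%|[a-z]:\\programdata)\\", re.I)
DISCORD_CDN = "cdn.discordapp.com"


@dataclass
class Event:
    kind: str               # "process" (process creation) or "network" (connection)
    image: str              # executable that performed the action
    parent_image: str = ""  # process events only
    command_line: str = ""  # process events only
    dest_host: str = ""     # network events only


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def findings_for(ev: Event) -> list:
    """Rules distilled from the chain in the post; every rule keys on mshta.exe."""
    hits = []
    if basename(ev.image) != "mshta.exe":
        return hits
    if ev.kind == "process":
        if basename(ev.parent_image) in OFFICE_APPS:
            hits.append("mshta.exe spawned by an Office application")
        if PROGRAMDATA_RE.search(ev.command_line):
            hits.append("mshta.exe running a file dropped under %programdata%")
        if ".rtf" in ev.command_line.lower():
            hits.append("mshta.exe handed an .rtf file (HTA content, not a document)")
    elif ev.kind == "network" and ev.dest_host.lower() == DISCORD_CDN:
        hits.append("mshta.exe fetching a payload from Discord's CDN")
    return hits


def triage(events) -> list:
    """Return (index, findings) for each event that trips at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = findings_for(ev)
        if hits:
            out.append((i, hits))
    return out


def assess(events) -> str:
    """'high' when both the launch and the download stage are seen,
    'medium' for a single stage, 'none' otherwise."""
    kinds = {events[i].kind for i, _ in triage(events)}
    if {"process", "network"} <= kinds:
        return "high"
    return "medium" if kinds else "none"


# Constructed sample telemetry: a benign Excel launch, the malicious chain,
# and ordinary browser traffic to Discord that must not alert.
SAMPLE_EVENTS = [
    Event("process", r"C:\Program Files\Microsoft Office\EXCEL.EXE",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'"EXCEL.EXE" C:\Users\bob\Downloads\TermLetter.xls'),
    Event("process", r"C:\Windows\System32\mshta.exe",
          parent_image=r"C:\Program Files\Microsoft Office\EXCEL.EXE",
          command_line=r"mshta.exe C:\ProgramData\update.rtf"),  # constructed file name
    Event("network", r"C:\Windows\System32\mshta.exe", dest_host="cdn.discordapp.com"),
    Event("network", r"C:\Program Files\Google\Chrome\chrome.exe",
          dest_host="cdn.discordapp.com"),
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(hits))
    print("assessment:", assess(SAMPLE_EVENTS))
```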

Indicators of compromise

Malicious documents

TermLetter.xls

Positive_Result_51589380.xls

Results12232021.xls

TestingResult.xls

Network IOCs

cdn[.]discordapp[.]com/attachments/914830201811238985/923509961307357205/cPRBQdzjCbfmuhammadismyfriend.bin

The post Dridex affiliate dresses up as Scrooge appeared first on Malwarebytes Labs.

Police forces pipe 225 million pwned passwords into ‘Have I Been Pwned?’

On his blog, Troy Hunt has announced a major milestone in the ‘Have I Been Pwned?’ project, thanks to the contributions of two of the world’s foremost law enforcement agencies, the FBI and the NCA (the UK’s National Crime Agency, its equivalent of the FBI).

This enormous injection of compromised passwords has puffed up the world’s largest publicly available password database by 38%, according to Hunt.

‘Have I Been Pwned?’

‘Have I Been Pwned?’ (HIBP) allows users to type in an email address, phone number or password and find out how many times it has been involved in a data breach. So, if HIBP says your email address was involved in the great big LinkedIn breach of 2012, the Canva breach of 2019, or any other notable episode of credential theft, you know to change your passwords on those systems, and not use them anywhere else. If it says a password you use has been breached, you know to never use it again.

In recent years, HIBP has been integrated with a number of third-party systems like password managers and web browsers, so they can alert users immediately if they attempt to use a credential that might already be in the hands of cybercriminals.

The site has been around for almost a decade, and through the years it has proven itself to be an extremely useful tool for everyday Internet users, governments, and organizations alike. The project is run by Troy Hunt with support from the community. The model he uses makes sure that privacy is maintained and passwords can safely be checked without any risk of disclosure. And it’s extremely well used. To give you some perspective, in the last month, there were 1,260,000,000 occasions where a service somewhere checked a password against HIBP’s Pwned Password API.

Hunt says the system stores minimal information about each user, and it only stores SHA-1 hashes of passwords (because you can generate a hash from a password, but you can’t work back from the hash to the password). If you enter a password to see if it’s been pwned, it’s immediately turned into a SHA-1 hash and checked against the database.
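A privacy-preserving check in the style of the Pwned Passwords lookup that password managers and browsers integrate with, as an added example that is not HIBP’s own code. The 5-hex-character prefix range query is how the public Pwned Passwords API works (a known fact, not described in the post itself); SAMPLE_RANGES is a constructed, truncated stand-in for a real range response and its counts are made up.

```python
"""Check a password against a Pwned Passwords style range response.

Added example, not HIBP's code. Only a 5-character SHA-1 prefix leaves the
client; the matching is done locally against the returned range.
"""
import hashlib

PREFIX_LEN = 5  # characters of the SHA-1 hex digest that are sent to the server


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords stores."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """(prefix sent to the server, suffix that never leaves the client)."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


# Constructed sample of the text a range lookup returns: one "<suffix>:<count>"
# line for every known hash that shares the requested prefix. Counts are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "0009E9D0C3B4F2A1B7C6D5E4F3A2B1C0D9E:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"  # suffix of SHA-1("password")
        "FFD4F1C2B3A4958677665544332211000AB:17\n"
    ),
}


def fetch_sample_range(prefix: str) -> str:
    """Stand-in for the network call; a real client would GET /range/<prefix>."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def count_in_range(range_text: str, suffix: str) -> int:
    """Match the local suffix against the returned lines; 0 if absent."""
    for line in range_text.splitlines():
        if not line.strip():
            continue
        found, _, count = line.partition(":")
        if found.strip().upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range=fetch_sample_range) -> int:
    """Number of times the password appears in breaches. Only the hash prefix
    is handed to fetch_range; the server learns neither the password nor
    its full hash."""
    prefix, suffix = split_hash(sha1_hex(password))
    return count_in_range(fetch_range(prefix), suffix)


if __name__ == "__main__":
    for pw in ("password", "abc"):
        n = check_password(pw)
        print(f"{pw!r}: " + (f"seen {n} times" if n else "not in sample set"))
```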

Police pipeline

In May of 2021, Hunt announced that the FBI had reached out to him and discussed what it might look like if the FBI were to feed compromised passwords into HIBP and surface them via the Pwned Passwords feature.

Over the last few months the HIBP project has been revamped to allow data to be fed into the system as it is made available by law enforcement. This new pipeline enables the ingestion of passwords from law enforcement agencies like the FBI and the NCA.

The NCA contribution has been enormous. At some point the NCA indicated it had hundreds of millions of passwords it believed weren’t already in the Pwned Passwords store of 613 million password hashes. After cross-checking, 225,665,425 turned out to be brand new. Adding them has inflated the total Pwned Passwords count to 847,223,402.

Have you been pwned?

While it is useful to know whether your personal details or credentials have been leaked, it is much more important to act on the information. So, what do you do now, knowing that your account might have been compromised?

For starters, change your password. Your new password needs to be hard to guess, and the best way to ensure that is to let a password manager do it for you. If you’re doing it yourself, pick something that is hard to guess: Avoid individual words, and avoid passwords that look like words with a few numb3r5 sprinkled in them. Instead, go for lengthy pass phrases or long, meaningless combinations of letters, numbers, and other characters.

Lastly, use two-factor authentication (2FA) to add a layer of protection to your accounts. We strongly suggest using a hardware key like a YubiKey. The next best option is a one-time password (OTP) app like Google Authenticator. Take note that some big-name companies like Facebook have already started giving their users the option to use a hardware key. So if you want to do that, check if your online service provider offers it, too, and take advantage of it.

Stay safe!

The post Police forces pipe 225 million pwned passwords into ‘Have I Been Pwned?’ appeared first on Malwarebytes Labs.

A week in security (Dec 13 – 19)

When a deepfake “empire” continues to grow

I’ve been quite vocal on the impact of deepfakes, in terms of where the most harm takes place. Back in 2019, we looked at malign interference campaigns. I took the line that, other than revenge porn, this was where deepfakes were likely to have the most influence. Although people keep talking about major election interference, nothing of significance ever happens. Indeed, election fakes tend to be pretty bad.

Meanwhile, in smaller scale but significantly more personal cases, horrible fakes of teenagers were the order of the day. When you make fakery easily available to all on DIY mobile apps, the results are inevitable: People are going to be awful to one another. Deepfake shenanigans are primarily all about mass producing harmful fake porn of individuals without consent.

On that subject specifically, there’s news of yet another site offering easy DIY deepfake porn.

The beginnings of a Deepfake empire?

The unnamed site in question uses AI to generate nude images of women. Sites in the past along these lines have tended to operate in isolation. This time, the site is using “partner agreements” and referral systems to generate look-alike services. If one site goes down, others are ready and waiting to take its place.

Researchers claim the images are “hyper realistic” and that the site is able to generate nude / pornographic imagery even when the submitted photo shows fully clothed individuals. Site operators say they’re building a decentralised model to help ward off the threat of takedowns while raking in the cash. Wired reports up to 50 million visits between January and October of 2021. One day alone apparently saw hundreds of thousands of image uploads run through the fakery tool. These are big numbers, with big money implications.

Reactive measures

When action started to be taken against the main site, with payment accounts suspended and hosting removed, numbers fell, which seems to have kickstarted the partner program drive. Wired states that a spin-off site operator claims to be paying about $500 to the main site in return for being able to generate up to 10,000 naked edits.

With the traffic numbers these sites are doing, many would view $500 as a small outlay to generate so many fakes. The spin-off sites funnel image creators down the payment route after allowing visitors to generate some free images initially. It’s a guaranteed money spinner, and fake DIY sites aren’t exactly difficult to find online. As many sites and creators go off and promote their content on social media, it’s becoming increasingly easy to find dubious services along these lines and make use of them.

Where does the deepfake harm lie?

The majority of non-consensual deepfake imagery targets women, and always has. For every vaguely humorous fake of Tom Cruise being Tom Cruise, there are many more women placed into content they want no part of. Laws continue to struggle to deal with the problem. With anonymous creators generating thousands of images on the fly in other jurisdictions, it’s an uphill struggle to take the reins on the situation.

The genie’s bottle: broken

Deepfakes appear to be seeping into most aspects of technological life. Witness someone resurrect their father, then be utterly mortified by what they’ve done. You’ve got those who continue to talk about the risk it poses to business. Elsewhere, the tattered remnants of “deepfakes could derail the US elections” continue to burn out quietly in the corner.

For most everyone else, though, the only real probable harm is from what pretty much kicked things into the mainstream arena in the first place: Pornographic images created without permission. I’m willing to bet that’s going to be the biggest issue for a long time to come.

The post When a deepfake “empire” continues to grow appeared first on Malwarebytes Labs.

Everything you always wanted to know about NFTs (but were too afraid to ask): Lock and Code S02E24

In August, the NFT for a cartoon rock sold for $1.3 million, and ever since then, much of the world has been asking: What the heck is going on?

NFTs, or non-fungible tokens, have skyrocketed in popularity this year, with the NFTs for several artworks selling for more than $2 million each; the most expensive sale being that of the NFT for the piece “Everydays: The First 5,000 Days,” which sold for $69 million. Many celebrities, including Jay-Z, Steph Curry, Elijah Wood, Reese Witherspoon, and Lindsay Lohan have either purchased, sold, or expressed interest in NFTs, as well.

But just what exactly is an NFT, and when people buy an NFT associated with a piece of art, do they also buy that artwork itself?

Not exactly, as we explain in today’s episode of Lock and Code, with host David Ruiz. An NFT is not the artwork itself, but rather a way to prove that the artwork in question is owned by the NFT’s purchaser. Think of it as a car title—it’s a way to prove that something you say is yours is actually yours. But with a car title, it’s hard to imagine someone purchasing just the slip of paper and not also wanting access to the car. After all, what good is ownership of a thing if you can’t do anything with it?

To answer this and many, many other questions about NFTs, we spoke to three experts on three separate NFT topics: The basics of NFTs and the cryptocurrency-related technology behind them, the implied value of NFTs and why people are paying so much money for them, and the future of NFTs both within the art world and beyond it.

As to why NFTs are demanding such high prices for such basic art? According to our guest Lucas Matney, a writer for TechCrunch who covers NFTs, it’s that owning a small digital image isn’t just about being able to display it on, say, a Twitter profile. Instead, it’s also about being part of something potentially bigger.

“The idea of ownership is more about it being an investment in something that is, you know, provably yours, you know, that’s how NFTs work, but it’s more about it being kind of a share of a larger product.”

Lucas Matney, TechCrunch

As to whether or not NFTs are a safe or smart investment vehicle? Well, you’ll have to listen to our full episode to learn more.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Everything you always wanted to know about NFTs (but were too afraid to ask): Lock and Code S02E24 appeared first on Malwarebytes Labs.

Grindr fined for selling user data to advertisers

Dating network Grindr has been slapped with a US$7.7 million fine by Norwegian regulator Datatilsynet for sharing data with advertisers.

Grindr—which calls itself the world’s largest social networking app for gay, bi, trans, and queer people—sold data which includes GPS location, IP address, age, and gender.

No consent, no app

The Norwegian Data Protection Authority (Datatilsynet) ruled that the way in which Grindr collected user consent did not meet the requirements stipulated in the EU GDPR. As such, the disclosure of personal data was in breach of the Privacy Ordinance.

Users had to accept the privacy statement in its entirety to use the app, and they were not specifically asked if they would consent to disclosure to third parties for marketing purposes. In addition, information about the disclosure of personal information was not clear or accessible enough to users.

The fine covers the period from July 2018, when the “Law on the Processing of Personal Data (Personal Data Act)” was established, until April 2020, when Grindr changed the consent solution. Whether Grindr’s current consent solution meets with the legal demands has not been established yet.

Shared data

Grindr disclosed information about a user’s GPS location, IP address, mobile phone advertising ID, age and gender to several third parties for marketing purposes. With this information, users could be identified, and third parties could potentially share this data further.

According to GDPR, the personal data that companies must protect includes any information that can “directly or indirectly” identify a person—or subject—to whom the data belongs or describes. Included are names, identification numbers, location data, online identifiers like screen names or account names, and even characteristics that describe the “physical, physiological, genetic, mental, commercial, cultural, or social identity of a person.”

The authority emphasized that the information that a person is a Grindr user establishes a special category of personal information, because it strongly indicates that they belong to a sexual minority. Information about someone’s sexual orientation has a special protection in the Privacy Ordinance. And since the consent Grindr collected was invalid, Grindr was not legally entitled to share such information.

It is customary in dating apps to be very careful about the information you share. Many users choose not to enter their full name or upload photos of their face so that they can be discreet. Nevertheless, identifiable information about them and their use of Grindr was passed on to an unknown number of companies for marketing purposes.

High fine

Datatilsynet initially fined Grindr around US$12.2 million following an initial ruling in January 2021, but later revised this amount down to US$7.7 million after reviewing Grindr’s turnover figures. Nevertheless, this is the highest fine to date from the Norwegian Data Protection Authority.

Despite reconsidering the amount, Norway considers the offence by Grindr to be “grave” – most likely because the data collected, including gender, falls under the GDPR rules. According to Datatilsynet:

“Because thousands of users in Norway have had their personal information illegally disclosed for Grindr’s commercial interests, including location data and that they are Grindr users. Business models based on behavior-based marketing are common in the digital economy, and it is important that the infringement fee for offenses acts as a deterrent and contributes to compliance with the privacy regulations.”

Grindr has not responded to the fine and now has three weeks to appeal the verdict. The app has previously confirmed that the fined offenses were committed before April 2020, when its terms of use were updated.

Previous concerns

It is not the first time Grindr has raised privacy concerns. Earlier action against the app was sparked by an NPR news report exposing Grindr’s practice of sharing the most personal and sensitive information of its users with third-party analytics firms, without their informed consent. That data included personally identifiable and sensitive user information such as HIV status, email address, telephone number, precise geolocation, sexuality, relationship status, ethnicity and “last HIV tested date.”

The post Grindr fined for selling user data to advertisers appeared first on Malwarebytes Labs.

After Log4j, December’s Patch Tuesday has snuck up on us

For anyone about to sit back after checking their environment for the Log4j vulnerabilities and applying patches where needed, here are some more things that need patching.

Microsoft

In 2021’s final Patch Tuesday, Microsoft included a total of 67 fixes for security vulnerabilities. The total set of updates includes patches for six publicly known bugs and seven critical security vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

CVE-2021-42310 Microsoft Defender for IoT Remote Code Execution vulnerability. Due to a flaw in the password reset request process, an attacker can reset someone else’s password. The attack may be launched remotely. No form of authentication is required for exploitation.

CVE-2021-43905 Microsoft Office app Remote Code Execution vulnerability. This vulnerability was rated 9.6 out of 10 on the CVSS vulnerability-severity scale, and Microsoft thinks it is likely to be exploited.

CVE-2021-43899 Microsoft 4K Wireless Display Adapter Remote Code Execution vulnerability. This vulnerability was rated 9.8 out of 10 on the CVSS vulnerability-severity scale, even though Microsoft says it’s not likely to be exploited. You will need to install the Microsoft Wireless Display Adapter app from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Once installed, use the Update & security section of the app to download and install the latest firmware.

CVE-2021-43890 Windows AppX Installer Spoofing vulnerability. This vulnerability allows an attacker to create a malicious package file and then modify it to look like a legitimate application. We reported on this vulnerability being used in the wild by Emotet (among others).

CVE-2021-43883 Windows Installer Elevation of Privilege vulnerability. This is a patch to patch a bypassed patch in Windows Installer that was initially fixed in November. By exploiting this vulnerability, threat actors that already have limited access to compromised systems can elevate their privileges and use these privileges to spread laterally within a target network.

CVE-2021-43215 iSNS Server Memory Corruption vulnerability can lead to remote code execution (RCE). An attacker could send a specially crafted request to the Internet Storage Name Service (iSNS) server, which could result in an RCE. The Internet Storage Name Service (iSNS) protocol is used for interaction between iSNS servers and iSNS clients.

CVE-2021-43217 Windows Encrypting File System (EFS) Remote Code Execution vulnerability. An attacker could cause a buffer overflow write leading to unauthenticated non-sandboxed code execution. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how EFS makes connections from client to server. When the second phase of Windows updates become available in Q1 2022, customers will be notified via a revision to the security vulnerability.

CVE-2021-41333 Windows Print Spooler Elevation of Privilege vulnerability. Exploit code for this vulnerability is available and works in most situations where the vulnerability exists, which makes it a priority to fix, even if we haven’t seen any attacks using it in the wild.

Apple

Apple has also published security updates. The update includes fixes for the remote jailbreaks that were demonstrated at the Tianfu Cup in October.

Apple has issued security updates for WebKit in Safari 15.2 and for a total of 42 vulnerabilities in iOS 15.2 and iPadOS 15.2. Included in the patches were fixes for several vulnerabilities that allowed anyone with physical access to a device to view contacts on a locked device, and to view stored passwords without authentication.

Others

Other vendors that issued updates to keep an eye on were:

  • Google (Chrome)
  • Adobe
  • SAP
  • Apache, Cisco, VMware, UniFi, and probably others as well, issued Log4j related patches.

Stay safe, everyone!

The post After Log4j, December’s Patch Tuesday has snuck up on us appeared first on Malwarebytes Labs.

What SMBs can do to protect against Log4Shell attacks

As you may already know, the business, tech, and cybersecurity industries have been buzzing about Log4Shell (CVE-2021-44228), aka Logjam, the latest software flaw, found in earlier versions of the Apache Log4j logging utility. As the name suggests, a logger is a piece of software that records events that happen in a computer system. The records it produces are useful for IT and security folks to trace errors or check for abnormal behavior within a system.

Understandably, this may be the first time you’ve been told explicitly about the Log4j tool, but what many don’t realize is that hundreds of millions of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, rely on it. The software and online services you use in your business may be Java-based, too, thus opening you up for possible exploitation.

Exploiting this flaw allows attackers to worm their way into unpatched systems and take control of them. Having it on any endpoint is seriously bad because of the ultra-wide attack surface it exposes and the damage that could follow.

Read everything you need to know about Log4Shell in our blog post, “Log4j zero-day ‘Log4Shell’ arrives just in time to ruin your weekend.”

Because of all this, there is a great need for businesses, particularly SMBs, to protect themselves against threats that take advantage of the Log4Shell vulnerability, especially now that Microsoft has started seeing underground groups it dubs “access brokers” exploiting Log4Shell to gain initial access to target company networks, in the hope of selling that access to ransomware threat actors.

According to the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Threat Intelligence Team in a blog post: “We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.”

Ransomware is not the only concern, either. Threat actors can also install cryptominers, malware that turns devices into bots and makes them part of a botnet—which Mirai bot herders have already started doing—and Cobalt Strike, which cybercriminals abuse to perform network surveillance.

How can SMBs protect themselves from Log4j-enabled attacks?

SMBs that use Linux can start by checking whether the version of the platform they are using is affected. TechRepublic published a nifty guide on how to do that.

SMB Windows users, on the other hand, should expect to be vulnerable, as Microsoft uses Java-based apps in its products. The company has provided lengthy guidance on the matter of Log4j here, which it has regularly updated with observations on criminal activity involving the abuse of the Log4Shell flaw. It is essential to keep returning to that blog post for updates.

Once you have determined that your platform is impacted by Log4Shell, you must upgrade to the latest version of Apache Log4j, which is 2.15.0. If you’re using versions between 2.10 and 2.14.1 but can’t update to the newest version yet, RiskIQ advises organizations to change the following JVM parameter value to “true” and restart the Java process:

-DLog4j2.formatMsgNoLookups=true

“Organizations who are unclear where to include this parameter must check the documentation of the related Java project/product in use for the correct place,” the company further advises. “Alternatively, they may set the LOG4J_FORMAT_MSG_NO_LOOKUPS="true" environment variable to force this change. Kubernetes deployments may use this environment variable approach to set it across Kubernetes clusters, effectively reflecting on all pods and containers automatically.”
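A triage helper for the steps above, as an added example that is not RiskIQ’s, Microsoft’s or Apache’s tooling: it sorts a log4j-core version into the three cases the post describes (fixed, mitigable with the JVM flag, must upgrade), reads the declared version out of a jar’s manifest, and checks whether the formatMsgNoLookups flag or environment variable is set. The jars it inspects are constructed stand-ins written by build_sample_jar() so it runs offline, and the JndiLookup class check is a common indicator that is not taken from the post.

```python
"""Log4Shell triage: version classification, jar inspection, mitigation check.

Added example, not vendor tooling. The sample jars are constructed.
"""
import os
import re
import tempfile
import zipfile

FIXED = (2, 15, 0)                     # version the post says to upgrade to
MITIGABLE = ((2, 10, 0), (2, 14, 1))   # range where formatMsgNoLookups applies
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def classify(version: str) -> str:
    """'fixed', 'mitigable' (set the JVM flag until you can upgrade) or 'upgrade'."""
    v = parse_version(version)
    if v >= FIXED:
        return "fixed"
    if MITIGABLE[0] <= v <= MITIGABLE[1]:
        return "mitigable"
    return "upgrade"


def inspect_jar(path: str) -> dict:
    """Declared Implementation-Version, presence of JndiLookup, and classification."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = m[1]
    return {
        "version": version,
        "has_jndi_lookup": JNDI_LOOKUP in names,
        "status": classify(version) if version else "unknown",
    }


def mitigation_present(jvm_args: str, env: dict) -> bool:
    """True if the post's JVM flag or environment variable is set. The match is
    case-insensitive, so the -DLog4j2... spelling quoted in the post also counts."""
    if re.search(r"-Dlog4j2\.formatMsgNoLookups=true(?:\s|$)", jvm_args, re.I):
        return True
    value = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().strip('"')
    return value.lower() == "true"


def build_sample_jar(path: str, version: str, include_jndi: bool = True) -> None:
    """Write a constructed jar containing only the pieces inspect_jar() looks at."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes


def run_demo() -> dict:
    """Build three sample jars in a temp dir and return their inspection results."""
    samples = [("log4j-core-2.9.1.jar", "2.9.1", True),
               ("log4j-core-2.14.1.jar", "2.14.1", True),
               ("log4j-core-2.15.0.jar", "2.15.0", True)]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, version, jndi in samples:
            path = os.path.join(tmp, name)
            build_sample_jar(path, version, jndi)
            results[name] = inspect_jar(path)
    return results


if __name__ == "__main__":
    for name, info in run_demo().items():
        print(f"{name}: version={info['version']} status={info['status']} "
              f"jndi_lookup={info['has_jndi_lookup']}")
    print("flag set:", mitigation_present(
        "java -DLog4j2.formatMsgNoLookups=true -jar app.jar", {}))
```

The post names 2.15.0 as the fixed version; Apache has since shipped further Log4j 2 fixes, so keep FIXED at whatever version your vendor’s current advisory names.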

Finally, the Cybersecurity & Infrastructure Security Agency (CISA) encourages users and business administrators to review the Apache Log4j Security Vulnerabilities page and apply the other recommended mitigation steps as soon as possible.

The post What SMBs can do to protect against Log4Shell attacks appeared first on Malwarebytes Labs.