Robin’s Newsletter #183

19 December 2021. Volume 4, Issue 51
Over 100 VMware apps are affected by Log4j, as a second patch is released to address 'Log4Shell' vuln. £2.6B UK cyber strategy unveiled. Plus interesting results in long-term phishing study.

This week

Mine for wood: more log4j

Crypto-miners, ransomware operators and nation-state groups are all getting in on critical ‘log4shell’ vulnerabilities (vol. 4, iss. 50) in the popular log4j library.

Cloudflare and Cisco have reported seeing evidence of attacks as early as 1st and 2nd of December, over a week before the public disclosure. What’s more, the original patch, released quickly to address the issue, contained another vulnerability that allows denial-of-service attacks against apps running version 2.15.0. (Time to go back ‘round the houses!) Not to mention IT vendors are scrambling to get patches out for affected software: over 100 VMware products are vulnerable, and giants like IBM and Cisco are also releasing loads of patches.

Meanwhile, the ‘spray and pray’ nature of crypto-mining malware (which can be largely automated and needs high levels of infection to yield decent returns) means those criminals have been amongst the first to capitalise on the vulnerability. This week we’re starting to see ‘initial access brokers’ (IABs) get in on the action — often a precursor to ransomware — as well as ransomware groups themselves, with the Conti cybercriminals actively scanning for vulnerable VMware server instances.

Google’s open-source team have been scanning Maven Central, a Java package repository, and found that over 35,000 packages (around 8% of the ~440K in the repository) contain Log4j. 13% of those vulnerable have now updated their project to include a newer version of the Log4j library, but the nature of nested projects and dependencies complicates things: only 7,000 of those 35,000 packages contain Log4j as a direct dependency; the remaining 28,000 packages contain it as a dependency between two and nine levels deep.

It’s been hectic enough for IT teams trying to identify affected applications and install the initial wave of patches: the week before Christmas looks no less busy, and the issues will likely persist well into the new year, and beyond.

therecord.media (Cloudflare/Cisco), arstechnica.com (DoS vulnerability), wired.com, theregister.com (VMware), zdnet.com (IT vendor fixes), therecord.media (Conti), therecord.media (dependencies)
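
The direct-versus-nested distinction in the Maven Central figures above can be checked for a single project by reading `mvn dependency:tree` output. This is an added example, not from the original newsletter or from Google's analysis; the sample tree and its `com.example` coordinates are constructed.

```python
import re

# Constructed `mvn dependency:tree` output; the com.example coordinates are made up.
SAMPLE_TREE = r"""
[INFO] com.example:billing-app:jar:1.0.0
[INFO] +- com.example:reporting-lib:jar:3.2.1:compile
[INFO] |  +- com.example:pdf-export:jar:1.4.0:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
[INFO] |  |     \- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] |  \- com.example:util:jar:0.9.0:compile
[INFO] \- junit:junit:jar:4.13.2:test
"""

# Each nesting level is three characters ("|  " or "   ") before the "+- " or "\- " marker.
LINE = re.compile(r"^\[INFO\] ((?:[| ]  )*)[+\\]- (\S+)")

def find_log4j(tree_text, group="org.apache.logging.log4j"):
    """Return every dependency in `group` with its depth and the chain that pulls it in."""
    hits, path = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # root module line, blank lines, other Maven output
        depth = len(m.group(1)) // 3 + 1  # 1 = direct dependency
        parts = m.group(2).split(":")     # group:artifact:type[:classifier]:version:scope
        if len(parts) < 5:
            continue
        del path[depth - 1:]              # drop ancestors from deeper, finished branches
        path.append(parts[1])
        if parts[0] == group:
            hits.append({"artifact": parts[1], "version": parts[-2], "depth": depth,
                         "via": " > ".join(path[:-1]) or "(direct dependency)"})
    return hits

if __name__ == "__main__":
    for hit in find_log4j(SAMPLE_TREE):
        print(hit)
```

A hit at depth 2 or more means the upgrade has to come from the intermediate package named in `via`, or from an explicit version override in your own build.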

Interesting stats

7 spyware/surveillance companies - akin to NSO Group - that were behind 1,500 Facebook and Instagram accounts, targeting 50,000 people in 100 countries have been banned from Meta’s platforms, according to Meta and Citizen Lab techcrunch.com

Other newsy bits

The UK unveils cyber strategy through 2025

It’s been five years since the UK’s first cyber strategy was unveiled and this week its successor was released, setting aims and objectives for the UK government’s approach to, and £2.6B funding of, cyber through 2025. A blog post by Miriam Howe of BAE Systems is a good, quick summary of the strategy, which is aligned around five pillars:

  1. Strengthening the UK cyber ecosystem, investing in our people and skills and deepening the partnership between government, academia and industry
  2. Building a resilient and prosperous digital UK, reducing cyber risks so businesses can maximise the economic benefits of digital technology and citizens are more secure online and confident that their data is protected
  3. Taking the lead in the technologies vital to cyber power, building our industrial capability and developing frameworks to secure future technologies
  4. Advancing UK global leadership and influence for a more secure, prosperous and open international order, working with government and industry partners and sharing the expertise that underpins UK cyber power
  5. Detecting, disrupting and deterring our adversaries to enhance UK security in and through cyberspace, making more integrated, creative and routine use of the UK’s full spectrum of levers

The University of Surrey’s Professor Alan Woodward commented to The Register on the changing definition of the problem scope:

“One other point that I thought was interesting is the way they have expanded the definition of the problem space into the user experience. Hence, this isn’t just about tweaking blue widgets to breach defences but includes scamming, disinformation, and the whole panorama of threats posed by content and its use.” — Professor Alan Woodward

The UK will seek to take a greater role in defining international standards, too, as well as developing home-grown technologies (including the design of a new AI microprocessor(!)). Meanwhile, on ransomware, there’s much stronger language on the payment of ransom demands: “Law enforcement do not encourage, endorse, nor condone the payment of ransom demands.”

Industry is still core to the strategy — both contributing to cyber defence and also economic prosperity — and the UK’s 1,400+ businesses generating revenues of £8.9 billion last year are celebrated for creating 46,700 skilled jobs (a workforce growth of around 50% in the last four years).

For all the progress against the previous strategy, and the phenomenal rate of technological change, the new strategy acknowledges that some aspects have yet to demonstrate any return on investment: “our approach to cyber deterrence does not yet seem to have fundamentally altered the risk calculus for attackers.” The velocity of change has outpaced social and legal norms, and cyberspace, global by nature, is expected to increasingly be a “clash of competing interests, values and visions.”

gov.uk, baesystems.com, therecord.media, theregister.com, theguardian.com

KnowBe4 as an example of poor security defaults

Security products should improve your security posture. Unfortunately, that’s not always the case, as highlighted by _MG_ on Twitter this week. Popular security awareness and training vendor KnowBe4 has a phishing simulation product that asks customers to add ‘X-PHISHTEST’ email headers to the allow list of their mail filters so the simulated messages get through.

That leaves the door open to attackers also adding the same headers to their campaigns and slipping straight past other security controls that KnowBe4 customers have been asked to weaken.

This is a fairly open/shut case where the product needs to have ‘secure defaults’, just like consumer wifi routers having unique admin passwords (something that new legislation from Singapore to the UK and US is trying to address, if primarily for IoT devices).

KnowBe4 customers do have the option of changing this header via their admin panel and I’d recommend setting a unique, random one for your organisation.

@_MG_, knowbe4.com
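
The difference between the shared default and an organisation-specific header, sketched as mail-filter bypass logic. This is an added example, not KnowBe4's code or configuration: the `X-Sim-` header prefix, the `192.0.2.0/24` simulator range and the sample messages are constructed, and the source-address condition is an extra check added here on top of the unique header recommended above.

```python
import ipaddress
import secrets
from email import message_from_string

DEFAULT_HEADER = "X-PHISHTEST"                     # header name quoted in the newsletter
ORG_HEADER = "X-Sim-" + secrets.token_hex(8)       # hypothetical per-organisation header name
SIM_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # placeholder for the simulator's sending range

def make_msg(header_name):
    # Constructed sample message; addresses and header value are made up.
    return (f"From: it-support@example.com\nTo: user@example.org\n"
            f"Subject: Password expiry notice\n{header_name}: sample\n\nBody\n")

def weak_bypass(raw, client_ip):
    """Allow-list rule keyed only on the shared default header being present."""
    return DEFAULT_HEADER in message_from_string(raw)

def hardened_bypass(raw, client_ip):
    """Require the organisation-specific header AND a connection from the expected range."""
    msg = message_from_string(raw)
    addr = ipaddress.ip_address(client_ip)
    return ORG_HEADER in msg and any(addr in net for net in SIM_NETS)

def compare():
    """Return {case: (weak rule skips filtering, hardened rule skips filtering)}."""
    cases = {
        "simulation, default header": (make_msg(DEFAULT_HEADER), "192.0.2.10"),
        "simulation, org header": (make_msg(ORG_HEADER), "192.0.2.10"),
        "external mail, default header": (make_msg(DEFAULT_HEADER), "203.0.113.7"),
        "external mail, org header": (make_msg(ORG_HEADER), "203.0.113.7"),
    }
    return {name: (weak_bypass(*c), hardened_bypass(*c)) for name, c in cases.items()}

if __name__ == "__main__":
    for name, (weak, hard) in compare().items():
        print(f"{name:32} weak={weak!s:5} hardened={hard}")
```

Only the weak rule lets the external message carrying the default header skip filtering; the hardened rule also rejects the organisation header when it arrives from outside the expected range.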

Long reads

Large-scale, long-term phishing study

Conducted over 15 months with more than 14,000 (unaware) participants, the study by Daniele Lain, Kari Kostiainen, and Srdjan Čapkun from ETH Zurich has some really interesting findings, including that ‘embedded’ training when a user falls for a phishing email may make them more susceptible to future attacks, and that the length and detail of warning messages do not improve user detection of phishing emails. Providing positive feedback to those that report phishing emails results in them being more likely to report more emails.

arxiv.org (PDF)

In brief

Attacks, incidents & breaches

  • HR and workforce management company UKG (Ultimate Kronos Group) has suffered a ransomware attack and expects ‘several weeks’ to restore systems, including outsourced payrolls services (Merry Christmas!) therecord.media
  • The private keys to 96 wallets of blockchain gaming company VulcanForge have been compromised by attackers and used to steal $135M of cryptocurrency vice.com
  • Gumtree has self-reported itself to the UK Information Commissioner after it became aware that you could ‘F12’ their website to reveal the GPS coordinates or postcode of a seller and reveal user information via an API used by the company’s iOS app theregister.com
  • Another outage at AWS: US-WEST-1 and US-WEST-2 taken offline for hours because of ‘issues affecting Internet connectivity’ bleepingcomputer.com, blgospot.com
  • Patients being treated for opioid addiction unable to access prescriptions after healthcare company Behavioural Health Group (BHG) “took certain systems offline out of an abundance of caution” to contain a security incident bleepingcomputer.com
  • Natural gas supplier Superior Plus, who service Canadian and US customers, has ‘temporarily disabled certain computer systems’ as it investigates and restores systems from a ransomware attack zdnet.com

Threat intel

  • Ransomware group RansomEXX may be engaging in business email compromise attacks on the supply chain of victims, as reported by logistics company Hellmann Worldwide following an attack on, and data exfiltration from, their systems bleepingcomputer.com
  • The sophistication of NSO Group’s exploits is “on par with serious nation-state capabilities,” says Google’s Project Zero group after analysing the spyware company’s FORCEDENTRY exploit, used as a ‘zero click’ method of gaining entry to Apple devices wired.com
  • Hive ransomware group and affiliates may have compromised over 350 companies in the last four months bleepingcomputer.com

Vulnerabilities

  • US Cybersecurity and Infrastructure Agency (CISA) has ordered US agencies to patch zero-days in Chrome and Windows 10 that are being used to drop Emotet therecord.media
  • If you use MobileIron’s device management suite, get patching to avoid Log4j exploitation. (MDM platforms provide an attractive target for attackers, not just because they can control and deploy software to large volumes of devices, but also because these devices are often used as second factors for authentication) zdnet.com
  • Server-side request forgery vulnerability in VMware Workspace ONE UEM console allows unauthenticated network users to ‘gain access to sensitive information’. It’s rated 9.1/10 and comes hot on the heels of over 100 of VMware’s products being vulnerable to log4j theregister.com
  • Google releases Chrome update to address CVE-2021-4102 ‘use after free’ vulnerability in the V8 JavaScript engine being exploited in the wild bleepingcomputer.com
  • Lenovo ThinkPad and Yoga laptops are vulnerable to privilege escalation. CVE-2021-3922 and CVE-2021-2969 affect devices running Lenovo System Interface Foundation before version 1.1.20.3 bleepingcomputer.com

Privacy

  • Apple releases ‘Tracker Detect’ app for Android users to scan for nearby AirTags that may be being used to track people zdnet.com, Google Play Store
  • Datatilsynet, the Norwegian data protection agency, has fined social network Grindr $7.1M for unlawfully disclosing personal data to third parties for marketing purposes cyberscoop.com

Public policy

  • UK Parliament’s Joint Committee on the Online Safety Bill says that “end-to-end encryption should be identified as a specific risk factor,” and that technology communications companies should be required to “identify and address risks arising from the encrypted nature of their services” as part of meeting Safety by Design requirements theregister.com

Law enforcement

  • Ukraine National Police arrest 51 suspected of selling stolen personal data of over 300 million people bleepingcomputer.com
  • London’s Met Police arrest two with access to NHS databases for selling fake vaccination status entries to the NHS’ passport app theregister.com

Mergers, acquisitions and investments

  • API security outfit, Noname Security, closes $135M Series C round at a $1B valuation to advance R&D and go to market operations techcrunch.com
  • LogMeIn plans to spin off password manager product, LastPass, to work on the product against ‘an accelerated timeline’ zdnet.com

And finally

On vetting of politicians

Government security clearances and vetting often focus on financial stability in the hope of avoiding those with access to top-secret information being ‘bought’ by foreign powers. Daniel Cuthbert brings that thinking to the story this week of UK Conservative MP Daniel Kawczynski.

“A sitting politician openly asking a foreign government for funding shows how they could be easily compromised” — @dcuthbert

Kawczynski’s courting of second jobs with Saudi Arabian companies included WhatsApp messages seeking good remuneration because “I need it to pay school fees!”. Excluding politicians on their financial background is not the right answer; however, the question of ethical standards, and vetting of business interests, needs review.

@dcuthbert, theguardian.com

Robin
