Volume 21 – Number 48

Internet Storm Center Spotlight

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Critical Apache Log4j vulnerability being exploited in the wild

Description: Defenders across the security community are pushing to address CVE-2021-44228, an actively exploited vulnerability in Apache Log4j. The vulnerability affects a widely used Java logging library that many large organizations may have in their environment. So far, major targets have included Apple and the popular video game "Minecraft." This library may also be used as a dependency by a variety of web applications found in enterprise environments, including Elastic. Due to the nature of this vulnerability, Cisco Talos believes this will be a widely exploited vulnerability among attackers moving forward, and users should patch affected products and implement mitigation solutions as soon as possible. Apache has released a new update for Log4j, version 2.16.0. While the previous release (2.15.0) removed the ability to resolve lookups and addressed issues to mitigate CVE-2021-44228, this release disables JNDI by default and removes support for message lookups. Please refer to the Mitigations section for more details.

References: https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html

Snort SIDs: 58722 - 58744, 58751

Snort 3 SIDs: 300055 - 300058

ClamAV signatures: Java.Exploit.CVE_2021_44228-9914600-1, Java.Exploit.CVE_2021_44228-9914601-1, Java.Exploit.CVE_2021_44228-9914600-2, Java.Exploit.CVE_2021_44228-9914601-4 and Java.Exploit.CVE_2021_44228-9915330-0

Title: Microsoft issues patches for 80 vulnerabilities as part of December Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing 80 vulnerabilities across its large collection of hardware and software. None of the vulnerabilities disclosed this month have been actively exploited in the wild, the first that’s been the case in several months, though four have already been publicly disclosed. December’s security update features five critical vulnerabilities, with the remaining being considered “important.” The most serious of the issues is CVE-2021-43215, a memory corruption vulnerability that could lead to remote code execution in iSNS Server. The iSNS protocol interacts with iSNS servers and iSNS clients, which manages a server that allows network users to query an iSNS database. An attacker could exploit this vulnerability by sending a specially crafted request to an iSNS Server. This vulnerability was assigned a severity score of 9.8 out of 10.

References: https://msrc.microsoft.com/update-guide/en-us

Snort SIDs: 58752 - 58757, 58635 and 58636

Internet Storm Center Entries

The Log4J vulnerability could be around for years, according to security experts, who have found that attackers can exploit the code in ways that will likely go undetected by network admins and users.

https://www.wired.com/story/log4j-log4shell/

Security advisories, bulletins, and vendor responses related to Log4Shell

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

U.S. Cybersecurity and Infrastructure Security Agency head Jen Easterly said the Log4J issue illustrates the need for vendors should maintain “software bills of materials.”

https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability

Adversaries stole about $140 million worth of virtual currency from users of popular blockchain gaming company VulcanForge, the latest campaign targeting cryptocurrency investors.

https://www.vice.com/en/article/4awxep/hackers-steal-dollar140-million-from-users-of-crypto-gaming-company

A new White House policy requires some federal agencies to assess the impact of cyberattacks and report them within 24 hours.

https://www.cnn.com/2021/12/10/politics/white-house-red-line-policy-cyberattacks/index.html

An independent report found that a cyber attack targeting Ireland’s national health care system could have been much worse than it was.

https://www.bbc.com/news/technology-59612917

Telehealth app Doxy.me says it fixed a vulnerability in its site that mistakenly leaked confidential patient information to Facebook and Google.

https://www.cyberscoop.com/doxy-me-data-leak-facebook-google/

Car manufacturer Volvo says a ransomware gang infiltrated its network and stole research and developmental information.

https://www.bleepingcomputer.com/news/security/volvo-cars-discloses-security-breach-leading-to-randd-data-theft/

Recent CVEs

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2021-44228

Title: Remote code execution vulnerability in Apache Log4j (Log4Shell)

Description: Log4j2 is a ubiquitous library used by millions for Java applications. In Apache Log4j2, attackers can create customized requests to execute remote code. When message lookup replacement is allowed, an attacker with control over log messages or log message parameters can run arbitrary code imported from LDAP servers.

All versions of Log4j2 versions >= 2.0-beta9 and <= 2.14.1 are affected by this vulnerability.

CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-21954

Title: Command execution vulnerability Anker Eufy Homebase 2.1.6.9h

Description: Anker Eufy Homebase 2.1.6.9h was determined to have vulnerability. This has an impact on the component Network Packet Handler's function wifi country code update in the file home security. The privilege escalation vulnerability is created by manipulating an unknown input.

CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

ID: CVE-2021-20146

Title: Key management for the Gryphon Tower Router

Description: On the Gryphon devices, there is an unsecured ssh private key that might be exploited to gain root access to a server associated with Gryphon's development and infrastructure. The ssh key is used to log into the development server located on Amazon Web Services at the time of discovery.