SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Log4j continues to haunt defenders even after holiday break
Description: A critical vulnerability in Log4j is still under active exploitation weeks after it was initially disclosed. Microsoft released a warning this week that its customers are still seeing state-sponsored actors and cybercriminals target the widely used library. The vulnerability could allow an attacker to completely take over an affected server. Log4Shell, the nickname given to this vulnerability, will likely take years to remediate because of how widely the software component is used in applications and services. It can be leveraged in default configurations by an unauthenticated remote attacker to target applications that make use of the Log4j library. This vulnerability, tracked as CVE-2021-44228, received the maximum CVSS severity score of 10.0 and is widely believed to be easy to exploit. The library may also be used as a dependency by a variety of web applications found in enterprise environments, including Elastic. Given the nature of this vulnerability, Cisco Talos believes attackers will continue to exploit it widely, and users should patch affected products and implement mitigations as soon as possible.
References: https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
Snort SIDs: 58722 - 58744, 58751, 58784 - 58790, 58795, 58801, 58811 - 58814
Snort 3 SIDs: 300055 - 300058
ClamAV signatures: Java.Exploit.CVE_2021_44228-9914600-1, Java.Exploit.CVE_2021_44228-9914601-1, Java.Exploit.CVE_2021_44228-9914600-2, Java.Exploit.CVE_2021_44228-9914601-4, Java.Exploit.CVE_2021_44228-9915330-0, Java.Malware.CVE_2021_44228-9915820-0, Java.Malware.CVE_2021_44228-9915819-0, Java.Malware.CVE_2021_44228-9915818-0, Java.Malware.CVE_2021_44228-9915817-0, Java.Malware.CVE_2021_44228-9915816-0, Java.Malware.CVE_2021_44228-9915813-0, Java.Malware.CVE_2021_44228-9915812-0, PUA.Java.Tool.CVE_2021_44228-9916978-0
Title: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices
Description: Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector configurations, and even execute arbitrary code on the device. The vulnerabilities specifically exist in the Garrett iC module, which provides network connectivity to the Garrett PD 6500i and Garrett MZ 6100 walk-through metal detectors commonly used at security checkpoints. An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through. They could also make configuration changes, such as altering the sensitivity level of a device, which poses a security risk to anyone who relies on these metal detectors.
References: https://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-detector.html
Snort SIDs: 58013 - 58017