SANS NewsBites

Continued Action to Mitigate Log4j Vulnerability Required; Protect Building Automation System Security Keys to Prevent Denial of Access Attacks; Use Slow Holiday Period to Extend Change Windows and Patch Critical Windows Servers

December 21, 2021  |  Volume XXIII - Issue #99

Top of the News


2021-12-19

And Another (Third) Log4J Issue

Apache has once again updated Log4j, this time to version 2.17. The newest version of the logging library fixes a high-severity denial-of-service issue. The vulnerability affects all versions of Log4j from 2.0-beta9 through 2.16.0. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) directed federal agencies to patch systems or apply mitigations by Friday, December 24.

Editor's Note

As of this week, if you run Java 8, log4j 2.17.0 is the latest version fixing all known issues. For Java 7, log4j 2.12.2 should be used. As mentioned before: Keep good notes. You will have to do this again in the near future. log4j 2.15 fixes most issues, and the vulnerabilities in 2.15/16 are only exploitable if the logging configuration uses a non-default pattern layout with a context lookup. If there are critical systems still running log4j < 2.15: Patch them first before you redo the systems already at 2.15.

Johannes Ullrich

This is an infinite recursion bug. Essentially the function keeps being called until the host runs out of resources. I’m having flashbacks to recursive programming in college, and these are a bugger. You can either deploy Log4j 2.17, or you can change your code. The choices are to replace context lookups with thread context map patterns or remove context lookups where they originate from sources external to the application. Hint: deploy Log4j 2.17.

Lee Neely

As more focus is given to log4j, we expect other vulnerabilities to surface. Now that you have an inventory and understanding of your attack surface as it relates to log4j, apply the patches in a cadence that matches your threat model and risk appetite.

Jorge Orchilles

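As an added illustration, not from SANS or the editors quoted above, here is a constructed log4j2.xml that contrasts the non-default pattern layout with a Context Lookup (the configuration the notes above say keeps 2.15/2.16 exposed) with the Thread Context Map pattern that replaces it. The key name loginId and the appender names are assumptions; the application is assumed to populate the key with ThreadContext.put before logging.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example configuration, not a real project's file.
     The application is assumed to call ThreadContext.put("loginId", ...) before
     logging; the key name "loginId" is illustrative. -->
<Configuration status="WARN">
  <Appenders>
    <!-- WEAK: ${ctx:loginId} (or $${ctx:loginId}) is a Context Lookup. It is
         resolved by the StrSubstitutor when each event is formatted, and if the
         stored value itself contains lookup syntax (e.g. it was copied from a
         request header or user-supplied field) the substitution recurses into it.
         This is the non-default layout that keeps 2.15.0/2.16.0 exposed. -->
    <Console name="WeakConsole" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=${ctx:loginId} %c - %m%n"/>
    </Console>

    <!-- CORRECTED: %X{loginId} is a Thread Context Map pattern converter. It
         copies the stored value verbatim into the output with no lookup
         evaluation. %mdc{loginId} and %MDC{loginId} are equivalent spellings. -->
    <Console name="SafeConsole" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=%X{loginId} %c - %m%n"/>
    </Console>
  </Appenders>

  <Loggers>
    <!-- Only the corrected appender is wired in; the weak one is kept above
         purely for comparison and should be deleted in a real configuration. -->
    <Root level="info">
      <AppenderRef ref="SafeConsole"/>
    </Root>
  </Loggers>
</Configuration>
```

Upgrading to 2.17.0 (or 2.12.2 on Java 7) remains the primary fix; the pattern change is the configuration-side mitigation the editors mention for systems that cannot be patched immediately.
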
2021-12-20

HHS Urges Healthcare Orgs to Address Log4j Vulnerabilities

The US Department of Health and Human Services (HHS) is urging organizations within the healthcare sector to prioritize addressing the Log4j vulnerabilities. The HHS 405(d) program Situation, Background, Assessment, Recommendation (SBAR) brief notes that the available “patch may not supply a fix for all organizations because of legacy systems that may be present in their network.”

Editor's Note

Healthcare remains a primary target, as is any sector perceived as overloaded and under-resourced. Spin up a team to review your security posture; include outsiders to avoid overlooking issues you’re desensitized to. Verify your monitoring is covering current and legacy systems. Make sure that your segmentation not only protects components from the primary network, but also protects the network from them.

Lee Neely

2021-12-20

ICS Security Company Helps Firm Recover From Cyberattack on Building Automation System

An industrial control systems security firm was brought in to help an automation engineering company deal with a major attack against a Building Automation System (BAS), which includes light switches, motion detectors, and other devices. Limes Security was able to help the engineering company regain control of the compromised components. Limes has since learned of similar attacks against BAS running on KNX technology.

Editor's Note

Do you have resources identified to help recover from an attack like this when it happens, or do you still have an action item for someone to find a resource after the last tabletop? If you have a resource, have you had them participate in your recovery exercise to make sure the vision and reality align? Lastly, find out if they have assessment and/or best practices options you can leverage to raise the security bar.

Lee Neely

Interesting case of not only a well-documented attack against building automation systems, but also a security feature used to achieve a DoS attack.

Johannes Ullrich

2021-12-20

Microsoft Urges Users to Apply Fixes for Active Directory Security Issues

In November, Microsoft released fixes for two Windows Active Directory domain service privilege escalation vulnerabilities. Earlier this month, a proof-of-concept exploit for the flaws was released. When exploited together, the flaws allow attackers to take control of vulnerable Windows domains. Microsoft’s guidance includes a “step by step guide to identify potential compromised computers via Advanced Hunting query.”

Editor's Note

For many organizations, the last week of December brings reduced user and customer traffic and a good chance for longer change windows. If you have that opportunity, it is a good idea to take advantage of it and make sure all those Windows servers have all those critical Windows patches that have come out in the last few months. If there is resistance, following Microsoft's threat hunting guidance first may prove to be a good way to gain backing for doing so.

John Pescatore

The bulletin includes the specific events related to exploiting those vulnerabilities. Use the information to verify you’re in good shape. Also, after you apply the fixes to your domain controllers, have a serious conversation about making sure that is all those systems do, and that you’re using application allow/deny lists to prevent execution of any “extra” software. Make sure that your Domain Admin accounts require MFA, particularly your Enterprise Admin.

Lee Neely

These vulnerabilities may have flown under the radar with all the focus on log4j. A compromised Active Directory can lead to the entire organization being compromised. Highly recommend applying these fixes and hunting for indicators of adversary behaviors.

Jorge Orchilles

The Rest of the Week's News


2021-12-20

Belgian Defense Ministry Networks Breached Through Log4J Vulnerability

Belgium’s Ministry of Defense says that its networks were breached through exploitation of the Log4J vulnerability. The Defense Ministry deployed “quarantine measures” to help prevent the attack from spreading. Portions of the Ministry’s network have been unavailable since Thursday, December 16.

Editor's Note

We have not seen a lot of reports of actual breaches caused by log4j. A lot of exploit attempts, but most of them just spray the exploit without much consideration if the exploit will actually work. This smoke screen of exploit attempts may cover up some of the more dangerous attempts.

Johannes Ullrich

Risks like this can be reduced with a properly configured WAF and appropriate monitoring to detect maleficence. Look at this as a long-term strategy, not just something appropriate for Log4j. While disabling Log4j is an option, the operational impact risk is high; suggest not choosing this approach.

Lee Neely

2021-12-20

FBI Warning: APT Actors Exploiting Zoho ManageEngine Vulnerability

In a December 17 TLP: White Flash bulletin, the FBI warned that “APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers.” ManageEngine parent company Zoho released a security advisory for the issue earlier this month. The Flash includes technical details, indicators of compromise, and recommended mitigations.

Editor's Note

The fix is to upgrade to the fixed versions now. The FBI/IC3 bulletin includes indicators and actions to take to ensure you’re not compromised as well as Yara rules to aid detection. As this is being actively exploited, don’t wait to find out the hard way that you’re compromised.

Lee Neely

2021-12-20

Western Digital Urges Customers to Upgrade to My Cloud OS 5

Data storage company Western Digital is urging customers who own MyCloud devices to upgrade to My Cloud OS 5. As of January 15, 2022, “devices that are compatible with My Cloud OS 5 will no longer support prior generations of the My Cloud OS, including My Cloud OS 3.” As of April 15, 2022, Western Digital is discontinuing support for older generations of My Cloud OS. This means that users with devices incompatible with MyCloud OS 5 will no longer be able to access those devices remotely.

Editor's Note

Keep an eye on lifecycle, particularly on SOHO-focused products. If updates are no longer available, prioritize replacing the device. As Internet-accessible NAS remains a target, don’t expose it, in any fashion, to the Internet. If you want external access to your content, consider using a mainstream cloud service (Google, Microsoft, Box, etc.) that is engineered and secured for this type of access. The cost difference will be far less than an incident.

Lee Neely

2021-12-20

Avast: US Federal Government Entity Network Breached

Researchers from Avast detected a cyberattack against the internal network of “a small, lesser-known U.S. federal government commission associated with international rights.” The Avast report says they reached out to the organization but after initial contact, the organization has not responded. While Avast does not have information about how the incident affected the organization or steps the organization took to mitigate the event, “based on [Avast’s] analysis of the files in question, … it’s reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all local network traffic in this organization.”

Editor's Note

Make sure that you have published security contacts for reporting of discoveries such as this. Additionally, respond to and validate the reports, acting where needed. The last thing you want is public disclosure of weaknesses. Security through obscurity is still not a viable approach. In general, US agencies are bound by BOD 20-01 to develop and publish a vulnerability disclosure policy.

Lee Neely

2021-12-20

Healthcare Sector Breach Roundup

Recently reported cyber incidents involving healthcare organizations include a telephone network and website outage at Capital Region Medical Center in Missouri; the theft of data belonging to more than 500,000 patients of Texas ENT Specialists; continuing operational disruptions at the Maryland Department of Health following a cyber incident; and a ransomware attack affecting the Coombe Women and Infants University Hospital in Dublin, Ireland.

Editor's Note

A nice roundup to remind people that those behind most cyberattacks are not the Hollywood-depicted “computer nerd,” but in fact are cold-hearted criminals who do not care what damage they cause or who they hurt in order to reach their goals. During a pandemic it is unthinkable and despicable for criminals to be targeting healthcare providers.

Brian Honan

This is a good roundup of incidents and responses to learn from. Even if you’re not in healthcare, read to see where you may have similar gaps in your protections as well as better understand how the attacks are initiated and spread. Ask your team what would happen at your company and how they would handle it.

Lee Neely

At a minimum, clinical applications should be isolated from vulnerable applications like e-mail and browsing.

William Hugh Murray

Internet Storm Center Tech Corner