Good afternoon, Talos readers.

I'm just going to cut to the chase since I know all anyone wants to read about is Log4J. For the latest Talos research, continually check back on our blog post here. Above is the live stream we recorded Monday morning updating everyone on the situation, but of course, a lot has already changed since then. Which is why Beers with Talos will be returning for a live recording Friday at noon ET. You can join us on any of our social media platforms or over on our YouTube page.

This will be the last Threat Source newsletter of 2021 as we head into the holiday break. We hope everyone is able to put Log4J behind them at least for a few days and enjoy some quality time with friends and family.

Cybersecurity week in review

  • The Log4j vulnerability made national news this week and is starting to become a talking point at companies around the globe. It's been particularly dangerous because it's relatively to exploit, and affects such a broad range of software.
  • It didn't take long for state-sponsored actors to notice, either. Microsoft issued a warning that actors based out of China, Iran, North Korea and Turkey have already started testing, exploiting and using the Log4j bug to deploy malware.
  • The U.S. Cybersecurity and Infrastructure Security Agency set a deadline of Dec. 24 for federal agencies to patch for Log4shell, the nickname given to the vulnerability. CISA director Jen Easterly called it "a severe risk."
  • Some people online even claim they've been able to use Log4shell on Apple devices and Tesla electric cars. In both cases, researchers could trick the targeted servers into visiting the site of their choice.
  • Microsoft released its monthly round of security patches Tuesday, though it was overshadowed by Log4j. Still, it's important to note the company disclosed six critical vulnerabilities in its products, one of which received a severity rating of 9.6 out of 10.
  • Google also released its own round of patches, fixing five vulnerabilities in its Chrome web browser. One vulnerability, tracked as CVE-2021-4102, is already being exploited in the wild, Google warned.
  • Not to be outdone, Apple also jumped on the Patch Tuesday train, updating its iOS mobile operating system to fix a vulnerability that could have allowed anyone to jailbreak the new iPhone 15. There are several other patches to fix issues that could have allowed an attacker to execute remote code on a targeted device.
  • Attackers stole $135 million worth of virtual currency from online gamers by targeting the VulcanForged blockchain. This is the third attack of this kind this month, costing a combined $400 million.
  • Car manufacturer Volvo says a "limited amount" of R&D information has been stolen as the result of a cyber attack. The company is still investigating the initial cause of the breach.

Notable recent security issues

Log4j vulnerability could have long-term implications for the internet at large

Defenders across the security community are pushing to address CVE-2021-44228, an actively exploited vulnerability in Apache Log4j. The vulnerability affects a widely used Java logging library that many large organizations may have in their environment. So far, major targets have included Apple and the popular video game "Minecraft." This library may also be used as a dependency by a variety of web applications found in enterprise environments, including Elastic. Due to the nature of this vulnerability, Cisco Talos believes this will be a widely exploited vulnerability among attackers moving forward, and users should patch affected products and implement mitigation solutions as soon as possible. Apache has released a new update for Log4j, version 2.16.0. While the previous release (2.15.0) removed the ability to resolve lookups and addressed issues to mitigate CVE-2021-44228, this release disables JNDI by default and removes support for message lookups. Please refer to the Mitigations section for more details.

SNORTⓇ SIDs: 58722 - 58744, 58751, 58784 - 58790, 58795

Snort 3 SIDs: 300055 - 300058

ClamAV signatures: : Java.Exploit.CVE_2021_44228-9914600-1, Java.Exploit.CVE_2021_44228-9914601-1, Java.Exploit.CVE_2021_44228-9914600-2, Java.Exploit.CVE_2021_44228-9914601-4, Java.Exploit.CVE_2021_44228-9915330-0, Java.Malware.CVE_2021_44228-9915820-0, Java.Malware.CVE_2021_44228-9915819-0, Java.Malware.CVE_2021_44228-9915818-0, Java.Malware.CVE_2021_44228-9915817-0, Java.Malware.CVE_2021_44228-9915816-0, Java.Malware.CVE_2021_44228-9915813-0 and Java.Malware.CVE_2021_44228-9915812-0

Microsoft issues patches for 80 vulnerabilities as part of December Patch Tuesday

Microsoft released its monthly security update Tuesday, disclosing 80 vulnerabilities across its large collection of hardware and software. None of the vulnerabilities disclosed this month have been actively exploited in the wild, the first that’s been the case in several months, though four have already been publicly disclosed. December’s security update features five critical vulnerabilities, with the remaining being considered “important.” The most serious of the issues is CVE-2021-43215, a memory corruption vulnerability that could lead to remote code execution in iSNS Server. The iSNS protocol interacts with iSNS servers and iSNS clients, which manages a server that allows network users to query an iSNS database. An attacker could exploit this vulnerability by sending a specially crafted request to an iSNS Server. This vulnerability was assigned a severity score of 9.8 out of 10.

SNORTⓇ SIDs: 58752 - 58757, 58635 and 58636

Most prevalent malware files this week

SHA 256: 0ab024b0da0436fddc99679a74a26fdcd9851eb00e88ff2998f001ccd0c9016f

MD5: ee30d6928c9de84049aa055417cc767e

Typical Filename: app.exe

Claimed Product: N/A

Detection Name: Glupteba::gravity::W32.Auto:0ab024b0da.in03.Talos

SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13

MD5: a6a7eb61172f8d988e47322ebf27bf6d

Typical Filename: wx.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Wingo::in07.talos

SHA 256: 1b259d8ca9bb4579feb56748082a32239a433cea619c09f827fd6df805707f37

MD5: a5e345518e6817f72c9b409915741689

Typical Filename: swupdater.exe

Claimed Product: Wavesor SWUpdater

Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos


SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212

VirusTotal:

Typical Filename: deps.zip

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos

SHA 256: 1487f122c92f3bade35e03b6b0554a80b1563f2c167d9064263845653d912ec6

MD5: ee62e8f42ed70e717b2571c372e9de9a

Typical Filename: lHe

Claimed Product: N/A

Detection Name: W32.Gen:MinerDM.24ls.1201

Keep up with all things Talos by following us on Twitter. Snort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.