Friday, December 10, 2021

Threat Source Newsletter (Dec. 16, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

I'm just going to cut to the chase since I know all anyone wants to read about is Log4J. For the latest Talos research, continually check back on our blog post here. Above is the live stream we recorded Monday morning updating everyone on the situation, but of course, a lot has already changed since then. Which is why Beers with Talos will be returning for a live recording Friday at noon ET. You can join us on any of our social media platforms or over on our YouTube page

This will be the last Threat Source newsletter of 2021 as we head into the holiday break. We hope everyone is able to put Log4J behind them at least for a few days and enjoy some quality time with friends and family.

Cybersecurity week in review


  • The Log4j vulnerability made national news this week and is starting to become a talking point at companies around the globe. It's been particularly dangerous because it's relatively to exploit, and affects such a broad range of software.
  • It didn't take long for state-sponsored actors to notice, either. Microsoft issued a warning that actors based out of China, Iran, North Korea and Turkey have already started testing, exploiting and using the Log4j bug to deploy malware.
  • The U.S. Cybersecurity and Infrastructure Security Agency set a deadline of Dec. 24 for federal agencies to patch for Log4shell, the nickname given to the vulnerability. CISA director Jen Easterly called it "a severe risk."
  • Some people online even claim they've been able to use Log4shell on Apple devices and Tesla electric cars. In both cases, researchers could trick the targeted servers into visiting the site of their choice.
  • Microsoft released its monthly round of security patches Tuesday, though it was overshadowed by Log4j. Still, it's important to note the company disclosed six critical vulnerabilities in its products, one of which received a severity rating of 9.6 out of 10. 
  • Google also released its own round of patches, fixing five vulnerabilities in its Chrome web browser. One vulnerability, tracked as CVE-2021-4102, is already being exploited in the wild, Google warned.
  • Not to be outdone, Apple also jumped on the Patch Tuesday train, updating its iOS mobile operating system to fix a vulnerability that could have allowed anyone to jailbreak the new iPhone 15. There are several other patches to fix issues that could have allowed an attacker to execute remote code on a targeted device.
  • Attackers stole $135 million worth of virtual currency from online gamers by targeting the VulcanForged blockchain. This is the third attack of this kind this month, costing a combined $400 million.
  • Car manufacturer Volvo says a "limited amount" of R&D information has been stolen as the result of a cyber attack. The company is still investigating the initial cause of the breach.

Notable recent security issues


Log4j vulnerability could have long-term implications for the internet at large

Defenders across the security community are pushing to address CVE-2021-44228, an actively exploited vulnerability in Apache Log4j. The vulnerability affects a widely used Java logging library that many large organizations may have in their environment. So far, major targets have included Apple and the popular video game "Minecraft." This library may also be used as a dependency by a variety of web applications found in enterprise environments, including Elastic. Due to the nature of this vulnerability, Cisco Talos believes this will be a widely exploited vulnerability among attackers moving forward, and users should patch affected products and implement mitigation solutions as soon as possible. Apache has released a new update for Log4j, version 2.16.0. While the previous release (2.15.0) removed the ability to resolve lookups and addressed issues to mitigate CVE-2021-44228, this release disables JNDI by default and removes support for message lookups. Please refer to the Mitigations section for more details. 
SNORTⓇ SIDs: 58722 - 58744, 58751, 58784 - 58790, 58795
Snort 3 SIDs: 300055 - 300058 
ClamAV signatures: : Java.Exploit.CVE_2021_44228-9914600-1, Java.Exploit.CVE_2021_44228-9914601-1, Java.Exploit.CVE_2021_44228-9914600-2, Java.Exploit.CVE_2021_44228-9914601-4, Java.Exploit.CVE_2021_44228-9915330-0, Java.Malware.CVE_2021_44228-9915820-0, Java.Malware.CVE_2021_44228-9915819-0, Java.Malware.CVE_2021_44228-9915818-0, Java.Malware.CVE_2021_44228-9915817-0, Java.Malware.CVE_2021_44228-9915816-0, Java.Malware.CVE_2021_44228-9915813-0 and Java.Malware.CVE_2021_44228-9915812-0 
 

Microsoft issues patches for 80 vulnerabilities as part of December Patch Tuesday

Microsoft released its monthly security update Tuesday, disclosing 80 vulnerabilities across its large collection of hardware and software. None of the vulnerabilities disclosed this month have been actively exploited in the wild, the first that’s been the case in several months, though four have already been publicly disclosed. December’s security update features five critical vulnerabilities, with the remaining being considered “important.” The most serious of the issues is CVE-2021-43215, a memory corruption vulnerability that could lead to remote code execution in iSNS Server. The iSNS protocol interacts with iSNS servers and iSNS clients, which manages a server that allows network users to query an iSNS database. An attacker could exploit this vulnerability by sending a specially crafted request to an iSNS Server. This vulnerability was assigned a severity score of 9.8 out of 10. 
SNORTⓇ SIDs: 58752 - 58757, 58635 and 58636


Most prevalent malware files this week


MD5: ee30d6928c9de84049aa055417cc767e 
Typical Filename: app.exe 
Claimed Product: N/A 
Detection Name: Glupteba::gravity::W32.Auto:0ab024b0da.in03.Talos 

MD5: a6a7eb61172f8d988e47322ebf27bf6d 
Typical Filename: wx.exe
Claimed Product: N/A 
Detection Name: Win.Dropper.Wingo::in07.talos

MD5: a5e345518e6817f72c9b409915741689 
Typical Filename: swupdater.exe 
Claimed Product: Wavesor SWUpdater 
Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos 
MD5: 6ea750c9d69b7db6532d90ac0960e212 
VirusTotal: 
Typical Filename: deps.zip 
Claimed Product: N/A 
Detection Name: Auto.E5044D5AC2.242358.in07.Talos 

MD5: ee62e8f42ed70e717b2571c372e9de9a 
Typical Filename: lHe 
Claimed Product: N/A 
Detection Name: W32.Gen:MinerDM.24ls.1201 

Keep up with all things Talos by following us on TwitterSnort, and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.