What a December! Let’s see if we can write a threat report without mentioning log4j. Possible? Let’s find out! While everyone else is writing about it and you are completely overwhelmed, over-vendored, and over exhausted by it, there is still a lot of other activity going on that shouldn’t be ignored, missed or forgotten.
On the heels of our Meris botnet blog, CISA just released new guidance recommending organizations patch their MikroTik routers for the same CVE that continue to plague these cheap but powerful devices. Remember, a patched device doesn’t mean the device isn’t being used maliciously by Meris, or Gluteba, or Trickbot, etc. More often than not, these devices are simply maliciously configured, versus having been implanted with malicious code.
Beyond only Mikrotik routers, AT&T’s Alien Labs just discovered another botnet called BotenaGo (written in Go language) that can target millions of exposed and vulnerable devices with an arsenal of over 30 exploits. The attack surface of these devices is massive, yet awareness of this attack surface is still low; something CISA has been working very hard to change.
Did you know that 60% of breaches involving a vulnerability were against devices for which a patch was available, but was never applied? You do now!
Speaking of Gluteba, (many believe this is the group that compromises devices like MiroTik, and then sells access to these devices to botnet operators/campaigns), it has a new trick: leveraging Bitcoin’s public ledger to maintain C2 in away that is both a) resilient and b) slightly Darwinian. This tactic is double-edged for the attackers as it allows the good guys to also see and anticipate the same public wallet addresses and new domains just like the malware does. This might come in handy some day when it comes time to prosecute them, too.
Log4J represents another ‘first wave’ of attacks that gained an initial foothold and allowed myriad actors with myriad motives to gain presence wherever they might. Once a foothold had been established, however, the real story begins to play out.
One of these stories may be destruction – just as we saw when actors leveraged recent MS Exchange vulnerabilities to drop a destructive payload on victim machines. Another could be ransomware just like what we saw following the Microsoft Exchange attacks. Indeed, the Trickbot group behind Conti has already begun leveraging Log4J to drop ransomware only a few days after discovering its potential. Recall that ProxyLogon, too, was similarly used by ransomware gangs only days after its discovery. If destruction sounds incredulous or unlikely, check out what these Iranian nation state actors just did by leveraging a new HP iLO firmware vulnerability to wipe servers remotely.
This kind of rapid weaponization and ability to deploy follow-on payloads quickly puts a tremendous amount of pressure on security teams to patch and mitigate immediately. The very same group still leverages Fortinet vulnerabilities and ZeroLogon vulnerabilities, as well as look for vulnerabilities at the UEFI in order to implant there, just like many APTs have been discovered having done so of late.
Hackers have also been able to leverage Log4j exploits to specifically target ultra high end server hardware from HP (ones running Zen 3-based EPYC Milan CPUs) in order to mine the Raptoreum ($RTM) crypto currency.
In a dramatic yet somehow not surprising fashion, the Chinese government has decided to stop collaborating with Alibaba on cyber threat intelligence for a period no less than six months, after the organization failed to tell the government about the Log4J vulnerability prior to public disclosure. This demonstrates two things: 1) China’s bite is as bad as their bark in this regard; other organizations now have precedence, which they can use to justify disclosing vulns early and exclusively to the Chinese government and 2) he degree to which China’s offensive security strategy (proactively attacking western interests in order to gain key economic and military advantage) is overtly in play.
Well, we didn’t think we’d be able to write this threat report without including Log4j, and sure enough, we had to.
A final word to reflect upon the passing of Dan Kaminsky, a luminary beyond compare in the field of cyber security and a dear friend to so many of us in the community. This month he was posthumously entered into the Internet Hall of Fame. He was the hero that saved the Internet more than once… but moreso, the hero that best embodied true discourse, critical thought, debate, rational exploration of myriad problem spaces, and someone that served as the pillar of ground truth and perspective for so many. Beyond even these things, he was the warmest of souls, the kindest of friends, and one of the most endearingly comical people any of us have ever met. Dakami, we’ll pour one out for you this NYE.
Here’s to a fantastic 2022. Let us be a stronger community, let us unite to fight those that do us cyber harm and protect those that cannot protect themselves, and let us innovate to solve for a better future together. We fight for the users!
Threat actor uses HP iLO rootkit to wipe servers
“An Iranian cyber-security firm said it discovered a first-of-its-kind rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian organizations.”
- APT trends report Q3 2021
- New Dell BIOS updates cause laptops and desktops not to boot
- Hacker Hijacks HP AMD EPYC Servers For Raptoreum Crypto Mining
- Dell driver fix still allows Windows Kernel-level attacks
- GovCert.ch Zero-Day Exploit Targeting Popular Java Library Log4j
- Low-level ‘Destructive’ cyberattack hits National Bank of Pakistan
- The malware was pushed via privileged account in active directory which corrupted the boot sequence of the computers and hence prevented them from booting
- AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits
- APT Conducts Active Campaign Against ManageEngine ServiceDesk Plus
- MosesStaff Locks Up Targets, with No Ransom Demand, No Decryption
- High profile attacks, ransomware gangs and weaponisation part of cybersecurity predictions for 2022
- Jumping the air gap: 15 years of nation‑state effort
- Thousands of Industrial Systems Targeted With New ‘PseudoManuscrypt’ Spyware
- CONTI Ransomware Advisory: Log4Shell Exploitation for Initial Access & Lateral Movement
- Thousands of Industrial Systems Targeted With New ‘PseudoManuscrypt’ Spyware
- How Cybercriminals Are Using Bitcoin’s Blockchain to Make Botnets Stronger Than Ever
- University loses 77TB of research data due to backup error
Dan Kaminsky 2021 Internet Hall of Fame Induction Ceremony
“Dan inspired so many people, both technically and in hacker community personification of who we should all be, he reached the entire world, saved the internet more than a few times, and was literally and figuratively a key to the internet kingdom we all use.”
- Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center
- Chinese Government Punishes Alibaba for Not Telling It First About Log4Shell Flaw: Report
- Vladislav Klyushin: Russia condemns Swiss extradition of citizen to US
- Special Agent BJ Kang’s Affidavit charging five APT 28 threat actors for cyber/financial crimes
CISA Adds Zoho, Qualcomm, Mikrotik Flaws to ‘Must-Patch’ List
“The U.S. government’s cybersecurity agency has updated its catalog of “known exploited vulnerabilities” and set deadlines for federal agencies to apply fixes for security defects in software made by Qualcomm, Mikrotik, Zoho and the Apache Software Foundation.”
New Malware Uses SSD Over-Provisioning to Bypass Security Measures
“Korean researchers have detected a vulnerability in SSDs that allows malware to plant itself directly in an SSD’s empty over-provisioning partition. As reported by BleepingComputer, this allows the malware to be nearly invincible to security countermeasures.”
- A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
- A system of systems: Cooperation on maritime cybersecurity
- 17 Malware Frameworks Target Air-Gapped Systems for Espionage
The firmware supply-chain security is broken: can we fix it?
“We decided to build an open-source framework to identify known vulnerabilities in the context of UEFI specifics, classify them based on their impact and detect across the firmware ecosystem with the help of the LVFS project. We will be sharing our approach as well as the tooling we have created to help industry identify the problems and get patched.”
- CISA Log4j (CVE-2021-44228) Vulnerability Guidance
- CISA: Don’t Let Cyber Criminals Steal Your Connections: Securing Internet-Accessible Systems
- CMMC Awesomeness | CMMC-COA (NIST 800-171 and CMMC Scoping Tools)
- Enter PSP: #Fiedka :octopus: 1.2.1 has been released, now with initial support for AMD/PSP #firmware analysis!
- Log4j impact on manufacturers and components summary from the Internet community
- Log4Shell log4j vulnerability (CVE-2021-44228 / CVE-2021-45046) – cheat-sheet reference guide
- NCSC-NL- llog4shell – List of vendors affected, with current status each
- Log4Jmemes – comic relief during industry-wide challenge
- EfiGuard: a portable x64 UEFI bootkit
- Tool to dump EFI Variables: dumpEfiVars
Definitive Guide to Enterprise Firmware Security
The security industry has made huge strides in reducing cybersecurity risk in operating systems and applications. But the underlying firmware, the digital DNA of every device, has largely been ignored…by everyone but our adversaries. With firmware threats and exploits increasing, security teams need a way to defend this unguarded attack surface. This Guide shows them how to do just that.