Logjam: #Log4j exploit attempts continue in globally distributed scans, attacks
China and Russia, Kinsing miner botnet dominate sources of exploit attempts...
Since the first vulnerability in the Apache Foundation’s Log4j logging tool was revealed on December 10, three sets of fixes to the Java library have been released as additional vulnerabilities were uncovered.
This rapid iteration of fixes has left software developers and organizations worldwide scrambling to assess and mitigate their exposure with nearly daily-changing guidance. In the meantime, we’ve seen attempts to detect or exploit the vulnerability continue non-stop.
As we pass the first week since the exposure of the first vulnerability, SophosLabs has continued to track attempts against our customers’ networks to exploit Log4Shell.
The traffic we’ve observed includes benign scans by security researchers and penetration testers as well as malicious activity, and it does not directly reflect the state of criminal and state actor attempts to exploit the vulnerability.
But from portions of the data, we can see enough about the requests to gain some insight into the infrastructure involved in these attempts, and in some cases the intent behind them.
We have not seen a significant reduction in exploit attempts since they peaked on December 15, and these probes and exploits are coming from a globally distributed infrastructure...
We have seen MILLIONS of incoming attempts to exploit #Log4j in customer telemetry.
While we cannot distinguish the intent of every request, the segment of our telemetry that provided traffic details provides a snapshot. Looking at the source of attempted abusive packets thus far, the vast majority come from IP addresses in Russia and China.
Because of the way Log4j exploits work—by prompting “lookups” to remote servers via LDAP, DNS, and other protocols supported by the Java Naming and Directory Interface (JNDI)—the lookup requests can be directed to a different location than the source of the exploit.
Nearly two-thirds of these requests had URLs for infrastructure in India. And over 40% had URLs directed to infrastructure in the US. Over seven percent of exploit requests were directed to the Interactsh tool’s domain—18% of all the traffic to US infrastructure.
Because Interactsh has been used by researchers AND malicious actors, it’s difficult to separate the benign from the bad—just as it is with other traffic we’re detecting and blocking. But it is clear that malicious exploit attempts remain a majority of this traffic.
The only sure way to protect against exploitation—either to gain remote code execution or to cause denial of service—is to update software to use the current “safe” versions of Log4j (2.17.0 for Java 8, 2.12.3 for Java 7).
Where fixes are not yet available, network filtering definitions will protect against a large percentage of existing exploit traffic—but do not guarantee protection against emerging threats and highly targeted attacks.
@Sophos continues to identify new methods of obfuscating exploit traffic, and new payloads being deployed via Log4j exploits. The following are current Signature IDs published to Sophos intrusion protection products (latest in bold), by product, as of December 20.
The following is a list as of December 20 of all payloads Sophos has detected as part of Log4j exploit attempts (new payloads in bold):
NEW: Avos Locker remotely accesses boxes, even running in Safe Mode
Infections involving this relatively new ransomware-as-a-service spiked in November and December...
Over the past few weeks, an up-and-coming ransomware family that calls itself Avos Locker has been ramping up attacks while making significant effort to disable endpoint security products on the systems they target.
In a recent series of ransomware incidents involving this ransomware, Sophos Rapid Response discovered that attackers had booted their target computers into Safe Mode to execute the ransomware, similar to now-defunct Snatch, REvil, and BlackMatter ransomware families.
NEW: Attackers test “CAB-less 40444” exploit in a dry run
An updated exploit takes a circuitous route to trigger a Word document into delivering an infection without using macros...
In September, Microsoft published mitigation steps and released a patch to a serious bug (CVE-2021-40444) in the Office suite of products. Criminals began exploiting the Microsoft MSHTML Remote Code Execution Vulnerability at least a week before September’s Patch Tuesday...
...but the early mitigations (which involved disabling the installation of ActiveX controls), and the patch (released a week later), were mostly successful at stopping the exploits that criminals had been attempting to leverage to install malware.
The critical vulnerability in Apache’s #Log4j Java-based logging utility (CVE-2021-44248) has been called the “most critical vulnerability of the last decade.”
The flaw has forced developers of many software products to push out updates or mitigations to customers.
And Log4j’s maintainers have published two new versions since the bug was discovered—the second completely eliminating the feature that made the exploit possible in the first place.
Microsoft wraps up 2021 with 64 patched vulnerabilities—including Windows 7 fixes...
While Log4J may have cast a very long shadow over this month, Microsoft has released fixes for 64 more vulnerabilities in its software products, including 16 Chromium-based bugs in the Edge browser that were already patched in updates pushed since last month.
Some of the remaining fixes apply to versions of Windows stretching back to the end-of-life’d Windows 7...
There are 17 bugs being patched in Windows 7 this month, including three of this month’s seven critical vulnerabilities—all of which are remote code execution bugs.
A vulnerability in a widely-used Java logging component is exposing untold numbers of organizations to potential remote code attacks and information exposure...
On December 9, a severe remote code vulnerability was revealed in Apache’s Log4J, a very common logging system used by developers of web and server applications based on Java and other programming languages.
The vulnerability affects a broad range of services and applications on servers, making it extremely dangerous—and the latest updates for those server applications urgent.
NEW ransomware actor uses password-protected archives to bypass encryption protection
Calling themselves "Memento team", actors use Python-based ransomware that they reconfigured after setbacks...
In late October, Sophos MTR’s Rapid Response Team encountered a new ransomware group with an interesting approach to holding victims’ files hostage. The ransomware used by this group, who identify themselves as “Memento Team,” doesn’t encrypt files.
Instead, it copies files into password-protected archives, using a renamed freeware version of the legitimate file utility WinRAR—and then encrypts the password and deletes the original files.