A maximum-severity vulnerability has been identified in Apache Log4j, an open-source Java-based logging library used by many thousands of organizations in their enterprise applications and by many cloud services.

The vulnerability, dubbed Log4Shell and tracked as CVE-2021-44228, is serious as they come, with some security researchers claiming the flaw is the most serious to be discovered in the past decade due to its ease of exploitation and the sheer number of enterprise applications and cloud services that are affected.

The vulnerability can be exploited without authentication to achieve remote code execution and take full control of vulnerable systems. The vulnerability affects Apache Log4j between versions 2.0 to 2.14.1, and has been fixed in version 2.15.0.

The advice is to ensure the upgrade is performed immediately as a proof-of-concept exploit for the flaw is in the public domain, extensive scans are being performed for vulnerable systems, and there have been many cases of the flaw being exploited in the wild. Some reports suggest the improper input validation bug has been exploited in the wild for some time before it was discovered by researchers at Alibaba Cloud on November 24.

The vulnerability was first detected being exploited against Minecraft, which still uses Java, although many web apps and business applications use Java and are vulnerable to attack and the vulnerability affects multiple Apache frameworks such as Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, and others.

The vulnerability can be exploited by manipulating log messages to execute arbitrary code from LDAP servers when message lookup substitution is enabled. This is a Java deserialization issue due to the library making network requests through the Java Naming and Directory Interface (JNDI) to an LDAP server and executing code that’s returned. By manipulating the log messages to trigger a look-up to an attacker-controlled server, an attacker can execute code on the victim’s system. Exploiting the bug requires the attacker to get a vulnerable application to log a special string, which is trivial for threat actors and requires a single line of code.

According to UK security researcher Marcus Hutchins, threat actors attacked Minecraft servers by simply pasting a short message into the chatbox. The bug is known to have been exploited to deploy cryptocurrency miners, to install botnet code on IoT devices, and initial access brokers have been scrambling to exploit the code, so it is inevitable that it will provide the initial access to allow ransomware attacks.

“I cannot overstate the seriousness of this threat. On the face of it, this is aimed at cryptominers but we believe this creates just the sort of background noise that serious threat actors will try to exploit in order to attack a whole range of high-value targets such as banks, state security, and critical infrastructure,” explained Lotem Finkelstein, director of threat intelligence and research at Check Point.

If it is not possible to immediately update to version 2.15.0, there are mitigations that can prevent exploitation in version 2.10.0 and later. A vulnerability “vaccine” has been released by Cybereason that can be used to protect against exploitation by using the vulnerability to run code that changes the settings to prevent further exploitation. The vaccine could be used to gain some time, although the best option is to update to the latest Apache Log4j version.

The vulnerable code could be anywhere, so fixing the issue is not likely to be straightforward, although Huntress has released a tool that can be used to check if applications are affected – available here.

Mitigations that can be applied if the update cannot be easily performed have been released by Apache. “In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.”

Since there have been many cases of the flaw being exploited, it is important to not only fix the vulnerability but to also assume the flaw has already been exploited and to check logs for any unusual activity after systems and applications have been secured.

The post Max-Severity Apache Log4j Zero-day Vulnerability Extensively Exploited in the Wild appeared first on HIPAA Journal.

SonicWall has released new firmware for its Secure Mobile Access (SMA) 100 series remote access appliances that fixes 8 vulnerabilities including 2 critical and 4 high-severity flaws.

Vulnerabilities in SonicWall appliances are attractive to threat actors and have been targeted in the past in ransomware attacks. While there are currently no known cases of the latest batch of vulnerabilities being exploited in the wild, there is a high risk of these vulnerabilities being exploited if the firmware is not updated promptly. SMA 100 series appliances include the SonicWall SMA 200, 210, 400, 410, and 500v secure access gateway products, all of which are affected.

The most serious vulnerabilities are buffer overflow issues which could be exploited remotely by an unauthenticated attacker to execute code on vulnerable appliances. These are CVE-2021-20038, an unauthenticated stack-based buffer overflow vulnerability (CVSS score of 9.8), and CVE-2021-20045, which covers multiple unauthenticated file explorer heap-based and stack-based buffer overflow issues (CVSS score 9.4). A further heap-based buffer overflow vulnerability – CVE-2021-20043 – allows remote code execution, although an attacker would need to be authenticated (CVSS score 8.8).

The remaining 3 high-severity vulnerabilities are CVE-2021-20041 – an unauthenticated CPU exhaustion vulnerability (CVSS score 7.5); CVE-2021-20039 – an authenticated command injection vulnerability (CVSS score 7.2); and CVE-2021-20044 – a post-authentication remote code execution vulnerability (CVSS score 7.2).

Two medium-severity vulnerabilities have also been fixed: CVE-2021-20040 – an unauthenticated file upload path traversal vulnerability (CVSS score 6.5) and CVE-2021-20042 – an unauthenticated ‘confused deputy’ vulnerability (CVSS score 6.3).

The firmware update can be accessed at MySonicWall.com and should be applied as soon as possible to prevent exploitation. SonicWall says there are no temporary mitigations that can be implemented to prevent exploitation of the flaws.

The post SonicWall Recommends Immediate Firmware Upgrade to Fix Critical Flaws in SMA 100 Series Appliances appeared first on HIPAA Journal.

A highly sophisticated malware capable of aggressively spreading within networks is being used in targeted attacks on the biomanufacturing sector. The malware has been named Tardigrade by security researchers and initial research suggests it may be a variant of SmokeLoader – A commonly used malware loader and backdoor, although SmokeLoader and Tardigrade malware are quite distinct.

The sophisticated nature of the malware coupled with the targeted attacks on vaccine manufacturers and their partners strongly suggest the malware was developed and is being used by an Advanced Persisted Threat (APT) actor. The malware was first detected being used in attacks on the biomanufacturing sector in the spring of 2021 when an infection was discovered at a large U.S. biomanufacturing facility. The malware was identified again in an attack on a biomanufacturing firm in October 2021 and it is believed to have been used in attacks on several firms in the sector.

In contrast to SmokeLoader, which requires instructions to be sent to the malware from its command-and-control infrastructure, Tardigrade malware has far greater autonomy and can use its internal logic to make decisions about lateral movement and which files to modify. The malware has a distributed command-and-control network and uses a variety of IPs that do not correspond to a specific command-and-control node. The malware is also metamorphic, which means its code regularly changes while retaining its functionality. That means signature-based detection mechanisms are not effective at identifying and blocking Tardigrade malware.

Tardigrade malware is stealthy and can be used to gain persistent access to victims’ systems for espionage. The malware creates a tunnel for data exfiltration and has been used to prepare systems for further malicious activities such as ransomware attacks. The malware was first detected when investigating what appeared to be a ransomware attack.

An advisory about the malware was issued by the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) due to the significant threat the malware poses to the biomanufacturing sector and their partners, with the HHS’ Health Sector Cybersecurity Coordination Center (HC3) also issuing a recent alert about the malware.

BIO-ISAC says all biomanufacturing sites and their partners should assume that they will be targets and should take steps to improve their defenses against this new malware threat. The primary method of malware delivery is believed to be phishing emails, although the malware is capable of spreading via USB drives and can propagate autonomously throughout victims’ networks.

It is important to ensure cybersecurity best practices are followed, such as closing open remote desktop protocols, updating out-of-date operating systems and software, aggressively segmenting networks, implementing multifactor authentication, and ensuring antivirus software is used on all devices that is capable of behavioral analysis.

BIO-ISAC also recommends conducting a “crown jewels” analysis, which should include assessing the impact of an attack should certain critical devices be rendered inoperable, ensuring offline backups are performed on biomanufacturing infrastructure, testing backups to ensure recovery is possible, providing phishing awareness training to the workforce, inquiring about lead times for procuring critical infrastructure components such as chromatography, endotoxin, and microbial containment systems, and accelerating the upgrade of legacy equipment.

Further information on the Tardigrade malware threat is available from BIO-ISAC and HC3.

The post Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks appeared first on HIPAA Journal.