FBI Security Alerts


  • SalesServiceGuy
    replied
    Re: FBI Security Alerts

    The bad news is that most copier/printer vendors do not know today if they are affected by Log4J. Toshiba is vigorously working to test its product against this potential vulnerability and may have to issue a firmware update.


    Tech Solvency - The Story So Far


    Log4Shell log4j vulnerability (CVE-2021-44228 / CVE-2021-45046) - cheat-sheet reference guide

    Last updated: 2021/12/16 17:25:22 UTC - best effort, validate all for your environment/model before use, unofficial sources may be wrong
    by @TychoTithonus (Royce Williams), standing on the shoulders of many giants
    Send updates or suggestions (please include category / context / public (or support-walled) links if you can)


    NOTE: All previous mitigations - based on anything other than upgrade to log4j 2.16 or entirely removing JndiLookup classes - are likely not full mitigation
    (but still useful coverage while waiting for later vendor guidance)


    Context - who (and what) is affected

    • Impact: arbitrary code execution as the user the parent process is running as (code fetched from the public Internet, or lolbins already present on system, or just fetching shared secrets or environment variables and returning them to the attacker)
    • Targets: Servers and clients that run Java and also log anything using the log4j framework - primarily a server-side concern, but any vulnerable endpoint could be a target or a pivot point
    • Downstream projects: until proven otherwise, assume anything that includes log4j, or depends on something that does, is affected in a way that requires mitigation; see below
    • Affected versions: log4j 2.x confirmed - log4j 1.x only indirectly (previous information disclosure vulns, harder to exploit) (in some configurations). Also, presence of 1.x is not good - 1.x went EOL in August 2015!
    • Appliances: Don't forget appliances and other opaque or third-party systems that may be using Java server components, but won't be detected by un-credentialed vulnerability scanning or simple exploitation tests
    • Log forwarding: logging infrastructure often has many "northbound" (send my logs to someone) and "southbound" (receiving logs from someone) forwarding/relaying topologies. Chaining them together for exploitation must also be considered. (For those not familiar, these are terms of art in the NMS/logging space - ref, ref, ref)
    • Cloud: Multiple large providers also affected (but this guide focuses mostly on customer-managed side)
    • Deadlines: CISA orders federal agencies to patch Log4Shell by December 24th

    Scope / seriousness

    • "hearing folks compare #log4shell is "as bad as heartbleed" - imo it's much, much worse. aside from having RCE as the impact, the number of interdependencies around log4j (and particularly the age of them) is orders of magnitude higher" -@caseyjohnellis
    • "What people seem to miss: The #Log4Shell vulnerability isn't just a RCE 0day. It's a vulnerability that causes hundreds and thousands of 0days in all kinds of software products. It's a 0day cluster bomb." -@cyb3rops@rakyll (AWS)
    • "The Log4j vulnerability is the most serious vulnerability that I've seen in my decades-long career." - CIA Director Jen Easterly, in interview
    • The Wikipedia article on log4j is informative to understand usage and scope
    • Earliest detection known: 2021-12-01 04:36:50 UTC
    • Misnomers: No, it is not also called LogJam. That name is already taken. (Initial LunaSec post used that name, then picked a new one once they found out.)
    • Pronunciation: its main author pronounces it "log 4 jay", not "logforge"

    Summaries

    • CVEs: CVE-2021-44228, CVE-2021-45046 (not quite as bad). Note also unrelated (but also bad) CVE-2021-4104, announced 2021-12-13 and affecting 1.2 JMSAppender behavior (not the default)
      "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."



  • tonerhead
    replied
    Re: FBI Security Alerts

    Originally posted by PrintWhisperer
    You left Apple out of your list....
    True, and in some respects M$ also.



  • SalesServiceGuy
    replied
    Re: FBI Security Alerts

    The Log4j security flaw could impact the entire internet.


    A critical flaw in widely used software has cybersecurity experts raising alarms and big companies racing to fix the issue.

    The vulnerability, which was reported late last week, is in Java-based software known as "Log4j" that large organizations use to configure their applications -- and it poses potential risks for much of the internet.

    Apple's cloud computing service, security firm Cloudflare, and one of the world's most popular video games, Minecraft, are among the many services that run Log4j, according to security researchers.

    Jen Easterly, head of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), called it "one of the most serious flaws" seen in her career. In a statement on Saturday, Easterly said "a growing set" of hackers are actively attempting to exploit the vulnerability.

    As of Tuesday, more than 100 hacking attempts were occurring per minute, according to data this week from cybersecurity firm Check Point.

    "It will take years to address this while attackers will be looking... on a daily basis [to exploit it]," said David Kennedy, CEO of cybersecurity firm TrustedSec. "This is a ticking time bomb for companies."

    Attackers appear to have had more than a week's head start on exploiting the software flaw before it was publicly disclosed, according to cybersecurity firm Cloudflare. Now, with such a high number of hacking attempts happening each day, some worry the worst is yet to come.

    "Sophisticated, more senior threat actors will figure out a way to really weaponize the vulnerability to get the biggest gain," Mark Ostrowski, Check Point's head of engineering, said Tuesday.

    Late Tuesday, Microsoft said in an update to a blog post that state-backed hackers from China, Iran, North Korea and Turkey have tried to exploit the Log4j flaw.



  • PrintWhisperer
    replied
    Re: FBI Security Alerts

    Originally posted by SalesServiceGuy

    PaperCut has confirmed that PaperCut MF and PaperCut NG 21.0 and above can be exploited by this issue. We have also verified that previous versions do not include the vulnerable Apache Log4j component.



  • SalesServiceGuy
    replied
    Re: FBI Security Alerts

    Papercut advised via email this AM that the latest version of their popular print management software....


    PaperCut is aware of the RCE vulnerability in the Apache Log4j library also known as Log4Shell or CVE-2021-44228. This issue has been classified by the Apache Logging security team as a critical severity issue.
    The Log4j library is in widespread use by Java-based software globally—you can expect to hear from a number of software vendors on this topic.

    PaperCut has confirmed that PaperCut MF and PaperCut NG 21.0 and above can be exploited by this issue. We have also verified that previous versions do not include the vulnerable Apache Log4j component.



  • PrintWhisperer
    replied
    Re: FBI Security Alerts

    Originally posted by tonerhead
    Man, you have really nailed it. So true. It also frustrates the heck out of me how many companies like Google take open-source, free software, add a little code to it and commercialize it. In particular, chrome browser, chrome os, and android. After they get done with their little coding all of a sudden it becomes proprietary. Make the open source better by supporting it, not making it proprietary and profiting from it.
    You left Apple out of your list....



  • tonerhead
    replied
    Re: FBI Security Alerts

    Originally posted by rthonpm
    The amazing thing about log4j is that despite multi-million dollar companies using it in their products, it's only maintained by a handful of people who do it in their spare time.

    While the tech world loves open source software, no-one seems to want to chip in with any support for it which is what leads to issues like this.

    Sent from my BlackBerry using Tapatalk
    Man, you have really nailed it. So true. It also frustrates the heck out of me how many companies like Google take open-source, free software, add a little code to it and commercialize it. In particular, chrome browser, chrome os, and android. After they get done with their little coding all of a sudden it becomes proprietary. Make the open source better by supporting it, not making it proprietary and profiting from it.



  • rthonpm
    replied
    Re: FBI Security Alerts

    The amazing thing about log4j is that despite multi-million dollar companies using it in their products, it's only maintained by a handful of people who do it in their spare time.

    While the tech world loves open source software, no-one seems to want to chip in with any support for it which is what leads to issues like this.

    Sent from my BlackBerry using Tapatalk



  • SalesServiceGuy
    replied
    Re: FBI Security Alerts

    US government to offer up to $5,000 'bounty' to hackers to identify cyber vulnerabilities


    The Department of Homeland Security is launching a "bug bounty" program, potentially offering thousands of dollars to hackers who help the department identify cybersecurity vulnerabilities within its systems.

    DHS will pay between $500 and $5,000 depending on the gravity of the vulnerability and the impact of the remediation, Homeland Security Secretary Alejandro Mayorkas announced Tuesday.

    "It's a scalable amount of money but we consider that quite significant," he said, speaking at the Bloomberg Technology Summit. "We're really investing a great deal of money, as well as attention and focus, on this program."

    Hackers will earn the highest bounties for identifying the most severe bugs, DHS said.

    Some private companies offer much higher bounties for uncovering vulnerabilities. For instance, payouts from Apple range from $25,000 to $1 million and Microsoft offers up to $200,000.

    The announcement comes a day after senior Biden administration cyber officials warned that hackers are exploiting a newly revealed software vulnerability.

    The vulnerability is in Java-based software known as "Log4j" that large organizations, including some of the world's biggest tech firms, use to configure their applications.
    Jen Easterly, director of the DHS Cybersecurity and Infrastructure Security Agency, said the "vulnerability is one of the most serious that I've seen in my entire career, if not the most serious," during a call with executives from major US industries Monday.

    As part of the "Hack DHS program," the department will verify the vulnerability within 48 hours and either remediate it within 15 days or, if required, develop a plan for remediation within a 15-day period, according to Mayorkas.

    The program will be open to vetted cybersecurity researchers who have been invited to access select external DHS systems.

    "Hack DHS" will be carried out in three phases. First, hackers will conduct virtual assessments, which will be followed by a live, in-person hacking event. During the third phase, DHS will identify and review lessons learned and plan for future bug bounties, according to the department.

    Asked whether this program will last into future administrations, Mayorkas said that if it proves valuable, "we will continue the program for as long as we can."

    Katie Moussouris, CEO and founder of Luta Security, welcomed the move but raised concerns about the program's timeline.

    "It's great that DHS is working with hackers and welcoming their findings; however, time-bound bug bounty programs do not deliver consistent security improvements."

    "It's time to mature government vulnerability disclosure and bug bounty programs towards measurable security outcomes."

    She also pointed out that bug bounties are meant to catch what internal security due diligence missed.

    "I will be interested to see if this newest bug bounty reveals more complex bugs than typical low-hanging fruit normally found in bug bounties," she added. The department ran a bug bounty pilot program in 2019, which stemmed from legislation that allows DHS to compensate hackers for evaluating department systems. It also builds on similar efforts, like the Department of Defense's "Hack the Pentagon" program.

    Democratic Sen. Maggie Hassan of New Hampshire and Republican Sen. Rob Portman of Ohio, who helped draft the initial bug bounty legislation, praised the announcement.

    "At a time when cyber threats are on the rise, I'm pleased that DHS is making permanent the bug bounty program I created with Senator Hassan to ensure our federal government is better prepared to protect itself," Portman said in a statement.



  • rthonpm
    replied
    Re: FBI Security Alerts

    Originally posted by SalesServiceGuy
    Would something like Papercut or Docuware installed on a client's server be vulnerable to this type of attack?

    Would apps installed in a copier be vulnerable?

    Would Cloud apps like MS365 be vulnerable?

    Is Windows 10 installed on a local PC vulnerable?

    Toshiba copiers run on a Linux operating system. Is Linux vulnerable?
    The only thing vulnerable is the log4j framework itself. If an application uses it and isn't patched it can be used to run code on the device it's installed on. Beyond that, if there's no Java or Java based applications on a system and no log4j, you're in good shape.

    M365 wouldn't be vulnerable since it doesn't rely on or use Java in any manner whatsoever.

    I spent most of my Monday wasting my time with a customer who needed to be assured that nothing in his environment was susceptible to exploit. Nothing in the environment was using the framework so there was nothing to worry about.

    This is going to hit fringe applications and custom apps more than anything as this is not like Heartbleed where it's a vulnerability in a crucial component of an OS like SSH. This is a developer tool for building logging.

    If there's any doubt, check the developers of any third-party applications in a customer environment as it can be hidden in plain sight.

    Sent from my BlackBerry using Tapatalk

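    A defender-side check that follows the two mitigations the Tech Solvency note in this thread accepts (upgrade to log4j 2.16 or remove the JndiLookup class) and rthonpm's advice above to check third-party applications, since log4j "can be hidden in plain sight". This is an added example, not code from the thread, from Tech Solvency or from any vendor named here. It walks a directory for jar/war/ear/zip files, descends into jars nested inside them (the WEB-INF/lib case), reads log4j-core's Maven pom.properties for the version and reports whether JndiLookup.class is present. The three archives it builds under a temp directory are constructed samples containing only the entries the scanner inspects; the "2.16 or newer" threshold is taken from the cheat sheet's NOTE as quoted on this page.

```python
import io
import os
import re
import shutil
import tempfile
import zipfile

# Entry names that real log4j-core jars carry.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(props_bytes):
    """Pull 'version=' out of Maven pom.properties (None if absent)."""
    for line in props_bytes.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _vtuple(version):
    """'2.14.1' -> (2, 14, 1); suffixes such as '-beta9' are ignored."""
    out = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def verdict(finding):
    """Cheat-sheet rule: 2.16+ is an upgrade; otherwise JndiLookup must be gone."""
    ver = finding["log4j_core_version"]
    if ver and _vtuple(ver) >= (2, 16, 0):
        return "upgraded"
    if not finding["jndi_lookup_present"]:
        return "mitigated-class-removed"
    return "needs-action"  # also covers class present with no readable version


def inspect_archive(zf, label, findings):
    """Record log4j-core evidence in an open ZipFile, recursing into nested jars."""
    names = set(zf.namelist())
    has_jndi = JNDI_CLASS in names
    version = _version_from_pom(zf.read(POM_PROPS)) if POM_PROPS in names else None
    if has_jndi or version is not None:
        findings.append({"path": label, "log4j_core_version": version,
                         "jndi_lookup_present": has_jndi})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, label + "!" + name, findings)


def scan_tree(root):
    """Walk a directory and inspect every archive found; returns a list of findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue  # not really a zip; skip it
    return findings


def _make_jar(path, version, include_jndi, nested_in=None):
    """Constructed sample archive holding only the entries the scanner checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "version=%s\n" % version)
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    data = buf.getvalue()
    if nested_in:  # wrap the jar inside a war, as WEB-INF/lib would
        with zipfile.ZipFile(path, "w") as outer:
            outer.writestr(nested_in, data)
    else:
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build three constructed archives in a temp dir; return {relative path: verdict}."""
    root = tempfile.mkdtemp()
    try:
        _make_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
        _make_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
        _make_jar(os.path.join(root, "app.war"), "2.16.0", True,
                  nested_in="WEB-INF/lib/log4j-core-2.16.0.jar")
        return {f["path"][len(root) + 1:].replace(os.sep, "/"): verdict(f)
                for f in scan_tree(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(status.ljust(24), path)
```

    Point scan_tree() at an application's install directory to use it for real. Repackaged or shaded jars often drop the Maven pom.properties, so a hit with the class present and no readable version is deliberately reported as needs-action rather than ignored.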


  • SalesServiceGuy
    replied
    Re: FBI Security Alerts

    Originally posted by rthonpm
    This is an application level flaw, not a computer flaw. I would highly doubt that MFP's are using anything beyond standard Unix logging, especially as log4j is Java dependent, which would add an additional layer of complexity to the very basic embedded operating systems that most MFP's use.

    This would be found more in server applications where you may need a more sophisticated logging function for an application.

    There's also no way to query the logs of an MFP beyond a simple download, and also no way to actively run commands.

    Sent from my BlackBerry using Tapatalk
    Would something like Papercut or Docuware installed on a client's server be vulnerable to this type of attack?

    Would apps installed in a copier be vulnerable?

    Would Cloud apps like MS365 be vulnerable?

    Is Windows 10 installed on a local PC vulnerable?

    Toshiba copiers run on a Linux operating system. Is Linux vulnerable?



  • rthonpm
    replied
    Re: FBI Security Alerts

    Originally posted by SalesServiceGuy
    Log4Shell attack

    Does anybody have any idea of how vulnerable a network copier/printer is to this newfound design flaw in many computer systems?

    What the Log4Shell Bug Means for SMBs: Experts Weigh In | Threatpost
    This is an application level flaw, not a computer flaw. I would highly doubt that MFP's are using anything beyond standard Unix logging, especially as log4j is Java dependent, which would add an additional layer of complexity to the very basic embedded operating systems that most MFP's use.

    This would be found more in server applications where you may need a more sophisticated logging function for an application.

    There's also no way to query the logs of an MFP beyond a simple download, and also no way to actively run commands.

    Sent from my BlackBerry using Tapatalk



  • SalesServiceGuy
    replied
    Re: FBI Security Alerts

    Log4Shell attack

    Does anybody have any idea of how vulnerable a network copier/printer is to this newfound design flaw in many computer systems?

    What the Log4Shell Bug Means for SMBs: Experts Weigh In | Threatpost

    Apache Log4j is a Java-based logging tool that is used by many companies around the world, either through open source libraries or directly embedded in their software. The Log4Shell vulnerability can be easily exploited for remote code execution by sending a specially crafted request to the targeted system.


    The request generates a log using Log4j, which leverages the Java Naming and Directory Interface (JNDI) lookup feature to perform a request to an attacker-controlled server, from which it fetches a malicious payload and executes it.
    Last edited by SalesServiceGuy; 12-14-2021, 11:33 PM.



  • SalesServiceGuy
    replied
    Re: FBI Security Alerts
    • November 26, 2021


    IKEA is battling an ongoing cyberattack where threat actors are targeting employees in internal phishing attacks using stolen reply-chain emails.

    A reply-chain email attack is when threat actors steal legitimate corporate email and then reply to them with links to malicious documents that install malware on recipients' devices.

    IKEA is warning employees of an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners.

    "There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA," explained an internal email sent to IKEA employees.

    "This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversations. It is therefore difficult to detect, for which we ask you to be extra cautious."

    IKEA IT teams warn employees that the reply-chain emails contain links with seven digits at the end and shared an example email.





    Threat actors have recently begun to compromise internal Microsoft Exchange servers using the ProxyShell and ProxyLogin vulnerabilities to perform phishing attacks.
    Once they gain access to a server, they use the internal Microsoft Exchange servers to perform reply-chain attacks against employees using stolen corporate emails.
    As the emails are being sent from internal compromised servers and existing email chains, there is a higher level of trust that the emails are not malicious.


    Attack used to spread Emotet or Qbot trojan

    The Qbot and Emotet trojans both lead to further network compromise and ultimately the deployment of ransomware on a breached network.

    Due to the severity of these infections and the likely compromise of their Microsoft Exchange servers, IKEA is treating this security incident as a significant cyberattack that could potentially lead to a far more disruptive attack.




  • SalesServiceGuy
    replied
    Re: FBI Security Alerts

    MORE Alarming Cybersecurity Stats For 2021 !

    A new study by cybersecurity company BlueVoyant shows that the supply chain is a magnet for cyber breaches. “A whopping 97% of firms have been impacted by a cybersecurity breach in their supply chain, and 93% admitted that they have suffered a direct cybersecurity breach because of weaknesses in their supply chain.“ Supply chain cybersecurity breaches have hit alarming percentage of firms: survey | Fox Business

    “Supply chain attacks rose by 42% in the first quarter of 2021 in the US, impacting up to seven million people, according to research. Analysis of publicly-reported data breaches in quarter one by the Identity Theft Resource Center (ITRC) found 137 organizations reported being hit by supply chain cyber-attacks at 27 different third-party vendors.” ‘Troubling’ rise in supply chain cyber-attacks – Supply Management (cips.org)

    For a deeper dive into supply chain cyber issues, please see: Chuck Brooks: Government Focused on Securing the Cyber Supply Chain

    “Supply chain issues are being formally adapted into security strategy by the federal government. On May 15, 2019, the White House Presidential Executive order was issued to help secure the supply chain (both public and commercial) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States.”

    The remedy to fixing supply chain vulnerabilities is heightening government and industry collaboration highlighted in the policy initiatives, such as NIST, and in task forces on supply chain security established by the Executive Branch. More precisely, it requires enacting a risk management process that identifies vulnerable systems (especially legacy) and gains visibility into all the elements of the supply chain.”



    Cybersecurity is all about risk management. The Cyber Risk list below compiled by Fortinet speaks volumes:

    Cyber Risks

    • IDC predicts there will be 55.7 billion connected devices by 2025, of which 75% will be connected to the IoT. IDC also estimates that IoT devices will generate 73.1 zettabytes of data by 2025, up from just 18.3 zettabytes in 2019.
    • Cisco data estimates that distributed denial-of-service (DDoS) attacks will grow to 15.4 million by 2023, more than double the 7.9 million in 2018.
    • DDoS attacks became more prevalent in 2020, with the NETSCOUT Threat Intelligence report seeing 4.83 million attacks in the first half of the year. That equates to 26,000 attacks per day and 18 per minute.
    • More than four-fifths of data breaches in 2020 (86%) were financially motivated, according to Verizon’s 2020 Data Breach Investigations Report (DBIR).
    • Security threats against industrial control systems (ICS) and operational technology (OT) more than tripled in 2020, according to Dragos Inc.’s Year in Review report.
    • McKinsey insight finds 70% of security executives believe their budget will decrease in 2021, which will limit and reduce their spending on compliance, governance, and risk tools.
    • Organizations must defend their networks, systems, and users against several major cybersecurity threats. For example, Verizon’s 2020 DBIR found that 70% of breaches were caused by outsiders, 45% involved hacking, 86% were financially motivated, 17% involved some form of malware, and 22% featured phishing or social engineering.

