FBI Security Alerts

  • SalesServiceGuy

    #106
    Re: FBI Security Alerts
    • November 26, 2021


    IKEA is battling an ongoing cyberattack where threat actors are targeting employees in internal phishing attacks using stolen reply-chain emails.

    A reply-chain email attack is when threat actors steal legitimate corporate email and then reply to them with links to malicious documents that install malware on recipients' devices.

    IKEA is warning employees of an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners.

    "There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA," explained an internal email sent to IKEA employees.

    "This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious."

    IKEA IT teams warn employees that the reply-chain emails contain links with seven digits at the end and shared an example email.

    Threat actors have recently begun to compromise internal Microsoft Exchange servers using the ProxyShell and ProxyLogin vulnerabilities to perform phishing attacks. Once they gain access to a server, they use the internal Microsoft Exchange servers to perform reply-chain attacks against employees using stolen corporate emails. As the emails are being sent from internal compromised servers and existing email chains, there is a higher level of trust that the emails are not malicious.


    Attack used to spread Emotet or Qbot trojan

    The Qbot and Emotet trojans both lead to further network compromise and ultimately the deployment of ransomware on a breached network.

    Due to the severity of these infections and the likely compromise of their Microsoft Exchange servers, IKEA is treating this security incident as a significant cyberattack that could potentially lead to a far more disruptive attack.


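Triage logic for the reply-chain pattern described in the post above, as an added example that is not part of the original post or of IKEA's advisory. It combines the two indicators the post gives: the mail rides an existing thread (In-Reply-To/References headers and a "Re:" subject) and carries a link ending in exactly seven digits. The messages, addresses and links are constructed test data; the literal reading of "ends in seven digits" is an assumption.

```python
"""Added example, not from the thread or from IKEA's advisory: triage logic for the reply-chain
phishing pattern above. It flags mail that rides an existing thread (In-Reply-To/References plus
a "Re:" subject) AND carries a link ending in exactly seven digits, the indicator IKEA gave."""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List

# A URL whose last characters are exactly seven digits (not part of a longer digit run,
# and nothing URL-like after them). Assumption: "ends in seven digits" is meant literally.
SEVEN_DIGIT_LINK = re.compile(r"""https?://[^\s<>"']+?(?<!\d)\d{7}(?![^\s<>"'])""")


def is_reply_chain(msg: Message) -> bool:
    """True when the message threads onto earlier mail, as a stolen reply chain would."""
    subject = (msg.get("Subject") or "").strip().lower()
    return bool(msg.get("In-Reply-To") or msg.get("References")) and subject.startswith("re:")


def body_text(msg: Message) -> str:
    chunks: List[str] = []
    for part in msg.walk():  # walk() yields the message itself for single-part mail
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> Dict[str, object]:
    msg = message_from_string(raw_message)
    links = SEVEN_DIGIT_LINK.findall(body_text(msg))
    reply = is_reply_chain(msg)
    if reply and links:
        verdict = "quarantine"  # both indicators from the advisory are present
    elif links:
        verdict = "review"      # link pattern alone: plenty of benign ticket/doc IDs look like this
    else:
        verdict = "clear"
    return {"from": msg.get("From", ""), "reply_chain": reply, "links": links, "verdict": verdict}


# Constructed sample messages (synthetic addresses and links, not real traffic).
SAMPLES = [
    # Reply in an existing thread from a partner domain with a seven-digit link: the described pattern.
    "From: partner@supplier.example\r\nTo: staff@corp.example\r\nSubject: Re: Q4 delivery schedule\r\n"
    "In-Reply-To: <abc123@corp.example>\r\nReferences: <abc123@corp.example>\r\n"
    "Content-Type: text/plain\r\n\r\nUpdated document: https://files.example.test/share/4829173\r\n"
    "> earlier conversation quoted below...\r\n",
    # Same thread, ordinary internal reply with a normal link.
    "From: colleague@corp.example\r\nSubject: Re: Q4 delivery schedule\r\n"
    "In-Reply-To: <abc123@corp.example>\r\nContent-Type: text/plain\r\n\r\n"
    "Thanks, tracker updated: https://intranet.example.test/tracker/q4\r\n",
    # Fresh mail with a seven-digit link (a ticket id): worth a look, not the reply-chain pattern.
    "From: helpdesk@corp.example\r\nSubject: Ticket opened\r\nContent-Type: text/plain\r\n\r\n"
    "Your ticket: https://helpdesk.example.test/ticket/1029384\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

A mail gateway or SIEM export of raw RFC 822 messages can be fed to `triage()` unchanged; the verdict is a triage hint, not a block decision on its own.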

    • SalesServiceGuy

      #107
      Re: FBI Security Alerts

      Log4Shell attack

      Does anybody have any idea of how vulnerable a network copier/printer is to this newfound design flaw in many computer systems?

      What the Log4Shell Bug Means for SMBs: Experts Weigh In | Threatpost

      Apache Log4j is a Java-based logging tool that is used by many companies around the world, either through open source libraries or directly embedded in their software. The Log4Shell vulnerability can be easily exploited for remote code execution by sending a specially crafted request to the targeted system.


      The request generates a log using Log4j, which leverages the Java Naming and Directory Interface (JNDI) lookup feature to perform a request to an attacker-controlled server, from which it fetches a malicious payload and executes it.
      Last edited by SalesServiceGuy; 12-14-2021, 11:33 PM.


      • rthonpm

        #108
        Re: FBI Security Alerts

        Originally posted by SalesServiceGuy
        Log4Shell attack

        Does anybody have any idea of how vulnerable a network copier/printer is to this newfound design flaw in many computer systems?

        What the Log4Shell Bug Means for SMBs: Experts Weigh In | Threatpost
        This is an application level flaw, not a computer flaw. I would highly doubt that MFPs are using anything beyond standard Unix logging, especially as log4j is Java-dependent, which would add an additional layer of complexity to the very basic embedded operating systems that most MFPs use.

        This would be found more in server applications where you may need a more sophisticated logging function for an application.

        There's also no way to query the logs of an MFP beyond a simple download, and also no way to actively run commands.

        Sent from my BlackBerry using Tapatalk


        • SalesServiceGuy

          #109
          Re: FBI Security Alerts

          Originally posted by rthonpm
          This is an application level flaw, not a computer flaw. I would highly doubt that MFPs are using anything beyond standard Unix logging, especially as log4j is Java-dependent, which would add an additional layer of complexity to the very basic embedded operating systems that most MFPs use.

          This would be found more in server applications where you may need a more sophisticated logging function for an application.

          There's also no way to query the logs of an MFP beyond a simple download, and also no way to actively run commands.

          Sent from my BlackBerry using Tapatalk
          Would something like PaperCut or DocuWare installed on a client's server be vulnerable to this type of attack?

          Would apps installed in a copier be vulnerable?

          Would Cloud apps like MS365 be vulnerable?

          Is Windows 10 installed on a local PC vulnerable?

          Toshiba copiers run on a Linux operating system. Is Linux vulnerable?


          • rthonpm

            #110
            Re: FBI Security Alerts

            Originally posted by SalesServiceGuy
            Would something like PaperCut or DocuWare installed on a client's server be vulnerable to this type of attack?

            Would apps installed in a copier be vulnerable?

            Would Cloud apps like MS365 be vulnerable?

            Is Windows 10 installed on a local PC vulnerable?

            Toshiba copiers run on a Linux operating system. Is Linux vulnerable?
            The only thing vulnerable is the log4j framework itself. If an application uses it and isn't patched, it can be used to run code on the device it's installed on. Beyond that, if there's no Java or Java-based applications on a system and no log4j, you're in good shape.

            M365 wouldn't be vulnerable since it doesn't rely on or use Java in any manner whatsoever.

            I spent most of my Monday wasting my time with a customer who needed to be assured that nothing in his environment was susceptible to exploit. Nothing in the environment was using the framework so there was nothing to worry about.

            This is going to hit fringe applications and custom apps more than anything, as this is not like Heartbleed where it's a vulnerability in a crucial component of an OS like SSH. This is a developer tool for building logging.

            If there's any doubt, check the developers of any third-party applications in a customer environment as it can be hidden in plain sight.

            Sent from my BlackBerry using Tapatalk


            • SalesServiceGuy

              #111
              Re: FBI Security Alerts

              US government to offer up to $5,000 'bounty' to hackers to identify cyber vulnerabilities


              The Department of Homeland Security is launching a "bug bounty" program, potentially offering thousands of dollars to hackers who help the department identify cybersecurity vulnerabilities within its systems.

              DHS will pay between $500 and $5,000 depending on the gravity of the vulnerability and the impact of the remediation, Homeland Security Secretary Alejandro Mayorkas announced Tuesday.

              "It's a scalable amount of money but we consider that quite significant," he said, speaking at the Bloomberg Technology Summit. "We're really investing a great deal of money, as well as attention and focus, on this program."

              Hackers will earn the highest bounties for identifying the most severe bugs, DHS said.

              Some private companies offer much higher bounties for uncovering vulnerabilities. For instance, payouts from Apple range from $25,000 to $1 million and Microsoft offers up to $200,000.

              The announcement comes a day after senior Biden administration cyber officials warned that hackers are exploiting a newly revealed software vulnerability.

              The vulnerability is in Java-based software known as "Log4j" that large organizations, including some of the world's biggest tech firms, use to configure their applications.

              Jen Easterly, director of the DHS Cybersecurity and Infrastructure Security Agency, said the "vulnerability is one of the most serious that I've seen in my entire career, if not the most serious," during a call with executives from major US industries Monday.

              As part of the "Hack DHS program," the department will verify the vulnerability within 48 hours and either remediate it within 15 days or, if required, develop a plan for remediation within a 15-day period, according to Mayorkas.

              The program will be open to vetted cybersecurity researchers who have been invited to access select external DHS systems.

              "Hack DHS" will be carried out in three phases. First, hackers will conduct virtual assessments, which will be followed by a live, in-person hacking event. During the third phase, DHS will identify and review lessons learned and plan for future bug bounties, according to the department.

              Asked whether this program will last into future administrations, Mayorkas said that if it proves valuable, "we will continue the program for as long as we can."

              Katie Moussouris, CEO and founder of Luta Security, welcomed the move but raised concerns about the program's timeline.

              "It's great that DHS is working with hackers and welcoming their findings; however, time-bound bug bounty programs do not deliver consistent security improvements."

              "It's time to mature government vulnerability disclosure and bug bounty programs towards measurable security outcomes."

              She also pointed out that bug bounties are meant to catch what internal security due diligence missed.

              "I will be interested to see if this newest bug bounty reveals more complex bugs than typical low-hanging fruit normally found in bug bounties," she added.

              The department ran a bug bounty pilot program in 2019, which stemmed from legislation that allows DHS to compensate hackers for evaluating department systems. It also builds on similar efforts, like the Department of Defense's "Hack the Pentagon" program.

              Democratic Sen. Maggie Hassan of New Hampshire and Republican Sen. Rob Portman of Ohio, who helped draft the initial bug bounty legislation, praised the announcement.

              "At a time when cyber threats are on the rise, I'm pleased that DHS is making permanent the bug bounty program I created with Senator Hassan to ensure our federal government is better prepared to protect itself," Portman said in a statement.


              • rthonpm

                #112
                Re: FBI Security Alerts

                The amazing thing about log4j is that despite multi-million-dollar companies using it in their products, it's only maintained by a handful of people who do it in their spare time.

                While the tech world loves open source software, no one seems to want to chip in with any support for it, which is what leads to issues like this.

                Sent from my BlackBerry using Tapatalk


                • tonerhead

                  #113
                  Re: FBI Security Alerts

                  Originally posted by rthonpm
                  The amazing thing about log4j is that despite multi-million-dollar companies using it in their products, it's only maintained by a handful of people who do it in their spare time.

                  While the tech world loves open source software, no one seems to want to chip in with any support for it, which is what leads to issues like this.

                  Sent from my BlackBerry using Tapatalk
                  Man, you have really nailed it. So true. It also frustrates the heck out of me how many companies like Google take open-source, free software, add a little code to it and commercialize it. In particular, the Chrome browser, Chrome OS, and Android. After they get done with their little coding, all of a sudden it becomes proprietary. Make the open source better by supporting it, not making it proprietary and profiting from it.
                  I've proved mathematics wrong. 1 + 1 doesn't always equal 2.........


                  Especially when it comes to sex


                  • PrintWhisperer

                    #114
                    Re: FBI Security Alerts

                    Originally posted by tonerhead
                    Man, you have really nailed it. So true. It also frustrates the heck out of me how many companies like Google take open-source, free software, add a little code to it and commercialize it. In particular, the Chrome browser, Chrome OS, and Android. After they get done with their little coding, all of a sudden it becomes proprietary. Make the open source better by supporting it, not making it proprietary and profiting from it.
                    You left Apple out of your list....
                    "Being ignorant is not so much a shame, as being unwilling to learn" - Benjamin Franklin


                    • SalesServiceGuy

                      #115
                      Re: FBI Security Alerts

                      PaperCut advised via email this AM that the latest version of their popular print management software....


                      PaperCut is aware of the RCE vulnerability in the Apache Log4j library also known as Log4Shell or CVE-2021-44228. This issue has been classified by the Apache Logging security team as a critical severity issue.
                      The Log4j library is in widespread use by Java-based software globally—you can expect to hear from a number of software vendors on this topic.

                      PaperCut has confirmed that PaperCut MF and PaperCut NG 21.0 and above can be exploited by this issue. We have also verified that previous versions do not include the vulnerable Apache Log4j component.


                      • PrintWhisperer

                        #116
                        Re: FBI Security Alerts

                        Originally posted by SalesServiceGuy

                        PaperCut has confirmed that PaperCut MF and PaperCut NG 21.0 and above can be exploited by this issue. We have also verified that previous versions do not include the vulnerable Apache Log4j component.
                        "Being ignorant is not so much a shame, as being unwilling to learn" - Benjamin Franklin


                        • SalesServiceGuy

                          #117
                          Re: FBI Security Alerts

                          The Log4j security flaw could impact the entire internet.


                          A critical flaw in widely used software has cybersecurity experts raising alarms and big companies racing to fix the issue.

                          The vulnerability, which was reported late last week, is in Java-based software known as "Log4j" that large organizations use to configure their applications -- and it poses potential risks for much of the internet.

                          Apple's cloud computing service, security firm Cloudflare, and one of the world's most popular video games, Minecraft, are among the many services that run Log4j, according to security researchers.

                          Jen Easterly, head of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), called it "one of the most serious flaws" seen in her career. In a statement on Saturday, Easterly said "a growing set" of hackers are actively attempting to exploit the vulnerability.

                          As of Tuesday, more than 100 hacking attempts were occurring per minute, according to data this week from cybersecurity firm Check Point.

                          "It will take years to address this while attackers will be looking... on a daily basis [to exploit it]," said David Kennedy, CEO of cybersecurity firm TrustedSec. "This is a ticking time bomb for companies."

                          Attackers appear to have had more than a week's head start on exploiting the software flaw before it was publicly disclosed, according to cybersecurity firm Cloudflare. Now, with such a high number of hacking attempts happening each day, some worry the worst is yet to come.

                          "Sophisticated, more senior threat actors will figure out a way to really weaponize the vulnerability to get the biggest gain," Mark Ostrowski, Check Point's head of engineering, said Tuesday.

                          Late Tuesday, Microsoft said in an update to a blog post that state-backed hackers from China, Iran, North Korea and Turkey have tried to exploit the Log4j flaw.


                          • tonerhead

                            #118
                            Re: FBI Security Alerts

                            Originally posted by PrintWhisperer
                            You left Apple out of your list....
                            True, and in some respects M$ also.
                            I've proved mathematics wrong. 1 + 1 doesn't always equal 2.........


                            Especially when it comes to sex


                            • SalesServiceGuy

                              #119
                              Re: FBI Security Alerts

                              The bad news is that most copier/printer vendors do not know today if they are affected by Log4j. Toshiba is vigorously working to test its product against this potential vulnerability and may have to issue a firmware update.


                              Tech Solvency - The Story So Far


                              Log4Shell log4j vulnerability (CVE-2021-44228 / CVE-2021-45046) - cheat-sheet reference guide

                              Last updated: 2021/12/16 17:25:22 UTC - best effort, validate all for your environment/model before use, unofficial sources may be wrong
                              by @TychoTithonus (Royce Williams), standing on the shoulders of many giants
                              Send updates or suggestions (please include category / context / public (or support-walled) links if you can)


                              NOTE: All previous mitigations - based on anything other than upgrade to log4j 2.16 or entirely removing JndiLookup classes - are likely not full mitigation (but still useful coverage while waiting for later vendor guidance)


                              Context - who (and what) is affected

                              • Impact: arbitrary code execution as the user the parent process is running as (code fetched from the public Internet, or lolbins already present on system, or just fetching shared secrets or environment variables and returning them to the attacker)
                              • Targets: Servers and clients that run Java and also log anything using the log4j framework - primarily a server-side concern, but any vulnerable endpoint could be a target or a pivot point
                              • Downstream projects: until proven otherwise, assume anything that includes log4j, or depends on something that does, is affected in a way that requires mitigation; see below
                              • Affected versions: log4j 2.x confirmed - log4j 1.x only indirectly (previous information disclosure vulns, harder to exploit) (in some configurations). Also, presence of 1.x is not good - 1.x went EOL in August 2015!
                              • Appliances: Don't forget appliances and other opaque or third-party systems that may be using Java server components, but won't be detected by un-credentialed vulnerability scanning or simple exploitation tests
                              • Log forwarding: logging infrastructure often has many "northbound" (send my logs to someone) and "southbound" (receiving logs from someone) forwarding/relaying topologies. Chaining them together for exploitation must also be considered. (For those not familiar, these are terms of art in the NMS/logging space - ref, ref, ref)
                              • Cloud: Multiple large providers also affected (but this guide focuses mostly on customer-managed side)
                              • Deadlines: CISA orders federal agencies to patch Log4Shell by December 24th

                              Scope / seriousness

                              • "hearing folks compare #log4shell is "as bad as heartbleed" - imo it's much, much worse. aside from having RCE as the impact, the number of interdependencies around log4j (and particularly the age of them) is orders of magnitude higher" -@caseyjohnellis
                              • "What people seem to miss: The #Log4Shell vulnerability isn't just a RCE 0day. It's a vulnerability that causes hundreds and thousands of 0days in all kinds of software products. It's a 0day cluster bomb." -@cyb3rops@rakyll (AWS)
                              • "The Log4j vulnerability is the most serious vulnerability that I've seen in my decades-long career." - CISA Director Jen Easterly, in interview
                              • The Wikipedia article on log4j is informative to understand usage and scope
                              • Earliest detection known: 2021-12-01 04:36:50 UTC
                              • Misnomers: No, it is not also called LogJam. That name is already taken. (Initial LunaSec post used that name, then picked a new one once they found out.)
                              • Pronunciation: its main author pronounces it "log 4 jay", not "logforge"

                              Summaries

                              • CVEs: CVE-2021-44228, CVE-2021-45046 (not quite as bad). Note also unrelated (but also bad) CVE-2021-4104, announced 2021-12-13 and affecting 1.2 JMSAppender behavior (not the default)
                                "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."

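An inventory check that applies the cheat-sheet guidance quoted above (only log4j 2.16+ or a removed JndiLookup class counts as full mitigation, and the CVE's affected ranges) and rthonpm's advice in #110 to look inside third-party applications where the library can hide in plain sight. This is an added example, not code from the thread, from Tech Solvency or from PaperCut; it reads the Maven pom.properties entry and the JndiLookup class path that real log4j-core jars carry, descends into jars bundled inside a war/ear, and builds its own constructed test jars (not real log4j builds) to demonstrate the verdicts.

```python
"""Added example (not from the thread, Tech Solvency or PaperCut): inventory jar/war/ear archives
for log4j-core and grade each against the guidance above (2.16+ or a removed JndiLookup class)."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Optional

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_1X = "META-INF/maven/log4j/log4j/pom.properties"  # log4j 1.x, EOL since 2015
ARCHIVES = (".jar", ".war", ".ear", ".zip")
AFFECTED = [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")]  # ranges quoted in the CVE text above
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_PRE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort below the final release


@dataclass
class Finding:
    path: str  # "outer.war!WEB-INF/lib/inner.jar" when nested
    version: Optional[str]
    has_jndi_lookup: bool
    verdict: str  # VULNERABLE / MITIGATED / LOG4J-1.x / UNKNOWN


def version_key(v: str):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.12.1' -> (2, 12, 1, 3, 0); None if unparseable."""
    m = _VER.match(v.strip())
    return None if not m else (int(m[1]), int(m[2]), int(m[3] or 0), _PRE[m[4]], int(m[5] or 0))


def is_affected_version(v: str) -> Optional[bool]:
    k = version_key(v)
    return None if k is None else any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED)


def classify(version: Optional[str], has_jndi: bool) -> str:
    if version is not None and version.startswith("1."):
        return "LOG4J-1.x"  # not Log4Shell, but a separate JMSAppender issue and long EOL
    if not has_jndi:
        return "MITIGATED"  # JndiLookup class stripped from the jar
    affected = None if version is None else is_affected_version(version)
    if affected is None:
        return "UNKNOWN"  # JndiLookup present but no readable version: treat as exposed
    return "VULNERABLE" if affected else "MITIGATED"  # MITIGATED here means 2.16.0 or later


def _walk(zf: zipfile.ZipFile, label: str) -> Iterator[Finding]:
    names = set(zf.namelist())
    version = None
    for pom in (POM_2X, POM_1X):
        if pom in names:
            m = re.search(r"^version=(.+)$", zf.read(pom).decode("utf-8", "replace"), re.M)
            version = m.group(1).strip() if m else None
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        yield Finding(label, version, has_jndi, classify(version, has_jndi))
    for name in sorted(names):  # descend into bundled jars, e.g. WEB-INF/lib inside a war
        if name.lower().endswith(ARCHIVES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from _walk(inner, f"{label}!{name}")


def scan_bytes(data: bytes, label: str) -> List[Finding]:
    """Scan one archive (e.g. open(path, 'rb').read()) and every archive nested inside it."""
    return list(_walk(zipfile.ZipFile(io.BytesIO(data)), label))


def build_sample_jar(version: Optional[str], include_jndi: bool, nest_in_war: bool = False) -> bytes:
    """Constructed fixture, not a real log4j build: only the entries the scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_1X if version.startswith("1.") else POM_2X, f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, never loaded
    if not nest_in_war:
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", buf.getvalue())
    return war.getvalue()
```

Feed `scan_bytes()` every jar/war/ear found under an application's install directory; a result of UNKNOWN (class present, no version) deserves the same treatment as VULNERABLE until the vendor says otherwise.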

                              • slimslob

                                #120
                                Re: FBI Security Alerts
