FBI Security Alerts

**SalesServiceGuy** · 11-29-2021, 02:31 AM

Re: FBI Security Alerts

November 26, 2021

IKEA is battling an ongoing cyberattack where threat actors are targeting employees in internal phishing attacks using stolen reply-chain emails.

A reply-chain email attack is when threat actors steal legitimate corporate email and then reply to them with links to malicious documents that install malware on recipients' devices.

IKEA is warning employees of an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners.

"There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA," explained an internal email sent to IKEA employees.

"This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversations. It is therefore difficult to detect, for which we ask you to be extra cautious."

IKEA IT teams warn employees that the reply-chain emails contain links with seven digits at the end and shared an example email

Threat actors have recently begun to compromise internal Microsoft Exchange servers using the ProxyShell and ProxyLogin vulnerabilities to perform phishing attacks.
Once they gain access to a server, they use the internal Microsoft Exchange servers to perform reply-chain attacks against employees using stolen corporate emails.
As the emails are being sent from internal compromised servers and existing email chains, there is a higher level of trust that the emails are not malicious.

Attack used to spread Emotet or Qbot trojan

The Qbot and Emotet trojans both lead to further network compromise and ultimately the deployment of ransomware on a breached network.

Due to the severity of these infections and the likely compromise of their Microsoft Exchange servers, IKEA is treating this security incident as a significant cyberattack that could potentially lead to a far more disruptive attack.

**SalesServiceGuy** · 12-14-2021, 11:13 PM

Re: FBI Security Alerts

Log4Shell attack

Does anybody have any idea of how vulnerable a network copier/printer is to this newfound design flaw in many computer systems?

What the Log4Shell Bug Means for SMBs: Experts Weigh In | Threatpost

Apache Log4j is a Java-based logging tool that is used by many companies around the world, either through open source libraries or directly embedded in their software. The Log4Shell vulnerability can be easily exploited for remote code execution by sending a specially crafted request to the targeted system.

The request generates a log using Log4j, which leverages the Java Naming and Directory Interface (JNDI) lookup feature to perform a request to an attacker-controlled server, from which it fetches a malicious payload and executes it.

**rthonpm** · 12-14-2021, 11:20 PM

Re: FBI Security Alerts

Originally posted by SalesServiceGuy

Log4Shell attack

Does anybody have any idea of how vulnerable a network copier/printer is to this newfound design flaw in many computer systems?

What the Log4Shell Bug Means for SMBs: Experts Weigh In | Threatpost

This is an application level flaw, not a computer flaw. I would highly doubt that MFP's are using anything beyond standard Unix logging, especially as log4j is Java dependent, which would add an additional layer of complexity to the very basic embedded operating systems that most MFP's use.

This would be found more in server applications where you may need a more sophisticated logging function for an application.

There's also no way to query the logs of an MFP beyond a simple download, and also no way to actively run commands.

Sent from my BlackBerry using Tapatalk

**SalesServiceGuy** · 12-14-2021, 11:37 PM

Re: FBI Security Alerts

Originally posted by rthonpm

This is an application level flaw, not a computer flaw. I would highly doubt that MFP's are using anything beyond standard Unix logging, especially as log4j is Java dependent, which would add an additional layer of complexity to the very basic embedded operating systems that most MFP's use.

This would be found more in server applications where you may need a more sophisticated logging function for an application.

There's also no way to query the logs of an MFP beyond a simple download, and also no way to actively run commands.

Sent from my BlackBerry using Tapatalk

Would something like Papercut or Docuware installed on a client's server be vulnerable to this type of attack?

Would apps installed in a copier be vulnerable?

Would Cloud apps like MS365 be vulnerable?

Is Windows 10 installed on a local PC vulnerable?

Toshiba copiers run on a Linux operating system. Is Linux vulnerable?

**rthonpm** · 12-14-2021, 11:53 PM

Re: FBI Security Alerts

Originally posted by SalesServiceGuy

Would something like Papercut or Docuware installed on a client's server be vulnerable to this type of attack?

Would apps installed in a copier be vulnerable?

Would Cloud apps like MS365 be vulnerable?

Is Windows 10 installed on a local PC vulnerable?

Toshiba copiers run on a Linux operating system. Is Linux vulnerable?

The only thing vulnerable is the log4j framework itself. If an application uses it and isn't patched it can be used to run code on the device it's installed on. Beyond that, if there's no Java or Java based applications on a system and no log4j, you're in good shape.

M365 wouldn't be vulnerable since it doesn't rely on or use Java in any manner whatsoever.

I spent most of my Monday wasting my time with a customer who needed to be assured that nothing in his environment was susceptible to exploit. Nothing in the environment was using the framework so there was nothing to worry about.

This is going to hit fringe applications and custom apps more than anything as this is not like Heartbleed where it's a vulnerability in a crucial component of an OS like SSH. This is a developer tool for building logging.

If there's any doubt, check the developers of any third-party applications in a customer environment as it can be hidden in plain sight.

Sent from my BlackBerry using Tapatalk

**SalesServiceGuy** · 12-15-2021, 12:33 AM

Re: FBI Security Alerts

US government to offer up to $5,000 'bounty' to hackers to identify cyber vulnerabilities

The Department of Homeland Security is launching a "bug bounty" program, potentially offering thousands of dollars to hackers who help the department identify cybersecurity vulnerabilities within its systems.

DHS will pay between $500 and $5,000 depending on the gravity of the vulnerability and the impact of the remediation, Homeland Security Secretary Alejandro Mayorkas announced Tuesday.

"It's a scalable amount of money but we consider that quite significant," he said, speaking at the Bloomberg Technology Summit. "We're really investing a great deal of money, as well as attention and focus, on this program."

Hackers will earn the highest bounties for identifying the most severe bugs, DHS said.

Some private companies offer much higher bounties for uncovering vulnerabilities. For instance, payouts from Apple range from $25,000 to $1 million and Microsoft offers up to $200,000.

The announcement comes a day after senior Biden administration cyber officials warned that hackers are exploiting a newly revealed software vulnerability.

The vulnerability is in Java-based software known as "Log4j" that large organizations, including some of the world's biggest tech firms, use to configure their applications.
Jen Easterly, director of the DHS Cybersecurity and Infrastructure Security Agency, said the "vulnerability is one of the most serious that I've seen in my entire career, if not the most serious," during a call with executives from major US industries Monday.

As part of the "Hack DHS program," the department will verify the vulnerability within 48 hours and either remediate it within 15 days or, if required, develop a plan for remediation within a 15-day period, according to Mayorkas.

The program will be open to vetted cybersecurity researchers who have been invited to access select external DHS systems.

"Hack DHS" will be carried out in three phases. First, hackers will conduct virtual assessments, which will be followed by a live, in-person hacking event. During the third phase, DHS will identify and review lessons learned and plan for future bug bounties, according to the department.

Asked whether this program will last into future administrations, Mayorkas said that if it proves valuable, "we will continue the program for as long as we can."

Katie Moussouris, CEO and founder of Luta Security, welcomed the move but raised concerns about the program's timeline.

"It's great that DHS is working with hackers and welcoming their findings; however, time-bound bug bounty programs do not deliver consistent security improvements,".

"It's time to mature government vulnerability disclosure and bug bounty programs towards measurable security outcomes."

She also pointed out that bug bounties are meant to catch what internal security due diligence missed.

"I will be interested to see if this newest bug bounty reveals more complex bugs than typical low-hanging fruit normally found in bug bounties," she added. The department ran a bug bounty pilot program in 2019, which stemmed from legislation that allows DHS to compensate hackers for evaluating department systems. It also build on similar efforts, like the Department of Defense's "Hack the Pentagon" program.

Democratic Sen. Maggie Hassan of New Hampshire and Republican Sen. Rob Portman of Ohio, who helped draft the initial bug bounty legislation, praised the announcement.

"At a time when cyber threats are on the rise, I'm pleased that DHS is making permanent the bug bounty program I created with Senator Hassan to ensure our federal government is better prepared to protect itself," Portman said in a statement.

**rthonpm** · 12-15-2021, 12:45 AM

Re: FBI Security Alerts

The amazing thing about log4j is that despite multi-million dollar companies using it in their products, it's only maintained by a handful of people who do it in their spare time.

While the tech world loves open source software, no-one seems to want to chip in with any support for it which is what leads to issues like this.

Sent from my BlackBerry using Tapatalk

**tonerhead** · 12-15-2021, 05:19 AM

Re: FBI Security Alerts

Originally posted by rthonpm

The amazing thing about log4j is that despite multi-million dollar companies using it in their products, it's only maintained by a handful of people who do it in their spare time.

While the tech world loves open source software, no-one seems to want to chip in with any support for it which is what leads to issues like this.

Sent from my BlackBerry using Tapatalk

Man, you have really nailed it. So true. It also frustrates the heck out of me how many companies like Google take open-source, free software, add a little code to it and commercialize it. In particular, chrome browser, chrome os, and android. After they get done with their little coding all of a sudden it becomes proprietary. Make the open source better by supporting it, not making it proprietary and profitting from it.

**PrintWhisperer** · 12-15-2021, 07:06 AM

Re: FBI Security Alerts

Originally posted by tonerhead

Man, you have really nailed it. So true. It also frustrates the heck out of me how many companies like Google take open-source, free software, add a little code to it and commercialize it. In particular, chrome browser, chrome os, and android. After they get done with their little coding all of a sudden it becomes proprietary. Make the open source better by supporting it, not making it proprietary and profitting from it.

You left Apple out of your list....

**SalesServiceGuy** · 12-15-2021, 02:51 PM

Re: FBI Security Alerts

Papercut advised via email this AM that the latest version of their popular print management software....

PaperCut is aware of the RCE vulnerability in the Apache Log4j library also known as Log4Shell or CVE-2021-44228. This issue has been classified by the Apache Logging security team as a critical severity issue.
The Log4j library is in widespread use by Java-based software globally—you can expect to hear from a number of software vendors on this topic.

PaperCut has confirmed thatPaperCut MF and PaperCut NG 21.0 and above can be exploited by this issue. We have also verified that previous versions do not include the vulnerable Apache Log4j component.

**PrintWhisperer** · 12-15-2021, 04:26 PM

Re: FBI Security Alerts

Originally posted by SalesServiceGuy

PaperCut has confirmed thatPaperCut MF and PaperCut NG 21.0 and above can be exploited by this issue. We have also verified that previous versions do not include the vulnerable Apache Log4j component.

**SalesServiceGuy** · 12-15-2021, 10:03 PM

Re: FBI Security Alerts

The Log4j security flaw could impact the entire internet.

A critical flaw in widely used software has cybersecurity experts raising alarms and big companies racing to fix the issue.

The vulnerability, which was reported late last week, is in Java-based software known as "Log4j" that large organizations use to configure their applications -- and it poses potential risks for much of the internet.

Apple's cloud computing service, security firm Cloudflare, and one of the world's most popular video games, Minecraft, are among the many services that run Log4j, according to security researchers.

Jen Easterly, head of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), called it "one of the most serious flaws" seen in her career. In a statement on Saturday, Easterly said "a growing set" of hackers are actively attempting to exploit the vulnerability.

As of Tuesday, more than 100 hacking attempts were occurring per minute, according to data this week from cybersecurity firm Check Point.

"It will take years to address this while attackers will be looking... on a daily basis [to exploit it]," said David Kennedy, CEO of cybersecurity firm TrustedSec. "This is a ticking time bomb for companies."

Attackers appear to have had more than a week's head start on exploiting the software flaw before it was publicly disclosed, according to cybersecurity firm Cloudflare. Now, with such a high number of hacking attempts happening each day, some worry the worst is to yet come.

"Sophisticated, more senior threat actors will figure out a way to really weaponize the vulnerability to get the biggest gain," Mark Ostrowski, Check Point's head of engineering, said Tuesday.

Late Tuesday, Microsoft said in an update to a blog post that state-backed hackers from China, Iran, North Korea and Turkey have tried to exploit the Log4j flaw.

**tonerhead** · 12-16-2021, 01:35 AM

Re: FBI Security Alerts

Originally posted by PrintWhisperer

You left Apple out of your list....

True, and in some respects M$ also.

**SalesServiceGuy** · 12-16-2021, 06:32 PM

Re: FBI Security Alerts

The bad news is that most copier/printer vendors do not know today if the are effected by Log4J. Toshiba is vigorously working to test its product against this potential vulnerability and may have to issue a firmware update.

Tech Solvency - The Story So Far

Log4Shell log4j vulnerability (CVE-2021-44228 / CVE-2021-45046) - cheat-sheet reference guide

Last updated: $Date: 2021/12/16 17:25:22 $ UTC - best effort, validate all for your environment/model before use, unofficial sources may be wrong
by @TychoTithonus (Royce Williams), standing on the shoulders of many giants
Send updates or suggestions (please include category / context / public (or support-walled) links if you can)

Contents

Context - who is affected
Summaries
Technical analysis
Remediation
Affected (and unaffected) products
Other product and tool lists - see especially new CISA list on GitHub (but only has public info)
Detection and testers
Exploitation
News and posts

NOTE: All previous mitigations - based on anything other than upgrade to log4j 2.16 or entirely removing JndiLookup classes - are likely not full mitigation
(but still useful coverage while waiting for later vendor guidance)

Context - who (and what) is affected

Impact: arbitrary code execution as the user the parent process is running as (code fetched from the public Internet, or lolbins already present on system, or just fetching shared secrets or environment variables and returning them to the attacker)
Targets: Servers and clients that run Java and also log anything using the log4j framework - primarily a server-side concern, but any vulnerable endpoint could be a target or a pivot point
Downstream projects: until proven otherwise, assume anything that includes log4j, or depends on something that does, is affected in a way that requires mitigation; see below
Affected versions: log4j 2.x confirmed - log4j 1.x only indirectly (previous information disclosure vulns, harder to exploit) (in some configurations). Also, presence of 1.x is not good - 1.x went EOL in August 2015!
Appliances: Don't forget appliances and other opaque or third-party systems that may be using Java server components, but won't be detected by un-credentialed vulnerability scanning or simple exploitation tests
Log forwarding: logging infrastructure often has many "northbound" (send my logs to someone) and "southbound" (receiving logs from someone) forwarding/relaying topologies. Chaining them together for exploitation must also be considered. (For those not familiar, these are terms of art in the NMS/logging space - ref, ref, ref)
Cloud: Multiple large providers also affected (but this guide focuses mostly on customer-managed side)
Deadlines: CISA orders federal agencies to patch Log4Shell by December 24th

Scope / seriousness

"hearing folks compare #log4shell is "as bad as heartbleed" - imo it's much, much worse. aside from having RCE as the impact, the number of interdependencies around log4j (and particularly the age of them) is orders of magnitude higher" -@caseyjohnellis
"What people seem to miss: The #Log4Shell vulnerability isn't just a RCE 0day. It's a vulnerability that causes hundreds and thousands of 0days in all kinds of software products. It's a 0day cluster bomb." -@cyb3rops @rakyll (AWS)
"The Log4j vulnerability is the most serious vulnerability that I've seen in my decades-long career." - CIA Director Jen Easterly, in interview
The Wikipedia article on log4j is informative to understand usage and scope
Earliest detection known: 2021-12-01 04:36:50 UTC
Misnomers: No, it is not also called LogJam. That name is already taken. (Initial LunaSec post used that name, then picked a new one once they found out.)
Pronunciation: its main author pronounces it "log 4 jay", not "logforge"

back to top
Summaries

CVEs: CVE-2021-44228, CVE-2021-45046 (not quite as bad). Note also unrelated (but also bad) CVE-2021-4104, announced 2021-12-13 and affecting 1.2 JMSAppender behavior (not the default)
"Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."

**slimslob** · 12-20-2021, 06:48 PM

Re: FBI Security Alerts

Here's what data the FBI can get from WhatsApp, iMessage, Signal, Telegram, and more

https://blog.malwarebytes.com/privacy-2/2021/12/heres-what-data-the-fbi-can-get-from-whatsapp-imessage-signal-telegram-and-more/?utm_source=blueshift&utm_medium=email&utm_campaign=b2c_tri_oth_b2c_newsletter_dec2021_issue2_163951887915&amp&utm_content=heres-what-data-the-fbi-can-get-from-whatsapp-imessage-signal-telegram-and-more&bsft_aaid=18a8abbd-b7b6-422b-8352-283554e9475a&bsft_eid=afbb8a5f-4095-41f6-0bea-ebc9c9466104&bsft_clkid=70eabf19-104d-43f6-afb5-7b9005614bda&bsft_uid=15706531-ede2-4b17-8e18-97c588fb700b&bsft_mid=cfc3b3df-197f-4adf-ab73-ccf3352f1f80&bsft_mime_type=html&bsft_ek=2021-12-20T16%3A30%3A42Z&bsft_lx=5&bsft_tv=4

A disclosed FBI training document reveals what information can be revealed about your usage of an end to end encrypted instant messaging app.

FBI Security Alerts

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment