Hackers Exploiting Log4j Vulnerability to Infect Computers with Khonsari Ransomware

15 December 2021 at 03:13

Romanian cybersecurity technology company Bitdefender said Monday that attempts are being made to attack Windows computers with a new ransomware family called Khonsari Ransomware, as well as the Orcus remote access Trojan, using the recently discovered critical Log4j vulnerability.

The attack exploits the remote code execution vulnerability to download an additional payload, a .NET binary, from a remote server. That binary encrypts the victim's files, appending the .khonsari extension, and displays a ransom note that prompts victims to pay in bitcoin in exchange for regaining access to the files.

The vulnerability is tracked as CVE-2021-44228 and is also known as Log4Shell or Logjam. Simply put, the bug can be used to force an affected system to download malware, giving attackers a digital foothold on servers inside corporate networks.

Log4j is an open-source Java library maintained by the non-profit Apache Software Foundation. Downloaded approximately 475,000 times from its GitHub project and widely used to log application events, the utility is also a component of other frameworks such as Elasticsearch, Kafka, and Flink that underpin many websites and popular Internet services.

The disclosure came as the United States Cybersecurity and Infrastructure Security Agency (CISA) raised the alarm over active and widespread exploitation of the vulnerability, which, if left unchecked, could grant unhindered access and unleash a new round of cyberattacks. The bug has sent companies rushing to find and fix vulnerable machines.

“An attacker could exploit this vulnerability by submitting a specially crafted request to an affected system, causing that system to execute arbitrary code,” said a guide released by the agency on Monday. “The request allows an attacker to take full control of the system. An attacker could then steal information, launch khonsari ransomware, or perform other malicious actions.”

In addition, CISA also added the Log4j vulnerability to its catalogue of known exploitable vulnerabilities, giving federal agencies a December 24 deadline for patching the vulnerability. Similar guidelines have already been issued by government agencies in Austria, Canada, New Zealand and the United Kingdom.
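The first step in meeting a patch deadline like the one above is finding every affected copy of the library. The script below is an added example, not from the article, CISA or Bitdefender; it walks a directory tree, reads the Maven pom.properties inside each JAR to identify log4j-core and its version, and reports whether CVE-2021-44228 applies and whether the JndiLookup class (whose removal was a documented mitigation) is still present. It assumes the JARs carry standard Maven metadata and, as noted in the comments, does not open JARs nested inside WAR or EAR archives.

```python
import os, re, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Java 6/7 security backports that already contain the fix.
SAFE_BACKPORTS = {"2.3.1", "2.3.2", "2.12.2", "2.12.3", "2.12.4"}

def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch, final) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", v)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)  # pre-release < final

def is_affected(version):
    """CVE-2021-44228: log4j-core 2.0-beta9 to 2.14.1 (earlier 2.0 betas flagged too, to be safe)."""
    t = parse_version(version)
    if t is None or version in SAFE_BACKPORTS:
        return False
    return (2, 0, 0, 0) <= t <= (2, 14, 1, 1)

def inspect_jar(path):
    """Return (version, jndi_lookup_present) for a log4j-core JAR, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM_PROPS not in names:
                return None  # not log4j-core, or shipped without Maven metadata
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            return (m.group(1).strip() if m else "unknown"), JNDI_CLASS in names
    except zipfile.BadZipFile:
        return None

def scan(root):
    """Walk `root` and report every log4j-core JAR with its CVE-2021-44228 status."""
    findings = []
    for dirpath, _, files in os.walk(root):
        # Nested JARs inside WAR/EAR archives are not opened; unpack those first.
        for name in (f for f in files if f.lower().endswith(".jar")):
            path = os.path.join(dirpath, name)
            info = inspect_jar(path)
            if info is None:
                continue
            version, jndi = info
            status = ("not affected" if not is_affected(version)
                      else "VULNERABLE" if jndi
                      else "affected version, but JndiLookup.class removed (mitigated)")
            findings.append((path, version, status))
    return findings
```

Run `scan("/opt")` (or any root of interest) and review the returned list; a copy reported as "mitigated" should still be scheduled for an upgrade.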

So far, active exploitation attempts recorded in the wild have included abusing the vulnerability to conscript devices into a botnet and to deploy additional payloads such as Cobalt Strike and cryptocurrency miners. Cybersecurity firm Sophos said it has also observed attempts to steal keys and other personal data from Amazon Web Services.

As a sign that the threat is rapidly evolving, Check Point researchers warned that 60 new variants of the original Log4j exploit were deployed in less than 24 hours, adding that it blocked more than 845,000 intrusion attempts, with 46% of attacks originating from known malicious groups.

The vast majority of attempts to use Log4Shell originated in Russia (4275), based on Kaspersky telemetry data, followed by Brazil (2493), USA (1746), Germany (1336), Mexico (1177), Italy (1094), France (1008) and Iran (976). In comparison, only 351 attempts were made in China.

Despite the exploit's mutating nature, the library's widespread adoption across multiple industries has also put industrial control systems and operational technology environments that power critical infrastructure on high alert.

“Log4j is widely used in external/internet-facing and internal applications that control and monitor manufacturing processes, leaving many industrial operations, such as electricity, water, food and beverage, manufacturing and others, exposed to potential remote exploitation and access,” said Sergio Caltagirone, vice president of Threat Intelligence at Dragos. “It is important to prioritize external and Internet-facing applications over internal applications because of their access to the Internet, although both are vulnerable.”

The development further highlights how key security vulnerabilities identified in open source software can pose a significant threat to organizations that include such standard dependencies in their IT systems. Beyond its broad reach, Log4Shell is even more worrisome because of its relative ease of use, laying the foundation for future ransomware attacks.

“To be clear, this vulnerability poses a serious risk,” said CISA director Jen Easterly. “This vulnerability, which is widely exploited by a growing circle of attackers, is an urgent problem for network defenders given its widespread occurrence. Vendors must also communicate with their customers to ensure that end users are aware that their product contains this vulnerability and must prioritize software updates.”

The post Hackers Exploiting Log4j Vulnerability to Infect Computers with Khonsari Ransomware appeared first on OFFICIAL HACKER.

Preparing for the Next Log4j in the Face of the Cyber Talent Gap

9 September 2022 at 12:40

When the Log4j vulnerability emerged in December 2021, Synack and our clients’ security teams immediately sensed its urgency. The Synack Red Team began testing within hours of the initial discovery for our customer base.

Almost a year later, Log4j continues to show up in our pentesting results. Here are some quick stats from our findings:

  • 750+ Log4j (CVE-2021-44228) missions run by SRT researchers since 2021 as part of our zero day response coverage
  • 100+ susceptible instances found so far as part of Synack Penetration Testing
  • Over 2 million IPs checked to date

Log4j Is “Endemic,” Says Federal Cyber Board

The Cyber Safety Review Board (CSRB) called Log4j (CVE-2021-44228) an “endemic” vulnerability in the board’s first published report. The group of public and private sector cybersecurity leaders stated that the vulnerability is expected to continue to be a prominent threat for “a decade or longer.”

The CSRB’s consideration of Log4j as a persistent threat points to the critical nature of such zero days. They are not something to be solved in the week they appear, with security teams “working through the weekend” and then moving on. They highlight the larger need for readily available talent and emergency response processes across a longer span of time.

Luckily, there have been no successful Log4j-based attacks on critical infrastructure, according to the CSRB. However, the board urges organizations to continue to mitigate risk related to Log4j and prepare for future zero day vulnerabilities of similar criticality.

Log4j and the Cyber Talent Gap – Surge Capacity

Nearly two in three organizations say they are understaffed in cybersecurity. But even for those that report having enough cyber talent on hand, the surge demand needed to respond to a vulnerability like Log4j can still be taxing. The CSRB report states:

“Perhaps most significantly, the force exerted on the urgent response and the challenges in managing risk also contributed to professional ‘burnout’ among defenders that may, compounded with the generally intense pace of many cybersecurity jobs, have a long-term impact on the availability of cybersecurity talent.”

Chris Hallenbeck writes for VentureBeat about lessons learned in the face of Log4j, including the fact that the “skills shortage is an existential threat.” If organizations are to effectively prepare for future CVEs and zero days, they must consider their hiring strategies in the face of the cyber talent shortage, while also considering how to deal with potential burnout and stress from surge demand in the face of emergency.

Preparing for Zero Day Response with Human Talent

The CSRB issued recommendations to mitigate zero day risks, including the documentation of a vulnerability management and response program, and consideration of “cultural shifts” that are “necessary to solve for the nation’s digital security.”

Synack believes that the most effective way to test for a zero day vulnerability is with human expertise. Scanners are not able to detect zero day vulnerabilities until they are updated with a signature for the vulnerability.

In the face of the cybersecurity talent gap, testing with humans to meet the surge demand of a zero day can be challenging. That’s why on-demand access to a community of researchers is paramount. Synack provides access to such a community, the Synack Red Team, through a SaaS platform, for on-demand zero day response. This talent augmentation can be a key cultural shift for companies struggling to hire or retain cyber talent, and can help prevent an in-house team from experiencing the severe burnout alluded to above.

Within the Synack Platform is a catalog of CVEs that can be tested on-demand by skilled SRT researchers. When Log4j first emerged, it was added to the catalog within hours, and top researchers began testing and collaborating on methodologies.

After only a few days, Synack had checked over half a million IP addresses, confirming the status of thousands of CVE-2021-44228 checks and providing detailed reports containing proof of work and methodologies.

Contact us today for a conversation about how we can help you mitigate Log4j risk or prepare for future zero days.

The post Preparing for the Next Log4j in the Face of the Cyber Talent Gap appeared first on Synack.

Providing On-Demand Testing for CVE-2021-44228 (Log4j) with Synack Testing

By: Synack
14 December 2021 at 18:08

Testing for CVE-2021-44228 (Log4j) with Synack

Since Friday, December 10, 2021, researchers from the Synack Red Team (SRT) have been solving customer needs related to CVE-2021-44228, the CVE that details a critical log4j vulnerability with wide-reaching implications across industries.

Responding to the Critical Vulnerability with Synack Testing

By 8 A.M. PST, when its magnitude and implications became clear to Synack operations, a new CVE entry was created in the Synack Platform to address CVE-2021-44228. The Log4j check immediately became available for customers to launch, long before most of the world read about the vulnerability in headlines and social feeds.

Synack CVE Checks connect an organization to SRT researchers capable of accomplishing specific security tasks. In this case, organizations can select CVE-2021-44228 within the Synack Platform and have a researcher check for the vulnerability on-demand.

Testing with the Best Researchers on the Planet

Over 30 SRT members assembled to cultivate ideas and improve the entire community’s efficiency and effectiveness. Together, they are bringing a diverse spectrum of perspectives from different backgrounds, ranging from military and government to academia and tech. This collaboration of top researchers allows Synack to improve the quality of testing for all customers with better processes, tools, and payloads.

The SRT often shares best practices within the community to help each other level up and make the entire internet safer. Compared to traditional testers or automated scanning tools, the SRT brings these sorts of advantages: human collaboration, diversity and creativity.

The Landscape of CVE-2021-44228 Across Industries

Since Friday morning, Synack has checked over half a million IP addresses across our customer base, confirming the status of thousands of CVE-2021-44228 checks and providing detailed reports containing proof of work and methodologies. With a combination of human intelligence and automated tools, Synack is addressing the vulnerability at an unprecedented scale and pace.

Vulnerable instances span across countries and industries and exist both in the government and private sectors. The urgency of the vulnerability has not been overstated by news outlets and social media – Synack recommends that customers activate the CVE check as soon as possible.

Checking for CVE-2021-44228 On-Demand: The Advantages of Synack Campaigns

Since the weekend that followed the CVE’s publication, Synack customers have utilized the Synack Platform to activate hundreds of checks from researchers around the world.

Synack beats other models to the punch. Scanners do not yet have the vulnerability’s signature, traditional pentesting engagements take significant time to spin up, and other bug bounty models do not provide the immediacy or certainty of a vulnerability as this one requires. The model provides on-demand services relevant to CVEs today and prepares organizations for the next 0day like CVE-2021-44228. Reach out to a Synack representative today to explore existing CVE checks, as well as other offerings available in the Synack Catalog.

The CVE-2021-44228 testing provided by Synack provides immediate results and reporting. The researcher will provide a clear yes/no answer on an asset’s vulnerability status, as well as details about their methodology, screenshots, and general proof of work.

Activate the Synack CVE-2021-44228 Test Today

Reach out to your Synack representative to activate the CVE-2021-44228 test today. If you’re new to the Synack Platform, reach out to us here and learn how to get started with Synack’s on-demand security platform and pentesting.

Update: Synack was asked whether our systems are vulnerable to Log4j. Synack does not use Log4j and has determined that we are not vulnerable to exploitation. In response to increased attack traffic attempting to exploit the vulnerability, we have taken additional steps to block the malicious traffic accordingly.

The post Providing On-Demand Testing for CVE-2021-44228 (Log4j) with Synack Testing appeared first on Synack.