Daily NCSC-FI news followup 2021-12-12

Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation

www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/ Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, has been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the vulnerable Log4j 2 component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog. The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers.

Log4Shell: Reconnaissance and post exploitation network detection

research.nccgroup.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection/ Note: This blog post will be live-updated with new information. NCC Group’s RIFT is intending to publish PCAPs of different exploitation methods in the near future. Last updated December 12th at 19:15 UTC. In the wake of the CVE-2021-44228 (a.k.a. Log4Shell) vulnerability publication, NCC Group’s RIFT immediately started investigating the vulnerability in order to improve detection and response capabilities mitigating the threat. This blog post is focussed on detection and threat hunting, although attack surface scanning and identification are also quintessential parts of a holistic response. Multiple references for prevention and mitigation can be found at the end of this post. This blog post provides Suricata network detection rules that can be used not only to detect exploitation attempts, but also indications of successful exploitation. In addition, a list of indicators of compromise (IOCs) is provided. These IOCs have been observed listening for incoming connections and are thus useful for threat hunting.

Inside the Log4j2 vulnerability (CVE-2021-44228)

blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/ Yesterday, December 9, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. This vulnerability allows an attacker to execute code on a remote server; a so-called Remote Code Execution (RCE). Because of the widespread use of Java and Log4j this is likely one of the most serious vulnerabilities on the Internet since both Heartbleed and ShellShock. It is CVE-2021-44228 and affects version 2 of Log4j between versions 2.0-beta-9 and 2.14.1. It is patched in 2.15.0.
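The affected range quoted above (2.0-beta-9 through 2.14.1, fixed in 2.15.0) is the first thing a defender checks when inventorying a Java estate. The following is an added example, not code from any of the posts summarised here: it turns that range into a version comparison that orders pre-release tags correctly (2.0-beta-9 sorts before 2.0) and applies it to log4j-core jar file names. The jar names in `SAMPLE_JARS` are constructed for the example.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected range as stated in the Cloudflare write-up: 2.0-beta-9 .. 2.14.1, fixed in 2.15.0.
VULN_FIRST = "2.0-beta-9"
VULN_LAST = "2.14.1"

# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, log4j-core-2.0-rc1.jar, with any path prefix.
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*(?:-[A-Za-z]+-?\d*)?)\.jar$", re.IGNORECASE)

# Constructed sample of what a scan of an application's lib/ directory might return.
SAMPLE_JARS = [
    "lib/log4j-core-2.14.1.jar",
    "lib/log4j-core-2.0-beta9.jar",
    "lib/log4j-core-2.15.0.jar",
    "lib/log4j-api-2.14.1.jar",   # the API jar is not the vulnerable component
]


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn '2.0-beta-9' into a sortable key (numbers, pre-release rank, pre-release number).

    Pre-release tags rank below the final release of the same number, so
    2.0-beta-9 < 2.0-rc1 < 2.0 < 2.14.1. Numbers are padded to three parts so 2.0 == 2.0.0.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)-?(\d*))?", v)
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    tag, tagnum = m.group(2), m.group(3)
    if tag is None:
        return nums, 2, 0                       # final release ranks above any pre-release
    rank = {"alpha": -1, "beta": 0, "rc": 1}.get(tag.lower(), 0)
    return nums, rank, int(tagnum or 0)


def is_vulnerable(version: str) -> bool:
    """True when version lies inside the affected range [2.0-beta-9, 2.14.1]."""
    return parse_version(VULN_FIRST) <= parse_version(version) <= parse_version(VULN_LAST)


def assess_jars(jar_names: Iterable[str]) -> Dict[str, str]:
    """Classify each jar name as vulnerable, outside the affected range, or not log4j-core at all."""
    verdicts = {}
    for name in jar_names:
        m = JAR_RE.search(name)
        if not m:
            verdicts[name] = "not log4j-core"
        else:
            verdicts[name] = "vulnerable" if is_vulnerable(m.group(1)) else "not in affected range"
    return verdicts


if __name__ == "__main__":
    for jar, verdict in assess_jars(SAMPLE_JARS).items():
        print(f"{verdict:22} {jar}")
```

A file-name check is only a first pass: shaded or repackaged applications can carry log4j-core classes inside a jar that does not carry the library's name or version, so pair it with a scan of jar contents.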
