Cyber Pulse: Edition 167 | 13 December 2021

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Zero-day in ubiquitous Log4j tool poses a grave threat to the internet

Exploit code has been released for a serious code-execution vulnerability in Log4j, an open-source logging utility that's used in countless apps, including those used by large enterprise organisations, several websites reported last Thursday. Log4j is incorporated into a host of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. One of the few early sources providing a tracking number for the vulnerability was Github, which said it's CVE-2021-44228. Security firm Cyber Kendra on late Thursday reported a Log4j RCE zero day being dropped on the internet and concurred with Moore that “there are currently many popular systems on the market that are affected.”

The Apache Foundation has yet to disclose the vulnerability, and representatives there didn't respond to an email. This Apache page does acknowledge the recent fixing of a serious vulnerability. Moore and other researchers said the Java deserialisation bug stems from Log4j making network requests through the JNDI to an LDAP server and executing any code that's returned. The bug is triggered inside of log messages with use of the ${} syntax.

Additional reporting from security firm LunaSec said that Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are less affected by this attack vector, at least in theory, because the JNDI can't load remote code using LDAP. Hackers may still be able to work around this by leveraging classes already present in the target application. Success would depend on whether there are any dangerous gadgets in the process, meaning newer versions of Java may still prevent code execution but only depending on the specifics of each application. The firm strongly urged people to use the latest version of Log4j2 available here.

Banking trojan now spreading ransomware payloads

Qakbot, the trojan known for stealing bank credentials, has started spreading ransomware payloads. The recent tactic is so confusing that network defenders are finding it hard to differentiate Qakbot from other attacks. A recent analysis by Kaspersky disclosed statistics related to the detection of Qakbot, which suggests that the trojan’s infection rate increased by 65% between January and July in comparison to the same period during the last year. The main infection vectors for Qakbot include email attachments, embedded images, or links. Additionally, it uses VBA macros and legacy Excel 4.0 macros.

It uses process injection to hide malicious processes, creates scheduled tasks for persistence, and manipulates the Windows registry. Upon execution, it uses numerous techniques for lateral movement, leverages Cobalt Strike, or delivers ransomware. Qakbot is using multiple modules to achieve different goals. These modules may be developed by the attackers themselves or they may have borrowed them from third-party repositories and adapted as per their requirements. It uses the Cookie Grabber module to collect cookies from web browsers, Hidden VNC to connect to the infected machine, and Email Collector to find Outlook on the infected machine. Additionally, it uses the Hooking module for web injections, the Passgrabber module to collect logins/passwords from different sources, and the Proxy module to find out available ports.

Attacker almost blacked out 3 million Australian homes

One day in late November, an Australian electricity utility company was attacked. While it was initially suspected that the attack was conducted by Chinese hackers, it was later discovered that the attack was launched by a Russian hacker group – Wizard Spider. CS Energy, an electric utility owned by the Government of Queensland, suffered a digital disruption on 27 November. It later discovered that the ransomware attack was conducted by Wizard Spider. The attack sabotaged the production of more than 3,500 MW of electricity and could have caused a blackout for around 3 million homes. However, the disaster was averted as the IT staff blocked the hackers’ access at the right time.

“CS Energy moved quickly to contain this incident by segregating the corporate network from other internal networks and enacting business continuity processes,” Mr Bills from CS Energy said.

“We immediately notified relevant state and federal agencies and are working closely with them and other cyber security experts. Unfortunately, cyber events are a growing trend in Australia and overseas. This incident may have affected our corporate network, but we are fortunate to have a resilient and highly skilled workforce who remain focused on ensuring CS Energy continues to deliver electricity to Queenslanders.”

Conti is designed and distributed by Wizard Spider, the same group that created the Ryuk ransomware. CS Energy was mentioned in Conti’s naming and shaming website. The attack implies that the threat actors were looking to add CS Energy to their ever-growing list of financially motivated attacks.

1.6 million WordPress sites under cyberattack

As many as 1.6 million WordPress sites have been targeted by an active large-scale attack campaign originating from 16,000 IP addresses by exploiting weaknesses in four plugins and 15 Epsilon Framework themes. WordPress security company Wordfence, which disclosed details of the attacks, said Thursday it had detected and blocked more than 13.7 million attacks aimed at the plugins and themes in a period of 36 hours with the goal of taking over the websites and carrying out malicious actions.

Most of the attacks observed by Wordfence involve the adversary updating the “users_can_register” (anyone can register) option to enabled and setting the “default_role” setting (the default role of users who register at the blog) to administrator, thereby allowing an adversary to register on the vulnerable sites as a privileged user and seize control. In light of active exploitation, WordPress site owners running any of the aforementioned plugins or themes are recommended to apply the latest fixes to mitigate the threat.

Attacker runs rogue relays to expose Tor users

An unknown threat actor has been discovered running thousands of malicious Tor relay servers to unmask Tor users. The group, tracked as KAX17, is believed to be active since 2017. KAX17 was found running relay servers in different positions, such as entry, middle, and exit nodes, within the Tor network. Researchers have recently removed at least 900 servers used by the group between October and November to hover around a daily total of up to 9,000-10,000. Controlling these relays allows its operators to find out which website the user is connected to. Further, if a user is using an insecure connection, the traffic may be manipulated. Most of the Tor relay servers used by the KAX17 group were located in data centers worldwide and were configured as entry and middle points.

In August 2020, a security researcher (who uses the moniker Nusenu) had revealed that for the first time a threat actor managed to control 23% of the entire Tor network’s exit nodes. The recent findings show how anonymous networks meant to be private can be attacked as well. However, the findings were shared with the Tor Project and all the exit relays set up in October 2020 were removed. Additionally, malicious relays set up between October and November were also deleted.

E-commerce website plugin prone to Magecart attack risk

The Christmas holiday shopping season is around the corner and so are the Magecart attackers. Interestingly, these attackers have become more active than ever, with each attack taking place every 16 minutes. Above all, retailers using the WooCommerce WordPress plugin are the fresh targets of the Magecart attackers. This open-source WordPress plugin is easily customisable and represents 29% of the top one million using e-commerce technologies. This rising popularity has made the plugin prone to Magecart risk.

Researchers at RiskIQ detected three new skimmers targeting retailers using the WooCommerce plugin. The three skimmers dubbed WooTheme, Slect, and Gateway have been designed to evade detection and enable attackers to steal customers’ banking details. Attackers exploited vulnerabilities in third-party themes and tools integrated into WooCommerce pages to launch the skimming codes onto the sites. The discovery of new skimmers indicates how threat actors are coming up with unique ways to gain access, deploy, and hide their tools on targeted websites. Therefore, retailers must raise their readiness for credit card skimming attacks. Besides this, having robust malware detection methods, and regularly inspecting the crontab commands for strange contents can reduce the risk of such attacks.

Warning over legacy crypto keys

Security firm Venafi enlisted the help of noted researcher Scott Helme to analyse the world’s top one million sites over the past 18 months. The resulting TLS Crawler Report revealed some progress in a few areas. Nearly three-quarters (72%) of sites now actively redirect traffic to use HTTPS, an increase of 15% since March 2020. Even better, more than half of the sites studied that use HTTPS are on the latest version of TLS: TLSv1.3. It has now overtaken TLSv1.2 to become the most popular protocol version. In addition, almost one in five of the top one million sites now use the more secure HSTS (HTTP Strict Transport Security) – a 44% increase since March 2020. Better still, the number of top one million sites using EV certificates is at its lowest point ever in the last six years of analysis. These are noted for slow, manual approval processes which drive too much friction for end users.

RSA is significantly less secure than modern alternative ECDSA, a public key cryptography encryption algorithm which boasts greater computational complexity and smaller authorisation keys. The latter means they require less bandwidth to set up an SSL/TLS connection, making them ideal for mobile apps and support for IoT and embedded devices, according to Venafi. Helme branded the RSA findings "a shame and somewhat surprising."

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.