
Help Net Security: 4 practical strategies for Log4j discovery

On December 27, 2021, NetSPI COO Charles Horton was featured as a guest writer for Help Net Security. Read the full article below or online here.

+++

For security teams scrambling to secure their organizations against Log4j exploitation, one of the first and most challenging tasks is understanding where Log4j exists within their environment. Without this understanding, any remediation efforts will be hamstrung from the get-go. Of course, this type of asset management can prove exceedingly difficult as Log4j is represented across thousands of products.

Still, even missing one vulnerable instance of Log4j can leave an organization at risk, which is why discovery is one of the most important steps in the remediation process. Below are four easy-to-implement vulnerability discovery strategies that can be used to assess an environment for vulnerable Log4j implementations.

Conduct full port vulnerability scanning

First, organizations should perform full port vulnerability scanning with service fingerprinting enabled. Scanning tools like Nmap can allow security teams to identify commonly abused protocols like HTTP and Remote Method Invocation (RMI). Vulnerability scanning tools can also identify RMI services that are hosted by Java applications. Teams can also conduct server layer vulnerability scanning with tools like Nessus or Nexpose to identify vulnerable Log4j instances by injecting into the top HTTP Header injection points. This process should take minimal effort if executed from a single location.

To go a step further, teams can use the Nessus or Nmap output to drive a tool such as EyeWitness, WitnessMe, or Aquatone to capture screenshots of the available websites. This produces a catalog of websites to review, which can then be used to identify the web applications that warrant more thorough testing. Once the list of web applications has been generated, teams can use a tool like Burp Suite Pro with the Log4Shell Scanner plugin to identify vulnerable Log4j instances; the plugin injects test strings, which trigger a callback to the tester when a vulnerable instance processes them, into all the dynamic elements of the web application it can map.
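As an added example (not code from the article or from NetSPI), the Python below turns Nmap greppable (-oG) output into the two lists this step needs: URLs for the screenshot tool's input file, and the Java RMI listeners worth following up on. The scan lines are constructed sample data, not a real scan.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap -sV -p- -oG` greppable output; not a real scan.
SAMPLE_GNMAP = (
    "# Nmap 7.92 scan initiated as: nmap -sV -p- -oG scan.gnmap 10.0.0.0/24\n"
    "Host: 10.0.0.5 (app1.internal)\tPorts: 80/open/tcp//http//nginx 1.18.0/, "
    "8080/open/tcp//http//Apache Tomcat 9.0.54/, 1099/open/tcp//java-rmi//Java RMI/"
    "\tIgnored State: closed (65532)\n"
    "Host: 10.0.0.9 (files.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4/, "
    "443/open/tcp//ssl|http//Apache httpd 2.4.51/, 9090/filtered/tcp//zeus-admin///"
    "\tIgnored State: closed (65532)\n"
    "Host: 10.0.0.12 ()\tPorts: 1099/open/tcp//java-rmi//Java RMI/"
    "\tIgnored State: closed (65534)\n"
    "# Nmap done at ...\n"
)

HOST_RE = re.compile(r"^(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text: str) -> List[Dict[str, str]]:
    """Return one record per port seen in greppable Nmap output.

    Each 'Ports:' entry has seven slash-separated fields:
    port/state/protocol/owner/service/rpc-info/version/
    """
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # e.g. a 'Status: Up' line with no port data
        m = HOST_RE.match(fields["Host"])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            records.append({"ip": ip, "hostname": hostname, "port": port,
                            "proto": proto, "state": state,
                            "service": service, "version": version})
    return records


def web_targets(records: List[Dict[str, str]]) -> List[str]:
    """URLs for every open HTTP(S) service, one per line for a screenshot tool's input file."""
    urls = []
    for r in records:
        if r["state"] != "open" or "http" not in r["service"]:
            continue
        # Nmap writes 'ssl|http' for TLS-wrapped HTTP; also assume TLS on the usual ports.
        tls = "ssl" in r["service"] or r["port"] in ("443", "8443")
        host = r["hostname"] or r["ip"]
        urls.append(f"{'https' if tls else 'http'}://{host}:{r['port']}")
    return urls


def rmi_services(records: List[Dict[str, str]]) -> List[str]:
    """host:port of open Java RMI registries, i.e. Java applications to review for Log4j."""
    return [f"{r['hostname'] or r['ip']}:{r['port']}" for r in records
            if r["state"] == "open" and r["service"] in ("java-rmi", "rmiregistry")]


if __name__ == "__main__":
    recs = parse_gnmap(SAMPLE_GNMAP)
    print("\n".join(web_targets(recs)))
    print("RMI:", rmi_services(recs))
```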

Target files unique to Log4j

Log4j is open source, which means its use in applications is widespread due to it being free, practical, easily distributed, and modifiable. However, the open-source nature of Log4j can also prove useful in the discovery stage. Security teams can easily download Log4j and create an inventory of all the files that are used by the package, and from there target files that are unique to Log4j.

Once this inventory is developed, security teams could leverage it with endpoint detection and response (EDR), file integrity monitoring (FIM), and configuration management tools that already exist in an organization’s security environment to identify vulnerable instances of Log4j. Additionally, in theory, the same inventory could be used as a dictionary against web servers. By utilizing this strategy, security teams can make efficient use of existing automation tools, saving time and resources that can then be used on the actual task of remediation.

Collaborate with your development teams

Security is everyone’s responsibility. To ensure an organization is truly secure, security and developer teams must work together. Comprehensive insight is needed to successfully mitigate Log4j risks. This process requires in-depth collaboration with business units and development teams to ensure that all Log4j instances are truly uncovered. In some cases, this can be a challenge when there are “black boxes” on an organization’s networks that have no clear owner.

Security teams must first work with development teams to create a list of all internally developed applications and the associated application owners. Then they must connect with the application owners and determine if a given application utilizes Log4j. For those that do, the security team and application owners will need to work together to apply the required patches. While this strategy requires a more hands-on approach, it will offer significant benefits in terms of remediating some of the more difficult to find Log4j implementations.

Shore up your vendor risk management

Third-party software providers have proven to be one of the main sources of cybersecurity risk for organizations over the past decade, and Log4j is no exception. Security teams must communicate with vendors to determine how Log4j relates to the external applications they rely on: which vendors and services use Log4j, whether those organizations have taken the necessary steps for discovery and remediation, and whether they have tested their networks for successful exploitation or intrusions.

Communication with vendors to this effect should be started as soon as possible so teams will know which services they might need to isolate or cease using, as well as how that might affect their organization’s functionality or services in turn.

Log4j discovery is the first hurdle

The ubiquitous nature of Log4j presents a clear challenge for cybersecurity experts, and with many security teams already short-staffed, finding all possible vulnerabilities seems like an insurmountable challenge. Establishing a discovery strategy is the first step in overcoming the challenge. With a straightforward strategy and clear communication and collaboration, teams can and will continue to protect the organizations they serve.


Best of NetSPI: Top Cybersecurity Blogs, Resources, Webinars, and Podcasts of 2021

Keeping up with modern cybersecurity best practices and the latest news is no simple task. In today’s digital world there are countless ways to digest information – from social media to podcasts to whitepapers and beyond.

At NetSPI we’ve made it our mission to keep our finger on the pulse of the security industry and only report on the most important news and cybersecurity challenges of the moment. We pay close attention to our clients’ biggest pain points, gaps where more cyber awareness and education is needed, and when we can provide insight and support around the most critical security incidents.

This is evident in our top blogs, resources, webinars, and podcasts of 2021. Not only were these the most read, downloaded, watched, and listened to content of the year, but they can also serve as an indicator of the security industry’s focus over the past 365 days. Continue reading to learn which topics were deemed “The Best of NetSPI” in 2021.

Top Executive Blogs

Log4j: Is My Organization Impacted? | Team NetSPI

It’s no surprise that a Log4j-centric blog post topped the charts with only one month left in the year… not to mention ThreatPost referenced the blog in a story about Log4Shell mutations. Read the blog for an overview of Log4j, its impact, detection best practices, and more.

The State of ATM Security: DMA Vulnerabilities are Lurking | Larry Trowell, Principal Consultant

NetSPI’s Larry Trowell is one of the foremost experts on IoT penetration testing. In this article, he explores the current state of ATM security, including common vulnerabilities, a deep dive on DMA attacks, and ATM security best practices. Attending the ATM Industry Association (ATMIA) annual conference in February? Larry will be sharing additional ATM cybersecurity tips during the Fraud and Logical Security Workshop on Tuesday, February 8.

A Checklist for Application Security Program Maturity | Nabil Hannan, Managing Director

Applications are the lifeblood of organizations today – and application security must be prioritized. However, building an AppSec program that stays current is no easy feat. To help, Nabil developed an application security checklist to help organizations shore up their security processes and take the necessary steps to establish a mature AppSec program.

The Best Blogs for Pentesters

Escalating Azure Privileges with the Log Analytics Contributor Role | Karl Fosaaen, Director

Karl explains how he discovered a privilege escalation that allowed an Azure AD user to escalate from the Log Analytics Contributor role to a full Subscription Contributor role. He also details how he worked with Microsoft to remediate the situation by removing the Automation Accounts permissions from the affected role.

Azure Persistence with Desired State Configurations | Jake Karnes, Managing Consultant

Jake details how pentesters can use the Desired State Configuration (DSC) VM extension to run arbitrary commands in Azure environments, with built-in functionality for recurring commands and persistence.

Tokenvator Release 3 | Alexander Polce Leary, Principal Consultant

NetSPI’s Alexander Polce Leary authored Tokenvator, a pentesting tool that can alter privileges with Windows tokens. This year, he made some big improvements to the tool including the user interface, impersonation/thread tokens, and the ability to change privileges on the token.

Ransomware, Pentesting, and Red Teams Top the Resource Charts

The Ultimate Guide to Ransomware Attacks

Ransomware was and continues to be one of the greatest threats to businesses. We developed this Ultimate Guide to Ransomware Attacks to help business leaders get up to speed on the latest ransomware trends, targets, and families, understand how ransomware works, and provide checklists for ransomware prevention and detection.

How to Choose a Penetration Testing Company

There are hundreds of penetration testing companies, and each offers different levels of service, pentesting methodologies, and technologies. We created this guide to help you choose the best pentesting company to work with. It features criteria to consider, questions to ask your partners during the RFP process, pentesting use cases, and more.

5 Things Every Red Team Needs to Optimize Operations

For a red team to be successful, it must have these 5 things: the right soft skills, an understanding of the business objectives, alignment on goals, ability to communicate business impact, and the best red team tools. Learn more about what it takes to create a successful red team in this tip sheet.

Most Watched Webinars

Understanding Modern EDR Tools: How They Work, How They Provide Value, and How to Bypass Them | Nick Landers, Head of Adversarial Research and Development

During this webinar, Nick explores the role modern EDRs play today, details the latest defensive evasion techniques adversaries use to bypass EDR tools, and shares advice for evaluating the technologies.

CVE-2020-17049: Kerberos Bronze Bit Attack – Explained and Exploited | Jake Karnes, Managing Consultant

In late 2020, Jake Karnes discovered the Kerberos Bronze Bit Attack: CVE-2020-17049. Stemming from the discovery and responsible disclosure to Microsoft, he presented a webcast to explain the inner workings of the vulnerability, which would allow attackers to bypass security features and escalate privileges in an Active Directory domain. This webinar is a must-watch for those looking to better understand Kerberos.

Automated Social Engineering for the Antisocial Engineer | Patrick Sayler, Principal Security Consultant

Phone communication remains a lucrative avenue for attackers, otherwise known as “vishing.” Putting your employees to the test against realistic vishing attempts is manual and time consuming. In this webcast, NetSPI’s Patrick Sayler describes how he configured interactive voice response (IVR) technology into a build-your-own social engineering robot.

Top Cybersecurity Podcasts

Startup Security, Threat Modeling, Pre-Social Engineering, and More – Insights Gained from a Unique Career Path | Episode 024 – Hadas Cassorla, CISO at M1 Finance

Nabil sits down with Hadas to discuss the challenges and opportunities of startup security, the effectiveness of threat modeling, what “pre-social engineering” means, and unconventional, empathetic security training tactics.

What Makes a Successful Technologist, A Day in the Life of a Security Firm CISO, and Lessons from an Effective Phishing Engagement | Episode 020 – Roshan Popal, CISO at MicroStrategy

Nabil is joined by Roshan, who shares advice for emerging security professionals, discusses what it’s really like to be a CISO at a security firm, and reminisces about an effective phishing campaign that fooled Nabil when the two worked together.

A Day in the Life of a NetSPI Penetration Tester | Episode 037 – Austin Altmann and Marissa Allen, NetSPI Security Consultants

Want a glimpse into a day in the life of a NetSPI penetration tester? Austin and Marissa explore what it takes to be a great pentester, share stories from their entry-level days in NetSPI University, how the current security curriculum could be improved, cybersecurity career misconceptions and more.


5 Apache Log4j Discovery Tips

The first step to remediating Log4j vulnerabilities? Discovery.

Identifying Apache Log4j usage at scale in any environment can be a challenge. Generally, we’re seeing companies struggle to develop comprehensive strategies to identify the vulnerability accurately across their entire environment. Getting real coverage involves reviewing all assets from both an authenticated and unauthenticated perspective, and often requires additional collaboration with business units and development teams. In some cases, this can be a challenge when there are “black boxes” on their networks that have no clear owner.

To help you get started, we’ve pulled together five discovery tips to identify vulnerable instances of Log4j. For additional detail and best practices for discovery, download our tip sheet: 5 Strategies for Log4j Vulnerability Identification.

  1. Perform both internal and external network scanning using common vulnerabilities scanners, such as Nmap or Nessus. Most of the Apache Log4j plugins used by vulnerability scanners only test a small subset of common HTTP headers, but they still provide basic coverage. To provide more comprehensive coverage, also perform focused web application testing. Create an inventory of externally and internally available web applications.
  2. Leverage existing security or configuration management tooling to search systems for files that are unique to Log4j. Then, follow up on positive matches to determine if they are running a vulnerable version of Apache Log4j. The files can be downloaded online: https://logging.apache.org/log4j/2.x/index.html.
  3. Reach out to vendors to determine if vulnerable Apache Log4j versions are being used for applications that were not developed by your company that have already been deployed to the environment.
  4. Collaborate with internal business units and development groups to determine if vulnerable Apache Log4j versions are being used by internally developed applications.
  5. Prioritize additional testing based on company-defined risk. Testing should focus on mapping the web application’s attack surface and testing all identifiable dynamic elements, such as common HTTP headers, parameters (GET, POST, JSON), and cookies.

Log4j is another example of attackers targeting software that’s integrated into core IT supply chains. However, Log4j represents a much greater risk than some of its predecessors, because it’s widely associated with multiple operating systems and websites exposed to the internet. As a result, attackers are scrambling to use it as quickly as possible to gain a foothold in environments and leverage it to deploy sophisticated attacks, such as ransomware. I think this will be the first of many breakouts that target, not common software packages, but their dependencies/third party components.

Time is critical in this situation, and vulnerability discovery is the first step to protecting your organization from exploitation. Connect with NetSPI to learn how we can help you with our Log4j Vulnerability Assessment: https://www.netspi.com/contact-us/.


CSO: 8 top penetration testing certifications employers value

On December 20, 2021, NetSPI Managing Security Consultant Melissa Miller was featured in an article written by Josh Fruhlinger for CSO. Read the full article below or online here.

+++

Penetration testing, sometimes called ethical hacking or red team hacking, is an exciting career path in which you simulate cyberattacks on target systems in order to test (and, ultimately, improve) their security. It’s a job that lots of people currently working in infosec would like to have, and one that can be tricky to get as competition heats up.

“It used to be the best way to grow a career in attack and penetration was through hands-on experience,” says Matthew Eidelberg, technical manager for threat management at Optiv. “It’s becoming harder and harder to break into pen testing as a beginner, because these roles are no longer considered niche. They are in high demand. As a result, a lot of effort has gone into certifications based on training and real-world lab simulations for both students and professionals.”

In fact, a range of penetration testing certifications are now available from various companies and industry organizations—and earning these certs can boost your career prospects, says Ron Delfine, director of career services at Carnegie Mellon University’s Heinz College. “Depending on what skills an organization is seeking,” he says, “certification holders may have a competitive advantage related to career advancement, as they have already been through a proven process requiring them to display evidence of strong penetration testing skills through the certification and recertification process.”

Top penetration testing certifications

How can you pick the best penetration testing certification for you? We spoke to a number of pen testing pros to see how different certifications have helped their careers or helped them find good candidates when they were hiring. In general, most of the people we spoke to grouped certs offered by the same orgs together, so that’s how we’ll treat them here too.

  • Offensive Security Certified Professional (OSCP)
  • Offensive Security Wireless Professional (OSWP)
  • Offensive Security Experienced Penetration Tester (OSEP)
  • GIAC Penetration Tester (GPEN)
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  • EC-Council Certified Ethical Hacker (CEH)
  • EC-Council Certified Penetration Testing Professional (CPENT)/Licensed Penetration Tester (LPT Master)
  • CompTIA PenTest+

. . .

EC-Council

The EC-Council is a cybersecurity education and training nonprofit founded in the wake of the 9/11 attacks, and Certified Ethical Hacker (CEH) is perhaps their highest-profile cert—in fact, it’s one of the best-known certifications in the field. The EC-Council recently launched a twinned pair of certs, Certified Penetration Testing Professional (CPENT) and Licensed Penetration Tester (LPT Master), that are based on the same training material and exam, with the LPT Master going to those who score best on the test.

CEH is relatively well known, and the security pros we spoke to note that it has its place in the field, but they were less enthusiastic about it than they were about certs from GIAC or Offensive Security. “I would note CEH as a ‘foot-in-the-door’ certification for a pen testing internship or in preparation for additional study,” says Melissa Miller, managing security consultant at NetSPI. Critical Start’s Rhoads-Herrera calls it “valuable as a good way to get past HR screeners” but adds that “the course work is not up to par with other certifications.”

“CEH does qualify you for a number of contracts by virtue of being one of the oldest in the game,” says Pluralsight’s Rosenmund, “but doesn’t necessarily ensure from an employer perspective that you are ready to do the job.” Counter Hack Challenges’ Elgee gives a specific example: “CEH is most valuable for checking specific certification boxes, especially in US government,” but says it “otherwise has a low value to price ratio.”

Certified Ethical Hacker (CEH):

Prerequisites: You must either take an EC-Council-approved CEH training course or establish that you have at least two years of professional infosec experience before you can take the exam.

Test format: Four hours, 125 multiple choice questions. If you pass this exam, you can also take the Certified Ethical Hacker Practical exam—six hours, 20 practical challenges—in order to earn CEH Master certification.

Cost: The exam costs $1,199 plus $100 for remote proctoring; there is a $100 nonrefundable application fee, and official training courses can cost anywhere from $850 to $2,999.

Official website: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

Certified Penetration Testing Professional (CPENT)/Licensed Penetration Tester (LPT Master):

Prerequisites: Candidates must have already received CEH and Certified Security Analyst certs from the EC-Council, and submit an application that includes a criminal background check. The exam is meant to follow on from the EC-Council’s CPENT training course, although experienced pen testers can request to “challenge” the exam based on their existing skills. 

Test format: A 24-hour online practical exam in which you deploy advanced pen-testing techniques. A 90% score or above earns you the LPT certification, while 70-90% scores you a CPENT.

Cost: The CPENT course is $2,199, which includes the exam and access to the EC-Council’s practice range and other content. There is also a $500 application fee (which covers the background check.)

Official website: https://www.eccouncil.org/programs/licensed-penetration-tester-lpt-master/


SC Media: As New York bank begins minting stablecoins, security concerns ensue

On December 13, 2021, NetSPI Chief Technology Officer Travis Hoyt was featured in an article written by Karen Hoffman for SC Media. Read the full article below or online here.

+++

A regional bank based in New York announced earlier this month that it would begin issuing stablecoins, raising the issue of how the traditional banking industry might deal with the security and regulatory concerns of dealing in cryptocurrencies. 

New York Community Bank, based in Westbury, New York, announced it would be the first U.S. banking institution to begin minting stablecoins, despite the fact that the Biden administration and Congress have been trumpeting strict regulation on this and other forms of cryptocurrency. Clark Frogley, Americas head of financial crime solutions at Quantexa, a data and analytics software company, said: “This is the kind of action we will begin to see more and more happening in the coming year. Some large banks around the world were looking to do this as early as three years ago, so definitely a move that has been anticipated.”

Stablecoins are digital assets pegged to the U.S. dollar and meant to offset cryptocurrency volatility, which makes them more acceptable to the mainstream banking industry and its customers.

“The payments landscape is ripe for disruption — but of both a commercial and regulatory variety,” said Brock Dahl, Head of U.S. Fintech & Counsel at Freshfields. “The federal government clearly signaled its growing concern with the expanding market power of stablecoin offerings in the White House’s recent working group report on the matter. Solutions aligned with traditional intermediaries will look most palatable to regulators, but time will tell just how much innovation the government will permit.”

Indeed, a government report issued last month on stablecoins recommended that Congress legislate oversight of stablecoins, in the interest of making them more widely accepted. The stablecoin market has grown more than tenfold in the past year from a market cap of $20 billion last year to more than $137 billion in November 2021, according to a report from Morgan Stanley. And given the recent attacks on cryptocurrency, there is reason to be concerned for the security of this approach.

Stablecoins face same risks as other cryptocurrency, experts say

Max Galka, founder and CEO of Elementus, a blockchain search engine, pointed out that the smartest blockchain companies in the world routinely get hacked and have vulnerabilities exploited. “But I think what makes this different for financial institutions [compared with] blockchain companies is that this is not their traditional domain of expertise,” Galka said. 

“It’s not the kind of risk that banks are used to facing, and the risk to them is higher because there’s more at stake,” Galka added. “Most of the crypto companies that are working on stablecoins don’t have the same kind of large legacy business at stake where if there is some kind of vulnerability, people lose faith in the institution.”

A systemic threat? The stable coin market is small but growing quickly, creating concerns that some nonbank issuers could fail.

Andrew Howard, CEO of Kudelski Security, believed the risks of stablecoins are similar to other blockchain currencies.

“The difference is in the guaranteed backing of specific currencies. This means the additional risks introduced are more aligned to corporate financial institutions’ accounts, such as fraud, theft, and other loss of funds scenarios,” Howard said. “Also, this naturally introduces centralization to a decentralized financial model, which has its own issues.”

Howard said he does not see minting stablecoins as a big trend at U.S. financial institutions, “although a few more may enter the market.” 

Travis Hoyt, chief technology officer at NetSPI, who has previously led security programs at Bank of America and TIAA, said he sees the potential for security flaws in stablecoins, as there might be in any new technology.

“A distributed ledger that employs smart contract functionality and is accessible by the public comes with the risk of abusing those platforms and the smart contracts that run on them,” Hoyt said, adding that in the past year, there have been a few notable examples of these security risks in Decentralized Autonomous Organizations (DAOs) being hacked, causing a wide group of individuals and institutions to be impacted, including financial services institutions and retail investors. 

Sean Tierney, Constella’s vice president of threat intelligence, pointed out that stablecoin inherits many of the “same cybersecurity risks and challenges faced by financial institutions, cryptocurrency exchanges, and e-commerce. These can include attacks against the institution such as denial of service, various forms of fraud and attacks on customers or end users, as well as cyberattacks against the firms such as those which have impacted the SWIFT banking network and several cryptocurrency exchanges.”

“However, they should also presume blockchain implementations as a whole, along with their particular implementation and platform, will garner increasing attention from those who would find and exploit weakness for profit or other gain,” Tierney added. “The mitigations will involve continued defense-in-depth, good security hygiene and practices.”

“It is highly likely we’ll see growing involvement from FSIs, including minting their own coins, as they learn to legally operate with existing and emerging regulation,” Tierney said.

Hoyt noted that with any blockchain, the security of that chain depends on the strength of its decentralization. For example, Providence Blockchain has 21 validators, which would universally be considered a very small population. While this doesn’t imply the blockchain is suspect, those in the cryptocurrency space should be cautious of cybersecurity threats.

“On the flip side, having a relatively small group of validators could enable reversal of transactions if something negative occurs. When looking at potential security risks, there would need to be an exit mechanism for threat actors to cause real harm,” Hoyt said, adding that since there are currently no cross-chain capabilities or accessible fiat exits available, threat actors would have no means to extract any value from the chain, making the possibility for exploitation minimal.

“However, this does not mean that they couldn’t disrupt the chain itself in a destructive manner, which could still cause damage,” said Hoyt.


Log4j: Is My Organization Impacted?

Talk to any security professional and they’ll tell you that a vulnerability that allows for unauthenticated remote code execution is about as critical as it gets. That’s exactly what CVE-2021-44228 allows.

On December 9, 2021, the severe Apache Log4j zero-day vulnerability was disclosed, along with its known exploits, creating a panic across the security community. The mere fact that a fix was put into place in a matter of hours of discovery is an indicator of how severe the vulnerability truly is. Given its severity, users are encouraged to take action immediately.

As teams scrambled to address CVE-2021-44228, a new vulnerability came about: CVE-2021-45046, as the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was deemed “incomplete in certain non-default configurations.” It causes the Log4j2 Thread Context Message Pattern and Context Lookup Pattern to be vulnerable to a Denial of Service (DoS) attack.

…And then yet another surfaced overnight, CVE-2021-45105. The third Log4j vulnerability is very similar to the initial Log4Shell zero-day. Previous patches did not protect against uncontrolled recursion from self-referential lookups which could also result in a DoS attack.

Continue reading for details on the impact of these critical vulnerabilities, guidance to determine whether your organization is at risk of Log4j exploit, and mitigation recommendations.

What is the impact of the Log4Shell zero-day vulnerability?

The ubiquity of Log4j is the greatest concern. In just 24 hours, it has been reported that Apple iCloud, Twitter, Cloudflare, Minecraft, and Steam identified the vulnerability in their systems.

Its impact is expected to spread even further given Log4j is widely used across enterprise applications, including mobile applications, thick client applications, web applications, desktop GUI applications, and other Java-based applications to record/log activities within an application.

If exploited, cybercriminals can take control of an affected system remotely.

Is my organization vulnerable?

The first step to threat mitigation is to understand Log4j’s presence in your organization. To answer the question “Which of my applications use Log4j?” NetSPI recommends:

  • Search code repositories for the following properties and set them to the correct value based on the CVE remediation recommendation:
    • “log4j2.formatMsgNoLookups”
    • “com.sun.jndi.rmi.object.trustURLCodebase”
    • “com.sun.jndi.cosnaming.object.trustURLCodebase”
  • Check your asset management database to see if you are running Apache Log4j2 versions ranging from 2.0 to 2.16 in your environment. If so, you are likely vulnerable and require an update, though there are some exceptions.
  • Check for affected versions of log4j jar files on file systems to prioritize systems that require further analysis.
  • If a software composition analysis (SCA) tool is being used, request that the vendor develop a check for the vulnerability, or create a custom check for the incorrect setting.

For additional detection tips, download our tip sheet, 5 Strategies for Log4j Vulnerability Identification.
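The jar-file check in the list above, tip 2 of the “5 Apache Log4j Discovery Tips” and the “Target files unique to Log4j” strategy earlier on this page all come down to the same routine, shown here as an added example (not NetSPI’s tooling): walk a directory tree, open every jar (recursing into wars, ears and fat jars), read the log4j-core version from its Maven pom.properties, record whether JndiLookup.class is still present, and map the version to the three CVEs using Apache’s published fixed versions (2.15.0 / 2.16.0 / 2.17.0, plus the 2.12.x and 2.3.x backports). The fixture it scans is constructed in a temporary directory.

```python
import io
import os
import re
import tempfile
import zipfile

# Paths that identify log4j-core inside any jar/war/ear: Maven metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
ALL_CVES = ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"]


def parse_version(s):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0); pre-releases sort before finals."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+\d*))?$", s.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def affected_cves(version):
    """CVEs a log4j-core version is still affected by, per Apache's fixed versions:
    2.15.0 / 2.16.0 / 2.17.0 on the Java 8 line, 2.12.2 (+2.12.3 for 45105) for Java 7,
    2.3.1 for Java 6. Any 2.0 pre-release is flagged (first affected is 2.0-beta9);
    Log4j 1.x is a different code base and is not classified here."""
    v = parse_version(version)
    if v is None or v[0] != 2:
        return []
    if v[:2] == (2, 3):
        return [] if v[2] >= 1 else list(ALL_CVES)
    if v[:2] == (2, 12):
        return [] if v[2] >= 3 else ["CVE-2021-45105"] if v[2] == 2 else list(ALL_CVES)
    fixed_in = [(2, 15, 0, 1), (2, 16, 0, 1), (2, 17, 0, 1)]
    return [cve for cve, fix in zip(ALL_CVES, fixed_in) if v < fix]


def inspect_archive(zf, location, findings):
    """Record a log4j-core hit for this archive, then recurse into archives nested inside it."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        version = m.group(1).strip() if m else "unknown"
        findings.append({"location": location, "version": version,
                         # False means the class was stripped from the jar (the documented mitigation)
                         "jndi_lookup_present": JNDI_CLASS in names,
                         "cves": affected_cves(version)})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{location}!/{name}", findings)


def scan_directory(root):
    """Walk a tree and inspect every jar/war/ear/zip, including archives nested inside archives."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def _fake_core_jar(version):
    """Constructed stand-in for a log4j-core jar: only the Maven metadata and a placeholder class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return buf.getvalue()


def demo():
    """Build a constructed fixture (2.14.1 core nested in app.war, 2.17.0 core on disk) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(os.path.join(tmp, "app.war"), "w") as war:
            war.writestr("WEB-INF/web.xml", "<web-app/>")
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_core_jar("2.14.1"))
        with open(os.path.join(tmp, "log4j-core-2.17.0.jar"), "wb") as fh:
            fh.write(_fake_core_jar("2.17.0"))
        return sorted(scan_directory(tmp), key=lambda f: f["version"])


if __name__ == "__main__":
    for f in demo():
        print(f["location"], f["version"], f["jndi_lookup_present"], f["cves"] or "not affected")
```

Point scan_directory at a real application or container filesystem; a hit with an empty cves list but JndiLookup.class present is patched, while a hit whose class is absent has been mitigated by stripping the lookup.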

What can I do to protect my organization?

Review the Apache Log4j security vulnerability announcement and update to the appropriate version of Log4j 2. It is important to follow the mitigation steps outlined by Apache and continuously check in for additional vulnerable instances.

NetSPI also recommends organizations ensure their detection tools (Qualys, Nessus, Nexpose, etc.) produce checks for the vulnerability as this is likely to have lasting impacts.

If you have questions about the Log4j vulnerabilities or would like NetSPI to perform a targeted test for the vulnerability in your environment, please visit https://www.netspi.com/security-testing/apache-log4j-assessment.


Threatpost: Log4Shell Is Spawning Even Nastier Mutations

On December 13, 2021, NetSPI was featured in an article written by Lisa Vaas for Threatpost. Read the full article below or online here.

+++

What some call the worst cybersecurity catastrophe of the year – the Apache Log4j logging library exploit – has spun off 60 bigger mutations in less than a day, researchers said.

The internet has a fast-spreading, malignant cancer – otherwise known as the Apache Log4j logging library exploit – that’s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week.

Most of the attacks focus on cryptocurrency mining done on victims’ dimes, as seen by Sophos, Microsoft and other security firms. However, attackers are actively trying to install far more dangerous malware on vulnerable systems as well.

According to Microsoft researchers, beyond coin-miners, they’ve also seen installations of Cobalt Strike, which attackers can use to steal passwords, creep further into compromised networks with lateral movement and exfiltrate data.

Also, it could get a lot worse. Cybersecurity researchers at Check Point warned on Monday that the evolution has already led to more than 60 bigger, brawnier mutations, all spawned in less than a day.

“Since Friday we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly: over 60 in less than 24 hours,” they said.

The flaw, which is uber-easy to exploit, has been named Log4Shell. It’s resident in the ubiquitous Java logging library Apache Log4j and could allow unauthenticated remote code execution (RCE) and complete server takeover. It first turned up on sites that cater to users of the world’s favorite game, Minecraft, last Thursday, and was being exploited in the wild within hours of public disclosure.

Mutations May Enable Exploits to Slip Past Protections

On Monday, Check Point reported that Log4Shell’s new, malignant offspring can now be exploited “either over HTTP or HTTPS (the encrypted version of browsing),” they said.

The more ways to exploit the vulnerability, the more alternatives attackers have to slip past the new protections that have frantically been pumped out since Friday, Check Point said. “It means that one layer of protection is not enough, and only multilayered security postures would provide a resilient protection,” they wrote.

Because of the enormous attack surface it poses, some security experts are calling Log4Shell the biggest cybersecurity calamity of the year, putting it on par with the 2014 Shellshock family of security bugs that was exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning within hours of its initial disclosure.

Tactical Shifts

Besides variations that can slip past protections, researchers are also seeing new tactics.

Luke Richards, Threat Intelligence Lead at AI cybersecurity firm Vectra, told Threatpost on Monday that initial exploit attempts were basic call backs, with the initial exploit attempt coming from TOR nodes. They mostly pointed back to “bingsearchlib[.]com,” with the exploit being passed into the User Agent or the Uniform Resource Identifier (URI) of the request.

But since the initial wave of exploit attempts, Vectra has tracked many changes in tactics by the threat actors who are leveraging the vulnerability. Notably, there’s been a shift in the commands being used, as the threat actors have begun obfuscating their requests.

“This originally included stuffing the User Agent or URI with a base64 string, which when decoded by the vulnerable system caused the host to download a malicious dropper from attacker infrastructure,” Richards explained in an email. Following this, the attackers started obfuscating the Java Naming and Directory Interface (JNDI) string itself, by taking advantage of other translation features of the JNDI process.

He offered these examples:

${jndi:${lower:l}${lower:d}a${lower:p}://world80
${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//
${jndi:dns://

…All of which achieve the same objective: “to download a malicious class file and drop it onto the target system, or to leak credentials of cloud-based systems,” Richards said.
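A detector that matches only the literal string `${jndi:` misses the obfuscated forms Richards lists, because the payload is reassembled by Log4j's nested lookup resolution at log time. The following Python is an added example (not Vectra's or NetSPI's code) of the normalisation a log-search or WAF rule needs: it collapses `${lower:x}`, `${upper:x}` and `${prefix:key:-default}` lookups from the innermost outward, the way Log4j's substitution works, and only then matches for a `jndi:` lookup with a network scheme. It errs on the defensive side by treating any lookup it does not recognise as undefined, and it stops as soon as a `jndi:` body is exposed. The log lines it scans are constructed; the three lookup strings inside them are the examples quoted above.

```python
"""Added example: de-obfuscate nested Log4j lookups before matching for JNDI probes."""
import re

# One ${...} whose body contains no further "${": the innermost lookup, matched first.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A jndi: lookup naming one of the schemes seen in the wild (ldap, rmi, dns, ...).
JNDI_RE = re.compile(r"jndi:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds)", re.IGNORECASE)


def resolve_inner(body):
    """Resolve a single innermost lookup body as a detector would.

    ${lower:x}/${upper:x} change case; ${prefix:key:-default} yields the default
    (an obfuscated probe relies on 'key' being undefined so the default, one piece
    of the real payload, is substituted); anything else is treated as undefined.
    """
    prefix, has_colon, rest = body.partition(":")
    if not has_colon:
        return ""
    prefix = prefix.strip().lower()
    if prefix == "lower":
        return rest.lower()
    if prefix == "upper":
        return rest.upper()
    _key, has_default, default = rest.partition(":-")
    return default if has_default else ""


def normalize(text, max_rounds=200):
    """Collapse nested lookups inside out; stop once a jndi: lookup body is exposed."""
    for _ in range(max_rounds):          # bound the work on pathological input
        m = INNER_LOOKUP.search(text)
        if not m:
            break
        body = m.group(1)
        if JNDI_RE.search(body):
            break                         # keep the exposed jndi lookup visible
        text = text[:m.start()] + resolve_inner(body) + text[m.end():]
    return text


def is_log4shell_probe(text):
    """True when the de-obfuscated text contains a jndi: lookup with a network scheme."""
    return JNDI_RE.search(normalize(text)) is not None


def scan_log(lines):
    """Return the indexes of log lines that carry a (possibly obfuscated) JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed access-log lines; the lookup strings are the three forms quoted above,
# reproduced as they appear on the page (the first two are unterminated).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${jndi:${lower:l}${lower:d}a${lower:p}://world80',
    '10.0.0.6 - - "GET /${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}'
    '${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}// HTTP/1.1" 404',
    '10.0.0.7 - - "GET /login HTTP/1.1" 200 "${jndi:dns://',
    '10.0.0.8 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i in scan_log(SAMPLE_LOG_LINES):
        print(f"line {i}: {normalize(SAMPLE_LOG_LINES[i])}")
```

Because the resolver stops at the first exposed `jndi:` body, the normalised text it returns is also what you want to record in an alert: it shows the analyst the reassembled lookup rather than the raw obfuscated bytes. As Check Point's comment above implies, no single pattern is complete, so this belongs alongside, not instead of, patching and the Apache mitigation settings.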

Bug Has Been Targeted All Month

Attackers have been buzzing around the Log4Shell vulnerability since at least Dec. 1, it turns out, and as soon as CVE-2021-44228 was publicly disclosed late last week, attackers began to swarm around honeypots.

On Sunday, Sophos researchers said that they’d “already detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability,” noting that log searches by other organizations (including Cloudflare) suggest that the vulnerability may have been openly exploited for weeks.

“Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,” Cloudflare CEO Matthew Prince tweeted on Saturday. “That suggests it was in the wild at least nine days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.”

On Sunday, Cisco Talos chimed in with a similar timeframe: It first saw attacker activity related to CVE-2021-44228 starting on Dec. 2. “It is recommended that organizations expand their hunt for scanning and exploit activity to this date,” it advised.

Exploits Attempted on 40% of Corporate Networks

Check Point said on Monday that it’s thwarted more than 845,000 exploit attempts, with more than 46 percent of those attempts made by known, malicious groups. In fact, Check Point warned that it’s seen more than 100 attempts to exploit the vulnerability per minute.

As of 9 a.m. ET on Monday, its researchers had seen exploits attempted on more than 40 percent of corporate networks globally.

The map below illustrates the top targeted geographies.

Top affected geographies. Source: Check Point.

Hyperbole isn’t an issue with this flaw. Security experts are rating it as one of the worst vulnerabilities of 2021, if not the tip-top most terrible. Dor Dali, Director of Information Security at Vulcan Cyber, classes it in the top-three worst flaws of the year: “It wouldn’t be a stretch to say that every enterprise organization uses Java, and Log4j is one of the most-popular logging frameworks for Java,” Dali noted via email on Monday. “Connecting the dots, the impact of this vulnerability has the reach and potential to be substantial if mitigation efforts aren’t taken right away.”

As has been repeatedly stressed since its initial public disclosure, the Log4j vulnerability “is relatively easy to exploit, and we’ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world,” Dali reiterated. “Hopefully every organization running Java has the ability to secure, configure and manage it. If Java is being used in production systems IT security teams must prioritize the risk and mitigation campaigns and follow remediation guidelines from the Apache Log4j project as soon as possible.”

This situation is rapidly evolving, so keep an eye out for additional news. Below are some of the related pieces we’ve seen, along with some of the new protections and detection tools.

More News

New Protections, Detection Tools

  • On Saturday, Huntress Labs released a tool – available here – to help organizations test whether their applications are vulnerable to CVE-2021-44228.
  • Cybereason released Logout4Shell, a “vaccine” for the Log4Shell Apache Log4j RCE, that uses the vulnerability itself to set the flag that turns it off.

Growing List of Affected Manufacturers, Components

As of Monday, the internet was still in meltdown drippy mode, with an ever-growing, crowd-sourced list hosted on GitHub that only scratches the surface of the millions of applications and manufacturers that use log4j for logging. The list indicates whether they’re affected by Log4Shell and provides links to evidence if they are.

Spoiler alert: Most are, including:

A Deep Dive and Other Resources

  • Immersive Labs has posted a hands-on lab of the incident.
  • Lacework has published a blog post regarding how the news affects security best practices at the developer level.
  • NetSPI has published a blog post that includes details on Log4Shell’s impact, guidance to determine whether your organization is at risk, and mitigation recommendations.

Help Net Security: NetSPI offers protection against cybersecurity threats with IoT penetration testing services

On December 10, 2021, NetSPI was featured in an article written by Help Net Security. Read the full article below or online here.

+++

NetSPI launched its IoT penetration testing services, which will be added to its existing suite of penetration, adversary simulation, and attack surface management capabilities.

NetSPI IoT penetration testing

With the stark growth of IoT adoption over the past few years, pentesting is now a critical asset for companies to understand and assess the overall strength and accountability of their internet-connected systems against sophisticated and targeted cyber attacks.

NetSPI’s new IoT testing services encompass the following capabilities:

  • ATM penetration testing. Identify the security issues and common vulnerabilities on relevant ATM systems and provide actionable recommendations for improving the overall security posture.
  • Automotive penetration testing. Identify security issues on relevant vehicles and provide recommendations to improve the current systems – at any stage of automotive development.
  • Medical device penetration testing. Through a combination of threat modeling and penetration testing, determine possible medical device security risks and identify whether devices meet or exceed the current standards and recommendations by the FDA Premarket Cybersecurity Guidelines.
  • Operational technology (OT) architecture and security review. Identify industrial control system (ICS) vulnerabilities with a focus on the OT processes in a Defense in Depth strategy. NetSPI will investigate the configuration and architecture of the systems and help address issues with asset inventory, network configuration, and segmentation.
  • Embedded penetration testing. Identify embedded system vulnerabilities in a multitiered penetration test across multiple disciplines. Look for security gaps at all stages of embedded development that may affect each layer of the device.

“IoT has become part of our daily lives, but these devices and systems are often overlooked from a security perspective. Tapping into our innovation-driven culture and our best-in-class technologies, NetSPI’s IoT pentesting team is uniquely qualified to find and help fix the most critical security gaps in these systems,” said Aaron Shilts, President and CEO at NetSPI. “Our team is currently gearing up for game changing IoT pentesting projects in 2022. We were selected to test smart city technologies and ATM networks for some of the most transformative organizations in the world. NetSPI is thrilled to be a prominent player in future-proofing IoT security worldwide.”

To keep up with the growth of IoT and assist with the complexity in this space, NetSPI has brought on one of the foremost IoT security experts, Larry Trowell, as Principal Consultant to provide additional leadership, guidance, and accountability within the IoT security practice.

“IoT pentesting has become an important part of security strategy and business processes – especially given the increased connectedness in both personal and professional lives,” said Trowell. “There is currently a gap in the market to effectively monitor and assess the risks of these devices. NetSPI’s new offering allows our team to devote its resources and ensure the security of all embedded devices for our customers.”


VMBlog.com: NetSPI Adds IoT Penetration Testing to its Suite of Offensive Security Services

On December 8, 2021, NetSPI was featured in an article written by David Marshall for VMBlog.com. Read the full article below or online here.

+++

NetSPI announced the launch of its IoT penetration testing services, which will be added to its existing suite of penetration, adversary simulation, and attack surface management capabilities. With the stark growth of IoT adoption over the past few years, pentesting is now a critical asset for companies to understand and assess the overall strength and accountability of their internet-connected systems against sophisticated and targeted cyber attacks.

NetSPI’s new IoT testing services encompass the following capabilities: 

  • ATM Penetration Testing. Identify the security issues and common vulnerabilities on relevant ATM systems and provide actionable recommendations for improving the overall security posture. 
  • Automotive Penetration Testing. Identify security issues on relevant vehicles and provide recommendations to improve the current systems – at any stage of automotive development. 
  • Medical Device Penetration Testing. Through a combination of threat modeling and penetration testing, determine possible medical device security risks and identify whether devices meet or exceed the current standards and recommendations by the FDA Premarket Cybersecurity Guidelines. 
  • Operational Technology (OT) Architecture and Security Review. Identify industrial control system (ICS) vulnerabilities with a focus on the OT processes in a Defense in Depth strategy. NetSPI will investigate the configuration and architecture of the systems and help address issues with asset inventory, network configuration, and segmentation. 
  • Embedded Penetration Testing. Identify embedded system vulnerabilities in a multitiered penetration test across multiple disciplines. Look for security gaps at all stages of embedded development that may affect each layer of the device. 

“IoT has become part of our daily lives, but these devices and systems are often overlooked from a security perspective. Tapping into our innovation-driven culture and our best-in-class technologies, NetSPI’s IoT pentesting team is uniquely qualified to find and help fix the most critical security gaps in these systems,” said Aaron Shilts, President and CEO at NetSPI. “Our team is currently gearing up for game changing IoT pentesting projects in 2022. We were selected to test smart city technologies and ATM networks for some of the most transformative organizations in the world. NetSPI is thrilled to be a prominent player in future-proofing IoT security worldwide.”

To keep up with the growth of IoT and assist with the complexity in this space, NetSPI has brought on one of the foremost IoT security experts, Larry Trowell, as Principal Consultant to provide additional leadership, guidance, and accountability within the IoT security practice. 

“IoT pentesting has become an important part of security strategy and business processes – especially given the increased connectedness in both personal and professional lives,” said Trowell. “There is currently a gap in the market to effectively monitor and assess the risks of these devices. NetSPI’s new offering allows our team to devote its resources and ensure the security of all embedded devices for our customers.”


VMBlog.com: Expert Commentary: Cybersecurity Threats During the Holidays

On December 10, 2021, NetSPI Principal Security Consultant Larry Trowell was featured in an article written by David Marshall for VMBlog.com. Read the full article below or online here.

+++

With the holiday season in full swing, cybercriminals know consumers are relying heavily on online shopping to fulfill their Christmas gifting lists, and organizations are at an increased risk of threats.  Here’s some helpful advice from several cybersecurity experts.

NetSPI, Larry Trowell, Principal Consultant

“As we enter the holiday season, security professionals must be aware of the threats that come with holiday gifts, specifically smart IoT devices. These connected gadgets open up a new host of security risks for both employees’ personal lives and corporate networks. 

Over the last two years alone, more people have set up multiple devices that connect to a single home network, including corporate-issued computers and tablets. With so many devices already in play, employees need to understand that some of the most popular technology gifts, such as robot vacuums, Tile, and Alexa come equipped with Bluetooth and Wi-Fi, cameras and geo mapping. These capabilities create a complex system that is more prone to attacks because it has greater potential for flaws and vulnerabilities within an increased attack surface – especially when integrated with other home automation products. 

In tandem with this increased tech adoption, the pandemic and rise in remote work brought all corporate devices into employees’ homes and opened up Pandora’s box for potential vulnerabilities — home office networks are said to be 3.5 times more likely to be attacked than corporate networks. To better understand, assess, and manage how employees are accessing company networks during the holidays, companies should educate their workforce about potential risks to their home network that come with tech gifts, and set up regular tests of their corporate systems as computers leave the office. Having a security testing program set in place — prior to the holidays — can help to identify any vulnerabilities within the corporate network quickly and efficiently and allow employees to better understand all the risks at play this time of year.”

Immersive Labs, Kevin Breen, Director of Cyber Threat Research

“Cyberattackers like to take advantage of human behaviors and the holiday season is no exception. The increase in online and in-store shopping makes for an easy in, whether via phishing emails that mirror holiday marketing campaigns or fraud through the digital domain. 

Toys and gifts are also becoming more high-tech and connected to WiFi or Bluetooth. Sadly, manufacturers don’t always consider the security risks when building these connected devices, since they’re hyperfocused on the user experience, which can present some exposure to users.    

“The human element also makes the holidays a particularly vulnerable time. There’s a societal pressure to exchange gifts, make memories, finish the year strong and make ends meet, creating a slew of open opportunities for cyber threats and disruption. We’ve seen some of the most impactful ransomware attacks happen during holiday periods, for example, where there’s minimal security staffing and an increase in external commitments. Cyberattacks don’t stop during the holidays, in fact, they’re often amplified, so it’s critical that organizations remain vigilant and prepared.”

Gigamon, Joe Slowik, Senior Manager of Threat Intelligence

“Supply chains are especially vulnerable to cyber attacks this holiday season. Supply chain attacks raise the prospect of stealthy, nearly impossible to detect intrusions by subverting fundamental trusts between network operators and their suppliers, contractors, and related parties…

…While concrete proof or direct evidence for any of these alleged incidents is circumstantial at best and typically nonexistent, the nature of the problem makes proving (or disproving) such events difficult or impossible. Once fundamental system trust is questioned, discussion quickly shifts such that one must prove that a device is not compromised which is a near impossible task.

One mechanism for adversaries, defenders and network owners to retain significant ‘first mover’ advantage in that they own, manage, and (ideally) can design the landscape on which intruders must operate – emerges through implementing “zero trust” security architecture. One of the core mechanisms to achieve and maintain zero trust principles is rigorous network segmentation through physical and virtual mechanisms. System owners can reduce direct connectivity between devices and establish authentication or rigorous trust boundaries between segments. Adversary lateral movement then becomes significantly more difficult even if the initial breach takes place via a supply chain mechanism circumventing other controls. Thorough segmentation becomes especially valuable when paired with monitoring and visibility. System owners and network defenders gain insight into internal network traffic flows between discrete zones as opposed to just internal-external communications. Combined with a robust approach to C2 traffic monitoring described in the previous section, defenders gain layered visibility into adversary operations throughout multiple phases of operations.”

Datto, Ryan Weeks, Chief Information Security Officer

“The holiday season presents a “perfect storm” of opportunity for threat actors. Timing is the sweet spot for most attackers; the longer it takes for someone to notice there has been an intrusion, the more damage they can do. With an abundance of shopping deals, marketing emails and greater online traffic, the holidays are a perfect time for employees to fall for phishing tactics that enable hackers to propagate throughout a network – long before a company even realizes it. 

In fact, phishing emails top the list of successful attack vectors at 54%. Further, a lack of education, weak passwords and poor user practices are among the top causes for ransomware attacks. In the weeks leading up to the holidays, companies should ensure their employees are properly educated and trained on how to spot phishing tactics and thwart intrusions that could quickly spread to infect an entire organization during the holidays.”

Veriff, Janer Gorohhov, Co-founder and Chief Product Officer

“The accelerated digital transformation of companies around the world has led to an increase in fraud rates globally, and retail is no exception. To combat this increase in fraud and maintain trust and safety online this holiday season, more organizations must leverage artificial intelligence tools to identify and stop bad actors in their tracks, saving online retailers money and protecting both their employees and customers.”
