
Log4j Vulnerability Now Used by state-backed Hackers, Access Brokers

As expected, nation-state hackers of all kinds have jumped at the opportunity to exploit the recently disclosed critical vulnerability (CVE-2021-44228) in the Apache Log4j Java-based logging library.

Also known as Log4Shell or LogJam, the vulnerability is now being used by threat actors linked to governments in China, Iran, North Korea, and Turkey, as well as access brokers used by ransomware gangs.

All hackers switch to Log4Shell

Among the first threat actors to leverage Log4Shell to drop payloads are cryptocurrency mining groups and botnets, who started to attack immediately after the proof-of-concept exploit code became available.

In a report on Sunday, Microsoft Threat Intelligence Center (MSTIC) observed the critical Log4j bug being exploited to drop Cobalt Strike beacons, which could indicate that more menacing actors were at play since the payload is often part of network breaches.

MSTIC updated the report on Tuesday to add that it had detected nation-state activity using Log4Shell, sometimes in active attacks. The researchers tracked “groups originating from China, Iran, North Korea, and Turkey.”

“This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.” – Microsoft Threat Intelligence Center

One of the actors is the Iranian threat group Phosphorus (also tracked as Charming Kitten and APT 35), which Microsoft observed “acquiring and making modifications” to the Log4Shell exploit.

Unlike most APT groups operating these days, Charming Kitten also has a history of ransomware attacks, mainly to disrupt operations rather than cash in, along with cyberespionage activity.

Another nation-state threat actor taking advantage of the Log4Shell bug is Hafnium, a hacking group linked to China.

The adversary became more broadly known after exploiting the ProxyLogon zero-day vulnerabilities in Microsoft Exchange Server in the window between when the bugs were reported and when a patch became available.

Microsoft says that Hafnium is now using Log4Shell in attacks against virtualization infrastructure “to extend their typical targeting”.

According to the researchers, the systems Hafnium used in these attacks relied on a DNS service that is normally seen in testing activity to fingerprint machines.

Cybersecurity firm Mandiant has confirmed that Chinese and Iranian state actors are using the Log4j vulnerability in attacks, and expects other groups to be doing the same or to be in a preparation stage.

John Hultquist, VP of Intelligence Analysis at Mandiant, told BleepingComputer that adversaries will waste no time establishing persistence on targeted networks for later stages of the attack.

“We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.” – John Hultquist

While the report from MSTIC also mentions state-backed hacking groups from North Korea and Turkey, the researchers did not offer any information on how these actors leveraged Log4Shell.

Ransomware attacks to be expected

Apart from nation-state actors, Microsoft has confirmed that brokers providing initial network access to various, mostly financially motivated groups have also started to exploit the Log4j flaw.

Initial access brokers typically work with ransomware-as-a-service (RaaS) operations, to which they sell access to compromised company networks.

“We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms” – Microsoft Threat Intelligence Center

Log4Shell has already been used in a ransomware attack from a new actor named Khonsari, a report from Bitdefender shows.

Based on available information, Khonsari may be intended to wipe data rather than encrypt it, because its ransom note includes contact details for a Louisiana antique shop owner instead of the attacker’s.

It is no surprise that Log4Shell has attracted hackers of all sorts. The bug has a maximum severity score and can be exploited remotely without authentication to take full control of a vulnerable system. Furthermore, the vulnerable Log4j library is included in products from dozens of vendors.

Given the damage this bug can cause, the Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch systems immediately.
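The practical first step behind that patching order is knowing where the vulnerable library actually lives: because log4j-core is bundled inside vendor products, fat JARs and WAR files, a package-manager listing alone misses copies. The following inventory script is an added example for this article and is not code from BleepingComputer, Microsoft or Mandiant. It assumes the Maven metadata path `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` that log4j-core builds carry, the `JndiLookup.class` path that interim mitigations deleted, and 2.15.0 as the first release that fixed CVE-2021-44228; the sample archives it scans are constructed in a temporary directory, not real Log4j builds.

```python
"""Inventory check for CVE-2021-44228: locate log4j-core inside JAR, WAR and EAR
archives (including archives nested in other archives) and report which still need patching."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Maven metadata path that log4j-core builds carry; its 'version' key names the build.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose JNDI lookup is abused in CVE-2021-44228. Deleting it from the JAR was a
# common interim mitigation, so its absence matters as much as the version string.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0, 0)  # first Log4j 2 release shipping the CVE-2021-44228 fix
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-.+)?$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 0); '2.0-beta9' -> (2, 0, 0, -1), so a pre-release
    sorts below the final release of the same number. None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), -1 if suffix else 0)


def inspect_archive(zf, location):
    """Return findings for any log4j-core in an opened zip archive, recursing into
    nested archive entries (fat JARs, WEB-INF/lib, EAR modules)."""
    findings = []
    names = set(zf.namelist())
    if POM_PROPERTIES in names:
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
        version = next((line.split("=", 1)[1].strip() for line in props.splitlines()
                        if line.startswith("version=")), "unknown")
        parsed = parse_version(version)
        has_jndi = JNDI_LOOKUP_CLASS in names
        findings.append({
            "location": location,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # Needs patching if the lookup class is still shipped and the build predates
            # the fix; an unparsable version is treated as unpatched rather than ignored.
            "vulnerable": has_jndi and (parsed is None or parsed < FIXED_VERSION),
        })
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    findings.extend(inspect_archive(inner, f"{location}!{name}"))
            except zipfile.BadZipFile:
                continue  # named like an archive but not one; skip it
    return findings


def scan_tree(root):
    """Walk a directory tree and collect log4j-core findings from every archive in it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, str(path)))
            except zipfile.BadZipFile:
                continue
    return findings


def _fake_log4j_core(version, include_jndi_class):
    """Bytes of a constructed, minimal log4j-core-style JAR (not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


def build_sample_tree(root):
    """Populate root with constructed archives covering the cases a scan must tell apart."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    (lib / "log4j-core-2.14.1.jar").write_bytes(_fake_log4j_core("2.14.1", True))  # unpatched
    (lib / "log4j-core-2.15.0.jar").write_bytes(_fake_log4j_core("2.15.0", True))  # fixed release
    (lib / "log4j-core-2.14.1-mitigated.jar").write_bytes(_fake_log4j_core("2.14.1", False))  # class removed
    with zipfile.ZipFile(Path(root) / "app.war", "w") as war:  # unpatched copy hidden inside a WAR
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1", True))
    with zipfile.ZipFile(Path(root) / "other.jar", "w") as other:  # unrelated library, no findings
        other.writestr("com/example/Other.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build the constructed sample tree in a temp dir, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "NEEDS PATCH" if f["vulnerable"] else "ok"
        print(f"{flag:11} {f['version']:8} jndi_lookup={f['jndi_lookup_present']}  {f['location']}")
```

Point `scan_tree` at an application or deployment directory instead of the constructed tree to get a real inventory. Two design choices matter for a defender: the nested-archive recursion, because the copy that bites is usually the one inside a WAR or fat JAR rather than a loose file, and treating a removed `JndiLookup.class` as mitigated, because many vendors shipped that interim fix before a rebuilt library. Later Log4j advisories raised the recommended version beyond 2.15.0, so adjust `FIXED_VERSION` to the current guidance before relying on the result.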
