Greetings!! I’m Shannon Morse and this is ThreatWire for December 14, 2021! This is your weekly summary of the threats to our security, privacy and Internet freedom. THANK YOU to long time patron David for the upgrade, and to Bry for joining this week on Patreon. Patreon.com/ThreatWire as always to keep this show ad free. And if you want to support the show but don’t wanna join on Patreon, you can grab your own ThreatWire merch for the holidays at the link below. Use the coupon code Turkey for 15% off! With that, onto the news!!

I know y’all are all here for this Log4Shell attack so let’s get right into it. On Thursday last week this new vulnerability started showing up online via news sources and within the infosec community. By the weekend, it had become widely known to be a huge concern given its ease of exploitation and the potential for compromising servers, since its attack surface is relatively ubiquitous and used across millions of apps. Log4Shell is tracked as CVE-2021-44228 and is the nickname given to a critical zero day vulnerability, and it has a maximum severity score of 10, meaning it’s a problem. A big problem.

This attack was first noted in the wild being used against a Minecraft server in a remote code execution attack, but the reason the Minecraft server was compromised also affects millions of other apps and servers, because the source of this problem is used by so many. The source is called Log4j. Log4j is an open source Java utility by Apache, built into a bunch of apps, that easily logs user input and performs network lookups via JNDI (the Java Naming and Directory Interface) to obtain services from LDAP (the Lightweight Directory Access Protocol). Log4j captures a message as a URL, fetches the corresponding response, and can execute code with full privileges. So researchers found out this can be exploited in text by using a specific syntax: an attacker could scan for vulnerable servers, find one, and use a text box to enter a line of code that triggers the Log4j utility to start a lookup. But instead of just allowing them to do something like a user would, i.e. logging into your Apple ID, connecting to a Minecraft server, whatever… this would allow them to do things like install crypto miners, grow a botnet, or exfiltrate data from the targeted server. A great example of this is changing your iPhone’s name to the designated syntax, which triggers the vuln on Apple’s servers, as this red teamer shared. Yesterday Tom Anthony, CTO of SearchPilot, pointed out that if you don’t close the payload with a closing bracket, it’ll just keep exfiltrating data until the next bracket comes along. So that’s great. Just great.

So what’s the explanation you can tell your fam when they see TV news mention it in a one liner to freak everyone out? Sonatype CTO Ilkka Turunen gave me this comparison: it’s like a captain’s log on a ship, but for software. This allows programs to record what happens when they run, and usually when a user enters something simple into a text form, it’s boring stuff (like changing your iPhone’s name). But someone, somewhere found out you can enter that code into these text fields to make the app do weird stuff. For admins, they gotta update the app… and anything else they use written in Java, and a lot of companies just don’t know what components go where, so they gotta look at literally everything to make sure each and every bit is patched. That’s what makes this so serious.

Even though it was publicly disclosed last week, Matthew Prince, cofounder and CEO of Cloudflare, tweeted they saw evidence of it being used in the wild as early as December 1. That means it’s been used for a while before anyone knew about the problem. A GitHub page shows potential impact and, while not verified, includes a slew of potentially affected brands including Twitter, Steam, Apple, Tesla, Amazon, UniFi, Webex, LinkedIn and more. There’s also an extensive list of responses from brands linked on GitHub as well. Researchers have explained that if you use Apache Struts, you’re likely vulnerable.

Sadly, users can’t do much since this requires app configuration and server updates for the programs and websites you use. The best users can do is alert the industries they rely on to check for the vulnerable utility and update. Services should update Log4j to version 2.15.0, but it’s kind of like putting out a ton of little fires: one app can use a ton of additional backend programs to run, and each of those might use Log4j too. Microsoft and Sophos both have intensive articles explaining how you can prevent, detect, and hunt down any exploitation of this vulnerability. And many companies have already started patching. Please treat your fellow infosec employees and admins with some empathy and patience through this holiday season. I’m sure a lot of folks are working overtime to patch this problem with zero thanks, so let me be the one to say thank you for your hard work. You deserve a raise for all you do to keep users protected.

Botnets are still alive and well at the end of 2021, but Google has stepped in to disrupt one botnet that has infected 1 million devices. This botnet is coined Glupteba and it infects Windows machines. Operators were using Google services to distribute the botnet, so, with the help of the CyberCrime Investigation Group, Google’s Threat Analysis Group terminated 63 million Google Docs, 1,183 Google accounts, 908 cloud projects and 870 Google Ads that were being used. But Glupteba is still being spread using the Bitcoin blockchain for command and control, for resilience. Google TAG also worked with hosting and infrastructure providers to remove servers hosting the botnet and put a warning page in front of malicious domains. Google has taken it a step further by filing a lawsuit against those they allege are behind the operation of this botnet. Google filed the lawsuit in the Southern District of New York against two Russian defendants, stating they’ve infiltrated over a million computers and devices to create this botnet for illicit purposes such as stealing Google users’ login credentials. But that’s not all! Glupteba was being used to steal account information, vend credit cards to make fraudulent purchases via Google Ads, serve up pop up ads on compromised machines, and mine cryptocurrency. This botnet was first documented a decade ago and it just keeps going. This disruption will help, but it likely won’t be the end of its spread.

I love it when y’all send me these adorable pictures of your pets, so these are a few from my hush puppy Patreon Alliance members. You can always support this content and keep it ad free for as little as $2 / month, and get a slew of perks at the same time! Each Alliance member gets over 10 perks as soon as you sign up at patreon.com/threatwire. With that, now onto the third story.

The open source package repository called NPM was being used to distribute 17 malicious packages that are being used to steal credentials and information on Discord servers. While Discord is usually used for user communication and community, it’s also used as a command and control channel for botnets, as well as a proxy for downloading data. Attackers appear to have used a series of techniques to trick devs into downloading the malicious package instead of a legitimate one. They’re able to do this because repositories are trusted by devs and machines, so no flags are raised whenever comms happen between the repo and the dev platform. Automated installation, such as using the NPM client, also creates a “ripe attack vector”, according to two JFrog researchers who discussed this attack vector in a post published on Wednesday. The malicious NPM packages work in a variety of ways. A few purport to be the discord.js library but actually include malicious code. Another acts like a Discord bot that fixes errors but actually steals credit card information. A third example includes a remote access trojan. While these specific packages have been removed from NPM’s repositories, if you download a lot of open source packages, it’s crucial to only download them from legitimate sources.

Want more tech content? Subscribe at youtube.com/ShannonMorse for my gift guides. Don't forget to like and subscribe to this channel as well! Next week is my annual Biggest Hacks video, then I’ll be out for the holidays and back in January. I'm Shannon Morse, I'll see you on the Internet!
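Picking back up the Log4Shell segment's point that admins have to find every copy of Log4j, including ones buried inside other apps and backend components: here is an added Python example (not code from the show, from Apache, or from Microsoft's or Sophos's guides) that inventories log4j-core jars under a directory, follows copies bundled inside .war/.ear/.jar archives, and flags any below the 2.15.0 fix version the segment names. The 2.15.0 threshold, the manifest-based version check, and the constructed sample jars built by `build_sample_tree` are assumptions for the demo.

```python
import io, os, pathlib, re, tempfile, zipfile
FIXED = (2, 15, 0)                 # fix version named in the segment; older or unknown counts as stale
BUNDLES = (".jar", ".war", ".ear")  # archive types that can carry a log4j-core copy inside them
CORE_RE = re.compile(r"(^|[/!])log4j-core[^/!]*\.jar$")  # '!' marks a path inside a nested archive
VER_RE = re.compile(r"^Implementation-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", re.M)

def manifest_version(zf):
    """Version tuple from META-INF/MANIFEST.MF; a missing or unparsable version sorts as (0, 0, 0)."""
    text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in zf.namelist() else ""
    m = VER_RE.search(text)
    return tuple(int(x or 0) for x in m.groups()) if m else (0, 0, 0)

def scan_bundle(location, zf, findings):
    """Record (location, version, needs_update) if zf is log4j-core, then recurse into archives it contains."""
    if CORE_RE.search(location.replace(os.sep, "/")):
        ver = manifest_version(zf)
        findings.append((location, ver, ver < FIXED))
    for name in (n for n in zf.namelist() if n.endswith(BUNDLES)):   # e.g. WEB-INF/lib/*.jar in a .war
        inner = io.BytesIO(zf.read(name))
        if zipfile.is_zipfile(inner):
            scan_bundle(location + "!" + name, zipfile.ZipFile(inner), findings)

def inventory(root):
    """Walk root and return every log4j-core copy found, on disk or nested inside another archive."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.endswith(BUNDLES)):
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    scan_bundle(path, zf, findings)
    return findings

def build_sample_tree(root):
    """Constructed fixture: a stale 2.14.1 jar on disk plus a fixed 2.15.0 jar bundled inside a .war."""
    def jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        return buf.getvalue()
    pathlib.Path(root, "log4j-core-2.14.1.jar").write_bytes(jar("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", jar("2.15.0"))

def demo():
    """Run the inventory over the constructed tree in a temp dir; the temp path is replaced by <root>."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(loc.replace(tmp, "<root>"), ver, stale) for loc, ver, stale in inventory(tmp)]
if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `inventory()` at an application directory instead of the fixture to get the same (location, version, needs_update) list for real deployments; a nested location reads like `app.war!WEB-INF/lib/log4j-core-2.15.0.jar`.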