Log4j Vulnerability

Summary: On December 9, 2021, The Log4j zero-day vulnerability (CVE-2021-44228, commonly known as “Log4Shell”) was first detected. When exploited, this vulnerability may allow unauthenticated remote access to servers. Log4j is used in many diverse types of software such as enterprise software, cloud applications, email clients, and open-source programs. It is an open-source logging library written in Java that allows most software developers to log various data within their applications and part of the Apache Logging Services. This raises the significance of this vulnerability since it puts a large variety of software at risk. The vulnerability affected all Log4j versions from 2.0-beta9 to 2.14.1.

In order to exploit the flaw, all that is needed is for the attacker to send malicious code that eventually gets logged by Log4j version 2.0 or higher. By using this exploit, the Java code is injected into the server and allows the attacker remote access.

Additionally, between December 16th and December 18th, 2021, two additional Log4j vulnerabilities (CVE-2021-45046 and CVE-2021-45105) were identified as being susceptible to Denial-of-Service (DoS) attacks. This vulnerability also shares characteristics of information leaks and the remote code execution like aspects of the vulnerability CVE-2021-44228.

Apache has since released a newer version 2.17.0 to remediate and patch for Log4j flaws after discovering issues with their previous releases. Furthermore, The Cybersecurity and Infrastructure Security Agency (CISA) released a Log4j scanner utility which can be used to identify services susceptible to the vulnerability.

Why it matters: Log4j is under active exploit, and it poses one of the most serious vulnerabilities on the internet in recent years as organizations and consumers of all kinds are at-risk due to the exploitable nature of this vulnerability. This vulnerability, when exploited, allows the adversaries to remotely inject malicious code which allows them to send requests to any application on the server and retrieve information about the systems. Luckily, to reduce the potential of this vulnerability being exploited, Apache has since released a newer version 2.17.0 and Log4j Scanners have been released by the Cybersecurity and Infrastructure Security Agency (CISA) to assist in locating these vulnerabilities.

New zero-day exploit for Log4j Java
library is an enterprise nightmare >

Important: Security Vulnerabilities
CVE-2021-45105, CVE-2021-45046
and CVE-2021-44228 >

How to Fix Log4J
Vulnerability >

Omicron Phishing Campaign

Summary: On December 2nd, 2021, just days after the Omicron variant was announced by the World Health Organization (WHO), the first instances of Omicron phishing email scams were brought to light by the consumer watchdog company “Which?“. The UK based company reported on several instances in which UK residents were being targeted with scam emails, text messages, and phone calls relating to the COVID-19 Omicron variant.

The phishing messages attempted to scam targeted recipients by fraudulently offering them free PCR tests that are specifically designed to detect the Omicron variant. The attackers disguised their phishing attempts to appear as though the messages were sent by the National Health Service, a public healthcare provider in England. When victims responded to the messages, they were prompted to provide sensitive information which was then sent directly to the attackers.

On December 7th, 2021, similar phishing campaigns were being spotted in universities across the United States. These phishing emails are targeting students and University staff members. These emails were seen using links to fake university login pages used to lure victims into providing the attackers with login credentials. The fake login page tactic is an example of one of the more advanced types of phishing emails. When using this tactic, the attackers create a clone of a target organization login page, a link to the clone page is provided to the user via email, and when accessed by the user the page prompts the user for login information.

Why it matters: Phishing campaigns often use current events as inspiration for conducting new scams and finding new victims. Attackers can quickly adapt to targeting certain groups of potential victims and leveraging areas of growing concern for said groups. For example, a phishing campaign may target elderly users with emails offering health care or students may be a target for loan forgiveness related phishing scams. For these reasons, it is important to be aware and vigilant when dealing with emails and websites that request any sort of personal information. Learning how to spot phishing scams is the best way to avoid being a victim.

Phishing Scam
Spotted in the UK >

Omicron Phishing
Targeting Universities >

Phishing actors start exploiting
the Omicron COVID-19 variant >

Unpatched Bug Leaves Microsoft Teams Vulnerable

howevSummary: The popular messaging application Microsoft Teams is currently susceptible to three out of the four vulnerabilities that were disclosed by the cybersecurity firm Positive Security. All the vulnerabilities stem from a system bug introduced with the Teams message live preview feature. The disclosure was originally made to Microsoft on March 10, 2021, however, only a single vulnerability has been addressed by Microsoft since then.

On December 22, 2021, a blog post by Fabian Bräunlein from Positive Security contained details of the initial disclosure made to Microsoft in March and the responses received from them. The four vulnerabilities disclosed were server-side forgery, IP address leak, spoofing, and denial of service.

Server-side forgery is an exploit that allows attackers to leak information from an internal network and use the obtained information to perform other attacks such as port scanning, and HTTP based web attacks. In this instance, applying the exploit to the Teams vulnerability may allow attackers access to information from Microsoft’s local network; however, attackers are unable to use this exploit to access user information.

The spoofing exploit, detailed in Bräunlein’s blog post, enables attackers to abuse the link preview bug to change the preview link to any web address destination. Along with the link, attackers can even change the description, mouse on-hover text, and the displayed hostname. This can be used to trick users into clicking a link and opening a malicious website.

Denial-of-Service (DoS) are attacks in which attackers can prevent legitimate users from accessing their system. The Teams vulnerability allows attackers to apply this exploit to users using the Teams Android application. This is achieved when an attacker sends a link preview with an invalid preview link. When a user attempts to access the invalid link on an Android device, the Teams application will force close continuously.

Lastly, the IP address leak vulnerability enables attackers to retrieve a user’s IP address by exploiting the link preview thumbnail. This is currently the only Teams vulnerability that has been patched by Microsoft.

Why it matters: Often vulnerabilities are not immediately patched even after they have been disclosed. In these cases, attackers become aware of the vulnerability and see it as an opportunity to apply their exploits. By paying close attention to relevant vulnerabilities in your environment, potential exploit attempts can be identified and prevented.

Four Bugs in Microsoft Teams
Left Platform Vulnerable Since March >

MS Teams: 1 feature,
4 vulnerabilities >

Researchers Disclose Unpatched
Vulnerabilities in Microsoft Teams Software >

Windows AppX Installer Spoofing Vulnerability

Summary: Microsoft reported a security flaw (CVE-2021-43890) Windows AppX Installer spoofing. This leverages a vulnerability within Microsoft AppX Installer, which is used to install AppX apps on Windows 10 & 11 systems. This flaw is exploited by adversaries using specially crafted packages that download the Emotet malware. According to Microsoft, “An attacker could craft a malicious attachment to be used in phishing campaigns in which the end user would open the specially crafted attachment”. After opening the malicious attachment, end-users would have been tricked into installing what appears to be a legitimate application, by doing so the computer would be infected with Emotet, a Trojan aimed at stealing financial information.

Why it matters: Adversaries can specifically create targeted phishing campaigns to trick end users to gain unauthorized access, install malware and attain personal information. Microsoft has released an update for the AppX Installer (Desktop Installer) as of December 14, 2021. Additionally, Microsoft recommends blocking the installation of Windows app packages for standard users and for apps outside the Microsoft Store via group policies as a countermeasure.

Windows AppX Installer
Spoofing Vulnerability >

Microsoft Fixes Spoofing
Flaw Used In Emotet Attacks >

Microsoft fixes Windows
AppX Installer zero-day
used by Emotet >

CISA Alert (AA20-280A) –
Emotet Malware >

Security Tip of the Month

As we have seen in most of these incidents mentioned in this newsletter, vulnerabilities are brought to light and malicious entities jump at the opportunity to exploit it. The Log4j incident is a prime example of why it is of the utmost importance to keep software updated and do so as soon as possible.

A major cyber security practice to mitigate any vulnerabilities is patching outdated software. Updating both applications and operating systems helps remove critical vulnerabilities that adversaries may potentially use to comprise your infrastructure and devices.

Here are some tips that may be helpful:

Configure your device system settings to automatically keep the operating system up to date.
Desktop web browsers are frequently updated. Therefore, it is important to make sure that the latest version is installed.
Mobile applications and devices are as vulnerable as their desktop counterparts. Regularly checking for phone and mobile application updates should not be neglected.