Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Cybersecurity Snapshot: Insights on Log4j, Memory Attacks, Cloud Security, Ransomware

Cybersecurity Snapshot: Insights on Log4j, Memory Attacks, Cloud Security, Ransomware

Get the latest on an APT’s Log4Shell exploit; tips to prevent memory attacks; cloud security trends; metaverse security; and more! 

Dive into 6 things that are top of mind for the week ending Nov. 18.

1 - CISA Advisory: Iranian APT exploits Log4Shell to breach U.S. government agency

In a high-profile public exploit of Log4Shell, an advanced persistent threat (APT) group from Iran leveraged the dreaded Log4j vulnerability to breach a U.S. government agency.

How did they do it? They compromised an unpatched VMware Horizon server. The breach occurred in February and wasn’t discovered until mid-year when the Cybersecurity and Infrastructure Security Agency (CISA) investigated suspicious APT activity at the unnamed agency.

CISA Advisory: Iranian APT exploits Log4Shell to breach U.S. government agency
After exploiting Log4Shell, the attackers “installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” reads a joint advisory issued by CISA and the FBI this week.

The advisory, titled “Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester,” details the APT group’s tactics, techniques and procedures, and its indicators of compromise. CISA and the FBI urge all organizations with vulnerable VMware systems to assume they’ve been compromised and launch threat hunting efforts.

For more information, read the CISA/FBI advisory, their official announcement and a malware analysis report. You can find more coverage and analysis from The Register, SecurityWeek, The Record, TechCrunch and Silicon Angle.

You can also check out Tenable’s Log4j page, which has a wealth of information and resources about Log4Shell, which was discovered almost one year ago.

2- How’s cloud security going for you?

Security is top of mind for any organization adopting cloud, so at our recent webinar “Cloud Security Roundtable: Scaling Cloud Adoption without Sacrificing Security Standards” we took the opportunity to poll attendees about their main challenges, approaches and priorities for cloud security. Check out the results below.

Biggest cloud security challenges poll

(60 respondents polled by Tenable, October 2022)

Current approaches to cloud security

(56 respondents polled by Tenable, October 2022)
Top cloud security priorities poll

(39 respondents polled by Tenable, October 2022)

For more information about cloud security, check out these Tenable resources:

3 - Excess user privilege: A cloud security weak link

Giving users more permissions than they need is a common configuration mistake organizations make in their cloud deployments because, in case of a breach, it helps intruders move laterally and compromise additional assets.

That’s one of the findings from the “2022 IBM Security X-Force Cloud Threat Landscape Report,” which found this problem of “excess privilege” for cloud identities in a whopping 99% of analyzed penetration tests.

Here are other findings from the report, which is based on an analysis of threat intelligence data, pen testing results, incident response results, dark web insights and other information compiled between July 2021 and June 2022:

  • More than 100,000 cloud accounts were found being peddled on the dark web, a 200% jump from 2021. Access to most (76%) is sold through remote desktop protocol, followed by compromised/stolen credentials (19%.)
  • Cryptominers and ransomware are the top malware types used to target cloud environments.
  • 26% of the cloud compromises analyzed resulted directly from exploiting a vulnerability, as cloud vulnerabilities have surged 540% in the last six years, while also increasing in severity.

Cloud vulnerabilities grow exponentially in past 10 years

(Source: “2022 IBM Security X-Force Cloud Threat Landscape Report,” October 2022)

For more details, check out this summary of the report.

Here’s more information about cloud security:

4 - Report highlights ransomware threat against U.S. banks

U.S. banks reported the highest number of ransomware-related incidents ever, as well as the largest amount of actual or demanded ransomware payments, to the U.S. Treasury Department in 2021. According to a report, the department’s Financial Crimes Enforcement Network (FinCEN) received almost 1,500 reports worth nearly $1.2 billion, up 188% from $416 million in 2020. The report also notes that during the second half of 2021, the majority of the ransomware variants reported to FinCEN could be related to Russian cyberattackers.

“Today’s report reminds us that ransomware — including attacks perpetrated by Russian-linked actors — remain a serious threat to our national and economic security,” said FinCEN Acting Director Himamauli Das in a statement.

FinCEN’s detection and mitigation recommendations for financial institutions include:

  • To actively block suspicious activity, feed indicators of compromise from threat data sources into intrusion detection systems and security alert systems.
  • If you identify ransomware activity, report it right away to law enforcement, including CISA, the FBI, FinCEN, the U.S. Secret Service and the Office of Foreign Assets Control.
  • Be on the lookout for “red flag” indicators of ransomware-related financial activity, such as IT activity detected in system log files or network traffic that points to known ransomware indicators or actors.

For more guidance and best practices:

5 - Europol: Police chiefs need to get hip to the metaverse

The metaverse is still under construction, but the time is now for law enforcement agencies to get ready to police it. So says Europol, which just released a report that explains what the metaverse is, how it could be used by cybercriminals and what steps law enforcement agencies can take to prepare.

Law enforcement must prepare to policy the metaverse

Titled “Policing in the metaverse: what law enforcement needs to know,” the report highlights key areas for potential criminal activity in the metaverse, including:

  • Identity, because the metaverse will exponentially enrich digital identities, making them more valuable to cybercriminals
  • Finance, because it will create a fertile environment for fraud and money laundering as financial transactions involve decentralized cryptocurrencies 
  • Harassment, abuse and exploitation, including of children, as the boundary between a person’s physical and digital identity further blurs in virtual reality
  • Terrorism, because the more immersive experience of the metaverse will allow terrorist organizations to intensify their recruitment and training activities
  • Mis- and disinformation, as the metaverse offers much more precise data to target specific demographics with propaganda

Europol advises law enforcement agencies to build an online presence in the metaverse; experience the metaverse and its related technologies; and engage with companies that are creating it.

“Having an understanding of what is being developed will be essential for engaging all relevant actors and building a picture of the needs and responsibilities of law enforcement in the metaverse,” reads the report.

For example, the report highlights the examples of Norway, which since 2015 has been putting “internet patrols” on various social media, gaming and streaming platforms as a resource for users; and of France, where law enforcement set up an online presence in Fortnite to help children who face abuse there.

For more information, read the report and watch this Europol video:

Check out additional coverage and analysis of metaverse security from VentureBeat, ZDNet, TechTarget, MIT Technology Review and Wired, as well as this video report from Minneapolis TV station KARE 11: https://www.youtube.com/watch?v=p8QV0j5uUv4

6 - NSA zeroes-in on software memory vulnerabilities

Developers should use programming languages that are less likely to yield applications vulnerable to software memory attacks like buffer overflows. That’s the advice from the U.S. National Security Agency (NSA), which just released a guide focused on software memory safety. 

In it, the NSA discourages developers from using languages such as C and C++, because they offer too much “freedom and flexibility” when it comes to memory management, and put the onus on the developer to ensure the application isn’t vulnerable to software memory attacks.

“Software analysis tools can detect many instances of memory management issues and operating environment options can also provide some protection, but inherent protections offered by memory safe software languages can prevent or mitigate most memory management issues,” the guide reads.

The NSA recommends using “memory safe” languages, including C#, Go, Java, Ruby, Rust and Swift. If a developer must use an unsafe memory language, the NSA encourages them to use static and dynamic application security testing tools to flag memory use problems. 

In addition, “anti-exploitation” steps can be taken to harden compilation and execution environments via features and techniques like control flow guard (CFG), address space layout randomization (ASLR) and data execution prevention (DEP).

For more information:

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.