Not the Yule log we were expecting

mark.brett@socitm.net 

Written by Mark Brett, Socitm Honorary Life Member / Pro bono Cyber advisor

It’s not often that a small log file manipulation routine causes widespread panic across the internet.

That’s what happened when a small, beautifully formed Java function was exploited to be naughty, not nice, by ‘Elf on the Shelf’ gamers wanting to have fun with Minecraft servers.

The trials and tribulations of the last week only go to show that cyber and information security aren’t boring career options. The Log4j vulnerability means that the logging utility can be exploited to do things it shouldn’t, which ultimately means it could be used to deliver malware and ransomware, whether for crypto mining or to steal credentials.

So far, most of the activity is scanning (“reconnaissance”), which means that “hostile actors”, as we call them, are looking around the internet to find vulnerable servers that could be exploited later. Activity by hostile actors has been noted even at state level.

Whilst there has been a report of the Log4j vulnerability being used to deliver malicious code (what we call malware and ransomware), all is not lost. The National Cyber Security Centre (NCSC) has produced a lot of useful advice and guidance.

Over the past week, we have highlighted numerous articles, bits of advice and guidance, the best of these being:

  • a repository detailing the IOCs (Indicators of Compromise) and affected IP addresses to block;
  • a comprehensive resource for tools, techniques and software to help; and
  • a response playbook approach and related resources.

The overarching advice is to subscribe to the NCSC Active Cyber Defence tools. Sign up to the NCSC Cyber Security Information Sharing Partnership (CISP) portal. Make sure you’re a member of your regional Warning and Reporting Point (WARP). And make use of the C-TAG guidance covering information asset management, incident response and the Data Handling Guidelines.

We’ve developed a six-step approach to dealing with these types of incidents:

  1. Prepare
  2. Scan
  3. Patch
  4. Configure
  5. Monitor
  6. Respond
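
A first pass at the “Scan” step above, as an added example (not code from the Socitm post or from Socitm): it walks a directory tree for loose log4j-core JARs and flags any whose file-name version is below the target the post gives (2.17). The sample directory tree it builds is constructed for the demo; the minimum version is a parameter, so it can be raised if the advice changes.

```shell
#!/bin/sh
# Added example, not code from the Socitm post. Only file names are inspected,
# so copies nested inside WAR/EAR archives, renamed or shaded JARs are NOT found:
# treat a clean result as a starting point for the "Scan" step, not as proof.

# Return 0 if dotted version $1 is >= version $2 (first three numeric parts;
# a missing part counts as 0, a suffix such as "-rc1" is ignored).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); x=${x%%[!0-9]*}; x=${x:-0}
        y=$(printf '%s' "$2" | cut -d. -f"$i"); y=${y%%[!0-9]*}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Print "<STATUS> <version> <path>" for every log4j-core-*.jar under $1, where
# STATUS is OK (>= $2) or VULNERABLE (< $2). Return 1 if anything is VULNERABLE.
scan_log4j() {
    minver="${2:-2.17.0}"
    out=$(find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
        while IFS= read -r jar; do
            ver=$(basename "$jar" .jar); ver=${ver#log4j-core-}
            if version_ge "$ver" "$minver"; then printf 'OK %s %s\n' "$ver" "$jar"
            else printf 'VULNERABLE %s %s\n' "$ver" "$jar"; fi
        done)
    [ -n "$out" ] && printf '%s\n' "$out"
    case "$out" in *VULNERABLE*) return 1 ;; esac
    return 0
}

# Constructed sample tree (empty files named like real JARs; no software here):
# one application still on 2.14.1, two already at or above 2.17.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app1/lib" "$d/app2/WEB-INF/lib" "$d/app3/lib"
    : > "$d/app1/lib/log4j-core-2.14.1.jar"
    : > "$d/app2/WEB-INF/lib/log4j-core-2.17.0.jar"
    : > "$d/app3/lib/log4j-core-2.17.1.jar"
    printf '%s\n' "$d"
}

# Demo run: prints three lines and ends with the patch reminder for app1.
sample=$(make_sample_tree)
scan_log4j "$sample" 2.17.0 || printf 'At least one JAR is below 2.17: patch it\n'
rm -rf "$sample"
```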

Incidents such as the Log4j vulnerability are not just an Information Technology issue. They are as much about procurement and the supply chain. The risks are generated by code that is embedded in off-the-shelf software applications, systems and services. Suppliers have a key role to play here in ensuring their products and services are patched and repaired as soon as possible.

We entered this week being told that Log4j version 2.14 was the flaky one. By the end of the week, we were being told to patch to version 2.17! This only goes to show that the issue is part of a complex, dynamic situation that is continually evolving. For a good walk-through of the actual attack vector (how it can happen), the Swiss Government Computer Emergency Response Team (GovCERT.ch) has a very good explainer.

Finally, don’t let this ruin Christmas. Be kind to your IT team; they do care, but they can’t deal with this without top-level support in the organisation, so perhaps get them a thank-you for what they’ve done this week!


Not the Christmas we were expecting!

Mark Brett, 19 December 2021

It is not often that a small file-handling routine causes widespread panic across the Internet.

That is what happened when a beautifully formed Java function was exploited to be naughty rather than nice by ‘Elf on the Shelf’ players who wanted to have fun with Minecraft servers [1].

The trials and tribulations of the last week only go to show that cyber and information security are not boring career options. The “Log4j” vulnerability means that the logging utility can be exploited to do things it shouldn’t, which ultimately means it could be used to deliver malware and ransomware, whether for crypto mining or to steal credentials.

Now, most of the activity is “reconnaissance” scanning, which means that “hostile actors”, as we call them, are looking around the internet to find vulnerable servers that could be exploited later. Activity by hostile actors has been noted even at state level [2].

Although there has been a report of the Log4j vulnerability being used to deliver malicious code (what we call malware and ransomware) [3], all is not lost. The National Cyber Security Centre (NCSC) has produced a lot of useful advice and guidance [4].

Over the past week, we have highlighted a number of articles, pieces of advice and guidance, the best of which are:

  • a repository detailing the IOCs (Indicators of Compromise) and affected IP addresses to block [5];
  • a comprehensive resource for tools, techniques and software to help [6]; and
  • a response playbook approach and related resources [7].

The overarching advice is to subscribe to the NCSC Active Cyber Defence tools [8]. Register for the NCSC Cyber Security Information Sharing Partnership (CISP) portal [9]. Make sure you are a member of your regional Warning and Reporting Point (WARP) [10]. And make use of the C-TAG guidance covering information asset management, incident response and the Data Handling Guidelines [11].

We have developed a six-step approach to dealing with these types of incidents:

  1. Prepare
  2. Scan
  3. Patch
  4. Configure
  5. Monitor
  6. Respond

Incidents such as the Log4j vulnerability are not just an Information Technology matter. They are just as much about procurement and the supply chain. The risks are generated by code that is embedded in off-the-shelf software applications, systems and services. Suppliers have a key role to play here in ensuring that their products and services are patched and repaired as soon as possible [12].

We entered this week being told that Log4j version 2.14 was the flaky one. By the end of the week, we were told to patch to version 2.17! [13] This only goes to show that the matter is part of a complex, dynamic situation that is continually evolving. For a good walk-through of the actual attack vector (how it can happen), the Swiss Government Computer Emergency Response Team (GovCERT.ch) has a very good explainer [14].

Finally, don’t let this spoil Christmas. Be kind to your IT team; they do care, but they cannot deal with this without top-level support in the organisation, so perhaps thank them for what they have done this week!

Sources

[1] https://www.theguardian.com/commentisfree/2021/dec/18/how-cut-and-pasted-programming-is-putting-the-internet-and-society-at-risk

[2] https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-by-state-backed-hackers-access-brokers/

[3] https://appleinsider.com/articles/21/12/13/critical-log4j-java-flaw-being-used-to-deliver-malware-crypto-miners

[4] https://www.ncsc.gov.uk/blog-post/log4j-vulnerability-what-should-boards-be-asking

[5] https://github.com/curated-intel/Log4Shell-IOCs

[6] https://github.com/snyk-labs/awesome-log4shell

[7] https://www.cisecurity.org/log4j-zero-day-vulnerability-response/

[8] https://www.ncsc.gov.uk/section/active-cyber-defence/introduction

[9] https://www.ncsc.gov.uk/section/keep-up-to-date/cisp

[10] https://socitm.net/about/warps/

[11] https://guidance.ctag.org.uk

[12] https://www.reuters.com/technology/major-tech-companies-struggle-plug-holes-logging-software-2021-12-16/

[13] https://www.zdnet.com/article/apache-releases-new-2-17-0-patch-for-log4j-to-solve-denial-of-service-vulnerability/

[14] https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/