Log4j, Log4Shell or LogJam CVE- 2021-44228 RCE

Explaining #log4j for non-technical people, because the internet is burning down and y'all might want to know what's happening and why there's all this "${jndi:ldap" stuff out there.

Log4j is a popular logging library used in Java programming language. A logger is a piece of software that saves data on a computer. It is used to monitor what is happening, determine if the software runs smoothly, or catch information to help debugging when things go wrong.

It logs a lot of information. When you browse to a website, it will write down what IP address you have, what browser you are using (firefox, chrome, edge... ), when you made the request, what page you accessed... and more!

So, this log4j library is used in A LOT of Java software, and there is approximately 3 billion devices that run Java. Quick math: that's huge.

Log4j is present in web servers, your phones, possibly on your smart fridge and plenty of other places...

A logger is supposed to just write down what happens to a hard drive, or send it to another server to store it. But in the case of log4j, there are a few things that are performed before writing anything. One of the things it does is look for patterns like ${something} and will try to replace it with another piece of information. It is used to add context, for example, ${date} would be replaced by today's date.(I have no idea if this example works, it's just to keep it simple)

So when there's a ${jndi: pattern, it will try to replace it. 

Except that this pattern triggers another mechanism that loads a resource from another computer, anywhere on the internet, we just have to tell it where to get the data from. This data can be a malicious software.

Due to some internal Java mechanism, this malicious software is automatically run on the computer that used log4j. This means that at this point hackers can make the targeted computer do (almost) whatever they want. This gets really bad because we don't need to know which computer to target.

Remember when I said the web servers logs what browser you use? Well, we can just tell it that our browser is "${jndi: [...]", and if it uses log4j it will trigger the vulnerability.

In real life that would be the same as giving the keys to your house to a random stranger you just saw pass in front of you, without even realizing it. So... yeah. #log4j the above simple explanation by Emy| eq in tweeter entropyquween_

So this is big and affected a lot of companies with servers confirmed to be vulnerable to Log4Shell attacks include the likes of Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DIDI, JD, NetEase, and possibly thousands more.

Apache has released Log4j 2.15.0 to address the maximum severity CVE- 2021-44228 RCE vulnerability.  https://t.co/PzSkXJUxEi 

Workaround so far: Upgrade log4j or if you cannot upgrade then you can mitigate the RCE vulnerability by setting log4j2.formatMsgNoLookups to True (-Dlog4j2.formatMsgNoLookups=true in JVM command line).

Note that this workaround only works for log4j2 version 2.10...2.15. If companies have an older library version of log4j2 (note that having an older version inside .jar archive does count) this workaround is not safe to use.

Mitigation for previous releases (>=2.10): set system property "log4j2.formatMsgNoLookups" to "true" or remove the JndiLookup class from the classpath.

Issue Found on update: 

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. https://www.cve.org/CVERecord?id=CVE-2021-45046

 

And another issue discovered: Web infrastructure company Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit a second bug disclosed in the widely used Log4j logging utility, making it imperative that customers move quickly to install the latest version as a barrage of attacks continues to pummel unpatched systems with a variety of malware.

The new vulnerability, assigned the identifier CVE-2021-45046, makes it possible for adversaries to carry out denial-of-service (DoS) attacks and follows disclosure from the Apache Software Foundation (ASF) that the original fix for the remote code execution bug — CVE-2021-44228 aka Log4Shell — was "incomplete in certain non-default configurations." The issue has since been addressed in Log4j version 2.16.0.

More Details Here:

https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html

Detection:

A. Test and detect vulnerable applications. by John Hammond

https://log4shell.huntress.com/

The explain-like-I'm-five breakdown is that you simply copy and paste the generated JNDI syntax into _anything_ (typically form fields, application input boxes, logins, anything) and check if it received a connection. NO code is ran on other than making this connection to test.

B. How to test your apps for #log4shell vulnerability

1. Generate a DNS token https://t.co/vCzVG0O03i

2. Wrap that token in 

Prefix: ${jndi:ldap://

Suffix: /a}

3. Use that value in search forms, profile data, settings etc. of your apps

4. Get notified when you triggered a reaction https://t.co/1w6jmF9qgy

C. I know that using regex is dumb and shit, but it's just first-line defense. This one I is capable to detect obfuscated payloads and should produce very few false positives:

\${(\${(.*?:|.*?:.*?:-)('|"|`)*(?1)}*|[jndi:(ldap|rm)]('|"|`)*}*){9,10}

D. If you are looking for Vulnerable Software on Linux, Docker Container, Kubernetes Pods the following command may help you.

find -name "*.jar" -exec sh -c 'unzip -l "{}" | grep -i --color=always JndiLookup.class' ; -print

find -name ".jar" -exec sh -c 'unzip -l "{}" | grep -i --color=always log4j-core-2..jar' ; -print

E. A quick and dirty way by Jay Minton you can find his other awesome work here https://www.jaiminton.com/#

 To find jar files that have a JndiLookup.class in PowerShell (change drive).

gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path

Running the following in PowerShell as Admin on Windows should mitigate the issue for any instances >=2.10

[Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS","true","Machine")

For forensic examiners, it's not known how practical exploitation is, but both Cellebrite BlackLight and Autopsy use components that leverage the vulnerable log4j class.

Elasticsearch for BlackLight (possibly inspector also), and Apache Solr for Autopsy keyword searching.

F. You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log

This command searches for exploitation attempts in compressed files in folder /var/log and all sub folders

sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'

Grep / Zgrep - Obfuscated Variants

These commands cover even the obfuscated variants but lack the file name in a match.

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -I -i 'jndi:(ldap[s]?|rmi|dns):'" \;

This command searches for exploitation attempts in compressed files in folder /var/log and all sub folders

sudo find /var/log/ -name "*.log.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'"  \;

Guidance from Microsoft: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

Microsoft Sentinel queries Possible exploitation of Apache log4j component detected

https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Apache_log4j_Vulnerability.yaml

This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache.  Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.

Cryptocurrency miners EXECVE : This query hunts through EXECVE Syslog data generated by AUOMS to find instances of cryptocurrency miners being downloaded.  It returns a table of suspicious command lines.

Microsoft Sentinel also provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing the vulnerability:  https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell

CURATED Intel: IOC and report https://github.com/curated-intel/Log4Shell-IOCs

https://crowdsec.net/log4j-tracker/

Other info:

This repo seems to have a good few high traffic sites being vulnerable for CVE- 2021-44228   https://github.com/YfryTchsGD/Log4jAttackSurface 

Customers can run commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE- 2021-44228 can be found here  https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

PoC:  https://t.co/yShp4iRTxJ

Patch:  https://t.co/rVSq2EZfoT

Technical breakdown:  https://t.co/QWRkh6rk4y

Crowdstrike blog https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/

 And more

https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217

https://gist.github.com/yt0ng/8a87f4328c8c6cde327406ef11e68726

https://urlhaus.abuse.ch/browse/tag/log4j/

Fortinet  detection solution https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Using-FortiAnalyzer-to-detect-activities-related/ta-p/201026

Try hackme box for practice : https://tryhackme.com/room/solar

Happy Hunting.

Read More

Best Free Open Source Software of 2022 for your Home or Small Business

The term OPEN SOURCE refers to software whose source code is freely available to download, edit, use and share, with no copyright restrictions and that's why we love it.

You will find open source versions of almost every software imaginable - from Operating systems, office suites, media to accounting, and productivity. With that in mind, here's our pick of the very best open-source software.

Operating System: Linux

Let's start with the main thing you need first is an Operating System for your PC or Laptop. In the past 10 years, the gap between the features in all the major operating systems has become smaller and smaller. Linux operating systems aren't just for geeks and nerds. Anyone can install Linux and use it for their everyday computing needs including browsing the web, watching Netflix, typing letters, sorting home finances, video editing, photo editing, and managing music collections. There is a lot of option to choose from for everyone from Novice to System Administrator to  Hackers and Security professionals everyone loves Linux as their OS.

Ubuntu: One of the most popular distros for good reason, Ubuntu is an open-source software operating system that runs from the desktop, to the cloud, to all your internet connected things.

Ubuntu is officially released in three editions: Desktop, Server, and Core (for the internet of things devices and robots). Ubuntu is a popular operating system for cloud computing. Ubuntu is released every six months, with long-term support (LTS) releases every two years.  Download form here

 

Linux Mint is a great ‘default’ distro for new Linux users, as it comes with a lot of the software you’ll need when switching from Mac or Windows, such as LibreOffice, the favored productivity suite of Linux users. It also has better support for proprietary media formats, allowing you to play videos, DVDs, and MP3 music files out of the box. Why not give it a go today.  

Office software: LibreOffice

The next is you required your productivity tool and here comes to the rescue. LibreOffice is a powerful office suite – its clean interface and feature-rich tools help you unleash your creativity and enhance your productivity.  LibreOffice is a full suite of workplace software package, together with wonderful apps for text documents, spreadsheets, presentations, and databases. These are all absolutely compatible with the most recent Microsoft file formats, thus you’ll haven't any hassle sharing files that employ with users of Word, Excel, PowerPoint, and Access.

LibreOffice includes several applications that make it the most powerful Free and Open Source office suite on the market. You can download it form clicking on their official link here .

 

Email client: Mozilla Thunderbird

Email is a key part of our everyday life Thunderbird is a free and open-source email, news feed, chat, and calendaring client, that’s easy to set up and customize. One of the core principles of Thunderbird is the use and promotion of open standards - this focus is a rejection of our world of closed platforms and services that can’t communicate with each other. We want our users to have freedom and choice in how they communicate. You can download it form clicking on their official link here .

Web browser: Mozilla Firefox

Download Mozilla Firefox, a free Web browser. Firefox is created by a global non-profit dedicated to putting individuals in control online. Firefox is available for Microsoft Windows, macOS, Linux, BSD, illumos, and Solaris operating systems. Its sibling, Firefox for Android, is also available.You can download it form clicking to their official link here even you can download in your onw language .

 

Accounting / Small Business Accounting: GnuCash

GnuCash is personal and small-business financial-accounting software, freely licensed under the GNU GPL and available for GNU/Linux, BSD, Solaris, Mac OS X, and Microsoft Windows. Designed to be easy to use, yet powerful and flexible, GnuCash allows you to track bank accounts, stocks, income, and expenses. As quick and intuitive to use as a checkbook register, it is based on professional accounting principles to ensure balanced books and accurate reports. Download here

Clean Your System and Free Disk Space: BleachBit

When your computer is getting full, BleachBit quickly frees disk space. When your information is only your business, BleachBit guards your privacy. With BleachBit you can free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn't know was there. Designed for Linux and Windows systems, it wipes clean thousands of applications including Firefox, Internet Explorer, Adobe Flash, Google Chrome, Opera, Safari, and more. Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster. Better than free, BleachBit is open source. Download link

Password manager: KeePass Password Safe

Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website's FTP password, online passwords (like website member account), etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). Download link

Safeguard Your Data/ Disk Encryption: 

DiskCryptor is an open encryption solution that offers encryption of all disk partitions, including the system partition. DiskCryptor is file and drives encryption software with all the whistles and bells you will ever need. Just like in TrueCrypt, DiskCrypror can encrypt any of your files, system drives, and other external devices like CD’s and thumb drives. Moreover, DiskCryptor can encrypt your data with different encryption algorithms like AES (Advanced Encryption Standard), Twofish, Serpent, and also uses a combination of cascaded algorithms for increased security. If you are previously using TrueCrypt for your encryption purposes, then DiskCryptor is the closest free option available with active development and support.

Media player: VLC Media Player

VLC media player (commonly known as VLC) is a free and open-source, portable, cross-platform media player and streaming media server.VLC offers everything you could need from a media player - comprehensive format support, streaming, downloading, and much more download here

 

Photo editor: GIMP

GIMP is a cross-platform image editor available for GNU/Linux, OS X, Windows, and more operating systems. It is free software, you can change its source code and distribute your changes. Whether you are a graphic designer, photographer, illustrator, or scientist, GIMP provides you with sophisticated tools to get your job done. You can further enhance your productivity with GIMP thanks to many customization options and 3rd party plugins.Download Link

Video editor: Shotcut

Shotcut is a free, open-source, cross-platform video editor. Shotcut is a free, open-source, cross-platform video editor for Windows, Mac and Linux. Major features include support for a wide range of formats; no import required meaning native timeline editing; Blackmagic Design support for input and preview monitoring; and resolution support to 4k. More features and download link here

Audio editor: Audacity

Free, open-source, cross-platform audio software. Audacity is an easy-to-use, multi-track audio editor and recorder for Windows, Mac OS X, GNU/Linux  Download Here

What did we miss?

Is there an open-source application that we missed? These are just a few of the best open-source/ free software I use for my personal use. They offer terrific value and since most of them are open source they are more secure for your privacy and protection in this digital age. 

We think of this as a work in progress, so if you believe there is software that should be added to this list, please let us know in the comments section below.

If you like this post feel free to re and if you want to connect with me just add me up on LinkedIn  Faysal Hasan https://au.linkedin.com/in/faysalhasan

Read More

Insider Threat

 

An Insider can be ANYONE Employee, Contractor, Business Partner, etc. with the right motive and means, and can have a Tactics at their disposal, that will put an organization’s assets at risk. An organization must Think Outside The Box to successfully detect and mitigate the risks posed by Insiders.

 

 

 

Malicious Insiders don’t care about compliance regulations. They just look for security gaps and vulnerabilities within an organization, to achieve their objectives. The impacts from Insider Threat incidents can be very severe, costly and damaging. 

 

Not all incidents by Insiders are malicious. Non-Malicious Insider incidents can be just as damaging as malicious incidents. Given this threat landscape, it is imperative that critical infrastructure entities prioritize and dedicate resources to preempt and/or mitigate insider threat.

 

To help The National Counterintelligence and Security Center (NCSC) issued “Insider Threat Mitigation for U.S. Critical Infrastructure Entities: Guidelines from an Intelligence Perspective. Read on attached document if you interested .  insider threat 

 

Related to this is another whitepaper by Simone (Cy) Genna publish by SANS Title: Information Security Starts with the Employees which you can download from here 

 

 

 

#cybersecurity #informationsecurity #databreach #datasecurity #intelligence #infrastructure #risk

Read More

Kaseya VSA Supply-Chain Ransomware Attack

After #printnightmare Another High Alert for Security Community and administrators. No weekend or holidays for #cybersecurity .

#Kaseya VSA Supply-Chain #Ransomware Attack by ransomware group REvil is exploiting vulnerable instances of Kaseya VSA globally. 

Kaseya VSA is a platform that provides endpoint management and network monitoring. Anyone who is currently using or has a MSP that is running #Kaseya software has potentially been compromised! 

Once inside the supplier’s system, attackers use it as a jumping off point to access its customers’ networks too. Then they install ransomware, which locks up victims’ data, only releasing it once a ransom payment has been made.

It is recommend organisations follow the advice provided by Kaseya, to immediately #shutdown your Kaseya server until further notice. 

So far 200 US company affected and one of Sweden's biggest grocery chains, closed all of its 800 stores today after this attack as they were unable to operate its cash registers.

Technical Details: Kaseya supply chain attack Indicators of Compromise (IOCs)

HASHES (SHA256) d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e e

2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2 8

dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd 

More info available here: https://lnkd.in/gJ5hfD2 S

someone rightly said Cybercriminals are awful for a whole bunch of reasons, but especially for ruining long weekends and holidays for IT professionals over and over again. Be nice to your IT team. They're the ones working through the nights and weekends to protect you from these scum. 

 #ThreatHunting #IOC #REvil #KaseyaVSA #KaseyaHacked #KaseyaVSA #MSP

Read More

Print Spooler vulnerability PrintNightmare

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. 

An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. Attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the #Print #spooler service disabled. Do It now and save yourself from Print spooler vulnerability CVE-2021-34527 #printnightmare

see the flowchart to determine if you required to disable print spooler now

If disabling the Print Spooler service is appropriate for your organisation you can do the following way.

1. The recommended way to do this is using a Group Policy Object via

Computer Configuration > Administrative Templates > Printers >>

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks 

 2. You can also use the following PowerShell commands:

 Stop-Service -Name Spooler -Force 

 Set-Service -Name Spooler -StartupType Disabled

 Good Luck. 

 #windows #printer #printnightmare

Read More

Commmon Cyber Security Terms

Real life example of Cyber risk response.  This might help you to understand some key concept in cyber world. After all, Cyber Security don't have to be boring, right. Then read on, this might help you smile. 

 

Threat Actors = someone who wants to punch you in the face. 

Threat = the punch being thrown.

Severity = whether you fall down after the punch, and how long it might take for you to stand up again.

Vulnerability = your inability to defend against the punch 

Risk = the likelihood of getting punched in the face  

Acceptable Risk = your willingness to be punched in the face  

Attack Surface = the size and shape of your face 

Impact = broken nose, medical bills, lost time at work
Single loss event = one tooth,
Risk appetite = number of teeth willing to part with,
Compensating control = dentures / Mate who was in the special forces'
Vulnerability Assessment = checking the size and shape of your face
Compliance = how you think this all works until you've been punched in the face
Risk posture = whether you know that talking shit in a pub is likely to get you punched in the face or not.
RTO = how long it takes you to regain consciousness
RPO = how much you forget when you blacked out 

Cyber Risk Insurance = your mates at the pub betting on if you can "talk that kinda shit" and not get punched in the face 

 

Penetration testing / PEN TEST = saying "boo" very loudly to see if you'll protect your face 

Red Team = boxing 

Exploit = the fist 

0day = kick in the groin  

Side channel = your wallet being nicked whilst you are being punched in the face.

APT = a mate who also wants to punch you in the face 

Unhackable = Pissing off professional boxers while bragging about your knowledge of Karate.

Bounty Hunter = someone who promises to wear gloves when they punch you if you promise to pay them based on where they punch you 

Bug Crowd = cage fight organizer.

Security stack /  Blue Team = your mates at the pub with you 

Patch Tuesday = your weekly gym visit

Alert = friend who calls an ambulance.
Investigation ➡️ triage: the EMTs who arrive.
Incident response: the doctors who remediate your punched face.
Digital forensic: documenting your injuries to reconstruct the type of punch in detail.
Threat Intelligence = pointing at a person that has a history of punching people in the face.i e, “Bob’s going to come at you with a right cross” 

Air gap = avoiding the pub by staying at home
DEFCON presentation = all of your friends getting drunk in Las Vegas watching video of you being punched in the face.


Enjoy your day.

credit: it all started from caseyjohnellis @cje twitter account

Thanks  Faysal Hasan  Connect with me in Linked In

Read More