Threat Summary

Log4j/Log4shell is a remote code execution vulnerability (RCE) in Apache software allowing attackers unauthenticated access into the remote system. It is found in a heavily utilized java open-source logging framework known as log4j. The framework is widely used across millions of enterprise applications and therefore a lucrative target for threat actors to exploit. The availability of the POC exploit and ease of exploitation triggered the widespread exploitation attempts that we are now witnessing.

CVE-2021-44228 – Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation.

Should the vulnerability be present, an attacker might run arbitrary code by forcing the application or server to log a specific string. This string can force the vulnerable system to download and run a malicious script from the attacker-controlled system, which would allow them to effectively take over the vulnerable application or server.

A full technical analysis can be found here:

McAfee Advanced Threat Research: Log4Shell Vulnerability is the Coal in our Stocking for 2021

In this blog, we present an overview of how you can mitigate the risk of this vulnerability exploitation with McAfee Enterprise solutions. Due to the severity of this vulnerability and the observed exploitation attempts already taking place, the KB article linked below will be continually updated to communicate detailed actions to mitigate risk with McAfee Enterprise products. Subscribe to this KB article to receive updates pertaining to related coverage and countermeasures.

KB95091: McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution

Attack Chain and Defensive Architecture

Organisations preparing to defend against this threat needs to think beyond the initial access vector. What the vulnerability allows a threat actor to do is initially only connect to a remote endpoint and establish a beachhead. The attacker only gets a return on investment when they can exploit that initial foothold either to move laterally, execute additional payloads on the endpoint or attack other organisations as part of a botnet. Instead of just focusing on the initial access vector, let’s look at the entire defensive kill chain.

The impact on organisations varies between resource takeover, denial of service or data theft. Therefore, making visibility in attack patterns and trend via threat intelligence extremely critical. In addition, other attack vectors have been discovered which allows for local exploitation of the log4j library over WebSocket.

Let’s walk through the defense lifecycle in more details

Getting the Latest Threat Intelligence

Threat Intelligence is critical to adapt security controls and gain an understanding of attacker techniques and active campaigns exploiting the vulnerability

 

The MVISION Insights platform reports threat intelligence related to the Log4j attacks under the campaign name Log4Shell – A Log4j Vulnerability – CVE-2021-44228.

The Global Prevalence map snapshots captured on the 10th and 16th December 2021 demonstrates how impactful has being the vulnerability so far and how fast activity, both defender and attack, is increasing and spreading worldwide.

MITRE Techniques Observed:

Exploit Public-Facing Application – T1190 (Initial Access)
Exploitation of Remote Services – T1210 (Lateral Movement)
External Remote Services – T1133 (Initial Access, Persistence)
Resource Hijacking – T1496 (impact)
Web Shell – T1505.003 (Persistence)

As we are writing this blog, on MVISION Insights there are 1,813 IOCs including MD5, SHA256, URL, IP, DOMAIN, HOSTNAME. In terms of Determinism, 1,632 are unique and 30 are commodity.

The top MD5 detected so far has been related to Kinsing (MD5: 648effa354b3cbaad87b45f48d59c616), a crypto miner with backdooring features. The file runs on Linux machines and has been uploaded on Virus Total for the first time in December 2020.  Its detection increased by 161% between the 11th and the 15th of December 2021 and it is currently observed in 19 different countries. The log4j vulnerability is helping threat actors to push Kinsing malware via encoded payloads to vulnerable services exposed to the internet. And this is just the tip of the iceberg. We are actively monitoring for and analyzing new payloads.

The same unique indicator is also reported as part of other two threat campaign on MVISION Insights:

Kinsing Malware Adds Windows to Its Target List
Misconfigured Apache Hadoop YARN Exploited

Since April 2020, when the Kinsing crypto miner was discovered, further developments of the malware have occurred including a rootkit component and other features that make detection harder. Kinsing comes with multiple shell scripts that download and install the backdoor, miner, and rootkit alter the system itself.

The IP address 45.155.205[.]233 included within the MVISION Insights IOCs and used by threat actor as a log4j callback attack server has been detected 6,884 times by December 4th topping 15,106 detections by December 7th. Most detected countries included the United States, Turkey, Thailand, UK, Taiwan, and Italy.

MVISION Insights also includes indicators related to unique variants of MIRAI botnet that McAfee observed being leveraged by threat actors to exploit the log4j vulnerability.

Shell scripts are using wget and curl tools for external communication as part of the attack chains analyzed.

Latest updates highlighted Conti ransomware group actively leveraging the Log4Shell exploit to gain access to internal corporate resources and lunch their malicious payloads. But also, Khonsari group and state sponsored APT35 have been reported by researchers.

Determining your Asset Exposure

In this case, you should detect and prioritise internet facing applications running java-based web servers such as Apache Tomcat, either isolate or patch these resources. Run vulnerability scans for both monolithic and containerized workloads to build an inventory of assets that might be impacted.

MVISION Cloud

Continuously discovers your cloud resources and can run vulnerability scans for Virtual Machines and Containerized workloads in the cloud. MVISION Cloud has the ability to build an inventory of running processes within workloads as part of it application control capabilities. If log4j is used as a separate package we will detect the vulnerability in both runtime and container registry. If the log4j is included in the java binary we will not be able to scan it.

Ensure you run configuration audits for cloud assets that allow unrestricted outbound access and does not use firewalls or NAT GW’s for outbound connections. Run configuration audits for secondary misconfigurations that might allow the attacker to exploit IAM to elevate privileges, gain persistence or takeover other resources. 

MVISION Insights

Compares the available defensive capabilities on the endpoint to the attacker techniques, tools and IOC’s and highlights exposed endpoints.

MVISION EDR

You can perform real time searches in MVISION EDR to identify endpoints with Log4j binaries.

Blocking Exploitation Attempts

The attacker only succeeds if they can get to this stage so blocking outbound suspicious connections, preventing execution of additional payloads, and protecting credentials/auth tokens theft are things that could prove to be critical in defeating the attack. As part of the available threat intelligence attackers are using several post exploit methodologies to pivot from the original log4j injection vulnerability. This varies from misuse of resources with crypto miners, deploying malware, or exfiltrating sensitive information.

MVISION Cloud – Cloud Native Application Protection Platform (CNAPP)

Use Application Control (VM and Containers) to kill unverified server processes and payloads from executing.

OS Hardening (VM) – ensure that SE Linux state is enforcing

MVISION UCE

Use UCE URL filtering and Remote Browser Isolation to prevent browser-based exploit attempts over WebSocket and C2 attempts.

McAfee Endpoint Protection Platform

Use signature-based protection in ENS 10.7 to block known hashes of second stage malicious payloads. On December 12, 2021, McAfee Enterprise released V3 AMCore content 4648 (ENS) and V2 DAT 10196 (VSE). Generic detections are provided under the title Exploit-CVE-2021-44228.C.

In ENS (Endpoint Security) 10.7 update 4 and above, there is a powerful security feature available to every defender, which is the ability to trigger a memory scan from an Expert Rule. For more details on this capability, please see this blog post from our AC3 team

https://www.mcafee.com/blogs/enterprise/log4j-and-the-memory-that-knew-too-much

Additionally, it is recommended to enable the ENS ATP rules that prevent or detect post exploitation techniques such of second stage payload execution, credential dumping or encryption activity from ransomware, use of malicious tools or lateral movement.

Network Security Platform

An Emergency User Defined Signature has been written and tested by McAfee Enterprise to provide immediate protection against the Apache Log4j2 Remote Code Execution Vulnerability.

User-Defined Signature: KB95088 – REGISTERED – NSP Emergent UDS Release Notes – UDS-HTTP: Apache Log4j2 Remote Code Execution Vulnerability
Attack ID: 0x4529f700
Attack Protocol: HTTP
Attack Direction: Client to Server
To be included in the next regular sigset? Yes
Released date: December 10, 2021

For details on latest signatures, please follow the KB…KB95091: McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution

Detecting and Hunting for Exploitation Activities

Assuming breach is critical especially if you know that you had exposed assets and therefore, build forensics and post exploitation detection techniques this includes exploitation of living of the land binaries (LOLBINS), credential dumping as well as using information such as known file hashes / hunting queries to query web server / reverse proxy/ Network IPS logs.

MVISION Insights

In addition to an Intelligence Summary, Insights provides exportable YARA rules to find additional Indicators of Compromise.

MVISION EDR

As mentioned above, you can leverage Real Time and Historical Search functionality to proactively identify vulnerable systems or post exploit activity such as…

historical process execution spawning from Java as this could be a clear indicator that the parent java process was used to spawn additional malicious processes.
monitoring for detection of threats emanating from assets running Java
identify outbound communication attempts to known C2 domains through DNS or Web traffic

Identify Indicators of Compromise associated with exploit payloads

Data Exfiltration Visibility and Control with Cloud Security

Along with control on the endpoint, visibility into attacks and where data is being uploaded is also critical to stopping Data Exfiltration. Mapping threats to the MITRE ATT&CK Framework will provide visibility into ongoing attacks happening in the cloud and where security controls can be improved to stop future attacks.

Another critical method to stopping the exfiltration of data is putting restrictions against data uploads to non-sanctioned cloud storage. Limiting data uploads to only sanctioned Cloud Service Providers can stop external and insider threats from transferring data to Cloud Services that are questionable or not sanctioned. The Cloud Registry within MVISION Cloud/Unified Cloud Edge will provide ratings for well over 25,000 Cloud Service Providers so restrictions can be placed on CSPs with high risks or attributes that put company data at risk.

Summary

The current situation is dynamic and our resources to help you understand the attack and mitigations available are also evolving. For the latest updates on McAfee Enterprise threat intelligence and defender resources please continue to follow these sites

MCFE Log4Shell Vulnerability KB: https://kc.mcafee.com/corporate/index?page=content&id=KB95091

MCFE Log4Shell Security Bulletin: https://kc.mcafee.com/corporate/index?page=content&id=SB10377

MCFE Log4Shell Vulnerability Blog: https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/log4shell-vulnerability-is-the-coal-in-our-stocking-for-2021/

MCFE Log4Shell Exploit Demonstration by McAfee ATR: https://www.linkedin.com/posts/mcafeeenterprise_cve-2021-44228-log4shell-exploitation-activity-6876241150219485184-URLE

MCFE LinkedIn Live Customer Briefing: https://www.linkedin.com/posts/mcafeeenterprise_mcafee-enterprise-atr-explore-the-internet-breaking-activity-6876614287197122560-wNuD

FEYE Log4Shell Vulnerability KB: https://community.fireeye.com/s/article/000003827

The post Threat Intelligence and Protections Update Log4Shell CVE-2021-44228 appeared first on McAfee Blogs.

Read More

Most of us take our skills for granted when it comes to technology. We move effortlessly between applications and multiple devices. We install new software, set up numerous accounts, and easily clear technical hurdles that come our way. Unfortunately, that picture isn’t the norm for many older adults.  

Engaging with technology can be challenging for older adults. However, when digital literacy skills are neglected or avoided, everyday activities such as online bill paying, shopping, medical appointments, and even social media can be overwhelming. And, since the pandemic, the digital divide between older adults and digital skills has become even more evident.   

Digital Divide  

One Pew study revealed that older adults continue to lag behind younger adults when it comes to technology adoption in that 41% do not use the internet at all, 23% do not use cell phones, and over 75% say they require help when learning how to use new technology.   

Bridging the Gap 

The Pew study also highlighted good news: Attitudes shift for the better when older adults increase their digital skills and access the Internet more frequently. Fully 79% of older adults who use the internet regularly agree with the statement that “people without internet access are at a real disadvantage because of all the information they might be missing.” In comparison, 94% agree with the statement that “the internet makes it much easier to find information today than in the past.” 

So how can we help the older adults in our lives grow both their digital skills and their confidence? Building practical digital skills begin with a commitment to one another, to consistency, and to learning. Here are some tips to get you started.  

7 Ways to Boost Digital Literacy 

1. Schedule dedicated time.

If you are helping an older adult build their digital skills, it’s crucial to schedule dedicated training time. Commitment and consistency will be key to achieving real results. If you’re the older adult learning on your own, set aside dedicated learning time with clear goals. For instance, “Each day this week from 7 a.m. to 9 a.m. I will learn how to set up my email and how to maximize security on all my devices.”  

2. Choose your resources and go!

Fortunately, more and more resources are emerging to help older adults bridge their technology gaps, and most are free. A few places to begin include AARP’s Senior Planet, Candoo Tech, and GetSetUp. To find a program in your area, go to at3center.net. 

3. Prioritize cybersecurity. 

Online security is one of the most critical conversations you can have with the older adults in your life. Following best practices such as installing security software, using strong passwords with Two-Factor Authentication (2FA), understanding data privacy, and knowing how to identify phishing and malware scams are fundamental components of digital literacy. For a deeper dive into cybersecurity best practices, read more.  

4. Explore media literacy.

Older adults can easily fall prey to scams, conspiracies, hoaxes, and false news stories online. A recent study out of Princeton and NYU found that, prior to the 2016 election, adults over 65 were seven times more likely than those under 29 to post articles from fake news domains. Understanding how to spot misinformation online is a critical skill for anyone online. One resource to build media literacy is MediaWise for Seniors, a series of free online courses by Poynter designed to help older adults detect and combat fake news and misinformation. In addition, consider dialogue on how to challenge each piece of digital content by asking: 

Do I understand all the points of view of this story? 
What do I think about this topic or idea? 
Am I overly emotional and eager to share this publicly? 
Am I being manipulated by this content? 
What if I’m wrong? 

5. Avoid technical jargon. 

Jargon excludes and when you use insider language with a non-technical person, it can get overwhelming. Slow down. Use ordinary terms. For instance, instead of the hyperlink, consider “link.” Instead of URL, opt for “website address.” Rather than DM/PM, use “Private Message.” Note: Avoiding jargon doesn’t mean you dumb down to a person; it means using plain language to explain the same concept.   

6. Be patient. 

It’s a myth (and an unfortunate stereotype) that older adults don’t have the ability or don’t want to learn about technology. Frankly, they can, and they do. However, physical and mental changes are part of the aging process, which means repetition and patience are part of the process. Consider creating easy-to-read cheat sheets to summarize the day’s lesson.  

Technology is impacting our lives in myriad ways, and no one feels this reality pressing in more than older adults. If you find yourself in the privileged position of coaching an older adult toward digital confidence, remind them of the gains ahead and that the gap from “here” to “there” isn’t nearly as large as they’ve imagined. Whenever possible, point their sights to the proven benefits of stepping off the sidelines and into a connected world.  

The post Helping Older Adults Build Strong Digital Literacy Skills appeared first on McAfee Blogs.

Read More

Most of us use the internet every day, so we’re comfortable sharing a lot of information online. However, cybercriminals want us to get a bit too comfortable so they can take our personal or financial data and use it for their benefit. This is called identity theft, and it can cost people money and may dip their credit score.

Fortunately, you can help minimize what happens by knowing the signs of identity theft and taking fast action when you recognize them. Find out how below.

How does identity theft happen?

Being online comes with many benefits, but it can also come with some risks. Identity theft usually begins with the criminal accessing sensitive personal data, such as Social Security numbers, birthdates, home addresses, bank account information, and driver’s license details. The fraudster can then take this information to fake your identity, using it to take out credit cards, apply for loans, and more.

Here’s a quick look at some ways identity thieves can get their hands on your valuable data:

Phishing scams: Phishing scams can come in the form of mail, email, or websites. They may involve an identity thief pretending to be an entity you trust, like your own bank or insurance provider, to extract personal data.
Data breaches: Many companies store your data, from your health care provider to your internet service provider. For example, you may save payment details for your favorite shopping site. If hackers target those companies in a data breach, they can leak or access your sensitive information.
Social media snooping: Criminals may look to your social media to get information, like your birthdate and home address. Even seemingly innocent details, like the names of your children or pets, can be of interest to an identity thief. Why? People often use these details in their passwords.
Hacking devices: Hackers may try to infiltrate your computer, tablet, or mobile device through viruses or malware. That’s where antivirus software can help. McAfee’s Total Protection service works for you by protecting your devices and personal information from criminals.
Simple theft: Not all identity thieves use advanced methods to get your information. In fact, a person can steal your phone and access any personal data you have on it if they can unlock it. Since many people save passwords to sensitive accounts on their devices, they are easy to hack.
Dumpster diving: This is another example of a less tech-savvy approach to identity theft. If you throw away documents with sensitive data, thieves may get the information they want from your garbage. For example, bank account statements contain your account numbers, while pay stubs may include Social Security numbers. You should always shred paperwork before tossing it.

There are many ways thieves can get their hands on your data. Luckily, there are ways you can protect yourself against these methods. For example, you can protect your computer, tablet, or mobile device against hackers by equipping it with a strong password and safeguarding against phishing by adding a firewall and utilizing a virtual private network (VPN) like those offered by McAfee.

9 warning signs your identity has been stolen

With some best practices, you can protect your data and help safeguard you and your family against identity theft. One way to continue living your best life online is to watch for potential warning signs of identity theft. This ensures you can take fast action and minimize the effects if you’re targeted. Here are some essential signs to look out for.

You’re alerted to a credit card charge you didn’t make

Financial identity theft is one of the most common types of identity theft, and credit cards are a popular target. The rise in online shopping has made credit card fraud even more common.

Your online banking portal or app should allow you to set up alerts to email, call, or text you about suspected fraudulent credit card charges. If you get an alert, someone may have taken your identity.

Your loan or credit card application was denied

If you apply for a loan or line of credit and your application is denied, dig deeper. A rejection could indicate that your credit score is lower than you thought, possibly due to fraudulent activity. For example, someone may use your information to get new credit cards and not pay them off, leaving you responsible.

There’s a change to your credit score

Changes in your credit score can indicate identity theft. For example, if someone takes out utility bills in your name and doesn’t pay them, your credit score may dip. Checking your credit report from each of the three major credit bureaus (Equifax, Experian, and TransUnion) can help pinpoint the problem.

The Federal Trade Commission (FTC) allows U.S. consumers to get a free credit report every 12 months. Just visit AnnualCreditReport.com to get a copy of yours from the credit reporting agencies. You can also pay for credit monitoring services to track your score.

There’s a new account you didn’t open under your name

Once identity thieves obtain enough data, including your name and address, they might be able to open new accounts and credit cards. When you check your credit report, keep an eye out for new accounts that you didn’t open. Another red flag is if you start getting bank statements or bills addressed to you for accounts you don’t recognize.

Your information was part of a data breach

Companies are required to notify customers of data breaches that could impact them. For example, if you save your payment information and home address on a music streaming provider’s website and their database is hacked, identity thieves may get your data. Keep an eye out for notifications and read the news. The McAfee blog is another great resource for information on data breaches.

Debt collectors call about accounts you never opened

If debt collectors start calling, be cautious, especially if they’re referring to accounts you aren’t familiar with. Don’t provide personal information to any collection agencies that call, as this can be a potential phishing scam. However, it’s a good idea to follow up on these cases by checking your credit report for new accounts. You could be liable if someone opened accounts under your name and didn’t pay them.

You receive bills for medical services you never used

Medical theft occurs when a fraudster imitates another person to get health care or supplies. For example, a person might use your identity to get prescription medication at a pharmacy. If you get unfamiliar medical bills, follow up. Incorrect medical records could impact your insurance premiums or interfere with your ability to get the care you need in the future.

Mail is addressed to your home but with another person’s name

This could be an indicator of synthetic identity theft. This occurs when a fraudster creates a fake identity using various people’s real information. For example, they may use your address and Social Security number and another person’s photo to create a fake persona that’s creditworthy. They can then take out credit cards in that fake person’s name.

A tax return is filed under your name without your knowledge

If you receive a confirmation of an annual tax filing before you’ve filed, take note. Criminals may try to file a tax return for another person to access their tax refund. Alternatively, you may find that you’re unable to e-file your taxes, which can occur if someone else has already filed under your name.

What to do if you think your identity has been stolen

No one wants their identity stolen, but it’s still good to be prepared if it does happen. If you notice the above red flags, here are some steps you may need to take:

Change passwords and login details for any affected accounts. If you use the same password for other accounts, change those too. The good news is that McAfee’s identity protection services come with a password manager, so you don’t have to worry about remembering your credentials across devices.
Freeze accounts with banks or credit card companies that show any suspicious activity, including debit and credit card Most financial institutions have a dedicated fraud department to help.
Review your credit reports if you haven’t already and report any suspected fraud to the respective credit bureau.
Contact local law enforcement to file a police report for lost or stolen credit cards, driver’s licenses, and more. Also, report your lost license to the DMV.
Alert the IRS fraud alert department in case of tax-related fraud.
Report Social Security-related fraudulent activity to the relevant government agency, the Social Security Administration’s Office of the Inspector General.
Place a freeze on your credit report. This blocks access to it to extend credit, ensuring no one can take out new lines of credit in your name.

You may also want to visit IdentityTheft.gov to report identity theft and find resources to help guide your recovery plan.

Get personalized online protection

Worries about identity fraud shouldn’t prevent your household from enjoying the benefits of a connected world. McAfee’s identity theft protection services can help you enjoy everyday conveniences while keeping you safe. Packages can be tailored to your needs, including 24/7 monitoring, ID theft coverage, VPN services, and more. It’s guided online protection made easy.

The post 9 Ways to Determine If Your Identity Has Been Stolen appeared first on McAfee Blogs.

Read More