You can’t stop the ‘next SolarWinds’ — but you can slow it down

by Kyle Alspach | Dec 31, 2021 | Cybersecurity

It’s one of the biggest questions in cybersecurity of 2021, and it’s sure to remain on the minds of countless businesses into the next year, too: How do you prevent a software supply chain attack?

Such attacks have soared by 650% since mid-2020, due in large part to infiltration of open source software, according to a recent study by Sonatype.

But an even bigger driver of the question, of course, has been the unprecedented attack on SolarWinds and customers of its Orion network monitoring platform. In the attack, threat actors compromised the platform with malicious code that was then distributed as an update to thousands of customers, including numerous federal agencies.

Addressing supply chain attacks

The one-year anniversary of the attack’s discovery is on Monday, but the answer for how to stop the “next SolarWinds” attack doesn’t seem much clearer now than it did in the wake of the breach.

Perhaps because it’s the wrong question.

Peter Firstbrook, a research vice president and analyst at Gartner, has experience trying to answer this question because he’s been asked it a lot. However, in terms of preventing the impacts from a software supply chain attack, “the reality is, you can’t,” he said last month during Gartner’s Security & Risk Management Summit — Americas virtual conference.

While companies should perform their due diligence about what software to use, the chances of spotting a malicious implant in another vendor’s software are “extremely low,” Firstbrook said.

But that doesn’t mean there’s nothing to be done.

Zero-trust segmentation

While technology that offers guaranteed protection against the impacts of software supply chain breaches may never exist, solutions for zero-trust segmentation may be the next best thing, said James Turgal, a vice president at cybersecurity consulting firm Optiv.

Prior to Optiv, Turgal spent 22 years serving in the FBI, including as executive assistant director for the bureau’s Information and Technology Branch. There, he saw first-hand the types of cyber strategies that are most effective at disrupting attackers.

One of the biggest takeaways, Turgal said, is that the more difficult you can make it for attackers to transit through environments, the safer you’ll be. “I’ve interviewed these guys. Most of them are lazy as hell,” he said. “Making it more difficult for them to move across networks is really helpful.”

That’s where zero-trust segmentation comes in. The idea is to divide a company’s cloud and datacenter environments into different segments — all the way down to the level of workload — which can each be locked down with their own security controls. For a business, segmenting their architecture in this way — while also using zero-trust authentication that repeatedly verifies a user’s identity — can make it “more difficult for the bad guys to move through networks and move laterally,” Turgal said.

Reducing the blast radius

One fast-growing vendor that is entirely focused on solutions for zero-trust segmentation is Illumio, which achieved a $2.75 billion valuation in June in connection with its $225 million series F funding round.

Founded in 2013, Illumio offers segmentation solutions for both datacenter and cloud environments, with the addition of its cloud-native solution in October. The Sunnyvale, California-based company expects to reach “well north” of $100 million in annual recurring revenue this year, according to Illumio cofounder and CEO Andrew Rubin.

When it comes to segmentation, Illumio’s solutions were in fact successfully used by customers that were impacted by the SolarWinds compromise to protect against further damage from the attackers, Rubin said.

During the attack campaign, “we had customers that were running that [SolarWinds] infrastructure and used us to segment that problem off from the rest of their environment,” Rubin said in an interview with VentureBeat. “I can tell you that segmentation was an effective security control for reducing the blast radius of that problem.”

What Illumio offers with zero-trust segmentation is actually very similar in principle to the approach that’s been taken to slow the spread of COVID-19, he noted. “The fact is that if we can stop it from spreading, that is an unbelievably effective way to control the damage,” Rubin said. “We knew we couldn’t prevent the initial problem, because we already missed that. But we knew that we did have the ability to change how quickly and how pervasively it spread.”

In many ways, he said, the cybersecurity industry “is now appreciating the value of that storyline by saying, ‘We’re going to stop a lot of things — but we can’t stop everything. So let’s try and do a really good job of controlling the blast radius when they occur.’”

Second ransomware family exploiting Log4j spotted in U.S., Europe

by Kyle Alspach | Dec 25, 2021 | Cybersecurity

Researchers say a second family of ransomware has been growing in usage for attack attempts that exploit the critical vulnerability in Apache Log4j, including in the U.S. and Europe.

A number of researchers, including at cybersecurity giant Sophos, have now said they’ve observed the attempted deployment of a ransomware family known as TellYouThePass. Researchers have described TellYouThePass as an older and largely inactive ransomware family — which has been revived following the discovery of the vulnerability in the widely used Log4j logging software.

TellYouThePass is the second family of ransomware that’s been observed to exploit the vulnerability in Log4j, known as Log4Shell, joining the Khonsari ransomware, according to researchers.

Beyond China

While previous reports indicated that TellYouThePass was mainly being directed against targets in China,  researchers at Sophos told VentureBeat that they’ve observed the attempted delivery of TellYouThePass ransomware both inside and outside of China — including in the U.S. and Europe.

“Systems in China were targeted, as well as some hosted in Amazon and Google cloud services in the U.S. and at several sites in Europe,” said Sean Gallagher, a senior threat researcher at Sophos Labs, in an email to VentureBeat on Tuesday.

Sophos detected attempts to deliver TellYouThePass payloads by utilizing the Log4j vulnerability on December 17 and December 18, Gallagher said.

TellYouThePass has versions that run on either Linux or Windows, “and has a history of exploiting high-profile vulnerabilities like EternalBlue,” said Andrew Brandt, a threat researcher at Sophos, in an email.

The Linux version is capable of stealing Secure Socket Shell (SSH) keys and can perform lateral movement, Brandt said. Sophos initially disclosed its detection of TellYouThePass ransomware in a December 20 blog post.

Growing usage

The first report of TellYouThePass ransomware exploiting the Log4j vulnerability appears to have come from the head of Chinese cybersecurity group KnownSec 404 Team on December 12. The attempted deployment of TellYouThePass in conjunction with Log4Shell was subsequently confirmed by additional researchers, according to researcher community Curated Intelligence.

In a blog post Tuesday, Curated Intelligence said its members can now confirm that TellYouThePass has been seen exploiting the vulnerability “in the wild to target both Windows and Linux systems.”

The TellYouThePass ransomware is “capable of lateral movement through the theft of SSH credentials and OS credential dumping to propagate to other systems it can authenticate with on the local network,” Curated Intelligence said in the post.

Additionally, researchers at cyber firm Uptycs told VentureBeat that a family of Linux ransomware they had previously reported discovering is from the TellYouThePass family. The ransomware, which the company discussed in a post December 20, was observed to encrypt files with the extension “.locked,” which has been associated with numerous ransomware varieties in the past including TellYouThePass.

Ransomware, old and new

TellYouThePass had most recently been observed in July 2020, Curated Intelligence said. It joins Khonsari, a new family of ransomware identified in connection with exploits of the Log4j vulnerability.

First disclosed by Bitdefender, Khonsari exclusively targets Windows systems and has been confirmed by cybersecurity firms including Microsoft. In its post Monday, Sophos said it has observed and blocked a delivery vehicle for Khonsari, prior to deployment of the ransomware. Researchers have not reported that Khonsari includes a way for a ransom payment to be made, suggesting that it’s “effectively a wiper” used to delete hard drive data, Emsisoft threat analyst Brett Callow said on Twitter.

Still, the detection of the two ransomware families “shows that some ransomware operators are moving forward with Log4j as part of their deployment scheme,” Gallagher told VentureBeat.

In addition to ransomware operators, the vulnerability in the open source logging library has been exploited by brokers looking to sell their access to ransomware affiliates, according to researchers.

Ransomware attempts utilizing the Log4j vulnerability are far from widespread at this point, however. Researchers at Cisco Talos, for instance, have not observed any activity resulting in ransomware being deployed thus far, threat researcher Chris Neal told VentureBeat.

“After initial access, these attackers will commonly choose to gain persistence, and then minimize their footprint to prevent detection and perform reconnaissance,” Neal said in an email. “This type of behavior may account for the lack of ransomware campaigns utilizing this exploit being observed.”

Notably, Talos researchers have seen Log4j exploit attempts that led to connections back to previously known malicious Cobalt Strike servers — a common tactic both for ransomware operators and some state-sponsored actors, he said. Cobalt Strike is a popular tool used for malicious hacking, enabling activities such as remote reconnaissance and lateral movement.

Shifting from crypto mining

Even before the discovery of the widespread and trivial-to-exploit vulnerability in Log4j, Veeam chief technology officer Danny Allan expected that 2022 would see a greater shift from cryptocurrency mining to ransomware as the predominant activity for malicious actors.

Ransomware attacks, which by some estimates surged by 148% during the first three quarters of 2021, just offer “a much faster path to ROI for the threat actor” than crypto mining, Allan told VentureBeat.

And if that shift was likely even prior to the disclosure of Log4Shell, it’s definitely true now, he said. Allan expects that exploits for Log4j will be pre-built into “ransomware-as-a-service” packages, which threat actors are able to acquire in order to make it easier to carry out attacks.

Researchers say a significant amount of the Log4j exploitation activity so far has involved mining operations for cryptocurrencies such as Bitcoin. But that also doesn’t preclude the possibility of ransomware operators later using the crypto miners’ initial access to launch an attack.

“Some of these small things, like a crypto miner, can end up just being that first stage of attack,” said Roger Koehler, vice president of threat ops at Huntress. “Because they can go and sell that access on the black market. And somebody bigger and badder may buy that and do something more detrimental, like a ransomware attack.”

Ultimately, “those crypto miners can seem small, but that can escalate to something bigger,” Koehler told VentureBeat.

Access brokers

Along with attempted delivery of TellYouThePass and Khonsari, researchers at security firms including Microsoft and Sophos have seen activities by suspected “access brokers.” These threat actors work to establish a backdoor in corporate networks that can later be sold to ransomware operators. Log4j exploits by ransomware gang Conti have been observed, as well.

Microsoft and cyber firm Mandiant also said last week that they’ve observed activity from nation-state groups — tied to countries including China and Iran — seeking to exploit the Log4j vulnerability. Microsoft said that an Iranian group known as Phosphorus, which has previously deployed ransomware, has been seen “acquiring and making modifications of the Log4j exploit.”

At the time of this writing, there has been no public disclosure of a successful ransomware breach that exploited the vulnerability in Log4j.

Security firm Check Point reported Monday it has now observed attempted exploits of vulnerabilities in the Log4j logging library on more than 48% of corporate networks worldwide, up from 44% last Tuesday.

Widespread vulnerability

Many applications and services written in Java are potentially vulnerable due to the flaws in Log4j prior to version 2.17, which was released last Friday. The flaws can enable remote execution of code by unauthenticated users.

Version 2.17 of Log4j is the third patch for vulnerabilities in the software since the initial discovery of a remote code execution (RCE) vulnerability on December 9.

Along with enterprise products from major vendors including Cisco, VMware, and Red Hat, the vulnerabilities in Log4j affect many cloud services. Research from Wiz provided to VentureBeat suggests that 93% of all cloud environments were at risk from the vulnerabilities, though an estimated 45% of vulnerable cloud resources have been patched at this point.

Looking ahead, there’s an “extremely high” likelihood of ransomware attacks deriving from the vulnerability in the coming weeks and months, Wiz cofounder and CEO Assaf Rappaport told VentureBeat. “It’s only a matter of time, if it hasn’t started already,” he said.

‘Vaccine’ against Log4Shell vulnerability has potential—and limitations

by Kyle Alspach | Dec 12, 2021 | Cybersecurity

A “vaccine” against the Log4Shell vulnerability appears to offer a way to reduce risk from the widespread flaw affecting servers that run Apache Log4j. The script was developed by researchers at security vendor Cybereason and released for free on Friday evening, following the disclosure of the critical zero-day vulnerability late on Thursday.

The Log4Shell vulnerability affects Apache Log4j, an open source Java logging library deployed broadly in cloud services and enterprise software. The flaw is considered highly dangerous since it can enable remote code execution (RCE) — in which an attacker can remotely access and control devices — and is seen as fairly easy to exploit, as well. Log4Shell is “probably the most significant [vulnerability] in a decade” and may end up being the “most significant ever,” Tenable CEO Amit Yoran said Saturday on Twitter.

Widespread vulnerability

According to W3Techs, an estimated 31.5% of all websites run on Apache servers. The list of companies with vulnerable infrastructure reportedly includes Apple, Amazon, Twitter, and Cloudflare. Vendors including Cisco, VMware, and Red Hat have issued advisories about potentially vulnerable products.

“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” said Jen Easterly, director of the federal Cybersecurity and Infrastructure Security Agency (CISA), in a statement posted Saturday.

The vulnerability has impacted version 2.0 through version 2.14.1 of Apache Log4j, and organizations are advised to update to version 2.15.0 as quickly as possible.

Buying some time

But patching can be a time-consuming process. To supplement patching efforts, Cybereason says its tool — which it calls “Logout4Shell” — has the potential to “immunize” vulnerable servers, providing protection against attacker exploits that target the flaw.

While updating to the latest version of Log4j is no doubt the best solution, patching is often complex, requiring a release cycle and testing cycle, said Yonatan Striem-Amit, cofounder and chief technology officer at Cybereason. “A lot of companies find it difficult to go and deploy emergency patches,” he said in an interview with VentureBeat.

The Logout4Shell “vaccine” essentially buys some time for security teams as they work to roll out patches, Striem-Amit said. The fix disables the vulnerability and allows organizations to stay protected while they update their servers, he said.

Cybereason has described the fix as a “vaccine” because it works by leveraging the Log4Shell vulnerability itself. “The fix uses the vulnerability itself to set the flag that turns it off,” Striem-Amit wrote in a blog post. “Because the vulnerability is so easy to exploit and so ubiquitous — it’s one of the very few ways to close it in certain scenarios.”

Additionally, the Cybereason fix is “relatively simple” because only basic Java skills are required to implement it, he wrote.

Potential to help

With the Logout4Shell tool, security teams can “take a server that you suspect is vulnerable, and feed the string into places that you think are potentially vulnerable. If your application is not vulnerable at all, nothing happens,” Striem-Amit told VentureBeat.

“However, if your server is vulnerable to this attack, the exploit will get triggered, which will download the code that we supply,” he said. “And what that source code does is go into the configuration and disable the vulnerable components. So the server continues running, none the wiser — but any future attempt to exploit this vulnerability now won’t do anything. The vulnerable component is now disabled, and you’re done.”

Casey Ellis, founder and chief technology officer at bug bounty platform Bugcrowd, told VentureBeat that the Cybereason fix appears to be effective and has the potential to assist security teams.

Ellis said that due to the complexity of regression testing Log4j, “I’ve already heard from a number of organizations that are pursuing the workarounds contained in the Cybereason tool as their primary approach.”

“It remains to be seen whether many enterprises choose to exploit the vulnerability itself in order to achieve this,” he said. “But I would expect at least some to use the tool selectively and situationally.”

Limitations

There are some limitations for the Cybereason fix, however.

For one thing, the mitigation does not work prior to version 2.10 of Log4j. The exploit also must “fire properly” in order to be effective, Ellis said. “And even when it does run properly, it still leaves the vulnerable code in place,” he said.

Still, “this strikes me as a very clever ‘option of last resort,’” Ellis said. “Many organizations are currently struggling to inventory where Log4j exists in their environment, and updating a component like this necessitates a dependency analysis in order to avoid breaking a system in the pursuit of fixing a vulnerability.”

All of this “adds up to a lot of work. And having a ‘fire and forget’ tool to clean up anything that may have been missed at the end of it all seems like a scenario that many organizations will find themselves in, in the coming weeks,” he said.

Ultimately, Ellis said he sees the Cybereason fix as a supplementary tool rather than a cure-all.

“It’s a workaround with a number of limitations,” he said. “[But] it has intriguing potential as a tool in the toolbox as organizations reduce Log4j risk. And if it makes sense for them to use it, one of the primary reasons will be speed to risk reduction.”

Positive feedback

Striem-Amit told VentureBeat that he’s seen a large amount of positive feedback about Logout4Shell, on Twitter and other websites, but said that Cybereason is not tracking usage of it.

The company — which says that none of its own products are affected by the Log4Shell vulnerability — also plans to develop a version of the Logout4Shell tool that can support earlier versions of Log4j, so that all servers can be protected using this method, he said.

Importantly, no one should see the tool as a “permanent” solution to addressing the Log4Shell vulnerability, according to Striem-Amit.

“The idea isn’t that this is a long-term fix solution,” he said. “The idea is, you buy yourself time to now go and apply the best practices — patch your software, deploy a new version, and all the other things required for good IT hygiene.”

Report: Cybersecurity recruitment, training misses the mark

by Kyle Alspach | Nov 28, 2021 | Cybersecurity

As the massive shortage of security talent and skills continues, sub-par recruitment processes and outdated training for cybersecurity professionals are exacerbating the problem, according to a new survey. If hiring and training processes are adjusted, however, retention of workers and the availability of crucial cyber skills can both be improved, said Adi Dar, founder and CEO of security skills development platform provider Cyberbit, which conducted the survey.

In the U.S. alone, job tracker Cyber Seek estimates that there are currently about 460,000 openings in cybersecurity — and these positions take an average of 21% longer to fill than other IT roles.

The SOC Skills Survey from Cyberbit gathered responses from 100 cybersecurity professionals, in 17 countries, from organizations with a security operations center (SOC) team larger than five and an IT budget of more than $20 million.

Training shortcomings

The survey found that on-the-job training is the main technique used to get SOC team members up to speed, with 41% of respondents saying that was how they were taught. The main training technique for 26% of respondents was courses, while simulation-based training — such as cyber labs, cyber ranges, or red vs. blue training — is used by just 22%, according to the survey.

In the high-stakes realm of cybersecurity, “on-the-job training is really not the way to go,” Dar said. “On-the-job training means that the first time you see ransomware is when it hits you.” The Ra’anana, Israel-based company offers a cyber range that simulates attacks and cyber labs tools that help develop hands-on security skills.

Many cybersecurity professionals also reported that they don’t feel prepared for key aspects of incident response. In the area of intrusion detection, only 45% of respondents said they felt their team was adequately skilled, while in network monitoring, only 42% reported feeling their team was prepared.

Recruitment woes

Recruitment of security professionals is another weak spot, according to the survey. Just 33% of respondent reported that human resources recruiters for their company usually or always understand the requirements for working on a cybersecurity team. Additionally, 70% of respondents said that cybersecurity candidates are being assessed in the same way as other workers — through interviews — rather than using available tools to assess their practical skills.

“HR is following the traditional way of hiring,” Dar said. “But what the industry needs is to hire people based on their hands-on experience. You need to assess people based on their capabilities.”

Taking these issues together, many hires of cybersecurity workers end up being mis-hires, leading to low retainment and more open jobs, he said.

Ultimately, Dar said, “we must change the balance between the continuous investment in technologies and tools and the almost non-existent budgets that are invested in the cyber teams.”