Iran’s Log4j foray, Meta’s “Oops” and a looming ban on ransomware payments
Illustration: Si Weon Kim
Welcome to Changelog for 11/20/22, published by Synack! Blake here, delivering the week’s news alongside README senior editor Nathaniel Mott. A quick programming note before we dive in: Changelog won’t publish next Sunday as we take a Thanksgiving break. Happy Turkey Day to those who celebrate!
The payload
Yes, we still need to talk about Log4j.
Nearly a year after the bombshell vulnerability pushed security teams into overdrive, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI issued a joint advisory detailing some new Log4j-related hijinks.
The agencies warned that a “suspected Iranian government-sponsored” threat actor had exploited the Log4Shell vulnerability in VMware Horizon to compromise the network of a federal civilian executive branch organization earlier this year. And to any organization that has not yet applied a patch to affected VMware systems, FBI and CISA had a sobering message: “Assume compromise and initiate threat hunting activities.”
The Washington Post reported that the breach in early February affected the U.S. Merit Systems Protection Board, an independent agency charged with hearing and overseeing federal workplace complaints, including employee whistleblower allegations. The suspected Iranian attackers, tracked under the name Nemesis Kitten, used their Log4j-enabled access to install cryptocurrency mining software and credential harvesters.
“It’s been a year since discovery of the Log4j vulnerability. Patches have been produced, workarounds documented and available; yet the government still has to issue an alert,” said Curtis Dukes, executive vice president and general manager of the Center for Internet Security. “Organizations and their leadership have to be held accountable for not establishing a standard duty of care.”
The week, compiled
Twitter isn’t the only social media company with security problems lately. The Wall Street Journal reported Thursday that Meta “has fired or disciplined more than two dozen employees and contractors over the last year whom it accused of improperly taking over user accounts, in some cases allegedly for bribes, according to people familiar with the matter and documents viewed by” reporters at the publication.
The employees and contractors in question don’t appear to have been part of a privileged group within Meta that needed these capabilities to do their jobs. The Wall Street Journal said that some of the people fired were security guards who had been given access to Facebook’s “internal mechanism for employees to help users having trouble with their accounts.”
That seems… not great? It makes sense for this tool — which according to the Journal is known internally as “Oops” — to exist. People are going to lock themselves out of their Facebook accounts; being able to recover access to those accounts is important. But this feature is inherently vulnerable to abuse, and it’s surprising that contract security guards were given access to it in the first place. “Oops” doesn’t cover it.
Here are some of the other things that happened this week:
Reuters: A software company called Pushwoosh that claimed to be based in the U.S. is actually headquartered in Russia, according to Reuters, although the company has denied that it attempted to hide its connection to its home country. The revelation prompted the U.S. Centers for Disease Control to remove the software from “seven public-facing apps” for Android and iOS.
KrebsOnSecurity: Alleged cyber criminal Vyacheslav “Tank” Penchukov was arrested in Switzerland in October, KrebsOnSecurity reported. He is said to have led “a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe.”
A message from Synack
APIs are on track to be the most frequent attack vector in 2022, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a webinar to learn of a better way to pentest for APIs. They break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and view the webinar on demand here.
Flash memory
The so-called Guardians of Peace started to leak emails, scripts and other data stolen from Sony Pictures Entertainment on Nov. 24, 2014. The hack-and-leak operation was followed by threats of terrorist attacks on U.S. theaters if “The Interview,” a Seth Rogen and Evan Goldberg comedy in which James Franco plays a journalist asked by the CIA to assassinate North Korean dictator Kim Jong-un, was released.
The hack worked: Sony canceled the wide theatrical release for “The Interview,” had to scramble to bring its network back online after the Guardians of Peace deployed wiper malware and ultimately agreed to an $8 million settlement for employees whose data was exposed as a result of the hack. Reports based on leaked emails also led to what The New York Times called an “unraveling of relationships in Hollywood.”
The demand for Sony to pull “The Interview” from theaters — along with evidence collected by the FBI, NSA and FireEye — led many to conclude North Korea was responsible for the Sony hack just a few weeks after it was revealed. The Department of Justice unsealed an indictment of Park Jin Hyok in September 2018 for his involvement with the Sony hack as well as the creation of WannaCry, among other allegations.
The attribution is often made directly to The Lazarus Group, of which Hyok was said to have been a part, that remains active to this day. The group has mostly focused on stealing cryptocurrency in recent months — CoinDesk reported that it’s stolen more than $725 million in crypto from various exchanges, funds and other firms.
Local files
Risky Business News: A hack-and-leak operation targeting the government of Moldova revealed Telegram conversations between the country’s Minister of Justice and its Defense and National Security Advisor, RBN reported. The group behind the operation has said it plans to publish other private communications among Moldovan government officials.
The Record: Australia could move to ban ransomware payments as part of its efforts to discourage cybercriminals from targeting organizations within the country, The Record reported, despite criticism of similar proposals claiming that criminalizing ransom payments would simply make organizations targeted by ransomware gangs even more reluctant to cooperate with law enforcement.
BleepingComputer: The Computer Emergency Response Team of Ukraine said this week that Russian hacktivists affiliated with the group “From Russia with Love” have deployed new ransomware called Somnia against “multiple organizations” within Ukraine.
Off-script
The World Cup kicks off today in Qatar, after the tiny peninsular nation along the Persian Gulf spent over a decade overhauling its infrastructure and building stadiums in preparation. The work came at a steep human cost: The Guardian reported last year that an average of 12 migrant workers have died each week in Qatar since late 2010.
I visited Qatar earlier in that fateful year, just before it was awarded the rights to host the 2022 World Cup in a controversial FIFA vote.
Even in 2010, the running joke was that Qatar’s national bird was “the construction crane.” Now that the country has muscled its way into the global spotlight for the next few weeks, we’ll see what all the buildup can bring.
That’s it for now — see you in December! Enjoy some soccer over the Thanksgiving holiday, and don’t forget to send any tips and feedback to bsobczak@synack.com or nmott@synack.com.