Log4j’s anniversary, Apple security moves and risky Exchange servers


Welcome to Changelog for 12/11/22, published by Synack! Blake here, excited to share that I’ll be co-hosting Season 2 of the WE’RE IN! cybersecurity podcast alongside Bella DeShantz-Cook. Check out the trailer here, and stay tuned for more. Now, for the week’s cybersecurity news, with an assist from README senior editor Nate Mott:


The payload

Friday marked the one-year anniversary of the Log4j vulnerability, whose severity sent shockwaves through the cybersecurity industry. Vulnerable instances of the Java-based logging tool seemed to be everywhere when news of the vuln broke: Healthcare organizations, Cisco products, Zoom and thousands of other places were affected.

It’s strange to commemorate Dec. 9 as a sort of “Log4j day.” For an open-source software flaw this pervasive, every day is Log4j day. Many organizations still haven’t bothered to check their environments for Log4j ghosts in the cupboards. Those that have checked may have inadvertently re-introduced old versions of the Apache Software Foundation code into their increasingly complex software supply chains.
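One way to do the environment check the paragraph calls for, as an added example that is not code from the newsletter or from the Apache project: a Python scanner that walks a directory tree, opens every jar/war/ear it finds (including archives nested inside fat jars, where stale copies tend to hide) and reports the log4j-core version from the Maven pom.properties that log4j-core jars carry, falling back to "unknown" when only the JndiLookup class is present, as in a shaded copy with the metadata stripped. The sample archives are constructed in a temporary directory and carry made-up contents; MIN_SAFE is a placeholder floor to be set from your own patch policy, since the newsletter names no version.

```python
"""Added example: find stale log4j-core copies, including ones nested in fat
jars, by walking a directory tree. Not code from the newsletter or Apache."""
import io
import re
import zipfile
from pathlib import Path
from tempfile import TemporaryDirectory

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"^version=(\S+)", re.MULTILINE)
# Placeholder floor: set this to the version your patch policy mandates.
MIN_SAFE = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); 'unknown' -> (), which sorts below everything."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def scan_archive(data, path, findings):
    """Inspect one archive (given as bytes) and recurse into archives it contains.
    Appends (path-with-nesting, version) for every log4j-core copy found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            m = VERSION_RE.search(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append((path, m.group(1) if m else "unknown"))
        elif JNDI_CLASS in names:  # shaded/relocated copy without Maven metadata
            findings.append((path, "unknown"))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{path}!/{name}", findings)


def scan_tree(root):
    """Scan every archive under root; returns a list of (path, version)."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(p.read_bytes(), str(p), findings)
    return findings


def flag_stale(findings, min_safe=MIN_SAFE):
    """Keep only findings whose version is below min_safe (unknown counts as stale)."""
    return [(p, v) for p, v in findings if parse_version(v) < min_safe]


def _fake_core_jar(version):
    """Constructed sample jar carrying log4j-core's Maven metadata (or none)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic, nothing more
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample: one plain jar plus a fat jar nesting three more copies."""
    root = Path(root)
    (root / "log4j-core-2.14.1.jar").write_bytes(_fake_core_jar("2.14.1"))
    (root / "service").mkdir()
    with zipfile.ZipFile(root / "service" / "app.jar", "w") as fat:
        fat.writestr("BOOT-INF/lib/log4j-core-2.3.jar", _fake_core_jar("2.3"))
        fat.writestr("BOOT-INF/lib/log4j-core-2.17.1.jar", _fake_core_jar("2.17.1"))
        fat.writestr("BOOT-INF/lib/shaded-bundle.jar", _fake_core_jar(None))
        fat.writestr("BOOT-INF/lib/README.txt", "not an archive")


def demo():
    """Build the sample in a temp dir, scan it and return versions found/stale."""
    with TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = scan_tree(tmp)
        stale = flag_stale(found)
        for path, version in stale:
            print(f"STALE {version:>8}  {path}")
    return {"found": sorted(v for _, v in found),
            "stale": sorted(v for _, v in stale)}


if __name__ == "__main__":
    demo()
```

The nested-archive recursion is the part that matters in practice: a copy buried under BOOT-INF/lib inside an application jar never shows up as a file named log4j-core-*.jar on disk, so filename searches miss it, and a shaded copy with the Maven metadata removed only shows up through the class name. Treating "unknown" as stale keeps those copies on the review list rather than silently passing them.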

The U.S. Cyber Safety Review Board warned in its inaugural report earlier this year that Log4j could be with us for a decade or more, noting, “significant risk remains.”

The report underscored how the open-source software community isn’t equipped to handle bombshell vulnerabilities, even as it credited the nonprofit Apache Software Foundation for having a “well-established software development lifecycle with clear roles for vetting, testing, and approving new code.”

Log4j was broadly met with an appropriate sense of urgency — “yet organizations still struggled to respond to the event, and the hard work of upgrading vulnerable software is far from complete across many organizations,” the CSRB warned.

Hopefully organizations can patch things up in time for Log4j’s five-year anniversary.

The week, compiled

There may be no worse time to run an Exchange server.

Rackspace announced on Dec. 6 that recent outages affecting its Hosted Exchange service were the result of a ransomware attack. The company said it “has engaged a leading cyber defense firm to investigate” the incident, but in the meantime it’s “in ongoing communication with Hosted Exchange customers to help them migrate to a new environment as quickly as possible.”


Security researcher Kevin Beaumont reported that Rackspace appeared to be running a version of Exchange released in August. That version debuted before Microsoft patched the ProxyNotShell vulnerabilities, which could help explain how Rackspace was compromised.

Wired reported in October that it was “time to say goodbye to on-premise Exchange” because of the number of vulnerabilities found within the service, the number of threat actors looking to exploit them and the difficulty associated with keeping up with Microsoft’s security updates. Even organizations that can keep up with Exchange patches have to watch out for potential bypasses.

Now it seems that relying on anyone but Microsoft to manage an Exchange server is risky for everyone involved. Rackspace’s share price has plunged since the Hosted Exchange outages started, and a class-action lawsuit has been filed against the company “for negligence and related violations arising out of the email hosting provider’s recent high-profile data breach.”

Here are some of the other things that happened this week:

NBC: The Secret Service said on Dec. 5 that a Chinese threat actor, APT41, stole more than $20 million in COVID relief benefits in a pandemic fraud scheme that NBC reported “began in mid-2020 and spanned 2,000 accounts associated with more than 40,000 financial transactions.” The Secret Service has reportedly reclaimed “about half of the stolen $20 million” and is continuing to investigate similar cases.

WSJ: Apple announced on Dec. 7 that it plans to introduce “powerful new data protections” — iMessage Contact Key Verification, Security Keys for Apple ID and Advanced Data Protection for iCloud — “focused on protecting against threats to user data in the cloud.” That should be welcome news for Apple’s customers, but as always, the FBI said in a statement to The Wall Street Journal that it was “deeply concerned with the threat end-to-end and user-only-access encryption pose” to criminal investigations.

A message from Synack

Insecure and unmanaged APIs can lead to multimillion-dollar security incidents, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a webinar to learn of a better way to pentest for APIs. They break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and view the webinar on demand here.

Flash memory

Happy birthday, Chrome!

Google officially released its own browser on Dec. 11, 2008. In the 14 years since, both Chrome and the open source Chromium project it’s built upon have become a platform unto themselves.


StatCounter reports that Chrome has roughly 66% of the browser market at time of writing. Chromium provides the foundation for Microsoft Edge, Opera and Brave as well as other browsers.

That popularity means vulnerabilities in Chrome and Chromium have the potential to reach the vast majority of people browsing the web. Threat actors have been racing to discover and exploit these security flaws — Google has patched nine zero-day vulnerabilities in Chrome since the start of the year.

Many of those zero-days are exploited in the wild. A threat actor associated with the North Korean government exploited a Chrome zero-day earlier this year, for example, and Google’s Threat Analysis Group recently said a spyware vendor called Variston IT used similar flaws in its exploitation framework. Threat actors have also used malicious browser extensions, fake update pages and other tricks to take advantage of Chrome’s popularity without exploiting any vulnerabilities in the browser itself.

That’s all the bad news. The good news is that Chrome seems to be exempt from Google’s strategy of introducing a new project, working on it for a while and then canceling it. (See: Reader, Stadia… actually, just check out the Google graveyard.) Maybe that’s because most browsers never truly die: Google reported on Dec. 7 that Microsoft had to release an update to Internet Explorer, which it officially stopped maintaining in November 2020, because North Korean threat actors were exploiting a zero-day vuln in it.

Local files

HRW: Human Rights Watch said on Dec. 5 that it — along with “at least 18 other high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East” — has been targeted by “an ongoing social engineering and credential phishing campaign” it attributed to an Iranian government-backed threat actor tracked as APT42 by Mandiant and Charming Kitten by Google.

Reuters: A state-owned Russian bank, VTB, said on Dec. 6 that it was responding to a massive distributed denial-of-service (DDoS) attack. “The bank’s technological infrastructure is under an unprecedented cyber attack from abroad,” VTB told Reuters. “The largest not only this year, but in the whole time the bank has operated.” DDoS attacks are a hallmark of the volunteer IT Army of Ukraine created earlier this year.

The Record: New Zealand’s Office of the Privacy Commissioner said on Dec. 6 that a managed service provider called Mercury IT had been targeted by a ransomware attack. The Record reported that the attack “is feared to have disrupted dozens of organizations in the country, including several government departments and public authorities,” due to Mercury IT’s popularity throughout New Zealand.

Off-script

Last week, I was rooting for France to win the World Cup.

That was before Morocco made history by becoming the first African nation to reach the semifinal of a World Cup, besting Portugal 1–0.

It’s hard not to cheer for the Atlas Lions, as the Moroccan men’s national soccer team is known. Just look at forward Sofiane Boufal celebrating with his mother after Saturday night’s win.

I’m feeling very torn about my French allegiance as Morocco squares off against Les Bleus in the semifinal Wednesday. Good luck to… both teams?

Moroccan goalkeeper Yassine Bounou has been unflappable for the Atlas Lions throughout the World Cup this year. Abdellatif Zahim/Wikimedia Commons

That’s it for now — see you next Sunday! Don’t forget to send tips and feedback to bsobczak@synack.com or nmott@synack.com.