Maintaining and reviewing adequate system and application-level logging," Steinkamp says. conducting regular penetration testing activities to proactively identify these before being exploited by malicious actors and 4. running regular internal and external vulnerability scans 2. "These measures include but are not limited to: 1. Karl Steinkamp, Director of Delivery Transformation and Automation at Coalfire, recommends organizations ensure they have prevention and detection measures in place to eliminate the effectiveness of these types of attacks while vendor security patching is conducted. North Korean hackers have previously been reported as having been involved in large scale funds transfer thefts, so reporting of Iranian state-backed hackers doing similar is unsurprising.” Crypto offers a convenient means of obtaining and moving funds in a way that could bypass such sanctions. A nation-state attacker might engage in financially motivated hacking as a way to augment their operations and maintain funding especially when faced with economic uncertainty and other financial sanctions. Having access to real-time data and a rapid remediation capability is fundamental to enabling FECB agencies to quickly identify and respond to these types of attacks. Hallenbeck adds, "Time favors the attacker, and the unfortunate reality is that small agencies may not have the resources to support a robust cybersecurity program so they must find ways to improve patching efficacy and increase visibility across their estate. “The challenge has been so great that the government is moving forward with a plan to require an SBOM be created for all software deployed on federal systems.” When Log4Shell initially was announced, Christopher Hallenbeck, Chief Information Security Officer, Americas at Tanium, says, “most security practitioners knew this would be a long-lived issue given how many places the vulnerable software was embedded, along with the difficulty in identifying its presence.” Hallenbeck says the industry will continue to see reports like this exploiting not just Log4Shell but other as yet unknown vulnerabilities hidden within a Software Bill Of Materials (SBOM). Hopefully, crypto-mining was the sole outcome of this attack and not more than that.” This emphasizes the need for MFA inside the network, which was clearly missing here. Randori has been in contact with VMware and is providing relevant information to their teams but will not release proof-of-concept code. As we see here, once a toehold is gained - attackers are then able to simply pick up administrator credentials and use them to move laterally before eventually compromising the entire domain. The Randori Attack Team can confirm exploitability of VMWare products in live environments (VMSA-2021-0028) via Log4j (CVE-2021-44228) aka Log4Shell. It is a gift to state actors and access brokers, and this attack is proof of the impact critical vulnerabilities such as this can have when left unpatched. Yaron Kassner, CTO and Co-Founder of Silverfort, says, “The alert from CISA is evidence of the unfortunate legacy we were warned to expect from Log4Shell at the time of its discovery.
0 Comments
Leave a Reply. |