The hunt for the Log4Shell bug continues, and lessons from a ransomware attack on hospitals in Ireland.
Welcome to Cyber Security Today. It’s Wednesday, December 15th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
IT staff continue to hunt for evidence of the Log4Shell vulnerability in their systems. They face two problems. First, it could be a long hunt. The U.S. Cybersecurity and Infrastructure Security Agency estimates hundreds of millions of devices are vulnerable to the flaw in the Java-based Log4j2 logging library. The SANS Institute offers this advice: enumerate all internet-connected devices with log4j2 installed, make sure you monitor all the alerts from them, and configure a web application firewall to reduce the attack surface and the volume of alerts. If you’ve been thinking of moving Java-based applications to another technology, now’s the time to do it.
The second problem is your IT system may have been penetrated as early as the first of the month. Security researchers at Cloudflare and Cisco Systems reportedly found evidence of an exploit attempt that far back. So if your organization’s IT environment is exposed to the vulnerability, in addition to shutting the door look for evidence of compromise. Researchers note that attackers are already trying to leverage the vulnerability to install ransomware and cryptomining applications. The Canadian Centre for Cyber Security warned that log4j2 is used in many third-party enterprise applications and frameworks.
NOTE FOR DEVELOPERS: If your application includes log4j2, install the latest version, which is 2.16. It disables the vulnerability completely.
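One way to carry out the enumeration step SANS recommends, and to check each copy against the 2.16 release the developer note calls for, as an added Python example that is not part of the podcast: it walks a directory tree, opens every jar, war or ear it finds, reads the log4j-core pom.properties (including inside archives nested in other archives) and flags any version below 2.16. The directory tree it scans is constructed in a temporary folder for the demonstration; point scan_tree at a real application root to use it.

```python
import io
import pathlib
import re
import tempfile
import zipfile

# Maven metadata shipped inside log4j-core jars; its version= line identifies the build.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)  # version the episode says to install
ARCHIVES = (".jar", ".war", ".ear", ".zip")
def parse_version(text):
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None
def scan_archive(source, location, findings):
    """Open a jar/war/ear (path or bytes), record any log4j-core inside, recurse into nested jars."""
    try:
        zf = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return  # extension lied; not an archive
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            ver = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            # an unreadable version is flagged too, so it gets looked at by hand
            findings.append((location, ver, ver is None or ver < FIXED))
        for name in names:
            if name.lower().endswith(ARCHIVES):
                scan_archive(io.BytesIO(zf.read(name)), f"{location}!/{name}", findings)

def scan_tree(root):
    """Return sorted (location, version, needs_update) for every log4j-core found under root."""
    findings = []
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path, path.relative_to(root).as_posix(), findings)
    return sorted(findings)

def jar_bytes(version):
    """Constructed stand-in for a log4j-core jar that carries only its pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\n")
    return buf.getvalue()

def demo():
    """Scan a constructed tree: an old copy nested in a WAR plus a fixed standalone copy."""
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(pathlib.Path(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar_bytes("2.14.1"))
        pathlib.Path(root, "log4j-core-2.16.0.jar").write_bytes(jar_bytes("2.16.0"))
        return scan_tree(root)
```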
A huge number of successful cyber attacks start with an employee clicking on a malicious link in an email. That’s exactly how the ransomware attack on Ireland’s healthcare system started last May, according to a report released this month. Here’s a brief description of what happened: On March 18th an employee opened an infected Microsoft Excel file attached to a phishing email. That allowed the attacker to compromise that computer and start looking around. Thirteen days later the health network’s antivirus software detected two tools often used by criminals, Cobalt Strike and Mimikatz. Mimikatz is used for stealing passwords. But the antivirus was set to monitor mode, so it didn’t block the use of those tools. Nor was there any detection by the network’s incident response provider. Almost two months after the initial compromise the attacker started compromising other systems. One hospital detected the Cobalt Strike tool on two of its systems, but failed to act. In all, six hospitals were compromised in early May. On May 12th suspicious activity was detected and the health system was warned, but it was too late to stop the ransomware attack on six hospitals two days later. The Irish Department of Health, however, acted fast enough that most of its systems were spared. The Conti ransomware gang eventually released decryption keys after a public uproar. But it took months for the healthcare system to be cleansed, at a cost of about $600 million.

I’ll have a longer story about the report on ITWorldCanada.com. But the report says there are several lessons: One is that the cybersecurity maturity of the Irish healthcare system was low. Crucially, the system had a flat IT network. A segmented network is better at preventing compromises from spreading. The system relied on a single antivirus product that was not regularly patched across the network. In addition, the security monitoring couldn’t effectively detect, investigate and respond to cybersecurity alerts.
Finally, yesterday was Microsoft’s monthly Patch Tuesday, when security patches were released for Microsoft products. Make sure your systems have been updated. The patches fix a number of critical vulnerabilities. Apple released updates for its iOS, iPadOS, macOS and other operating systems. And Google is pushing out an update to the Chrome browser to fix a number of issues, one of which is critical.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.