

Microsoft: Log4j exploits extend past crypto mining to outright theft



Microsoft said Saturday that exploits so far of the critical Apache Log4j vulnerability, known as Log4Shell, extend beyond crypto coin mining and into more serious territory such as credential and data theft.

The tech giant said that its threat intelligence teams have been tracking attempts to exploit the remote code execution (RCE) vulnerability that was revealed late on Thursday. The vulnerability affects Apache Log4j, an open source logging library deployed broadly in cloud services and enterprise software. Many applications and services written in Java are potentially vulnerable.

More serious exploits

Attacks that take over machines to mine crypto currencies such as Bitcoin, also known as cryptojacking, can result in slower performance.

In addition to coin mining, however, Log4j exploits that Microsoft has seen so far include activities such as credential theft, lateral movement, and data exfiltration. Along with providing some of the largest platforms and cloud services used by businesses, Microsoft is a major cybersecurity vendor in its own right with 650,000 security customers.

In its post Saturday, Microsoft said that “at the time of publication, the vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed.”

In particular, “Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems,” the company said.

Microsoft did not provide further details on any of these attacks. VentureBeat has reached out to Microsoft for any updated information.

According to a post from Netlab 360, attackers have exploited Log4Shell to deploy malware including Mirai and Muhstik—two Linux botnets used for crypto mining and distributed denial of service (DDoS) attacks.

The Swiss Government Computer Emergency Response Team posted that it has observed use of Mirai and Muhstik (also known as Tsunami) to deploy DDoS attacks, as well as deployment of Kinsing malware for crypto mining.

Behavior-based detection

In response to the vulnerability, Microsoft said that security teams should focus on more than just attack prevention—and should also be looking for indicators of an exploit using a behavior-based detection approach.

Because the Log4Shell vulnerability is so broad, and deploying mitigations takes time in large environments, “we encourage defenders to look for signs of post-exploitation rather than fully relying on prevention,” the company said in its post. “Observed post exploitation activity such as coin mining, lateral movement, and Cobalt Strike are detected with behavior-based detections.”

Cobalt Strike is a legitimate tool for penetration testing that is commercially available, but cyber criminals have increasingly begun to leverage the tool, according to a recent report from Proofpoint. Usage of Cobalt Strike by threat actors surged 161% in 2020, year over year, and the tool has been “appearing in Proofpoint threat data more frequently than ever” in 2021, the company said.

In terms of Microsoft’s own products that may have vulnerabilities due to use of Log4j, the company has said that it’s investigating the issue. In a separate blog post Saturday, the Microsoft Security Response Center wrote that its security teams “have been conducting an active investigation of our products and services to understand where Apache Log4j may be used.”

“If we identify any customer impact, we will notify the affected party,” the Microsoft post says.

Patching the flaw

The Log4Shell vulnerability has impacted version 2.0 through version 2.14.1 of Apache Log4j, and organizations are advised to update to version 2.15.0 as quickly as possible. Vendors including Cisco, VMware, and Red Hat have issued advisories about potentially vulnerable products.

“Something to keep in mind about this vulnerability is that you may be at risk without even knowing it,” said Roger Koehler, vice president of threat ops at managed detection and response firm Huntress, in an email. “Lots of enterprise organizations and the tools they use may include the Log4j package bundled in — but that inclusion isn’t always evident. As a result, many enterprise organizations are finding themselves at the mercy of their software vendors to patch and update their unique software as appropriate.”

However, patches for software products must be developed and rolled out by vendors, and it then takes additional time for businesses to test and deploy the patches. “The process can end up taking quite some time before businesses have actually patched their systems,” Koehler said.
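Because bundled copies are the hard part to see, an inventory check helps while vendor patches are pending. The sketch below is an added example, not code from Microsoft, Huntress, or the article: it walks an archive and any archives nested inside it, reports each log4j-core copy, and flags versions in the range stated above. It assumes the Maven `pom.properties` metadata survived repackaging; the sample WAR and the name `vendor-plugin.jar` are constructed.

```python
import io
import re
import zipfile

# Range as stated in the article: 2.0 through 2.14.1 affected, 2.15.0 is the update.
FIXED = (2, 15, 0)
# Maven metadata that log4j-core ships with; assumed not stripped when repackaged.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def is_affected(version_text):
    """True for 2.0 <= version < FIXED; pre-release tags ('2.0-beta9') count as 2.0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version_text.strip())
    return bool(m) and (2, 0, 0) <= tuple(int(g or 0) for g in m.groups()) < FIXED

def scan_archive(data, label, depth=0, max_depth=5):
    """Return [(path, version, affected)] for each log4j-core copy, nested ones included."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive despite its extension
    with zf:
        names = zf.namelist()
        if POM in names:
            props = zf.read(POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            ver = m.group(1).strip() if m else "unknown"
            findings.append((label, ver, is_affected(ver)))
        for name in names:  # descend into fat JARs and WEB-INF/lib entries
            if depth < max_depth and name.lower().endswith(ARCHIVE_EXT):
                findings += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)
    return findings

def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def build_sample_war():
    """Constructed sample: one updated JAR, one shaded JAR hiding an affected copy."""
    jar = lambda v: _zip({POM: f"version={v}\n"})
    return _zip({"WEB-INF/lib/log4j-core-2.15.0.jar": jar("2.15.0"),
                 "WEB-INF/lib/vendor-plugin.jar": jar("2.14.1")})

if __name__ == "__main__":
    for path, ver, bad in scan_archive(build_sample_war(), "app.war"):
        print(f"{'AFFECTED' if bad else 'ok':<9}{ver:<9}{path}")
```

The affected copy in the sample sits in a JAR whose file name gives no hint of Log4j, which is the case a file-name search misses.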

To help reduce risk in the meantime, workarounds have begun to emerge for security teams.

Potential workaround

One tool, developed by researchers at security vendor Cybereason, disables the vulnerability and allows organizations to stay protected while they update their servers, according to the company.

After deploying it, any future attempts to exploit the Log4Shell vulnerability won’t work, said Yonatan Striem-Amit, cofounder and chief technology officer at Cybereason. The company has described the fix as a “vaccine” because it works by leveraging the Log4Shell vulnerability itself. It was released for free on Friday evening.

Still, no one should see the tool as a “permanent” solution to addressing the vulnerability in Log4j, Striem-Amit told VentureBeat.

“The idea isn’t that this is a long-term fix solution,” he said. “The idea is, you buy yourself time to now go and apply the best practices — patch your software, deploy a new version, and all the other things required for good IT hygiene.”

Widespread vulnerability

The Log4Shell vulnerability is considered highly dangerous because of the widespread use of Log4j in software and because the flaw is seen as fairly easy to exploit. The RCE flaw can ultimately enable an attacker to remotely access and control devices.

Log4Shell is “probably the most significant [vulnerability] in a decade” and may end up being the “most significant ever,” Tenable CEO Amit Yoran said Saturday on Twitter.

According to W3Techs, an estimated 31.5% of all websites run on Apache servers. The list of companies with vulnerable infrastructure reportedly includes Apple, Amazon, Twitter, and Cloudflare.

“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” said Jen Easterly, director of the federal Cybersecurity and Infrastructure Security Agency (CISA), in a statement posted Saturday.



Identity in the metaverse: Creating a global identity system



With the advent of the metaverse, the need for a global identity system has become apparent. There are many different ways to create an identity in the metaverse, but no single system is universally accepted. 

The challenge is usually two-fold: first, how to create an identity that is accepted by all the different platforms and services in the metaverse, and second, how to keep track of all the different identities a person may have.

There are many proposed solutions to these challenges, but no clear consensus has emerged. Some believe that a single, global identity system is the only way to ensure interoperability between different platforms and services. Others believe that multiple identities are necessary to allow people to maintain their privacy and security.

The debate is ongoing, but it is clear that the need for a global identity system is becoming more urgent as the metaverse continues to grow.



In this article, we will explore the various options for creating a global identity system in the metaverse. We will discuss the pros and cons of each option, and try to identify the best solution for the future.

Option 1: A single global identity

The simplest solution to the problem of identity in the metaverse is to create a single, global identity system. This would be a centralized system that would be responsible for managing all identities in the metaverse. 

The advantages of this approach are obvious: It would be much easier to keep track of identities, and there would be no need to worry about different platforms and services accepting different identities. In addition, a centralized identity system would allow for better security and privacy controls, as well as the ability to track identity theft and fraud.

However, this approach also has several disadvantages. First, it would be very difficult to create a global identity system that is accepted by everyone. Second, a centralized system would be vulnerable to attack and could be used to track people’s movements and activities. Third, it would be difficult to protect the privacy of users in a centralized system.

Option 2: Multiple identities

Another solution to the problem of identity in the metaverse is to allow each person to have multiple identities. This would mean that each person could have one or more identities that they use for different purposes. 

One of the main advantages of this approach is that it would allow people to maintain their privacy and security. Each person could choose which identity to use for each situation, and they would not have to worry about their entire identity being exposed. In addition, this approach would be more resilient to attack, as it would be much harder to take down multiple identities than a single one.

The limitations of such an approach would be that it could be difficult to keep track of all the different identities, and there would be no guarantee that different platforms and services would accept all of them. In addition, multiple identities could lead to confusion and could make it more difficult for people to build trust with others.

Option 3: A decentralized identity system

A third solution to the problem of identity in the metaverse is to create a decentralized identity system. This would be an identity system that is not controlled by any one centralized authority but rather is distributed among many different nodes. 

This might seem like the ideal approach, since decentralization is a common theme in the metaverse. However, there are still some challenges that need to be overcome. For instance, it would need to be ensured that all the different nodes in the system are properly synchronized and that the system as a whole is secure. In addition, it might be difficult to get people to adopt such a system if they are used to the more traditional centralized approach.

One solution would be to get the nodes in the system to be run by different organizations. This would help to decentralize the system and make it more secure. Another advantage of this approach is that it would allow different organizations to offer their own identity services, which could be more tailored to their needs.

Another would be to incorporate an edge computing solution into the system. This would allow for more decentralized processing of data and could help to improve performance. It would also make the system more resilient to attack since there would be no centralized point of failure.

The best solution for the future of identity in the metaverse is likely to be a combination of these approaches. A centralized system might be necessary to provide a basic level of identity services, but it should be supplemented by a decentralized system that is more secure and resilient. Ultimately, the goal should be to create an identity system that is both easy to use and secure.

The ideal identity standards of the metaverse

Now that we have explored the various options for identity in the metaverse, we can start to identify the ideal standards that should be met by any future global identity system. 

It is no easy task to create a global identity system that meets all of the criteria, but it is important to strive for an ideal solution. After all, the metaverse is still in its early stages, and the decisions made now will have a lasting impact on its future. 

Current iterations of the metaverse have used very traditional approaches to identity, but it is time to start thinking outside the box. The ideal solution will be one that is secure, private, decentralized, and easy to use. It will be a solution that allows people to maintain their privacy while still being able to interact with others in the metaverse. 

Most importantly, it will be a solution that can be accepted and used by everyone. Only then can we hope to create a truly global identity system for the metaverse.

The bottom line on identity in the metaverse

The question of identity in the metaverse is a complex one, but it is an important issue that needs to be addressed. 

The challenges associated with creating an implementation that is secure, private and decentralized are significant, but they are not insurmountable. For one, it will be important to get buy-in from organizations that have a vested interest in the metaverse. These organizations can help to promote and support the adoption of identity standards. 

It is also important to keep in mind that the metaverse is still evolving, and the solution that is ideal today might not be ideal tomorrow. As such, it will be critical to have a flexible identity system that can adapt as the needs of the metaverse change. 

Ultimately, the goal should be to create an identity system that is both easy to use and secure. Only then can we hope to create a truly global identity system for the metaverse.

Daniel Saito is CEO and cofounder of StrongNode
