The hunt for the Log4Shell bug continues and lessons learned from the ransomware attack on hospitals in Ireland.
Welcome to Cybersecurity today. It’s Wednesday, December 15th. I’m Howard Solomon, contributing cybersecurity writer for ITWorldCanada.com.
IT staff continue to hunt for evidence of the Log4Shell vulnerability in their systems. They face two problems. First, it can be a lengthy hunt. The US Cybersecurity and Infrastructure Security Agency estimates that hundreds of millions of devices are exposed to the vulnerability in the Java-based log4j2 logging library. The SANS Institute gives this advice: list all internet-connected devices with log4j2 installed, make sure you monitor all warnings from them, and configure your web application firewall to reduce the attack surface. If you have been thinking of porting Java-based applications to another technology, now is the time to do it.
The second problem is that your IT system could have been compromised as early as the first day of the month. Security researchers at Cloudflare and Cisco Systems reported finding evidence of earlier exploit attempts. So if your organization’s IT environment has the security hole, in addition to closing it, look for evidence of a breach. The researchers note that attackers are trying to take advantage of the vulnerability to install ransomware and cryptocurrency mining applications. Canada’s Cybersecurity Centre warns that log4j2 is used in many third-party enterprise applications and frameworks.
NOTE TO DEVELOPERS: If your app includes log4j2, install the latest version, which is 2.16. It completely disables the vulnerability.
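As an added example that is not part of the podcast, here is a small POSIX shell inventory script for the "find where log4j2 is installed" step above: it walks a directory tree, lists log4j-core jars by their standard log4j-core-<version>.jar file name, and flags anything below the 2.16 release the episode names. It assumes GNU sort (for -V) and uses a constructed fixture directory for the demo.

```shell
#!/bin/sh
# Added example (not from the podcast or the Log4j project): inventory log4j-core
# jars under a directory tree and flag versions older than the fixed release.
# Limitation: matching is by file name only. log4j-core repackaged inside fat
# jars, WAR/EAR archives or renamed jars is NOT found, so "no hits" is not "safe".

FIXED_VERSION="2.16.0"   # release the episode names as fully closing the hole

# Return 0 (true) if version $1 is strictly lower than $2. Assumes GNU sort -V.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Print one line per log4j-core jar under $1: "<VULNERABLE|OK> <version> <path>".
scan_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf 'VULNERABLE %s %s\n' "$ver" "$jar"
        else
            printf 'OK %s %s\n' "$ver" "$jar"
        fi
    done
}

# Number of flagged jars under $1 (0 means nothing flagged by name, not "clean").
count_vulnerable() {
    scan_log4j "$1" | grep -c '^VULNERABLE ' || true
}

# Constructed fixture (empty placeholder files, not real jars): one old, one patched.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/app1/lib" "$d/app2/WEB-INF/lib"
    : > "$d/app1/lib/log4j-core-2.14.1.jar"
    : > "$d/app2/WEB-INF/lib/log4j-core-2.16.0.jar"
    printf '%s\n' "$d"
}

fixture=$(make_fixture)
scan_log4j "$fixture"
echo "flagged: $(count_vulnerable "$fixture")"
rm -rf "$fixture"
```

In real use, point scan_log4j at application roots such as your servlet container's deployment directories, and treat the file-name match as a first pass to be confirmed by inspecting archive contents.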
A large number of successful cyber attacks begin with an employee clicking a malicious link in an email. That’s exactly how the ransomware attack on Ireland’s healthcare system began last May, according to a report published this month. Here’s a brief description of what happened: On March 18, an employee opened a malicious Microsoft Excel file that was attached to a phishing email. That allowed an attacker to get into that computer and start looking around. Thirteen days later, the health network’s antivirus software discovered two software tools commonly used by crooks, named Cobalt Strike and Mimikatz. Mimikatz is used to steal passwords. But the anti-virus had been put in monitoring mode, so it didn’t block the use of those tools. Nor were there any detections by the network’s incident response provider.

Almost two months after the first compromise, the attackers began to infiltrate other systems. One hospital detected the Cobalt Strike tool on two of its systems, but the detection was not followed up. In all, six hospitals were compromised as of early May. On May 12, suspicious activity was detected and the health system was alerted, but it was too late to stop the ransomware attack on six hospitals two days later. However, the Irish Department of Health acted quickly enough that most of its systems were spared. The Conti ransomware gang finally released the decryption keys after a public outcry. But it took months for the health care system to be cleaned up, at a cost of about $600 million. I will have a longer story on the report on ITWorldCanada.com.

But the report says there are some lessons. One is the low level of cybersecurity maturity in the Irish healthcare system. Importantly, the system has a flat IT network. A segmented network is better at preventing compromises from spreading. The system relied on a single anti-virus product that was not consistently updated across the network. In addition, security monitoring could not effectively detect, investigate, and respond to cybersecurity alerts.
Finally, yesterday was Microsoft’s monthly Patch Tuesday, when security patches are released for Microsoft products. Make sure your systems are up to date. The patches fix a number of critical vulnerabilities. Apple has released updates for iOS, iPadOS, macOS, and its other operating systems. And Google is rolling out an update to the Chrome browser that fixes a number of issues, one of which is critical.
That’s it for today. Remember, links to detailed information on the podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find my other stories.
Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts, or add us to your Flash Briefing on your smart speaker.