OSIRIS Brief 1.16.0
Log4Shell, Pegasus spyware used against US Government, Ransomware battles intensify, Tor deanonymization, and Nobelium bypassing 2FA
With the holidays approaching/upon us, things have gotten far busier than I would have ever expected. Consequently, I missed last week’s brief and came close to missing this week as well. Rather than blow off two briefs in a row, I’m going to try an experiment: this brief will be longer than usual to include information from last week, and will not include the usual one-page PDF. Let me know what you think in the comments below.
Massive Exploits of Log4Shell
The information security community has its latest major security challenge in “Log4Shell” Log4Shell, or “Log4J” is a zero-day vulnerability in a popular Java library. Libraries are tools programmers write to accomplish simple tasks, and which other programmers reuse. While libraries are convenient, when a security vulnerability emerges in a popular library, the vulnerability creates a major security challenge throughout the industry.
Libraries are like having everyone copy test answers from the smartest kid in class. As long as the answers are right, there is no problem. Even the smartest kid makes mistakes sometimes, and when that happens everyone gets the answer wrong.
The Log4J vulnerability essentially allows an attacker to use a log file to inject malicious code. Log files are an important part of programming and security, because log files record what the program does, usually tracking every operation. Consequently, nearly every online service uses log files, and Log4Shell is a library that many services use to create the log file. Imagine if someone could make your car do almost anything the car was capable of any time a spark plug fired in the engine.
The Log4Shell vulnerability has spawned dozens of attacks. The problem is expanding, as new varieties of attacks emerge. Patches are available and security companies have released mitigating software.
The Log4Shell vulnerability is a big deal, with some people claiming it “threatens the entire internet.” It is too soon to tell if concern about Log4Shell is hyperbolic, but I’ve personally seen and done more scrambling surrounding this vulnerability than I have in the past. Even people who only run a home Minecraft Java server, are having to patch their systems, so a lot more people are having to work to fix the problem than usual. I will write up a better explanation as more information becomes available.
Pegasus Was Used Against the US Dept. of State
Reuters reported last week that an unknown actor had deployed the “Pegasus” spyware against US State Department officials. Reports indicate that at least nine people working in the US Embassy in Uganda, or working on topics related to Uganda, had their phones compromised. There have been indications in the past that American officials might have fallen victim to Pegasus. This is the first confirmation I am aware of that the NSO spyware was used against US government interests.
Pegasus’s use against US government targets will likely increase pressure on the NSO Group. Ample research has shown that claims the NSO Group’s spyware was only used against terrorists are false. Pegasus has even been used against human rights activists. Adding the US government to a list of adversaries is a dire sign for the company.
Battle Against Ransomware Rages
Ransomware users and defenders against ransomware continue to wage an intense online battle. A previously-known malware called Trickbot started spreading Emotet ransomware. By combining Trickbot with Emotet, the Emotet botnet is a threat again less than a year after a multinational operation took down the original botnet in January. Emotet returned in November and is infecting computers using Microsoft Office documents. The latest version of Emotet also spreads through Windows Installer programs.
Ransomware groups are debuting new tactics, targets, and exploits, too. A ransomware gang called “Cuba” has extorted $44 million in the US. Ransomware shut down the British supermarket chain, Spar and interrupted service on the Toronto Transit Commission. Planned Parenthood revealed a ransomware gang had also stolen 400,000 patients’ data. Ransomware gangs are also using social media to pressure reluctant companies to pay ransoms.
Governments have struck back against ransomware gangs, with some success. The US has collaborated with Eastern European governments to crack down on REvil, one of the most notorious ransomware gangs. The US is also offering $10 million for information about the leadership of the DarkSide ransomware gang. The crackdown has been so successful, some gangs are questioning whether they can freely operate in those countries. How durable these counter-ransomware successes are, remains to be seen.
Someone Is Trying to De-Anonymize Tor
An independent researcher discovered a threat actor he calls KAX17 attempting to discover the identities of people using the Tor network. The Tor network is a network of computers on the internet that, when used properly, hides a user’s identity from observers and allows users to bypass government controls on internet use. Relays that do not collect information about who is using the network are an important component of the Tor network.
Imagine the internet like a subway system. If we want to track someone moving along the subway trains, all we need to do is watch where people enter the subway and track which train they board at which station. The stations are the same as routers or relays on the internet. On the normal internet, it is possible to track people moving across the subway system, but the Tor network sets up different stations that people cannot observe. Therefore we can observe traffic entering the Tor network, but once on the Tor network, we can no longer see where the traffic goes. On our imaginary subway system, people get onto the subway, but change trains in stations where no one can see them changing trains.
The researcher writing as “nusenu” identified malicious Tor network relays in the past. KAX17 may be trying to inject enough malicious relays into the Tor network to discover users’ hidden identities by ensuring most users will transit a malicious relay. If KAX17 can put enough Tor relays into the network, it becomes possible that KAX17 would be able to track some Tor network traffic. The effect would be like placing observers in enough of the secret subway stations that you could follow someone as they change trains.
Many groups could be responsible for such efforts, and nusenu does not speculate who is behind the malicious relays. The most likely candidates are China or Russia, who invest a lot of time and money into domestic surveillance. The Tor network is one of the ways Chinese and Russian citizens can get around information controls. Western governments, like the US and UK, could also execute such an ambitious plan. Law enforcement agencies in all countries view the Tor network with suspicion, as criminals also use the Tor network.
Russian Threat Actor Bypasses 2FA
Researchers demonstrated that the Advanced Persistent Threat (APT) Microsoft calls “Nobelium” can defeat push-notification-based multi-factor authentication (MFA). Nobelium is probably a Russian APT. MFA increases security by requiring that users prove their identity using more than one method. Push notification MFA sends users a notification to their cell phone through an app on their phone, which users can then acknowledge by tapping a button. Nobelium bypasses MFA by acclimatizing to receiving multiple authentications and habitually approving the authentication.
Other APTs have demonstrated similar capabilities but having Nobelium develop the ability to bypass an important security feature is especially alarming. Nobelium is one of the most active and dangerous APTs operating. Most research indicates Nobelium is a Russian APT behind the Solar Winds attack, but the exact identity remains unclear. Being able to bypass MFA makes Nobelium even more dangerous.
David Benson is a Professor of Strategy and National Security focusing on cyberstrategy and international relations. You can reach him at firstname.lastname@example.org.
To get more insightful analysis like this in your inbox at no cost please subscribe.
Ask a question! Raise an objection! Leave a comment!