One of the mysteries about Log4shell so far has been the relative absence of Russian exploitation, whether by privateers or intelligence services. Given the extensive activity observed on the part of China, North Korea, Iran, and Turkey, where have the Russian threat actors been? BGRnoted that the usual Russian operators seemed to have been quiet, so far. Mandiant, in its own rundown of cyberespionage taking advantage of Log4j vulnerabilities, sensibly said, "We expect threat actors from additional countries will exploit it shortly, if they havent already. In some cases, state sponsored threat actors will work from a list of prioritized targets that existed long before this vulnerability was known. In other cases, they may conduct broad exploitation and then conduct further post-exploitation activities of targets as they are tasked to do so."
SecurityScorecard has solved that mystery. It reported this morning that it's observed Drovorub activity, and Drovorub points to its masters at Fancy Bear, APT28, Russia's GRU military intelligence service. Drovorub, which means "woodcutter," is a toolkit developed by the GRU's 85th Main Special Services Center for use against Linux-based systems. And that activity has been extensive. SecurityScorecard regards Russian reconnaissance, probing, and probable exploitation as comparable in scale to what's been observed from China. More developments can be expected, the researchers write: "Its important to remember that we are still in the very early days of trying to understand this security issue and how its being used by threat actors."
There's reason to think that self-propagating worms are under development to take advantage of Log4j bugs. Researcher Greg Linares believes at least three groups are working on a Log4j worm. SecurityWeek, which cites Linares, also quotes other researchers who think the news of a coming worm is unproven at least, unlikely at best, or probably likely to lead to worms less serious than some of the high-profile cases observed earlier this century.
The US Cybersecurity and Infrastructure Security Agency (CISA) this morning issued Emergency Directive 22-02, directing the US Federal agencies that fall within its remit to identify and update all vulnerable systems no later than 5:00 PM Eastern Standard Time on December 23rd. CISA gives the agencies until December 28th to report completion. In full, the required actions are as follows:
"By 5 pm EST on December 23, 2021:
"By 5 pm EST on December 28, 2021:
Log4j is from Apache's open source library, and some have asked if the vulnerability exposed as Log4shell should call into question the very idea of using open-source software. The short answer would be, according to some, not at all. IT World Canada has a useful discussion of the issue, in which they point out that the Open Source Security Foundation is well-funded, backed by deep-pocketed tech firms, and that securing open source software is not a hobbyist's labor of love. The piece quotes the CTO of NCC Group, Ollie Whitehouse, who frames it this way:
All software, open-source, closed-source, has latent cybersecurity vulnerabilities. We are only now getting to a point where we understand how to industrialize the detection and remediation of that. And the Open Source Security Foundation, with very large technology vendor backing now, is making concerted efforts to give it support, understanding that some of these projects are maintained by small teams.
MIT Technology Review takes the contrary view, arguing that the security of open-source software is indeed overlooked and underfunded. Their article quotes Veracode's CTO, Chris Wysopal, who says, The open-source ecosystem is up there in importance to critical infrastructure with Linux, Windows, and the fundamental internet protocols. These are the top systemic risks to the internet.
In truth there are probably significant local variations in resourcing and attention, which is the case with software produced by a variety of teams in any organization.
Vendors are working to patch their products against Log4shell, and it's proving to involve the "struggle" most observers have foreseen, Reuters reports. As the patches are issued, they should of course be applies when practicable.
Ric Longenecker, CISO at Open Systems, wrote to offer an assessment of the Log4shell (and yes, he thinks, the exploits are indeed wormable):
Some are calling Log4J the vulnerability of the decade. Forty percent of organizations are reportedly being targeted, and it is wormable. Weve already gotten a taste of the potential impact of this vulnerability with Kronos Global being hit, and we should be wary of other potential organizations at risk and how it may impact the ability to distribute paychecks before the holidays. Companies must continue taking this very seriously and must ensure round-the-clock monitoring. We strongly encourage all companies to seek out a trusted security partner to help protect themselves against a potential attack. Log4J might be a doorway into an organization thats used as a foothold, but not executed on for several months. When that time comes, enterprises may be able to avert a severe compromise or ransomware attack if proper steps are taken beforehand.
He recommends that all organizations take these steps to protect themselves:
Rezilion also sent us some recommendations, and theirs are directed toward small businesses:
"Scan now with what you have, but make sure your scan also accounts for various types of nested JAR files and for cases in which Log4j isn't explicitly mentioned as part of the JAR name.
"Build a remediation plan that prioritizes patching Log4j instances that are loaded into memory first. This will ensure you patch what's actually exploitable first versus applying remediation efforts where it's not critically needed.
"Devote some resources into validating whether active exploitation of your organization is taking place. For organizations without appropriate commercial solutions, there are some recent open source projects available that are aimed at discovering exploitation attempts."
And the holiday season may be a busy one for IT and security teams. Randal Pinto, CTO of Red Sift, commented:
The log4j vulnerability will still be around for some time and security teams will have a busy holiday season patching up systems. But our advice for organizations is to be thorough in your assessment. Dont only look internally but also at your supply chain, given the number of ways this vulnerability can be exploited. Ultimately this is another stark reminder that hackers will try all channels as a way to infiltrate a system, not only the obvious ones.
Link:
Log4j: Where's Fancy Bear been? Right there, choppin' lumber... - The CyberWire
- Labour frontbencher advocates for open source software and regulatory innovation - Computing - February 9th, 2024
- Open Source Software: Meaning, Importance, and Examples | Spiceworks - Spiceworks News and Insights - February 9th, 2024
- Office of National Cyber Director Issues 2023 Year-End Report on Open Source Software Security Initiative - Executive Gov - February 1st, 2024
- 40 Must-Have Free Open Source Software for 2023 - Tecmint - October 16th, 2023
- What Is Open Source Software and How Does It Work? | Synopsys - March 5th, 2023
- 15 Best Open Source Software You Must Try in 2023 - Turing - February 25th, 2023
- Cyber Security Today, Feb. 24, 2023 Holes in open source software, ransomware gang tries to evade cyber insurers and more - IT World Canada - February 25th, 2023
- What is Open Source Software? - SourceForge Articles - February 15th, 2023
- About the Open Source Initiative | Open Source Initiative - December 28th, 2022
- Comparison of free and open-source software licenses - December 20th, 2022
- Building an open source software community - SAS Users - December 4th, 2022
- The US Securing Open Source Software Act of 2022 is a step in the right direction - TechCrunch - November 25th, 2022
- Microsoft: Hackers are using open source software and fake jobs in ... - November 17th, 2022
- Open Source Software Directory - OSSD - October 23rd, 2022
- Source Code for Open Source Software Components - Oracle - October 15th, 2022
- We dont teach developers how to write secure software Linux Foundations David A Wheeler on reversing the CVE surge - The Daily Swig - October 15th, 2022
- Learn Linux online for free with Linux Foundation Courses from edX - TechRepublic - October 15th, 2022
- The Blockchain Sector is growing with the help of Open-Source Technology - Wales 247 - October 15th, 2022
- GCHQ chief warns of Chinese . US open source software bill advances. Financial Stability Board on crypto regulation. - The CyberWire - October 15th, 2022
- When transparency is also obscurity: The conundrum that is open-source security - Help Net Security - October 7th, 2022
- You thought you bought software all you bought was a lie - The Register - October 7th, 2022
- Linux Foundation Energy Gains More Industry Support to Drive the Energy Transition - PR Newswire - October 7th, 2022
- State of Open Source Survey By OpenLogic To Take Place In 2023 - Open Source For You - September 29th, 2022
- 15-Year-Old Python Vulnerability Still Affects Over 350,000 Open-Source Projects - Spiceworks News and Insights - September 29th, 2022
- How Can Open Source Sustain Itself without Creating Burnout? - thenewstack.io - September 29th, 2022
- OpenAI opens doors to DALL-E after the horse has bolted to Midjourney and others - The Register - September 29th, 2022
- Red Hat And NdcTech Collaborate To Deliver Solutions Based On Open Source - Open Source For You - September 21st, 2022
- Paladin Cloud Joins the Cloud Native Computing Foundation - GlobeNewswire - September 21st, 2022
- Open Source Software - W3 - September 13th, 2022
- Understanding the hows and whys of open source audits - Security Boulevard - September 13th, 2022
- New Metaverse Track at O3DCon to Tackle Big Questions and Practical Applications of Emerging Graphical Technology - PR Web - September 13th, 2022
- TechOps is a mess: Open source is the solution - BetaNews - September 13th, 2022
- Rezilion Recognized as SBOM Tool Provider in Gartner Emerging Technologies Trend Report on Software Bills of Materials (SBOM) USA - English - USA -... - September 13th, 2022
- Open Security: The next step in the evolution of cybersecurity - SC Media - September 13th, 2022
- 11 Interesting Firefox Add-ons to Improve Your Browsing Experience - It's FOSS - September 13th, 2022
- why the giants fight over open source - Gearrice - September 5th, 2022
- Compare Files in Linux With These Tools - It's FOSS - September 5th, 2022
- Microsoft and ByteDance are collaborating on a big AI project, even as US-China rivalry heats up - CNBC - August 28th, 2022
- OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain - DARKReading - August 20th, 2022
- How W4 plans to monetize the Godot game engine using Red Hats open source playbook - TechCrunch - August 20th, 2022
- Secure Open Source Rewards' to help in preventing assaults on the software supply chain. Check out how! - Economic Times - August 20th, 2022
- Free Dev Tools! But Whats the Catch? - DevOps.com - August 20th, 2022
- This Company is Aiming to Do to the Guest what VMWare and AWS Did to the Host - GeekWire - August 20th, 2022
- What Is Open-Source Software? (Definition and Examples) - August 12th, 2022
- What is open source software? | IBM - August 12th, 2022
- 55+ Best Open Source PC Software for almost Everything - August 12th, 2022
- 80 percent of enterprises use open source software and nearly all worry about security - BetaNews - August 12th, 2022
- The US Military Should Red-Team Open Source Code - Defense One - August 12th, 2022
- Boeing joins the ELISA Project as a Premier Member to Strengthen its Commitment to Safety-Critical Applications - PR Newswire - August 12th, 2022
- Looking for simplicity in the cloud? The future is going to be open and hybrid - The Register - August 12th, 2022
- AAIS & The Linux Foundation Welcome Jefferson Braswell as openIDL Project Executive Director - The Bakersfield Californian - August 4th, 2022
- Wicked Good Development Episode 13: Hacks and Ax, July Edition - Security Boulevard - August 4th, 2022
- Microsoft changes its policy against the sale of open source software in the Microsoft Store - BetaNews - July 26th, 2022
- BMW Group Joins the Linux Foundation's Yocto Project - PR Newswire - July 18th, 2022
- Free and Open Source Software (FOSS) - UNESCO - July 9th, 2022
- Know Your Enemy and Yourself: A Deep Dive on CISA KEV - Security Boulevard - June 29th, 2022
- CD Foundation Announces State of CD in 2022 Report, Opens Third Annual cdCon with New Project CDEvents, New... - DevOps.com - June 10th, 2022
- Samsung teams up with Red Hat for memory software development - The Korea Herald - May 25th, 2022
- OpenSSF Helping to Secure Open Source Software - ITPro Today - May 25th, 2022
- Only Microsoft can give open-source the gift of NTFS. Only Microsoft needs to - The Register - May 11th, 2022
- Protestware: what organisations should be aware of when using open source software - Lexology - May 11th, 2022
- This Week in Washington IP: Open Source Cybersecurity Solutions, Civil Capabilities for Space Situational Awareness and Using AI for Effective RegTech... - May 11th, 2022
- Red Hat Expands Capabilities to Provide Streamlined Application Development and Delivery in the Cloud - Business Wire - April 28th, 2022
- Industry 4.0 why smart manufacturing is moving closer to the edge - The Register - April 28th, 2022
- Open source software and DevOps: What are they, and how can your business benefit? - SmartCompany - April 13th, 2022
- Truist Joins the Open Invention Network - GlobeNewswire - April 13th, 2022
- OpenMetal Joins the Open Infrastructure Foundation - PR Newswire - April 13th, 2022
- An Early Test of The Adams Administration's Values and Tech Prowess - Gotham Gazette - April 13th, 2022
- Open Source Software Faces Threats of Protestware and Sabotage - WIRED - April 1st, 2022
- The Promise of Open Source Code and the Paradox of ProtestWare - Security Boulevard - April 1st, 2022
- Software Composition Analysis Market to Witness Massive Growth by 2029 | Open Source Software, Oracle, Smartbear Software - Digital Journal - April 1st, 2022
- Why now is the time to host your code in the cloud - TechRadar - April 1st, 2022
- Those looking for clues to Googles search demise are asking the wrong question - TechRepublic - April 1st, 2022
- Open Source Sabotage Incident Hits Software Supply Chain | eSecurityPlanet - eSecurity Planet - January 15th, 2022
- Open-source software and threats to critical infrastructure. - The CyberWire - January 15th, 2022
- Google wants secure open-source software to be the future - TechRadar - January 15th, 2022
- Baumer, Infineon, Qualcomm Innovation Center, Percepio and Silicon Labs Select Zephyr RTOS for their Next Generation of Products and Solutions - Yahoo... - January 15th, 2022
- How Open Source Is Shaping The World Around Us - Outlook India - December 19th, 2021
- The Projects and People That Shaped Security in 2021 The New Stack - thenewstack.io - December 19th, 2021
- Aqua Security acquires Argon to protect the software supply chain - VentureBeat - December 6th, 2021