
Fight for the Users

Eclypsium Threat Report, December 2021

What a December! Let’s see if we can write a threat report without mentioning Log4j. Possible? Let’s find out! While everyone else is writing about it and you are completely overwhelmed, over-vendored, and over-exhausted by it, there is still a lot of other activity going on that shouldn’t be ignored, missed or forgotten.

On the heels of our Meris botnet blog, CISA just released new guidance recommending that organizations patch their MikroTik routers for the same CVE that continues to plague these cheap but powerful devices. Remember, a patched device doesn’t mean the device isn’t being used maliciously by Meris, Glupteba, Trickbot, etc. More often than not, these devices are simply maliciously configured rather than implanted with malicious code.

Beyond MikroTik routers, AT&T’s Alien Labs just discovered another botnet, called BotenaGo (written in Go), that can target millions of exposed and vulnerable devices with an arsenal of over 30 exploits. The attack surface of these devices is massive, yet awareness of this attack surface is still low; something CISA has been working very hard to change.

Did you know that 60% of breaches involving a vulnerability were against devices for which a patch was available, but was never applied? You do now!

Speaking of Glupteba (many believe this is the group that compromises devices like MikroTik routers and then sells access to those devices to botnet operators and campaigns), it has a new trick: leveraging Bitcoin’s public ledger to maintain C2 in a way that is both a) resilient and b) slightly Darwinian. This tactic is double-edged for the attackers, as it also lets defenders see and anticipate the same public wallet addresses and new domains, just as the malware does. This might come in handy some day when it comes time to prosecute them, too.

Log4j represents another ‘first wave’ of attacks that gained an initial foothold and allowed myriad actors with myriad motives to gain presence wherever they could. Once a foothold has been established, however, the real story begins to play out.

One of these stories may be destruction – just as we saw when actors leveraged recent MS Exchange vulnerabilities to drop a destructive payload on victim machines. Another could be ransomware, just like what we saw following the Microsoft Exchange attacks. Indeed, the Trickbot group behind Conti has already begun leveraging Log4j to drop ransomware only a few days after discovering its potential. Recall that ProxyLogon, too, was used by ransomware gangs only days after its discovery. If destruction sounds incredible or unlikely, check out what these Iranian nation-state actors just did by leveraging a new HP iLO firmware vulnerability to wipe servers remotely.

This kind of rapid weaponization and ability to deploy follow-on payloads quickly puts a tremendous amount of pressure on security teams to patch and mitigate immediately. The very same group still leverages Fortinet and ZeroLogon vulnerabilities, and also looks for vulnerabilities at the UEFI level in order to implant there, just as many APTs have recently been discovered doing.

Hackers have also been able to leverage Log4j exploits to specifically target ultra-high-end HP server hardware (machines running Zen 3-based EPYC Milan CPUs) in order to mine the Raptoreum ($RTM) cryptocurrency.

In a dramatic yet somehow not surprising fashion, the Chinese government has decided to stop collaborating with Alibaba on cyber threat intelligence for a period of no less than six months, after the organization failed to tell the government about the Log4j vulnerability prior to public disclosure. This demonstrates two things: 1) China’s bite is as bad as its bark in this regard; other organizations now have a precedent they can use to justify disclosing vulns early and exclusively to the Chinese government, and 2) the degree to which China’s offensive security strategy (proactively attacking western interests in order to gain key economic and military advantage) is overtly in play.

Well, we didn’t think we’d be able to write this threat report without including Log4j, and sure enough, we had to.

A final word to reflect upon the passing of Dan Kaminsky, a luminary beyond compare in the field of cyber security and a dear friend to so many of us in the community. This month he was posthumously inducted into the Internet Hall of Fame. He was the hero that saved the Internet more than once… but more so, the hero that best embodied true discourse, critical thought, debate, rational exploration of myriad problem spaces, and someone that served as the pillar of ground truth and perspective for so many. Beyond even these things, he was the warmest of souls, the kindest of friends, and one of the most endearingly comical people any of us have ever met. Dakami, we’ll pour one out for you this NYE.

Here’s to a fantastic 2022. Let us be a stronger community, let us unite to fight those that do us cyber harm and protect those that cannot protect themselves, and let us innovate to solve for a better future together. We fight for the users!