
CISA Unveils Logging Tool to Aid Resource-Scarce Organizations


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has introduced a security tool named "Logging Made Easy" with the aim of assisting organizations, particularly those with limited resources, in safeguarding their Windows-based devices and sensitive information.

This tool, provided as an open-source log management solution, is available free of charge to both public and private sector entities. It serves to proactively monitor potential threats, conduct retrospective investigations, and offer guidance for remedial actions in the event of a cyber incident. CISA's decision to relaunch and widen the availability of this tool comes after its initial development and upkeep by the United Kingdom's National Cyber Security Centre.

Chad Polan, the product manager for cyber shared services at CISA, emphasized the agency's objective to promote the implementation of cybersecurity measures that are demonstrably effective. This includes furnishing cybersecurity capabilities and services to bridge existing gaps. He highlighted the tool's relevance for organizations with substantial data holdings but limited resources to shield against cyberattacks.

The updated version of Logging Made Easy serves as a ready-to-use log management solution for organizations that previously utilized the service under the auspices of the U.K.’s National Cyber Security Centre. CISA is also extending access to new users seeking an accessible logging tool.

The service offers clear-cut installation instructions and can be integrated into a range of logging and protective monitoring strategies. It ships with preconfigured security detection rules so that responses to cyber incidents can begin sooner. It also includes code intended to lower the financial barrier for organizations that want to put fundamental logging and monitoring capabilities in place.

Lindy Cameron, CEO of the NCSC, commended the tool's track record, stating that it has "undeniably delivered results" and supported numerous defenders in safeguarding their networks.

CISA Director Jen Easterly underscored that this new service offering aligns with the agency's commitment to aiding resource-constrained organizations with limited defenses against cyber threats.

At present, the tool exclusively covers Windows-based devices. However, CISA has expressed openness to considering the potential expansion of the service to encompass additional operating systems in the future.

Attackers Can Still Exploit Log4j Vulnerability to Track Activities


Countless digital goods and services have been affected internationally since December 1, 2021, as a vulnerability related to the open-source logging framework Apache Log4j 2 has been aggressively abused. 

The researchers claim that the flaw is still present in an excessive number of systems around the world and that attackers will continue to successfully exploit it for years. 

Every year brings a number of severe vulnerabilities that need urgent fixes, but Log4Shell stood out because it was so simple to exploit wherever it was found and offered little to no room for attackers to maneuver. Developers use logging tools to keep a record of activity within a given application.

To take advantage of Log4Shell, all an attacker has to do is trick the system into logging a specially crafted string. They can then take over the target's computer and install malware or launch other types of attacks. Because loggers record the inputs they receive, placing the malicious snippet in an email or an account username is an easy way to get it logged.

“Logging is fundamental to essentially any computer software or hardware operation. Whether it’s a phlebotomy machine or an application server, logging is going to be present,” stated David Nalley, president of the nonprofit Apache Software Foundation. “We knew Log4j was widely deployed, we saw the download numbers, but it is hard to fully grasp since in open source you're not selling a product and tracking contracts. 

“I don’t think you fully appreciate it until you have a full accounting of where software is, everything it's doing, and who's using it. And I think the fact that it was so incredibly ubiquitous was a factor in everyone reacting so immediately. It's a little humbling, frankly.”

The topic is relevant to more general discussions about the software supply chain and how it is more challenging to find and fix vulnerable code because many firms do not have a complete accounting of all the software they use in their systems. However, even if a company has a record of all the software it has purchased or installed, such programmes may still contain additional software parts, especially open-source libraries and tools like Log4j, that the end user is not directly aware of and did not choose. 

As a result, companies become exposed to vulnerabilities like Log4Shell and experience the long tail of patching, where they are either unaware that they are exposed or fail to see the urgency of making changes. 

Attackers are still actively using Log4Shell everywhere, from criminal hackers looking for a way into targets' systems to attackers with the support of the Chinese and Iranian governments who use the exploit in their espionage operations. 

“Log4Shell is one that’s going to show up in data breaches for the next decade as part of the root cause—all it takes is one instance of Log4Shell to be vulnerable. Thankfully, most consumers didn’t feel an impact last year, because the severity of it was so high that folks scrambled over that terrible weekend and throughout the holidays in a race with attackers. But there's an economic impact to that, a massive effort cost to do that remediation. And we’re not going to be able to scramble everybody for something that is even slightly less severe,” stated Dan Lorenc, CEO of the software supply-chain security firm Chainguard. 

When Apache made the issue public on December 9 of last year, it had to move quickly to deliver updates for Log4Shell. Researchers soon found workarounds and edge cases in those fixes, and Apache was compelled to release further revisions, which added to the uncertainty.

However, according to researchers, Apache's overall response was good. Nalley continues, "In response to the Log4Shell story, Apache has made changes and improvements and hired dedicated employees to expand the security support it can provide to open-source projects in order to discover problems before they are shipped in code and respond to incidents as necessary." 

The most worrying sign for the future is that, even a year later, around a quarter or more of the Log4j downloads from the Apache repository Maven Central and other repository servers are still of vulnerable versions. In other words, software developers are still actively maintaining systems that run vulnerable versions of the library, or even building new insecure software on top of them.

According to Brian Fox, cofounder and chief technology officer of the software supply-chain firm Sonatype, after the initial rush to resolve Log4Shell, version downloads in Maven Central and other repositories reached a plateau where about 60% of the downloads were of patched versions and 40% were still of vulnerable versions. Fox and Apache's Nalley claim that over the past three months or so, the numbers have for the first time dropped to about a 75/25 split. Nevertheless, according to Fox, "a year later, a fourth of the downloads is still very poor."
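The long tail of patching described above starts with knowing which Log4j versions are actually in a build. The following is an added example, not code from the article or from Apache or Sonatype: it parses a constructed `mvn dependency:list`-style listing, flags `log4j-core` entries below an assumed per-release-line fixed version, and computes the same patched/vulnerable split the download figures describe. The version floors are assumptions to be checked against your own advisory baseline.

```python
import re

# Constructed sample in the shape of `mvn dependency:list` output (not a real project).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.0-beta9:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.12.4:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
"""

# Assumed minimum fixed versions: the Java 6 (2.3.x) and Java 7 (2.12.x) backport
# lines and the main 2.x line. Adjust these floors to your own advisory baseline.
LINE_FLOORS = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
MAIN_FLOOR = (2, 17, 1)

DEP_RE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")


def parse_version(text):
    """'2.0-beta9' -> comparable tuple; a pre-release sorts below its final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text}")
    base = (int(m[1]), int(m[2]), int(m[3] or 0))
    return base + ((0, m[4].lower(), int(m[5])) if m[4] else (1,))


def assess_log4j(listing):
    """Return [(artifact, version, status)] for every log4j-core entry in the listing."""
    findings = []
    for line in listing.splitlines():
        m = DEP_RE.match(line)
        if not m or m[1] != "org.apache.logging.log4j" or m[2] != "log4j-core":
            continue  # log4j-api on its own is not the affected artifact
        version = parse_version(m[3])
        if version[0] != 2:
            status = "unassessed"  # 1.x is end-of-life and out of scope here
        else:
            floor = LINE_FLOORS.get(version[:2], MAIN_FLOOR)
            status = "patched" if version >= floor else "vulnerable"
        findings.append((m[2], m[3], status))
    return findings


def patched_fraction(findings):
    """Share of assessed log4j-core entries at or above their line's floor."""
    assessed = [f for f in findings if f[2] != "unassessed"]
    return sum(f[2] == "patched" for f in assessed) / len(assessed) if assessed else 1.0


if __name__ == "__main__":
    for artifact, version, status in assess_log4j(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact}:{version} -> {status}")
```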

Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers


Researchers have provided a detailed look at a system called DoubleFeature, which is dedicated to logging the various stages of post-exploitation resulting from the Equation Group's deployment of DanderSpritz, a full-featured malware architecture. 

DanderSpritz was discovered on April 14, 2017, when a hacker group known as the Shadow Brokers published a report titled "Lost in Translation" that included the exploit tool and others. EternalBlue, a cyberattack exploit created by the US National Security Agency (NSA) that allowed threat actors to carry out the NotPetya ransomware attack on unpatched Windows PCs, was also included in the leaks. 

The tool is a modular, covert, and fully functioning framework for post-exploitation activities on Windows and Linux that depends on dozens of plugins. One of them is DoubleFeature, which serves as a "diagnostic tool for victim machines carrying DanderSpritz," according to Check Point researchers in a new paper released Monday. 

The Israeli cybersecurity firm added, "DoubleFeature could be used as a sort of Rosetta Stone for better understanding DanderSpritz modules, and systems compromised by them. It's an incident response team's pipe dream." 

DoubleFeature is a Python-based dashboard that doubles as a reporting utility to exfiltrate logging information from an infected system to an attacker-controlled server. It's designed to keep track of the types of tools that could be deployed on a target machine. A specific executable named "DoubleFeatureReader.exe" is used to interpret the output. 

Some of the plugins monitored by DoubleFeature include remote access tools called UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy data exfiltration backdoor dubbed StraitBizarre, an espionage platform called KillSuit (aka GrayFish), a persistence toolset named DiveBar, a covert network access driver called FlewAvenue, and a validator implant named MistyVeal that verifies if the compromised system is indeed an authentic victim machine and not a research environment. 

The researchers stated, "Sometimes, the world of high-tier APT tools and the world of ordinary malware can seem like two parallel universes." 

"Nation-state actors tend to [maintain] clandestine, gigantic codebases, sporting a huge gamut of features that have been cultivated over decades due to practical need. It turns out we too are still slowly chewing on the 4-year-old leak that revealed DanderSpritz to us, and gaining new insights."