In the second of this three-part blog series, we look at some more highlights from our annual “Defending Against Critical Threats” webinar covering Log4J, Emotet, and the rise of Mac OS malware. Be sure to watch the videos for a more in-depth analysis.
The Cisco Talos Incident Response team (CTIR) were on the front lines of helping our customers tackle the Log4J vulnerability at the end of 2021. Take us through how the events of Log4J unfolded.
Liz Waddell, Incident Response Practice Lead, Cisco Talos: On November 24, 2021, the Alibaba cloud security team alerted Apache that there was a remote code execution vulnerability (RCE) in Apache Log4J2, which is a Java logging library.
There are at least 1,800 unique code libraries and projects which are integrated into cloud services and endpoints that have this logging library. When Log4J was identified, the exposure of this vulnerability was… well, as papers picked up on it, humongous.
December 9th was when things really started getting public attention and the first patch was released by Apache. Then we started seeing exploits and certain odd things popping up. Minecraft users began warning that adversaries could execute malicious code on clients and servers running the Java version of the popular game.
We published our Talos blog on December 10th, which was constantly updated with the latest information. If the past year taught us anything, it’s that the first patch for a vulnerable application is never the first one. Log4J had three patches that came out before December 18th.
Then it got quiet. After last year’s holiday-ruining Solar Winds attack, we expected to spend Christmas 2021 in a similar way. But overall, the number of customers calling us about Log4J over the holidays was fairly light.
Not that there wasn’t anything happening; Talos was aware of active exploitation, including activity from miners and other financially motivated attackers. We had reports of nation-state actor activity, and we observed widespread activity in our honeypots and telemetry sources.
How has Log4J made an impact so far in 2022?
LW: We started to see an uptick of major exploits starting in January. On January 5th, the UK’s National Health Service (NHS) reported seeing Log4Shell vulnerabilities in the VMware Horizon servers.
That’s the situation now – the main exploit of Log4J we are seeing is within VMware Horizon servers.
However, we are still being very diligent with how we’re monitoring the world and dark web, and making sure that we can respond as effectively as possible to any changes and further exploitation.
This application is inside a lot of things. Readers can keep up to date with all our findings on the dedicated Talos blog.
After the 2021 operation led by Europol and the European Union Agency for Criminal Justice Corporation to dismantle the operations of Emotet, how did it come back from the dead towards the end of the year?
Artsiom Holub, Senior Security Analyst, Cisco Umbrella: Due to the nature of the operations, and the profit that this malware was able to generate for the cybercrime community, we did see a resurgence of Emotet. This time it came back with a newly rebuilt infrastructure, which it is continuing to expand today.
The resurgence of Emotet is an illustration of the growing demand of such operations by the ransomware world. It only takes a few highly organized criminal corporations to create endless opportunities for criminal Emotet botnet developers.
The TrickBot and Emotet duo was utilized heavily by Ryuk ransomware, and now Conti is the new logical avenue for the criminals.
Conti organizes highly targeted attacks to maximize revenue. If things continue to head in this direction, with TrickBot and Emotet becoming an exclusive way of distributing Conti Ransomware, it is highly likely that these campaigns will become even more rampant and widespread in the upcoming year.
What advice do you have for defenders to deal with this type of threat in 2022?
AH: I recommend focusing your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay special attention to the outgoing traffic to monitor for cybercriminal connections.
Finally, use the latest threat intelligence to be aware of the tactics, techniques, and procedures (TTPs) used by threat actors. Their tools and operations might change, but their procedures tend to follow whatever’s worked for them in the past.
Could you give us some background to this threat and why you wanted to cover it?
Ashlee Bengee, SecureX Threat Hunter, Cisco Secure: This is my own area of research interest. I wanted to cover it in this report because, for too long, we have operated under the assumption that Mac OS is somewhat impervious to malware.
As Liz mentioned, we receive a firehose of information as security researchers. It’s my team’s job to dig through that enormous amount of data and to identify any changes in attacker behavior. Any change inspires our hunt for new and emerging threats.
That’s been the case recently for Mac OS malware. It’s becoming more of an attractive attack surface, and in 2021, we discovered some new types of Mac OS malware that were a cause for concern.
Can you show an example of a malware you discovered in 2021 which targets Mac OS?
AB: One of our most interesting discoveries in August 2021 was the McSnip Backdoor malware.
We identified a change in an existing dropper technique, which was one of the ways a particular group of malware actors uses to get the initial binary on a system before exploitation.
We grabbed all the malicious files that we could find that were associated with this campaign, and then ripped them apart. We found some interesting things.
Although this particular binary had the capability to exfiltrate sensitive information, we didn’t see those capabilities being leveraged. That set off alarm bells for us.
We found that, in the case of McSnip, the malicious binary was impersonating a screenshot tool that could be downloaded directly from a website, rather than from the actual legitimate App Store.
In November, small updates had been made to the malware from what we saw in August, and it started leveraging these new malicious capabilities for data exfiltration. It moved from a test campaign to an active campaign.
We’re still seeing McSnip being leveraged, or attempting to be leveraged, against customers in the wild. But because of our active hunting efforts and the work that we do on my team, we’re able to block actual execution of these malicious files.
For more resources on how to deal with critical threats, head to cisco.com/go/critical-threats.
Check out other blogs in this series here:
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels