00:00:00
You're listening to the CyberWire Network, powered by N2K.

00:00:11
In the dynamic world of enterprise security, identity architects and IT leaders face a major challenge: growth by repeated acquisitions multiplies the complexity of everything. Multiple IdPs, MFA providers, and policy engines all need to coexist. This can lead to fragmented user identities and policies that create security vulnerabilities and add access friction. Strata Identity solves this. Now you can decommission unneeded IdPs and consolidate the ones you'd like to keep without rewriting apps or disrupting users, engineers, and app owners. Plus, Strata's modular architecture makes it easy to integrate with any identity provider without manual maintenance and coding. Join the ranks of cybersecurity leaders using identity orchestration. Visit strata.io/cyberwire, share your top identity security priorities, and receive a pair of complimentary AirPods Pro. Offer valid for organizations with over 5,000 employees. Step into a new era of identity management at strata.io/cyberwire.
00:01:33
Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

00:01:56
Amit Malik: Log4j is a very widely used application, and it came into the light in December 2021, right, because there was a zero-day exploit that was available for this application.

00:02:10
Dave Bittner: That's Amit Malik, Director of Threat Research at Uptycs. The research we're discussing today is titled "New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware."
00:02:32
Amit Malik: Now, it's a logging framework, and it is used by pretty much all of the open source applications, and there are many internal and external applications that a company uses; they use this logging framework library, and it's written in Java. During that time in 2021 it made a really big impact, because it is a very widely used application, and something like this in this type of application could create a catastrophic event, right. So from that point in time we were actually looking into this, how the story played out for this Log4j exploit, and at that time also, in 2021, we published blogs and publications saying how the attackers are using it. And suddenly, in our intelligence system, that we call internally the global threat intelligence system, where we collect data from all closed and open sources, you know, the threat data we collect into our system, we were going through the analysis, and then suddenly our eye popped onto this attack chain for Log4j, and then we realized that this is a much larger campaign than just one or two machines involved there. So that's how it came into the light.

00:03:56
Dave Bittner: Well, let's dig into it here. I mean, reading through the research, you all mentioned that you were doing some routine sandbox hunting analysis and you discovered this ongoing live campaign. What was going on here?
00:04:12
Amit Malik: Yeah, so basically what really happens is that we collect all of this information into our intelligence systems, right, and then there are multiple components to the intelligence systems. One of the components is a sandbox that processes the malicious samples, and we have honeypot servers also that are part of this intelligence system. So normally what really happens is, when we get something inside our honeypot servers, then we redirect that to the sandbox, to understand if it is really a malware or not, right. And in the sandbox we have our tooling running to detect if something is malicious inside a particular piece of code, right. So essentially what happened is that our honeypot servers were getting hit by these requests that were used to exploit the Log4j exploit, and when we redirected those to our sandbox, then we got an alert that there are a couple of coin miner alerts that we got. And our team, the analysis team, looks at this data on a daily basis, doing the regular stuff, right; this is their job, to identify if something is going on, not just specific to Log4j, but in general to identify the new things that are coming into our systems. And that's where we identified that, okay, this is something that is specific to Log4j, which is basically more than two years old stuff, and it is very widely used.

00:05:44
Dave Bittner: Well, let's dig into some of the details here. I mean, what can you tell us about this particular campaign?

00:05:48
Amit Malik: So I think when we look at this campaign from the origin of the Log4j exploit in 2021, right, there is not much change in terms of the strategy of the attackers. At that time also we saw the attackers use the coin miners and the ransomware-specific binaries to basically infect the vulnerable servers, and in this campaign also we see that the attackers are using heavily the coin miners, and primarily what we see is that XMRig is being used as the major utility to mine the coins, right. And this is in line with the previous attacks that we have seen. The eye-catching thing for us was that, you know, this is a very widespread application and it created lots of noise in 2021, but there are still so many servers that are vulnerable to this vulnerability, and attackers are using this vulnerability to infect those systems and deploy these coin miners.
00:06:59
Dave Bittner: We'll be right back.

00:07:06
And now a word from our sponsor, Zscaler, the leader in cloud security. Cyber attackers are using AI in creative ways to compromise users and breach organizations. In a security landscape where you must fight AI with AI, the best AI protection comes from having the best data. Zscaler has extended its Zero Trust architecture with powerful AI engines that are trained and tuned by 500 trillion daily signals. Learn more about Zscaler Zero Trust + AI to prevent ransomware and AI attacks. Experience your world secured. Visit zscaler.com/zerotrustai.
00:07:59
Dave Bittner: Do you have any sense for where this is coming from?

00:08:01
Amit Malik: So we have done the analysis on the command and control IP addresses. It's hard to say if the attackers are based in that region, but normally it is Europe and Russia. So one of the major command and control servers for this activity, which contributed around 60% of the total campaign activity, that we have highlighted in our blog post as well, is based in an ISP in Europe. So it's hard to say if the attackers are basically of the same origin, but the activity is originating from Europe and Russia.

00:08:41
Dave Bittner: And does this seem to be largely opportunistic, that they're taking advantage of vulnerable systems to do, as you say, just crypto mining?
00:08:52
Amit Malik: Exactly. I mean, this is not a very sophisticated attack. It is just that they are looking for Log4j-vulnerable applications and they are deploying the coin miners to just mine the coins, right. It's not very, I would say, a very sophisticated attack, because it's a two-year-old, very popular vulnerability, but again, as you know, it's very surprising why there are so many vulnerable systems out there for this very popular vulnerability.

00:09:22
Dave Bittner: Are they making any attempt to hide their actions here, or are they being pretty noisy?
00:09:30
Amit Malik: Yeah, we haven't really seen any effort to hide the tracks. It's just that they are coming into the system and then taking advantage of the vulnerability just to deploy the XMRig miner, which is also open source. XMRig is also not something that is a very private tool used by the attackers.

00:09:52
Dave Bittner: Well, let's go through some of the ways that folks protect themselves against this. I mean, two years out, I suppose patch management would be the top of the list.

00:10:08
Amit Malik: Exactly. I mean, as I said, and you probably also know, it was a very big thing in 2021 when it came out, and the Apache Foundation also released the patch for this one at that time. And patch management is the only solution; we have to upgrade the application version to mitigate this.

00:10:33
Dave Bittner: Is this something also where monitoring your network traffic would be beneficial?

00:10:39
Amit Malik: Yeah, definitely it will be helpful. If you have, let's say, an Apache server or some other type of server that is storing the logs of each type of request that is coming to that particular server, then that can give an indication that, hey, somebody's trying to exploit the vulnerability. So definitely, if there are network-related or security solutions that are deployed, then they should be able to catch it, or if there is logging enabled on the servers that captures the requests that are coming to the servers, then that should also help to identify this attack.
yeah it it really is remarkable I I
00:11:24
think that you know it's it's been so
00:11:26
long since log for J Came Upon the scene
00:11:29
here um and we've still got this these
00:11:32
ongoing issues um you know from a high
00:11:36
level what do you suppose is is going on
00:11:39
here do you suppose there's just a lot
00:11:40
of systems that folks aren't aware of
00:11:43
that that should be patched that haven't
00:11:45
been yet I I think that what uh it looks
00:11:48
like Dave that uh you know even though
00:11:51
it was very widespread uh issue and you
00:11:54
know lots of people uh you know were
00:11:56
were very aware of it the people that
00:11:58
deals with with these Technologies but
00:12:00
it looks like that uh there is some uh
00:12:03
part of the portion of the world that is
00:12:05
not really uh either they do not know
00:12:09
like they they are running these
00:12:10
applications or for these servers and
00:12:12
these servers are internet facing or or
00:12:15
they might not really have looked or
00:12:17
given much care to those servers uh that
00:12:21
these servers are you know exposed to
00:12:23
the internet
00:12:26
00:12:34
Dave Bittner: Our thanks to Amit Malik from Uptycs for joining us. The research is titled "New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware." We'll have a link in the show notes.

00:12:56
Don't struggle to align your organization's cybersecurity with business risk. Get the only solution that goes beyond reacting to threats with vulnerability and risk monitoring. You need the next evolution of MDR, and only Critical Start delivers it. Critical Start doesn't just monitor and respond to threats; they put you in control by detecting suspicious activities, quickly responding to contain threats, and identifying your most critical assets and protecting them against vulnerabilities and exposures. With continuous visibility, expert guidance, and measurable risk reduction, Critical Start has redefined what it means to manage cyber risk. Demonstrate provable security maturity to your leadership while positioning your program to achieve the greatest risk reduction per dollar spent. Stop fearing risk and start managing it with Critical Start. Visit criticalstart.com and request a demo today. That's criticalstart.com.
00:14:09
Dave Bittner: And that's Research Saturday, brought to you by N2K CyberWire. Our thanks to Amit Malik from Uptycs for joining us. The research is titled "New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware." You can find a link and additional resources in the show notes. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
00:15:45
Maria Varmazis: Hi everybody, it's Maria Varmazis here, your host over at T-Minus Space Daily and sometimes a guest on Hacking Humans too. We here at N2K CyberWire work hard to bring you concise, intelligence-driven news and commentary, and we'd like to know how we're doing. Please take a few minutes to complete our audience survey and share your feedback to help us continue to grow and meet your needs. Visit cyberwire.com/survey. That's cyberwire.com/survey to get started. Thanks so much for your input. As we reach for the stars, it means the universe to us.
00:16:34
And now a word from our sponsor, Syxsense. Syxsense provides award-winning, cloud-based, automated endpoint and vulnerability management solutions to streamline IT and security operations. With its advanced platform, businesses gain complete visibility and control over their infrastructure, reducing IT and security risks and optimizing operational efficiency. With Syxsense you'll get real-time alerts, risk-based vulnerability prioritization and remediation, and an intuitive automation and orchestration engine, so you can focus on your core business goals, confident in the knowledge that your enterprise is secure, compliant, and running smoothly. To learn why enterprises choose Syxsense, visit syxsense.com.