1700 IPs and counting. [Research Saturday]

00:17:27
https://www.youtube.com/watch?v=cSssEwKRrDE

Resumo

TLDRThe podcast episode from Cyberwire Network centers on the challenges facing enterprise security, especially around identity management complexities caused by growth through acquisitions. Strata Identity provides solutions to streamline this process by allowing the consolidation of identity management systems without disrupting users. Additionally, the episode discusses a new security threat detected by Upticks, involving the Log4j vulnerability, which was a major security concern since its discovery in 2021. It was found to be still exploited by attackers to deploy coin miners, despite available patches. Geographical analysis suggests these attacks might originate mainly from Europe and Russia. Protective measures include patch management and network monitoring. Additionally, cybersecurity company Critical Start offers solutions for better managing security risks. The episode emphasizes the need for continuous vigilance in cybersecurity practices.

Conclusões

  • 🚀 Enterprise security growth through acquisitions increases complexity.
  • 🔒 Strata Identity helps simplify identity management without disruptions.
  • 🛡️ Log4j vulnerability still poses risks through exploitation for coin mining.
  • 🌍 Attacks are traced primarily to Europe and Russia region.
  • 🔍 Patch management and monitoring are crucial protective measures.
  • 🌟 Critical Start provides risk management and visibility solutions.
  • ⚡ Continuous vigilance in cybersecurity is emphasized.
  • 👁️ Routine sandbox analysis is vital in detecting ongoing threats.
  • 📊 Intelligence systems help track and mitigate cybersecurity threats.
  • 🔗 Integration with existing systems is key to identity management solutions.

Linha do tempo

  • 00:00:00 - 00:05:00

    In the dynamic realm of enterprise security, identity architects and IT leaders grapple with complexities stemmed from repeated acquisitions. This results in the coexistence of multiple IDPs, MFA providers, and policy engines, leading to fragmented user identities and policies, increasing security vulnerabilities and access friction. Strata Identity offers a solution by enabling the decommissioning of unnecessary IDPs and consolidation of desired ones without the need for app rewriting or user disruption. Its modular architecture supports easy integration with any identity provider without requiring manual maintenance or coding.

  • 00:05:00 - 00:10:00

    The conversation delves into how Log4j, a widely used logging framework written in Java, became infamous in December 2021 due to a zero-day exploit. At that time, multiple attackers exploited this vulnerability using coin miners and ransomware to target vulnerable servers, notable due to the widespread use of Log4j. The research and threat detection team at Upticks identified an ongoing campaign exploiting older Log4j vulnerabilities through routine sandbox analysis, wherein coin mining malware, like XM rig, was found extensively used, highlighting many still vulnerable systems.

  • 00:10:00 - 00:17:27

    Emphasis is on the necessity of patch management to mitigate vulnerabilities like those in Log4j, especially when it's been a significant threat since 2021, yet many systems remain exposed. The conversation covers the nature of the threats as largely opportunistic, targeting outdated systems with open-source coin mining utilities without much effort to hide activities, primarily originating from Europe and Russia. Continuous network monitoring and visibility are suggested as preventive measures against such exploits, alongside urging awareness and action for system updates and patches.

Mapa mental

Vídeo de perguntas e respostas

  • What challenge do identity architects and IT leaders face?

    They face challenges with multiple identity providers and policies leading to security vulnerabilities and access issues.

  • How does Strata Identity help organizations?

    Strata Identity helps by consolidating identity providers and managing user identities without rewriting apps or disrupting users.

  • What ongoing threat was detected by upticks?

    A new threat was discovered involving the Log4j campaign and its associated XM rig malware.

  • What is the Log4j vulnerability?

    Log4j is a widely used logging framework that had a zero-day exploit detected in December 2021, posing significant security risks.

  • What was the main utilization of the vulnerability by attackers?

    Attackers were primarily using the vulnerability to deploy coin miners and ransomware binaries on affected systems.

  • What geographical origins have been traced for these attacks?

    The attacks have been traced to IP addresses originating from Europe and Russia.

  • How can organizations protect themselves against these threats?

    Organizations should manage patches, monitor network traffic, and implement logging to detect any exploitation attempts.

  • What kind of solutions does Critical Start offer for cybersecurity?

    Critical Start offers solutions that go beyond threat monitoring by managing vulnerability and risk, providing expert guidance and continuous visibility.

Ver mais resumos de vídeos

Obtenha acesso instantâneo a resumos gratuitos de vídeos do YouTube com tecnologia de IA!
Legendas
en
Rolagem automática:
  • 00:00:00
    [Music]
  • 00:00:02
    you're listening to the cyberwire
  • 00:00:03
    network powered by
  • 00:00:09
    [Music]
  • 00:00:11
    n2k in the dynamic world of Enterprise
  • 00:00:13
    security identity Architects and it
  • 00:00:16
    leaders face a major challenge growth by
  • 00:00:19
    repeated Acquisitions multiplies the
  • 00:00:21
    complexity of everything multiple idps
  • 00:00:24
    MFA providers policy engines that all
  • 00:00:27
    need to coexist this can lead to
  • 00:00:30
    fragmented user identities and policies
  • 00:00:32
    that create security vulnerabilities and
  • 00:00:34
    add access friction strata identity
  • 00:00:37
    solves this now you can decommission
  • 00:00:40
    unneeded idps and consolidate the ones
  • 00:00:43
    you'd like to keep without rewriting
  • 00:00:45
    apps or disrupting users engineers and
  • 00:00:47
    app owners plus strata's modular
  • 00:00:50
    architecture makes it easy to integrate
  • 00:00:52
    with any identity provider without
  • 00:00:55
    manual maintenance and coding join the
  • 00:00:57
    ranks of cyber security leaders using
  • 00:01:00
    identity orchestration visit strat. i/
  • 00:01:04
    cyberwire share your top identity
  • 00:01:06
    security priorities and receive a pair
  • 00:01:09
    of complimentary airpods Pro offer valid
  • 00:01:12
    for organizations with over 5,000
  • 00:01:14
    employees step into a new era of
  • 00:01:17
    identity management at strat. i/
  • 00:01:21
    cyberwire
  • 00:01:28
    [Music]
  • 00:01:33
    hello everyone and welcome to the Cyber
  • 00:01:35
    wies research Saturday I'm Dave Bitner
  • 00:01:38
    and this is our weekly conversation with
  • 00:01:40
    researchers and analysts tracking down
  • 00:01:42
    the threats and vulnerabilities solving
  • 00:01:45
    some of the hard problems and protecting
  • 00:01:47
    ourselves in a rapidly evolving
  • 00:01:49
    cyberspace thanks for joining
  • 00:01:51
    [Music]
  • 00:01:56
    us L forj is very WI used application
  • 00:02:01
    and it came into the light in December
  • 00:02:04
    2021 right because there was a zero day
  • 00:02:07
    explor that was available for this
  • 00:02:10
    application that's ID Malik director of
  • 00:02:13
    threat research at upticks the research
  • 00:02:15
    we're discussing today is titled new
  • 00:02:17
    threat detected inside our discovery of
  • 00:02:20
    the log forj campaign and its XM rig
  • 00:02:23
    malware
  • 00:02:25
    [Music]
  • 00:02:32
    now it's a loging framework and used by
  • 00:02:35
    pretty much all of the open source
  • 00:02:38
    applications and there are many uh
  • 00:02:40
    internal and external uh applications
  • 00:02:42
    that company uses they use this loging
  • 00:02:45
    framework uh library and it's written in
  • 00:02:48
    Java during that time in 2021 it make a
  • 00:02:52
    really big impact because since it is
  • 00:02:55
    very widely used application and
  • 00:02:57
    something like this in this type of
  • 00:02:59
    application could create a catastrophic
  • 00:03:01
    event right so uh from that point in
  • 00:03:05
    time we were actually looking into this
  • 00:03:08
    uh the the story how the story play out
  • 00:03:10
    for this uh log forg explorate and at
  • 00:03:13
    that time also in
  • 00:03:14
    20221 we published uh blogs and
  • 00:03:18
    Publications saying how the attackers
  • 00:03:20
    are using it and suddenly uh in our uh
  • 00:03:24
    intelligence system uh that we call
  • 00:03:26
    internally as a global threat
  • 00:03:28
    intelligence system where we collect
  • 00:03:29
    data from all closed and open source uh
  • 00:03:33
    sources you know the thread data uh we
  • 00:03:36
    collect into our system and um you know
  • 00:03:39
    we were going through the analysis and
  • 00:03:40
    then we suddenly uh you know our eye
  • 00:03:43
    popped into this attach chain for L
  • 00:03:46
    forchain and then we realized that this
  • 00:03:48
    is a much larger campaign than uh you
  • 00:03:51
    know just one or two machines involed
  • 00:03:53
    there so that's how it came into the
  • 00:03:56
    light well well let's dig into it here I
  • 00:03:58
    mean reading through the research you
  • 00:04:00
    all mentioned that uh you were doing
  • 00:04:03
    some routine sandbox hunting analysis
  • 00:04:06
    and uh you discovered this ongoing live
  • 00:04:08
    campaign what what was going on here
  • 00:04:12
    yeah so so basically what really happens
  • 00:04:13
    is that we collect all of this
  • 00:04:15
    information into our uh intelligence
  • 00:04:17
    systems right and uh then there there
  • 00:04:20
    are multiple components to the
  • 00:04:21
    intelligence systems one of the
  • 00:04:23
    component it sandbox that process the
  • 00:04:25
    the malicious samples and we have honeyb
  • 00:04:28
    server also that that are part of this
  • 00:04:30
    intelligence system so normally what
  • 00:04:32
    really happens is like when we get
  • 00:04:34
    something inside our honey uh you know
  • 00:04:37
    the servers then we redirect that to the
  • 00:04:39
    sandbox so to understand uh if it is
  • 00:04:43
    really a malware or not right and in in
  • 00:04:45
    the sandbox we have our tooling running
  • 00:04:47
    to detect if something is malicious uh
  • 00:04:49
    inside a particular piece of code right
  • 00:04:52
    so essentially what happened is that our
  • 00:04:55
    Honeypot servers uh were getting hit by
  • 00:04:58
    these request that that were like you
  • 00:05:01
    know used to exploit the log 4G exploit
  • 00:05:05
    and when we redirected those to our
  • 00:05:07
    sandbox then we got an alert that there
  • 00:05:09
    are a couple of coin miners uh alerts
  • 00:05:11
    that we got and uh our team the analysis
  • 00:05:15
    team looks at this data on daily basis
  • 00:05:17
    doing a regular stuff right so this is
  • 00:05:20
    their job to identify if something is uh
  • 00:05:22
    is going on not just specific to log
  • 00:05:25
    forj but to in general to identify the
  • 00:05:28
    new things that are coming into our
  • 00:05:30
    systems and that's where uh we
  • 00:05:32
    identified that okay this is something
  • 00:05:34
    that is specific to log forj which is
  • 00:05:37
    basically two more than two years old
  • 00:05:39
    stuff and it is very widely used well
  • 00:05:44
    let's dig into some of the details here
  • 00:05:45
    I mean what what can you tell us about
  • 00:05:47
    this particular
  • 00:05:48
    campaign so I think when when we look at
  • 00:05:52
    this campaign from from the origin of
  • 00:05:54
    log for the exploit in 2021 right so
  • 00:05:57
    there is not much change in terms of the
  • 00:06:00
    strategy of the attackers so that time
  • 00:06:02
    also we saw uh you know the attackers
  • 00:06:05
    use the coin Miners and the ransomware
  • 00:06:07
    uh uh specific binaries to basically
  • 00:06:11
    infect the the vulnerable servers and in
  • 00:06:14
    this campaign also we see that the
  • 00:06:16
    attackers are using heavily the coin
  • 00:06:18
    Miners and primarily what we see is that
  • 00:06:21
    XM rig is being used as as the major uh
  • 00:06:25
    utility to to M the coins right and uh
  • 00:06:28
    this is in line with with the the
  • 00:06:30
    previous attacks that we have seen the
  • 00:06:33
    the eye-catching thing for us was that
  • 00:06:35
    you know since this is a very
  • 00:06:37
    widespread application and it created
  • 00:06:40
    lots of noise in 2021 but there are
  • 00:06:42
    still so many servers that are
  • 00:06:45
    vulnerable to this uh this vulnerability
  • 00:06:47
    and attackers are using this
  • 00:06:49
    vulnerability to infect those systems
  • 00:06:51
    and and deploy these coin miners
  • 00:06:55
    [Music]
  • 00:06:59
    we'll be right
  • 00:07:06
    back and now a word from our sponsor
  • 00:07:09
    zscaler the leader in Cloud security
  • 00:07:12
    cyber attackers are using AI in creative
  • 00:07:15
    ways to compromise users and breach
  • 00:07:17
    organizations in a security landscape
  • 00:07:20
    where you must fight AI with AI the best
  • 00:07:23
    AI protection comes from having the best
  • 00:07:25
    data zscaler has extended its zero trust
  • 00:07:28
    architecture with powerful AI engines
  • 00:07:31
    that are trained and tuned by 500
  • 00:07:33
    trillion daily signals learn more about
  • 00:07:36
    zscaler zero trust plus AI to prevent
  • 00:07:39
    ransomware and AI attacks experience
  • 00:07:42
    your world secured visit Z scaler.com
  • 00:07:46
    zrust aai
  • 00:07:56
    [Music]
  • 00:07:59
    do you have any sense for where this is
  • 00:08:01
    coming from so we we have done the
  • 00:08:07
    analysis on the command and control IP
  • 00:08:09
    addresses it's hard to say if the
  • 00:08:11
    attackers are based in that region but
  • 00:08:13
    normally it is Europe and
  • 00:08:15
    Russia uh so one of the the major Comm
  • 00:08:18
    and control for for these uh this
  • 00:08:21
    activity which contributed around 60% of
  • 00:08:23
    the total uh total campaign activity uh
  • 00:08:26
    that we have highlighted in our blog
  • 00:08:28
    post as well uh is is based in a ISP in
  • 00:08:32
    Europe so uh it's hard to say if the
  • 00:08:35
    attackers are basically of the same
  • 00:08:37
    origion uh but the activity is orig
  • 00:08:39
    originating from Europe and
  • 00:08:41
    Russia and and does this seem to be
  • 00:08:44
    largely opportunistic that they're you
  • 00:08:47
    taking advantage of vulnerable systems
  • 00:08:49
    to to do as you say just crypto mining
  • 00:08:52
    exactly I I mean this is not a very
  • 00:08:54
    sophisticated attack it is just that uh
  • 00:08:57
    you know they are looking for log forg
  • 00:08:59
    vable applications and uh you know they
  • 00:09:02
    deploying the dequin miners to just mine
  • 00:09:05
    the de coins right uh it's not very uh I
  • 00:09:09
    would say it's very sophisticated attack
  • 00:09:11
    because it's a 2year old very popular
  • 00:09:14
    vity uh but again as you know it's very
  • 00:09:17
    surprising why there are so many
  • 00:09:19
    vulnerable systems out there for this
  • 00:09:22
    very popular vulner are they making any
  • 00:09:25
    attempt to hide their actions here or
  • 00:09:27
    are they being pretty noisy
  • 00:09:30
    yeah uh we haven't really seen any
  • 00:09:32
    effort to hide the tracks it's it's just
  • 00:09:34
    that they they are you know coming into
  • 00:09:38
    into the system and then taking the
  • 00:09:39
    advantage of vulnerability just to
  • 00:09:41
    deploy the The xmri Miner which is which
  • 00:09:44
    is also an open source xming is also uh
  • 00:09:46
    it's not something that is very uh you
  • 00:09:49
    know uh very private tool used by the
  • 00:09:52
    attackers but um uh yeah well let's go
  • 00:09:56
    through some of the the ways that folks
  • 00:09:59
    protect themselves against this I mean
  • 00:10:02
    two years out I suppose uh you know
  • 00:10:05
    patch management would be the Tope of
  • 00:10:07
    the
  • 00:10:08
    list exactly I mean uh as I said like
  • 00:10:11
    it's it's a and you probably also know
  • 00:10:14
    that it it was very big uh thing in 2021
  • 00:10:17
    when it came out and um Apache
  • 00:10:19
    Foundation also released the patch for
  • 00:10:21
    for this one uh at that time and u p
  • 00:10:25
    management is the only solution like we
  • 00:10:27
    have to you know upgrade the application
  • 00:10:30
    version to to mitigate
  • 00:10:33
    this is this something also where
  • 00:10:36
    monitoring your network traffic would
  • 00:10:38
    would be
  • 00:10:39
    beneficial yeah definitely it will be uh
  • 00:10:41
    helpful in order to if you have
  • 00:10:44
    basically let's say if it is an Apache
  • 00:10:45
    server or some type of other server that
  • 00:10:47
    is you know uh storing the logs that the
  • 00:10:51
    each type of request that are coming uh
  • 00:10:53
    to that particular server then that can
  • 00:10:55
    give an indication that hey you know
  • 00:10:57
    somebody's trying to exploit the water
  • 00:10:59
    so uh so definitely if there are network
  • 00:11:02
    uh you know related uh or the Security
  • 00:11:07
    Solutions that are deployed then they
  • 00:11:09
    should be able to catch it or if there
  • 00:11:11
    is logging enabled on the servers that
  • 00:11:14
    basically uh capture the request that
  • 00:11:16
    are coming to to the servers then that
  • 00:11:18
    should also help to identify this attack
  • 00:11:21
    yeah it it really is remarkable I I
  • 00:11:24
    think that you know it's it's been so
  • 00:11:26
    long since log for J Came Upon the scene
  • 00:11:29
    here um and we've still got this these
  • 00:11:32
    ongoing issues um you know from a high
  • 00:11:36
    level what do you suppose is is going on
  • 00:11:39
    here do you suppose there's just a lot
  • 00:11:40
    of systems that folks aren't aware of
  • 00:11:43
    that that should be patched that haven't
  • 00:11:45
    been yet I I think that what uh it looks
  • 00:11:48
    like Dave that uh you know even though
  • 00:11:51
    it was very widespread uh issue and you
  • 00:11:54
    know lots of people uh you know were
  • 00:11:56
    were very aware of it the people that
  • 00:11:58
    deals with with these Technologies but
  • 00:12:00
    it looks like that uh there is some uh
  • 00:12:03
    part of the portion of the world that is
  • 00:12:05
    not really uh either they do not know
  • 00:12:09
    like they they are running these
  • 00:12:10
    applications or for these servers and
  • 00:12:12
    these servers are internet facing or or
  • 00:12:15
    they might not really have looked or
  • 00:12:17
    given much care to those servers uh that
  • 00:12:21
    these servers are you know exposed to
  • 00:12:23
    the internet
  • 00:12:26
    [Music]
  • 00:12:34
    our thanks to emit Malik from uptic for
  • 00:12:37
    joining us the research is titled new
  • 00:12:39
    threat detected inside our discovery of
  • 00:12:42
    the log for J campaign and its XM rig
  • 00:12:44
    malware we'll have a link in the show
  • 00:12:56
    notes don't struggle to align your
  • 00:12:59
    organization's cyber security with
  • 00:13:01
    business risk get the only solution that
  • 00:13:04
    goes beyond reacting to threats with
  • 00:13:06
    vulnerability and risk monitoring you
  • 00:13:08
    need the next evolution of MDR and only
  • 00:13:11
    critical start delivers it critical
  • 00:13:14
    start doesn't just Monitor and respond
  • 00:13:16
    to threats they put you in control by
  • 00:13:19
    detecting suspicious activities quickly
  • 00:13:21
    responding to contain threats and
  • 00:13:23
    identifying your most critical assets
  • 00:13:25
    and protecting them against
  • 00:13:26
    vulnerabilities and exposures with
  • 00:13:29
    continuous visibility expert guidance
  • 00:13:31
    and measurable risk reduction critical
  • 00:13:33
    start has redefined what it means to
  • 00:13:36
    manage cyber risk demonstrate provable
  • 00:13:39
    security maturity to your leadership
  • 00:13:41
    while positioning your program to
  • 00:13:43
    achieve the greatest risk reduction per
  • 00:13:45
    dollar spent stop fearing risk and start
  • 00:13:48
    managing it with critical start visit
  • 00:13:51
    critical start.com and request a demo
  • 00:13:53
    today that's critical start.com
  • 00:13:57
    [Music]
  • 00:14:09
    and that's research Saturday brought to
  • 00:14:11
    you by n2k cyberwire our thanks to emit
  • 00:14:15
    Malik from uptic for joining us the
  • 00:14:17
    research is titled new threat detected
  • 00:14:20
    inside our discovery of the log forj
  • 00:14:22
    campaign and its XM rig malware you can
  • 00:14:25
    find a link and additional resources in
  • 00:14:27
    the show notes we'd love to know what
  • 00:14:29
    you think of this podcast your feedback
  • 00:14:32
    ensures we deliver the insights that
  • 00:14:33
    keep you a step ahead in the rapidly
  • 00:14:35
    changing world of cyber security if you
  • 00:14:37
    like the show please share a rating and
  • 00:14:39
    review in your podcast app please also
  • 00:14:41
    fill out the survey and the show notes
  • 00:14:43
    or send an email to cyberwire nk.com
  • 00:14:47
    we're privileged that n2k cyberwire is
  • 00:14:50
    part of the daily routine of the most
  • 00:14:51
    influential leaders and operators in the
  • 00:14:53
    public and private sector from The
  • 00:14:54
    Fortune 500 to many of the world's
  • 00:14:57
    preeminent intelligence and law
  • 00:14:58
    enforcement agencies n2k makes it easy
  • 00:15:01
    for companies to optimize your biggest
  • 00:15:03
    investment your people we make you
  • 00:15:05
    smarter about your teams while making
  • 00:15:07
    your team smarter learn how at nk.com
  • 00:15:10
    this episode was produced by Liz Stokes
  • 00:15:13
    we're mixed by Elliot pelman and Trey
  • 00:15:15
    Hester our executive producer is
  • 00:15:17
    Jennifer Ian our executive editor is
  • 00:15:19
    Brandon karf Simone patella is our
  • 00:15:21
    president Peter kpy is our publisher and
  • 00:15:24
    I'm Dave Bitner thanks for listening
  • 00:15:26
    we'll see you back here next time
  • 00:15:45
    hi everybody it's Maria varm mases here
  • 00:15:47
    your host over at T-minus Space daily
  • 00:15:50
    and sometimes a guest on hacking humans
  • 00:15:52
    too we here at n2k cyberwire work hard
  • 00:15:56
    to bring you concise intelligence-driven
  • 00:15:58
    new and commentary and we'd like to know
  • 00:16:01
    how we're doing please take a few
  • 00:16:03
    minutes to complete our audience survey
  • 00:16:06
    and share your feedback to help us
  • 00:16:08
    continue to grow and meet your needs
  • 00:16:12
    visit cyber wire.com
  • 00:16:14
    survey that's cyberwire tocom SLS survey
  • 00:16:19
    to get started thanks so much for your
  • 00:16:22
    input as we reach for the stars it means
  • 00:16:24
    the universe to us
  • 00:16:34
    and now a word from our sponsor six
  • 00:16:36
    cents six sense provides award-winning
  • 00:16:39
    cloud-based automated endpoint and
  • 00:16:41
    vulnerability Management Solutions to
  • 00:16:43
    streamline it and security operations
  • 00:16:47
    with its Advanced platform businesses
  • 00:16:49
    gain complete visibility and control
  • 00:16:51
    over their infrastructure reducing it
  • 00:16:54
    and security risks and optimizing
  • 00:16:56
    operational efficiency with six sense
  • 00:16:59
    you'll get realtime alerts risk-based
  • 00:17:01
    vulnerability prioritization and
  • 00:17:03
    remediations and an intuitive Automation
  • 00:17:06
    and orchestration engine so you can
  • 00:17:08
    focus on your core business goals
  • 00:17:10
    confident in the knowledge that your
  • 00:17:12
    Enterprise is secure compliant and
  • 00:17:14
    running smoothly to learn why
  • 00:17:17
    Enterprises choose six sense visit six
  • 00:17:20
    sense.com
  • 00:17:22
    [Music]
Etiquetas
  • Enterprise Security
  • Identity Management
  • Log4j
  • Cybersecurity
  • Vulnerability Management
  • Coin Miners
  • Ransomware
  • Patch Management
  • Network Monitoring
  • Critical Start