Freight Trains, Russia-Ukraine, Log4J And Supply Chain Attack Madness

The current conflict between Russia and Ukraine has undeniably captured the attention of countries all around the world. Our thoughts and prayers go out to the people of Ukraine, and we hope that there will soon be peace. It is crucial that we promote cybersecurity best practices always, but especially now as cyberattacks have increased drastically due to this conflict. This piece by Ntirety CEO Emil Sayegh was originally published in Forbes on February 1, 2022.  

 Freight Trains, Russia-Ukraine, Log4J, And Supply Chain Attack Madness 

We have all seen the images of the train tracks in California littered with boxes due to the systemic attacks by organized gangs of criminals. These attacks on our supply chain left train tracks resembling third-world garbage dumps as cargo containers were being raided with impunity, leaving a heap of strewn boxes in their wake. The train attacks delayed much-needed shipments to stores with empty shelves, as well as essential packages needed by businesses and consumers from all walks of life, at the exact moment when all of us were trying to deal with the resurgent Omicron virus. 

In the same way that physical attacks on trains have been on law enforcement minds, cyber-attacks against the software supply chain are on many cyber security professionals’ minds. These threats are perhaps not as visible, but nonetheless are a sleeping national disaster if left unchecked. A variety of factors have created a growing and consistent attack vector for the enterprise to deal with, especially considering the Russia and Ukraine geopolitical tension. Rumor is that if the US imposes sanctions on Russia, Russia will retaliate by mounting a concerted cyber-attack on US supply chain infrastructures. Regardless of the geopolitical situation, we are on the horizon of a hyper-escalated future of supply chain attacks, and it is critical that security strategies focus on comprehensive security and not point solutions.  

A Very Big Attack Hammer 

The enterprise is still stinging from recent high-profile supply chain attacks such as the SolarWinds breach. It did not take long for this threat condition to evolve. Successful attacks against SolarWinds caught significant attention in a supply chain attack that allowed the hackers to further select and target some of SolarWinds’s specific client targets such as Microsoft, FireEye, and US government agencies. Later, a ransomware attack against Kaseya, an IT management software tool, disrupted operations for many managed service providers and their clients. Even more recently, even more commotion emerged when a vulnerability was found in Log4j, a ubiquitous but obscure piece of monitoring software. The trend of one attack to many victims is a theme that continues in the headlines.  

What has happened in these and many other cases, is significant. By compromising the virtual supply chain, criminal threat actors have managed to breach centralized services, software, and platforms to get a foothold into target organizations causing considerably more damage than the California physical train attacks, and without even getting out of their chair. Once there, the cyber threat actor goes on to widespread infiltration of customers and clients of the original victim. For the attacker, one successful breach means that the economy of impact can be scaled out to hundreds, even thousands of victims, saving time and effort making it more lucrative, and less risky than physically raiding freight trains. 

Simple Attacks, Big Results 

Even scarier, most of these incidents happen through very basic attacks. While many of the high-profile attacks were sophisticated in their planning and execution, the technical measures used to achieve the attacks were not sophisticated at all. These attacks exploit common weaknesses including: 

  • Certificate comprise
  • Open-source vulnerabilities
  • Exploiting unpatched libraries and executables
  • Compromised accounts
  • Exploited firmware
  • Malware and Ransomware
  • Phishing

Further, with an arsenal of well-established and easily consumable nefarious methodologies, most cyber supply chain attacks are easily replicated. Simple and cheap, the characteristics of novel supply chain attacks are a significant problem that is bound to grow because as you will see, cyber chaos success begets imitation, and it will not be long before significant numbers of cybercriminal groups get on board the supply chain attack train.  

Standing Up to the Threats 

The ultimate takeaway from this growing threat breaks down to a highlight of focus. First, recognize that every organization and industry are stacked up against very different challenges. Then, recognize that slowly, the supply chain industry is working to update systems and platforms to help address this threat – using the latest dynamic principles of comprehensive security in a cloudified age. These organizations must escalate their efforts to defend their products in a coming storm of activity. There is a staggering amount of interdependence between all the components of a cyber supply chain. These companies must also position themselves to provide rapid response when needed, on behalf of their clients.  

Protect Your House 

As individual as organizations can be, every organization has a unique digital supply chain. We are all in this boat together, and so we must also focus on analyzing and protecting against these threats. We have built upon services, platforms, software, and other digital components that came from somewhere.  

The prescription for these threat conditions is a comprehensive security strategy and implementing the protections of continual analysis, introspective monitoring, and integrity enforcement of our own digital systems as well as the realm of digital outside our clouds that have been allowed into the organization. Focus on threat modeling, adaptive strategy, and risk-focused assessment. Increase security presence, monitoring, and controls at every phase of the software life cycles as well as throughout the library of digital platforms and tools. 

The Must-Do Mission of our Times 

There is no excuse for enterprise systems to linger unpatched, unreviewed, and unmonitored or for security systems to depend on outdated missions and technology. Considering the technology and services available today, actionable security data must be “in-the-moment” because stale information can only provide weak, ineffective and potentially misguided benefits. Preparation for the unknowable means investment in technology, investment in people and investment in robust services that can blunt these nefarious threats. 

The historical precedent is out there. The significant breach events have occurred. It cannot be ignored that the market for simple attack tools and methods are cheap and easy to implement, and are actually much easier than a freight train heist. Everybody likes a winning program (including hackers), and a boon of cyber disruption success means that shifting attack efforts onto the supply chain will continue to be a top mission. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn.

Our Response to Log4Shell, the Log4J Vulnerability

A recent storm of cybersecurity activity hit the internet over the last week as a highly dangerous vulnerability known as Log4Shell was publicly disclosed. Also known as Log4j (the name of the affected utility) this zero-day vulnerability allows attackers to gain full system control with little technical effort. The use of this tiny bit of software is rarely documented but it is widespread on the order of hundreds of millions of devices. Another major cause for concern is the trivial effort required to exploit the vulnerability and gain access to everything from consumer technologies to web servers.  

Across the industry, IT departments have been in overdrive as initial mitigations focus on patching systems as updates are made available. The phases ahead are where the true impact of this event will emerge. A history of recent attacks against critical industries and an escalating cybercrime environment mean that the vulnerability arrives with a heavy future cost and the potential for breach, data leakage, DDoS attacks, ransomware, botnets, and a spectrum of threats that cannot be estimated.  

Ntirety has been actively responding to the Log4shell vulnerability as outlined by our response plans for Managed Security Services Stack customers and our general ecosystem. After thorough scanning and review of internal and vendor applications, we have mitigated every instance of Log4j through continuing updates and enforced controls on access levels.  

Affected Version 

Apache Log4j 2.x <= 2.15.0-rc1 

Affected Software 

A significant number of Java-based applications are using log4j as their logging utility and are vulnerable to this CVE. To the best of our knowledge, at least the following software may be impacted: 

  • Apache Struts
  • ApacheSolr
  • Apache Druid
  • Apache Flink
  • ElasticSearch
  • Flume
  • Apache Dubbo
  • Logstash
  • Kafka
  • Spring-Boot-starter-log4j2

Additionally, as part of our holistic security approach, our advanced intelligence and monitoring systems are on the lookout for intrusions, analogous behaviors, account privilege tracking, and any lateral behaviors that may indicate a novel attack is occurring. Across our datacenters, Ntirety has also performed discovery and advisory for potentially vulnerable customers.  

Our response planning is continually updated, and what comes next is equally as important to initial responses, as this vulnerability is destined to haunt the internet for years to come. Our 24/7 Security Operations Center is up to speed on tracking new potential threats and trained on how to recognize and respond appropriately. Exploits are just getting started and we are on high alert.  

We highly recommend that organizations upgrade to the latest version (2.17.0) or higher of Apache log4j 2 for all systems, along with the addition of a managed security service to proactively protect your systems. 

Schedule a consultation with Ntirety to learn about how we can help protect you from vulnerabilities through our Comprehensive Security approach.