Log4j is a Java-based, ubiquitous logging tool that is said to be used by nearly 13 billion devices world-wide. Late last year, in December 2021,...
Spring4Shell Might Grab Headlines, But Log4j Exploits Swamped Enterprises, Finds Cato Threat Report Log4j is a Java-based, ubiquitous logging tool that is said to be used by nearly 13 billion devices world-wide. Late last year, in December 2021, the Apache Software Foundation announced the discovery of a software vulnerability (CVE-2021-44228 a.k.a. Log4Shell) that allows unauthenticated users to remotely execute or update software code on multiple applications via web requests. As soon as the vulnerability was announced, researchers at Cato Networks noted over 3 million attempts (in Q4 2021) aimed at exploiting this vulnerability.
Fast forward to Q1 2022 and the number of attempts to exploit this vulnerability have increased to a whopping 24 million. According to the Cato Networks SASE Threat Research Report, Log4j vulnerabilities were leveraged all across the world, including cyber-attacks on Ukrainian organizations.
Interestingly, number two on the list of the top five CVE exploit attempts was a Java vulnerability (CVE-2009-2445) that has been around for more than a decade. Threat actors made almost 900,000 attempts (double than previous quarter) to exploit this vulnerability for initial access. Above research highlights the fact that while certain zero-day vulnerabilities (like Spring4Shell or CVE-2022-22965) grabbed news headlines, it is the legacy vulnerabilities that put enterprises at the most risk.
[boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink]
Majority of Exploitation Events Originated in the U.S.
Understanding where attacks originate from or who (or where) the malware communicates to is a critical part of any organization's threat response strategy. Attackers are aware of the fact that traffic to or from certain countries may be blocked, inspected or investigated and that’s the reason why a majority of them ensure that their command and control (C&C) infrastructure is hosted in a country that is labeled as “safe”. While the U.S. is the most favored destination (hosts 17.3 billion C&C servers), China comes second (with 2 billion C&C servers), followed by Germany (1.66 billion), UK (1.29 billion) and Japan (1 billion).
Reputation-based Threats, Brute Force and Remote Code Execution Attacks Skyrocket
After analyzing 26 billion security events across 350 billion network flows, Cato researchers noted a 33% decline in attackers attempting to perform network scans. That being said, network scans still reign as the number one threat type (10 billion plus attempts), followed by reputation-based threats (1.5 billion attempts) or security events that are triggered by inbound or outbound communications to known malicious destinations.
Reputation-based threats grew more than 100% over the previous quarter. In addition to this, the Cato Threat Hunting System also observed that crypto-mining numbers continue to climb, while brute force attacks and remote code execution attacks have nearly tripled in comparison to the previous quarter.
Attackers Are Frequently Scanning Network Hardware and Software For Initial Access
Cato carried out an analysis based on the MITRE ATT&CK framework and concluded that network-based scanning is the most frequently used attack vector to gain initial access in an enterprise environment. Active Scanning (T1595 - 6.9 billion flows), Network Discovery (T1046 - 4.1 billion flows) and Remote System Discovery (T1018 - 2.7 billion flows) are the top three techniques employed by attackers. That’s not all, once adversaries have initial access they actively search data from local systems (T1005 - 9.5 million incidents), look for valid accounts (T1078 - 6.9 million incidents) and try to brute force access if credentials are not accessible (T1110 - 6.9 million incidents).
Risks Are Also Originating from Popular Consumer Apps Like Telegram and TikTok
While many governments have raised privacy concerns around the use of TikTok and even attempted to censor its use, Cato research finds that most enterprises still continue to allow TikTok flows. In fact, use of this short form video-haring app grew by 10% over the previous quarter. In addition to this, use of the instant-messaging app Telegram more than tripled, probably due to the Ukraine-Russia crisis, and YouTube grew by 25%. Growth in such non-business, consumer apps operating on enterprise networks significantly widens the attack surface, exposing organizations and people to greater risk of being targeted with phishing and other social engineering schemes.
What Can Organizations Do To Protect Themselves?
While security isn’t one-size-fits-all, below are some general recommendations and best practices that can help:
Execute a detailed audit of every website, system and application on a regular basis. Prioritize critical risks and plug those loopholes proactively.Patch all applications regularly and ensure they are running the most up-to-date software.Replace security point solutions and legacy network services with a solution that is more converged (or holistic) like SASE. A convergence of networking and security provides unique visibility into network usage, hostile network scans, exploitation attempts and malware communication to C&C servers.When organizations encounter zero-day vulnerabilities like Log4j, they must immediately implement virtual patching so that security teams can neutralize the threat and buy additional time till they are able to apply necessary and permanent fixes.Train staff regularly so they do not fall prey to phishing and social engineering scams.Try and restrict use of consumer applications (e.g., TikTok, Telegram) in enterprise environments as this can significantly minimize risk and lower possibility of infectious lateral movement.Be vigilant, have reporting and monitoring processes in place and be on guard for any changes in the attack surface.
Follow the link to get the full Q122 Cato Networks SASE Threat Research Report.
Network data from hundreds of Cato customers suggests malware communication persists despite the use of legacy security controls, services, and detection methods Cato Research Labs...
Threat Intelligence Feeds and Endpoint Protection Systems Fail to Detect 24 Malicious Chrome Extensions Network data from hundreds of Cato customers suggests malware communication persists despite the use of legacy security controls, services, and detection methods
Cato Research Labs released new findings today identifying 24 malicious Chrome extensions and 40 malicious domains, all previously thought to be benign. Some extensions simply introduced adware, but others stole user credentials and may allow attackers to exfiltrate data or manipulate search results to lure users into downloading malware. None of the extensions or the domains had been reported as malicious by endpoint protection systems (EPPs) or threat intelligence (TI).
The fact these malicious extensions and domains went undetected underscores the limitations of legacy protection systems. Attackers can employ a wide range of techniques to avoid detection by EPPs and TI. As such, enterprises cannot assume updated defenses will protect them. Putting into place the security measures to detect the C&C server communications of a malicious Chrome extension, or any malware for that matter, will fill this gap.
Browsers: Today's Security Frontier
Everyone uses browsers, and it's this popularity that makes them particularly enticing targets for adversaries. Browser extensions provide fertile ground for attackers to access resources on client computers, often with the same permissions as the browser itself.
Many researchers consider malicious extensions as simply PuPs (Potentially unwanted Programs) or Adware, but malicious extensions can be far riskier than just showing ads. From manipulating search results to luring users to download malware to exfiltrating clipboard data or screenshots, malicious Chrome extensions pose a huge and growing risk for every enterprise. We saw this last fall with the Razy malware outbreak that also involved a Chrome extension.
How Malicious Chrome Extensions Make Their Way Into Your Browser
Google does a good job identifying and blocking malicious Chrome extensions. The process of uploading a new extension to Google's Chrome Web Store typically takes several weeks while the extension code and activity are reviewed automatically and manually by Google. Using the Chrome browser's standard security settings will block the installation of extensions from outside Google's Chrome Web Store. However, users can change this setting in the browser configuration.
Google also reviews abuse notifications from users and removes extensions identified as malicious from the Chrome Web Store. In those cases, the Chrome browser will mark the extension as malware; users are expected to remove the extension.
[caption id="attachment_14066" align="aligncenter" width="411"] Figure 1: The Great Suspender is flagged as an extension that contains malware.[/caption]
Endpoint Protection and Threat Intelligence Research Alone Do Not Detect Malicious Chrome Extensions
With those security controls in place and companies already investing heavily in endpoint protection, you might think that users would be safe from malicious extensions. However, our research shows this is not the case.
Overall, we discovered 85 malicious Chrome extensions on our customer networks. Some had never appeared in the Google Chrome Web Store, while others had been removed by Google. Nevertheless, they were still found operating on customer networks.
How can users continue to run malicious extensions despite the many security controls? During our research, we identified four approaches attackers use to introduce malicious extensions into user browsers:
Browser Configuration and Third-Party Sites: Some extensions enter browsers due to poor browser configuration and downloading CRX (Chrome extension installation file) from malicious sites, i.e., not Google's official web store. One malicious site we identified that distributes malicious CRXs is http://extore[.]space/inspire. Some of the extensions are real and benign, while others might be fake with malicious code.
Malicious Code Injection During Update: In other cases, Google might have approved the extensions, but attackers later injected malicious code in one of the extension's updates after the extension becomes popular.
Extension Rights Acquisition: Other ways are by adversaries purchasing a popular extension's rights from the developer and then injecting malicious code. Taking over the key (which generates the extension ID) and credentials from the developer might also be a way to get plugged into a popular extension.
Independent Code Downloads: We've also identified other Malwares/PUPs or malicious extensions that would download and install additional (other) malicious extensions.
Network-Based Discovery Is Critical for Spotting Malicious Extensions
Cato made these discoveries by analyzing five days of data from hundreds of Cato customers' networks. Rather than hunting for specific malware signatures, Cato uses a network-based approach that identifies the network traffic patterns indicative of all malware. As such, this methodology is not only useful for identifying these specific extensions but for continuously hunting for any malware communicating with a C&C server.
The research had two phases. First, we automatically correlated network traffic with extension behavior and then preliminarily classified extensions as malicious or benign. The result: 97 of 551 unique extensions from our data were identified as likely being malicious. The second phase was to manually inspect each extension, definitively classifying them as malicious or benign. The final result was 85 malicious extensions, representing an 87% success rate for our initial automated phase.
We achieved this remarkably successful approach by analyzing and correlating networking and security information across multiple dimensions, including looking for:
Traffic to Parked or Malicious Domains. Identifying traffic generated by extensions to parked domains or malicious domains typically yielded known malicious extensions. What's more, by checking the network behavior and other traffic data, such as the URL and other HTTP parameters, we were able to identify other malicious extensions that were using the same behavior and communicating with domains previously not classified as malicious.
[caption id="attachment_14072" align="aligncenter" width="660"] Figure 2: Parked domain used as a C&C server[/caption]
Identical Extensions Communicating with Different Domains: Attackers have identical extensions (as defined by their unique extension ID) communicating with many different domains. They'll target a particular area (creating PDFs was particularly popular), labeling each extension differently and having them communicate with a different domain, mimicking a benign extension's behavior. Using the same approach, we analyzed different extensions that communicate to the same domain. This behavior was suspicious, and after analyzing the specific extensions, they were identified as malicious.
Unencrypted Extension IDs: Having the extension ID in clear-text or encoded to base64 in the URL, headers or payload is also suspicious. It may be evidence of the adversaries trying to understand the traffic origin (as sometimes they share the same domain across many extensions). It might also be used as an access-control function on the server-side to allow traffic only from the extension and not from security researchers or automatic web-classification algorithms trying to investigate and classify the domain.
Fake Postman Extension Leads to Credential Theft
While our approach identified many extensions that were believed to be benign, of particular note was one extension that disguised itself as the popular Postman application.
Postman allows developers to test and use APIs, typically using their credentials in the process. The fake Postman extension enables attackers to exploit those credentials to access the company's application. To make matters worse, the malicious extension closely mimics the real Postman extension, even using the same icon and offering the same capabilities.
[caption id="attachment_14074" align="aligncenter" width="452"] Figure 3: Fake Postman extension download[/caption]
[caption id="attachment_14076" align="aligncenter" width="192"] Figure 4: Obfuscated JS code in the Postman copycat extension. The variable p returns https://secure.browser-status[.]com/__utm.gif, which is a tracking pixel.[/caption]
Recommendations for Organizations
Cato recommends taking several actions to protect your users from these and other malicious extensions:
Define and maintain a whitelist policy of extensions ID allowed in your organization. Ensure whitelisted extensions are from Google's Chrome Web Store only.
Monitor for browsers with poor security settings (lower than "Standard").
Monitor network traffic to identify periodic communication with C&C servers.
Despite their investment in EPP and TI, enterprises continue to be infected by malicious Chrome extensions. Attackers introduce the extensions through a range of techniques bypassing legacy protection approaches. However, rather than hunting for a specific malicious extension, enterprises can best protect themselves by identifying the unique network patterns indicative of all malware.
djdcfiocijfjponepmbbdmbeblofhfff (Fake Postman)
mfdcjdgkcepgfcfgbadbekokbnlifbko (Fake Postman)
mgkmlkgpnffmhhfallpoknfmmkdkfejp (QuickNewsWorld Promos)
pdlfbopkggkgdmgkejgjgnbdbmfcnfjn (EZPackageTracking Promos)
ljnppgaebjnbbahgmjajfbcoabdpopfb (Search Manager)
nofdiclilfkicekdajkiaieafeciemlh (Your Docs To PDF)