Newsletter 12/20/2021

Log4j. Pt.2.  Mars is safe (for now).  Don't know about Earth.

ED NOTE: As the digerati attempts to get the rest of the world to come to grips with what might be the very serious long-term implications of the Log4j vulnerability, the digerati is learning what I learned a long time ago.  To quote that late great Philosopher King, Phil Ochs,

But Monopoly is so much fun, I'd hate to blow the game
And I'm sure it wouldn't interest anybody
Outside of a small circle of friends.

12/14/2021

Both the short-term and long-term fallout from the Log4j vulnerability cannot be overstated.  The best description I have come across of why Log4j is the worst Internet attack yet comes from, remarkably, The Hill, the newspaper of Congress.  You see, Log4j is in millions of devices: not just PCs, but all kinds of things you might not at first think of as connected devices.  The writer likens the wide prevalence of Log4j to the prevalence of salt.

“If I asked you, ‘hey show me the salt you have in your house,’ you would probably walk up to the salt you have sitting on the table, maybe some you have hidden in the cabinet,” Cofrancesco said. “What you probably wouldn’t do is show me ‘hey, here’s my Panera sandwich, or here’s the soup I have, or here’s the juice I have, my powerade.’ All those other things have salt in it, it’s just obscured by the fact that there are a bunch of other ingredients. That is precisely what is going on here.”

Before you do anything today, BACKUP!  BACKUP! BACKUP!  And then DISCONNECT YOUR BACKUP DRIVE FROM YOUR COMPUTER.
If your only backup is cloud based, you really need to reevaluate that.
And then....

Tuesday, December 14, was Patch Tuesday for Windows users.  PATCH! PATCH! PATCH!  Make it a HABIT to run Windows Update manually every day. Verify that you have all suggested updates for your version of Windows.

Update Adobe Reader.  Open Adobe Reader → Help → Bottom of List: Check for Updates
Update Google Chrome. Open Chrome → Click the 3 dots in the top right corner → Mouse over Help → Click About Google Chrome

A list of all the vulnerable software has been produced by the cybersecurity cops of the Netherlands.  The list is so long it is indexed alphabetically.  Relevant to my readers: recent SonicWall firewalls do not use any version of Apache Log4j and are therefore not vulnerable, although other SonicWall products are vulnerable.  A few Microsoft products are vulnerable, but none that the usual Windows user employs.  Well, not really. Read on.

Bleeping Computer has published another extensive list of vulnerable products, both hardware and software.  Both of these lists put to rest the myth, or marketing lie, that if you want to have real computer security simply switch to Apple's macOS or the Linux operating systems and all your worries about computer security will simply evaporate.
 
It is challenging to discuss Log4j without being overly technical; but I will try.  For those who wish a greater understanding of the Log4j problem and all its potential impacts, simply follow the links herein.


12/20/2021

As the tech world tries to come to grips with the long-term fallout from the Log4j vulnerability, the search for embedded Java libraries, in too many applications to mention here, continues.  Consumer products from both Apple and Microsoft are vulnerable to a remote execution attack through a JAR file handler in their products.  A Microsoft posting of Dec. 16 is most illustrative of the JAR file issue.  JAR files and their remnants are hard to find.

As of this writing (12/16/2021), discoverability [in Microsoft 365 Defender] is based on the presence of vulnerable Log4j Java Archive (JAR) files on Windows 10, Windows 11, and Windows Server 2008, 2012, and 2016. Cases where Log4j is packaged into an Uber-JAR or shaded are currently not discoverable, but coverage for these instances and other packaging methods is in-progress. Support for Linux and macOS is also in-progress and will roll out soon.

The similarities with Covid have also not gone unnoticed.  The linked article is worth reading to gain some clarity on the how and why of spread. "It's not unreasonable to suggest that immunology and cybersecurity could learn a lot if they talked more.  Sometimes, though, the parallels are far too close for comfort."  Every new patch fails to permanently fix the problem, as does each new Covid mitigation.  At the time of the announcement, we were at Apache Log4j version 2.14.  In less than a week, it is now up to version 2.17.  But, hey, who's counting?
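To make the JAR-hunting problem in the Microsoft excerpt above concrete, here is a small scanner, added to this newsletter as an illustration; it is not code from Microsoft, Apple or the Apache Log4j project. It walks a directory, opens every JAR/WAR/EAR it finds, looks for the JndiLookup class that made log4j-core 2.x reachable through JNDI, reads the Maven pom.properties for a version, and descends into nested archives so that a copy bundled inside an uber-JAR is found; a shaded copy (classes relocated under another package) is matched by class-name suffix and flagged as version-unknown. The 2.17.0 threshold is an assumption taken from the version count above, and the sample tree the demo builds in a temporary directory is constructed (placeholder bytes, not real class files).

```python
import io
import os
import re
import tempfile
import zipfile

# The lookup class that exposed log4j-core 2.x to JNDI-based remote loading.
# Matched by suffix so that a shaded (package-relocated) copy is found too.
JNDI_LOOKUP_SUFFIX = "log4j/core/lookup/JndiLookup.class"
# Maven metadata that an unmodified log4j-core JAR carries.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumed threshold: the newsletter names 2.17 as current at the time of writing.
MIN_FIXED = (2, 17, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_text):
    """Return (major, minor, patch) from a pom.properties 'version=' line, or None."""
    for line in pom_text.splitlines():
        if line.startswith("version="):
            nums = []
            for part in line.split("=", 1)[1].strip().split("."):
                m = re.match(r"\d+", part)          # leading digits only: "0-rc1" -> 0
                nums.append(int(m.group()) if m else 0)
            nums += [0] * (3 - len(nums))
            return tuple(nums[:3])
    return None


def inspect_archive(zf, path):
    """Yield one finding per log4j-core copy in an open ZipFile, descending into nested archives."""
    names = zf.namelist()
    jndi_entries = [n for n in names if n.endswith(JNDI_LOOKUP_SUFFIX)]
    version = None
    if POM_PROPERTIES in names:
        version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
    if jndi_entries or version is not None:
        yield {
            "path": path,
            "version": version,
            "jndi_lookup_present": bool(jndi_entries),
            "shaded": any(not n.startswith("org/apache/") for n in jndi_entries),
            # A JndiLookup class with no readable version is treated as needing review.
            "needs_attention": bool(jndi_entries) and (version is None or version < MIN_FIXED),
        }
    for name in names:                               # recurse into uber-JAR contents
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except (zipfile.BadZipFile, KeyError, RuntimeError):
                continue
            with inner:
                yield from inspect_archive(inner, f"{path}!{name}")


def scan_tree(root):
    """Walk a directory and collect findings for every archive found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(inspect_archive(zf, full))
            except zipfile.BadZipFile:
                continue
    return findings


def _write_fake_log4j(target, version, prefix="org/apache/logging/"):
    """Constructed sample: a stand-in log4j-core JAR (placeholder bytes, not real classes)."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(prefix + JNDI_LOOKUP_SUFFIX, b"\xca\xfe\xba\xbe")
        if prefix == "org/apache/logging/":          # shaded copies usually lack Maven metadata
            zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")


def build_sample_tree(root):
    """Constructed sample tree: a plain 2.14.1 JAR, an uber-JAR bundling it,
    a shaded copy without Maven metadata, and a patched 2.17.0 JAR."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    _write_fake_log4j(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
    _write_fake_log4j(os.path.join(lib, "log4j-core-2.17.0.jar"), "2.17.0")
    _write_fake_log4j(os.path.join(lib, "vendor-shaded.jar"), None,
                      prefix="com/vendor/shaded/org/apache/logging/")
    inner = io.BytesIO()
    _write_fake_log4j(inner, "2.14.1")
    with zipfile.ZipFile(os.path.join(root, "app-uber.jar"), "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo():
    """Build the constructed tree in a temp dir, scan it, and return findings sorted by relative path."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
        for f in findings:
            f["path"] = os.path.relpath(f["path"], root)
        return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real application directory, `scan_tree` reports every log4j-core copy with its version and whether it sits below the threshold; the `!` in a path marks a copy found inside another archive, which is exactly the uber-JAR case the Microsoft note says its tooling could not yet see.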

Several new attack vectors have been identified over the past few days.  Of particular concern to us consumers of IT is the discovery that a vulnerability exists in WebSockets.  WebSockets exist in all web browsers.

WebSockets have been a part of most common browsers over the last 10 years and are used for a number of tasks as users browse. Commonly used for applications like chat and alerts on websites, WebSockets are great at passing timely information back to the browser and allowing the browser to quickly send data back and forth. 

All it takes to exploit the WebSockets vulnerability is a simple piece of JavaScript.  The WebSockets vulnerability requires no user interaction to be exploited.  The WebSocket vulnerability will infect systems that are known to the OS as "localhost."  "The client itself has no direct control over WebSockets connections. They can silently start when a webpage loads. Don't you love the word 'silently' in this context? I know I do."   I am not the only snarky writer in the digerativerse.  (I can make up new tech terms, too.)

The greatest risk to everyday computer users is the ability of a server affected by Log4j to be a means to distribute malware otherwise unrelated to Log4j itself.  Cryptominers are hard at work exploiting Log4j because every cryptominer always needs more of your and my computing power to fund hidden monies where none apparently exists.  I deliberately chose an Apple related article here.  No snark, just the facts.

Our friends the Chinese and Iranians, among others, are involved in exploits.  Ransomware is being distributed via the Log4j vulnerability.  And it is the ransomware attacks that have the most direct impact on just plain folks.  Payroll and HR services company Kronos was the first major company to be hit with a ransomware attack stemming from Log4j.

A major payroll provider used by thousands of businesses in the United States, including government agencies, is reporting that it expects to be down for “weeks” due to a devastating ransomware attack.

Kronos, known to be used by several thousand companies ranging from Tesla to National Public Radio (NPR), had its Private Cloud service go offline on Monday. This element is central to its UKG Workforce Central, UKG TeleStaff, and Banking Scheduling Solutions services used to track employee hours and process paychecks. The company confirmed that it had discovered an ongoing ransomware attack on December 11 and had taken the services hosted in Kronos Private Cloud offline as part of its mitigation measures. Kronos did not give a timetable for recovery but said that it expects it to be at least several days, if not weeks, before the services are fully online again.

A good survey of the many ransomware attacks that are being facilitated by the Log4j vulnerability can be read here.  Ransomware attacks usually tick up during the holiday season for a variety of reasons.  Log4j has made this a much easier proposition for the crooks, though.

Whatever the vulnerability source, Erich Kron (security awareness advocate at KnowBe4) notes that the holiday vacation period for many companies is when cyber criminals can be expected to pull double shifts: “Ransomware gangs often time attacks to take place when organizations are short staffed due to holidays, or when they are extremely busy, with the hope that the attack will take longer to spot and response times will be much slower. In addition, the pressure to service customers during these crucial times can be very high, making it more likely that the victim will pay the ransom in an effort to get operations back up and running quickly … Unfortunately, the Grinch has impacted Christmas for a lot of people using the KPC services (ed. Kronos Payroll Service). Hopefully, this does not result in a subscription to the ‘Jelly of the Month Club’ in lieu of the annual bonuses.”

So you see, none of this is propeller head theoretical nonsense.  Real people are experiencing real pain in real time.  Kids that had little Christmas morning joy last year may now have even less joy this Christmas.  And why is this?  The reason is that so many companies were too cheap and too short-sighted and too ignorant and too uncaring to really educate or concern themselves about the real world dangers of real world malware.  Just as those who refuse to be vaccinated are primarily responsible for the continuing scourge of Covid, these IT professionals who implemented in their applications software well known to be vulnerable to exploitation of these well known vulnerabilities are responsible for what is happening now.

So while some here on Earth are wondering if they will get their Christmas bonus or year end profit sharing, the Martians can rest assured that the Earthlings' contraptions will not be crashing their computers, at least not any time soon.  NASA has released a statement concerning Log4j and the Martian helicopter.  You can read the NASA statement about Log4j here.  Or you can take my take on it.

What! You think we're stupid? We're NASA.  What we do is Rocket Science.

So, is the inverse of that statement true?

Gerald Reiff
