Insight into Log4j, Q3 2021 ransomware, APT, and top sector targets
Welcome to our new threat report and our new company.
As we look ahead in this new year, we must acknowledge a threatscape that left us all exhausted from a particularly challenging end to 2021. In our new company’s first threat report, we acknowledge the issue that dominated not only headlines, but the focus of defenders and enterprise security teams. We also look back at the third and fourth quarters of 2021, but let’s first detail our wealth of resources available to help you combat Log4j.
Fundamentally, as more details of the Log4j threat emerge, it’s imperative to connect to our research and updated resources for help. Beyond product status, we continuously monitor for active campaigns leveraging this vulnerability and detail the coverage status for new payloads.
When details of the Log4j vulnerability appeared, we very quickly responded with network-based signatures and a write-up of the vulnerability. We quickly followed up with the additional assets detailed in this report.
To understand more about current Log4j threat activity, as well as other prevalent threats, please see our threat dashboard.
In addition, please check out our Trellix Threat Labs blog featuring our latest threat content, videos and links to the security bulletin.
Of course, Log4j isn’t the only threat to your enterprise’s security. This report also spotlights the looming shadow and disruption of ransomware, and other prevalent threats and attacks observed in the wild.
Happy 2022 and welcome to a new company.
In what is becoming a threatening tradition, a new vulnerability affecting the widely used Log4j logging library was disclosed just in time for the holidays. What has been described as the most serious cybersecurity flaw in decades called Trellix and the cybersecurity industry to action in the fourth quarter of 2021. The Log4j vulnerability threatened a potentially massive impact on any product that integrates the Log4j library into its applications and websites, including products and services from Apple iCloud, Steam, Samsung Cloud storage and many others.
Our team has been closely tracking Log4j since its discovery. We released a network signature KB95088 for customers leveraging Network Security Platform (NSP). The signature detects attempts to exploit CVE-2021-44228 over LDAP. This signature may be expanded to include other protocols or services, and additional signatures may be released to complement coverage.
Here’s a quick timeline of Log4j and our research:
Consult our Threat Labs blog and threats dashboard for our latest research on defending against Log4j. Our team gathers and analyzes information from multiple open and closed sources before disseminating reports.
Our team quickly researched and outlined what happens in the execution of a common web-based Log4j attack:
To protect an environment against attacks like Log4j, a layered strategy comprising network security coupled with targeted endpoint memory scans allows defenders to detect and prevent the attack execution flow against vulnerable systems exposed via network vectors. Our ENS Expert Rules and Custom Scan reactions are designed to give defenders such capabilities so they can apply precise countermeasures against these emerging threats.
CISA.gov also provides a Log4j scanner to help organizations identify potentially vulnerable web services affected by the Log4j vulnerabilities.
In the third quarter of 2021, high-profile ransomware groups disappeared, reappeared, reinvented, and even attempted to rebrand, while remaining relevant and prevalent as a popular and potentially devastating threat against an increasing spectrum of sectors.
Even though ransomware activity was denounced and banned from numerous cybercriminal forums in Q2 2021, our team has observed activity among the same threat actors on several forums using alternate personas.
In December 2021, Trellix provided research that assisted FBI and Europol in the arrest of REvil affiliates and the seizure of $2 million in ransom.
Notable Q3 2021 ransomware trends and campaigns included:
In Q3, the U.S. government initiated a proactive campaign to reduce ransomware’s prevalence with the launch of the StopRansomware.gov hub, offering rewards of up to $10 million for information identifying or locating state-sponsored threat actors involved in cyber activities against critical U.S. infrastructure.
For more on how these ransomware and new campaigns could threaten enterprise in the coming months, see our Trellix 2022 Threat Predictions.
To help enterprises better understand and defend against ransomware attacks in the threatscape, our team presents research and findings into the prevalence of a wide variety of ransomware threats including families, techniques, countries, sectors, and vectors.
Jump to Ransomware Client Countries, Customer Sectors, and MITRE ATT&CK Techniques.
The team tracks and monitors APT campaigns and their associated indicators and techniques. Our team’s research reflects APT Threat Actors, Tools, Client Countries, Customer Sectors and MITRE ATT&CK Techniques from Q3 of 2021.
The team has identified indicators of compromise that belong to tracked APT campaigns with the following tools associated with them. APT groups are known for using common system utilities to bypass security controls and perform their operations:
Jump to APT Client Countries, Customer Sectors, and MITRE ATT&CK Techniques.
Our team tracked threat categories in the third quarter of 2021. The research reflects percentages of detections by type of ATR malware used, Client Countries, Customer Sectors, MITRE ATT&CK techniques used in attacks and industry sectors.
Jump to ATR Client Countries, Customer Sectors, and MITRE ATT&CK Techniques.
Notable country and continent increases of publicly reported incidents in the third quarter of 2021 include:
Notable publicly reported incidents against sectors in the third quarter of 2022 include:
Notable publicly reported incidents against vectors in the third quarter of 2021 include:
Cybercriminals use Living off the Land (LotL) techniques that use legitimate software and functions in a system to perform malicious actions on that system. Based on third quarter events, Trellix has identified a trend in tools used by adversaries who are attempting to remain undetected. While state-sponsored threat groups and larger criminal threat groups have resources to develop tools in house, many turn to binaries and administratively installed software that may already be present on a target system to carry out distinct phases of an attack.
To identify native binaries or administratively used software during a reconnaissance phase for a high-profile target, adversaries may gather information on technologies used from job postings, customer testimonials advertised by vendors, or from an inside accomplice.
PowerShell (41.53%)
T1059.001
PowerShell is often used to execute scripts and PowerShell commands.
Windows Command Shell (CMD) (40.40%)
T1059.003
Windows Command Shell is the primary CLI utility for Windows and is often used to execute files and commands in an alternate data stream.
Rundll32 (16.96%)
T1218.011, T1564.004
Rundll32 can be used to execute local DLL files, DLL files from a share, DLL files obtained from the internet and alternate data streams.
WMIC (12.87%)
T1218, T1564.004
WMIC is a command line interface for WMI and may be used by adversaries to execute commands or payloads locally, in alternate data streams or on a remote system.
Excel (12.30%)
T1105
While not natively installed, many systems contain spreadsheet software; adversaries may send users attachments containing malicious code or scripts that, when executed, may be used to retrieve payloads from a remote location.
Schtasks (11.70%)
T1053.005
An adversary may schedule tasks that maintain persistence, execute additional malware, or perform automated tasks.
Regsvr32 (10.53%)
T1218.010
Regsvr32 may be used by adversaries to register DLL files, execute malicious code and bypass application whitelisting.
MSHTA (8.78%)
T1218.005
MSHTA may be used by adversaries to execute JavaScript, JScript and VBScript files that may be hidden in HTA files locally and in alternate data streams or retrieved from a remote location.
Certutil (4.68%)
T1105, T1564.004, T1027
Certutil is a Windows command utility used to obtain certificate authority information and configure certificate services. Alternatively, adversaries may use certutil to gather remote tools and content, encode and decode files, as well as access alternate data streams.
Net.exe (4.68%)
T1087 & Sub-techniques
Net.exe is a Windows command line utility that allows an adversary to perform reconnaissance tasks such as identifying users, network, and services functionality of a victim machine.
Reg.exe (4.10%)
T1003.002, T1564.004
Reg.exe may be used by adversaries to add, modify, delete, and export registry values, which may be saved to alternate data streams. Additionally, reg.exe may be used to dump credentials from a SAM file.
Remote Services (15.21%)
T1021.001, T1021.004, T1021.005
AnyDesk
ConnectWise Control
RDP
UltraVNC
PuTTY
WinSCP
Remote services tools, both native to Windows and third-party software, may be used by adversaries along with valid accounts to gain access to a machine or infrastructure remotely, perform ingress transfer of tools and malware, as well as exfiltrate data.
Archive Utilities (4.68%)
T1560.001
7-Zip
WinRAR
WinZip
Adversaries may use archive utilities to compress collected data in preparation to be exfiltrated as well as to decompress files and executables.
PsExec (4.68%)
T1569.002
PsExec is a tool used to execute commands and programs on a remote system.
BITSAdmin (2.93%)
T1105, T1218, T1564.004
BITSAdmin is often used to maintain persistence, clean up artifacts and for invoking additional actions once a set criterion is met.
fodhelper.exe (1.17%)
T1548.002
Fodhelper.exe is a Windows utility that may be used by adversaries to run malicious files with elevated privileges on a victim machine.
ADFind (0.59%)
T1016, T1018, T1069 & Sub-Techniques, T1087 & Sub-techniques, T1482
ADFind is a command line utility that may be used by adversaries to discover Active Directory information such as Domain Trusts, Permission Groups, Remote Systems and Configurations.
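As an added example (not code from the report or a Trellix rule), the Python below triages constructed process-creation events: it maps the binaries listed above to the technique IDs the report gives for them and flags the contexts the report describes, namely an Office parent process, a remote URL on the command line, and an alternate data stream reference. The event format, the Office-parent list and the regular expressions are this example's own assumptions.

```python
import re
from collections import Counter

# Technique IDs are the ones the report lists per tool; the heuristics below are this
# example's own assumptions, not Trellix detection content.
LOLBIN_TECHNIQUES = {
    "powershell.exe": "T1059.001", "cmd.exe": "T1059.003", "rundll32.exe": "T1218.011",
    "wmic.exe": "T1218", "schtasks.exe": "T1053.005", "regsvr32.exe": "T1218.010",
    "mshta.exe": "T1218.005", "certutil.exe": "T1105", "net.exe": "T1087",
    "reg.exe": "T1003.002", "bitsadmin.exe": "T1105", "fodhelper.exe": "T1548.002",
    "psexec.exe": "T1569.002",
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # assumed parent list
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# file.ext:stream is an NTFS alternate data stream reference; URLs are stripped before
# matching so that a host:port is not mistaken for one
ADS_RE = re.compile(r"\b[\w.-]+\.\w+:[\w.-]+")

def triage(event):
    """Return (technique, reason) findings for one process-creation event dict."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    technique = LOLBIN_TECHNIQUES.get(image)
    if technique is None:
        return []  # not one of the report's living-off-the-land binaries
    findings = []
    if parent in OFFICE_PARENTS:
        findings.append((technique, f"{image} spawned by Office application {parent}"))
    if URL_RE.search(event["cmdline"]):
        findings.append(("T1105", f"{image} given a remote URL (ingress tool transfer)"))
    if ADS_RE.search(URL_RE.sub("", event["cmdline"])):
        findings.append(("T1564.004", f"{image} referencing an alternate data stream"))
    return findings

def technique_counts(events):
    """Tally observed techniques across many events, like the report's per-tool figures."""
    return Counter(t for e in events for t, _ in triage(e))

# Constructed sample events, not telemetry from the report
SAMPLE_EVENTS = [
    {"parent": "winword.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo hi"},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://example.invalid/update.txt update.txt"},
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\notes.txt:helper.dll,Start"},
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": "services.exe", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]
```

Note that the plain PowerShell script run and the svchost event produce no findings: presence of a listed binary alone is expected on any Windows host, and it is the surrounding context that the report's descriptions call out.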
As the world attempted to drive 100 mph through the end of 2021, many “bugs” were splattered on our proverbial windshield. Some cleaned off easily, while some left a lasting stain. The team tracks and evaluates new vulnerabilities, aka bugs, each month upon their release and reports what we “feel” are going to be the most important. That’s right, not CVSS score or OWASP ranking, but an old-fashioned gut check based on years of experience.
Looking at our top reported bugs from the last several months, a few stand out from the rest. Apache had a rough year with both its web server (CVE-2021-41773) and Log4j component (CVE-2021-44228) hit hard with impactful bugs. Palo Alto also deserves an honorable mention with a bug found in their GlobalProtect VPN (CVE-2021-3064), having a unique impact during a global pandemic. Hold up, let’s be real for a minute. The Apache Log4j vulnerability deserves more than an “impactful” rating, as it is by far the biggest bug of 2021 and has the potential to defend its title for years to come. If you live under a rock and haven’t heard of these, I highly suggest reading our December Bug Report. Don’t forget to check back every month for the latest and greatest vulnerability news.
So, what makes these bugs the worst of the bunch? Simply put, they can be leveraged remotely, without authentication on tools that sit on the edge of your network. These bugs can be the initial entry point to a network without requiring an attacker to “phish their wish,” but instead be a gateway to a larger scale attack.
If your CISO likes playing Russian roulette and says you can only patch one product, we recommend prioritizing the Log4j vulnerability hands down, as it is easy to execute and has seen active exploitation across malicious actors. Although the Palo Alto VPN flaw is serious, and VPNs have seen an increase in exploitation since 2020, it takes a back seat to Log4j and the other Apache vulnerabilities since it affects an older version of the VPN software and has yet to see active exploitation in the wild.
Some bugs, like termites, can slip through the cracks, but have a devastating effect.
A Microsoft Windows Installer Service local privilege escalation bug, labeled CVE-2021-41379, was the proverbial termite of November. Microsoft disclosed the bug as requiring local access and allegedly fixed it with an official patch, but the strategy backfired when the patch didn’t work as expected.
With a failed patch and a publicly available POC, bad actors did not wait to compile this into their playbooks, as seen in Insights. Compounding the issue, our team has seen weaponized versions of this exploit being sold on the dark web.
To keep track of the latest threats and research, see our team’s resources:
Threat Center — Today’s most impactful threats have been identified by our team.