‘The Internet Is on Fire’

A vulnerability in the Log4j logging framework has security teams scrambling to put in a fix.

A VULNERABILITY IN a widely used logging library has become a full-blown security meltdown, affecting digital systems across the internet. Hackers are already attempting to exploit it, but even as fixes emerge, researchers warn that the flaw could have serious repercussions worldwide. 

The problem lies in Log4j, a ubiquitous, open source Apache logging framework that developers use to keep a record of activity within an application. Security responders are scrambling to patch the bug, which can be easily exploited to take control of vulnerable systems remotely. At the same time, hackers are actively scanning the internet for affected systems. Some have already developed tools that automatically attempt to exploit the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions.

Log4j is a Java library, and while the programming language is less popular with consumers these days, it’s still in very broad use in enterprise systems and web apps. Researchers told WIRED on Friday that they expect many mainstream services will be affected. 

For example, Microsoft-owned Minecraft on Friday posted detailed instructions for how players of the game’s Java version should patch their systems. “This exploit affects many services—including Minecraft Java Edition,” the post reads. “This vulnerability poses a potential risk of your computer being compromised.” Cloudflare CEO Matthew Prince tweeted Friday that the issue was “so bad” that the internet infrastructure company would try to roll out at least some protection even for customers on its free tier of service.

All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.

“It’s a design failure of catastrophic proportions,” says Free Wortley, CEO of the open source data security platform LunaSec. Researchers at the company published a warning and initial assessment of the Log4j vulnerability on Thursday. 

Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function. On Friday, some Twitter users began changing their display names to code strings that could trigger the exploit. Another user changed his iPhone name to do the same and submitted the finding to Apple. Researchers told WIRED that the approach could also potentially work using email.

The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability on Friday, as did Australia’s CERT. New Zealand’s government cybersecurity organization noted in its alert that the vulnerability is reportedly being actively exploited.

“It’s pretty dang bad,” says Wortley. “So many people are vulnerable, and this is so easy to exploit. There are some mitigating factors, but this being the real world there will be many companies that are not on current releases that are scrambling to fix this.”

Apache rates the vulnerability at “critical” severity and published patches and mitigations on Friday. The organization says that Chen Zhaojun of Alibaba Cloud Security Team first disclosed the vulnerability.

The situation underscores the challenges of managing risk within interdependent enterprise software. As Minecraft did, many organizations will need to develop their own patches, or will be unable to patch immediately because they are running legacy software, like older versions of Java. Additionally, Log4j is not a casual thing to patch in live services: if something goes wrong, an organization could compromise its logging capabilities at the very moment it needs them most, to watch for attempted exploitation.

There’s not much that average users can do, other than install updates for various online services whenever they’re available; most of the work to be done will be on the enterprise side, as companies and organizations scramble to implement fixes.

“Security-mature organizations will start trying to assess their exposure within hours of an exploit like this, but some organizations will take a few weeks, and some will never look at it,” a security engineer from a major software company told WIRED. The person asked not to be named because they are working closely with critical infrastructure response teams to address the vulnerability. “The internet is on fire, this shit is everywhere. And I do mean everywhere.”

While incidents like the SolarWinds hack and its fallout showed how wrong things can go when attackers infiltrate commonly used software, the Log4j meltdown speaks more to how widely the effects of a single flaw can be felt if it sits in a foundational piece of code that is incorporated into a lot of software.

“Library issues like this one pose a particularly bad supply chain scenario for fixing,” says Katie Moussouris, founder of Luta Security and a longtime vulnerability researcher. “Everything that uses that library must be tested with the fixed version in place. Having coordinated library vulnerabilities in the past, my sympathy is with those scrambling right now.”

For now, the priority is figuring out how widespread the problem truly is. Unfortunately, security teams and hackers alike are working overtime to find the answer. 
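One way to start the exposure assessment the article describes (finding which deployments carry a Log4j 2.x jar at all), as an added example that is not from the article or the Log4j project: this Python sweep walks a directory tree, reads the Implementation-Version from each log4j-core jar's manifest (the manifest path and attribute name are assumptions about the jar packaging), and applies the article's scope rule of version 2.0 or higher. The jars it scans are constructed stubs built by demo(); which 2.x releases carry Apache's fix has to be taken from Apache's advisory, not from this script.

```python
import os
import re
import tempfile
import zipfile

# Where a log4j-core jar records its version (an assumption about the jar's
# packaging); a jar without this entry is reported as version None.
MANIFEST = "META-INF/MANIFEST.MF"
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)


def jar_version(jar_path):
    """Return the Implementation-Version recorded in a jar's manifest, or None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if MANIFEST not in zf.namelist():
                return None
            match = VERSION_RE.search(zf.read(MANIFEST).decode("utf-8", "replace"))
            return match.group(1) if match else None
    except zipfile.BadZipFile:
        return None  # not a jar at all: report it rather than abort the sweep


def in_affected_line(version):
    """The article's scope rule: Log4j 2.0 or higher. Which 2.x releases carry
    Apache's fix must be checked against Apache's advisory, not inferred here."""
    try:
        return int(version.split(".")[0]) >= 2
    except (AttributeError, ValueError):
        return False


def scan(root):
    """Walk root and map each log4j-core jar to (version, in_affected_line).
    Matches on file name only, so log4j-core shaded into a fat jar is missed."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                found[path] = (version, in_affected_line(version))
    return found


def make_sample_jar(path, version):
    """Constructed sample input: a stub jar carrying only a manifest."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")


def demo():
    """Build constructed stub jars in a temp dir, scan it, return {basename: result}."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "legacy", "log4j-core-old.jar"), "1.2.17")
    with open(os.path.join(root, "legacy", "log4j-core-broken.jar"), "wb") as f:
        f.write(b"not a zip")  # corrupt jar: must be reported, not crash the sweep
    return {os.path.basename(p): r for p, r in scan(root).items()}
```

Run scan() against real application roots; a result of (None, False) means the jar could not be read and needs a manual look, not that it is safe.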


Article from: https://www.wired.com/story/log4j-flaw-hacking-internet/

U.S. offers $10 million reward in hunt for DarkSide cybercrime group

Nov 4 (Reuters) – The U.S. State Department on Thursday announced a reward of up to $10 million for information leading to the identification or location of anyone with a key leadership position in DarkSide, a cybercrime organization the FBI has said is based in Russia.


The FBI has said DarkSide was responsible for the May cyber attack targeting the Colonial Pipeline, causing a days-long shutdown that led to a spike in gas prices, panic buying and localized fuel shortages in the U.S. Southeast.


The State Department also said it is offering a reward of up to $5 million for information leading to the arrest or conviction in any country of any person attempting to participate in a DarkSide ransomware incident.


“In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals,” the department said in a statement.


Colonial Pipeline has said it paid the hackers nearly $5 million in Bitcoin to regain access to its systems. The U.S. Justice Department in June recovered about $2.3 million of the ransom.


The State Department in July offered a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participated in malicious cyber activities against U.S. critical infrastructure.


Reporting by Kanishka Singh in Bengaluru and David Ljunggren in Ottawa; Editing by Rosalba O’Brien and Will Dunham


Original Article Link: https://www.reuters.com/technology/us-offers-reward-up-10-mln-information-darkside-cybercrime-group-2021-11-04/

360 SOC Jumps Up to Number 34 on the MSP 501

We are excited to announce that 360 SOC and HTG 360 Inc have been named to the MSP 501 list for 2021. This is the third year in the last four that 360 SOC has been named to the MSP 501 list. The MSP 501 had its largest turnout of applicants in 2021, including global companies like Insight, Optiv, TPX, Konica, SIRIUS and many others. This year 360 SOC moved up 126 spots and was named #34 on the list. In 2020, 360 SOC was 180th on the list.


Want to learn more about how to manage your cybersecurity or technology services more efficiently and with higher security levels?  Contact us at info@360soc.com


“The MSP 501 is the IT Channel’s first, largest, and most comprehensive survey and ranking of managed service providers and Managed Security Service Providers (MSP/MSSPs) worldwide. Each year, the MSP 501 recognizes some of the biggest and most successful managed service providers in the world.”


Link to the rankings:  https://www.channelfutures.com/msp-501/2021-msp-501-winners-day-5-part-3-50-26

Welcome to the Team!

Excited to announce our 4 new hires for April. Vicky Ross, Robert Schull and Natalie Yarbourgh will be joining our SOC Analyst Development Program at our Prescott office, and Connor Mindak started as Business Development Representative in our Phoenix office. Soon we will also announce our 2021 Board Member additions. We are growing. Looking to join an award-winning team? Located in Phoenix or Prescott? Please reach out to us at info@360soc.com.

10 Things We Learned About the Solarwinds Breach (FireEye)

Ten things we learned or were reminded of with the Solarwinds breach:

1. Without searchable logs, or with no logs at all, it was impossible to investigate historically (“you were screwed”).

2. Cloud SOC platforms made it nearly impossible to look back further than 30-90 days to find the breach, a huge dilemma for the hosting providers. This incident ran March – August (some now say October of 2019), which makes sense.

3. Without multiple layers of security with long-term storage, these attacks would have gone unnoticed, or been impossible to recall and reconstruct; something like 99% went unnoticed.

4. Solutions without HEX make it really hard to see certificate infections.

5. Updates don’t always make you less vulnerable.

6. The whole industry, and its customers, have problems implementing and managing controls and the checks and balances behind them (think of an airplane: someone is always double- and triple-checking because lives are on the line; why is this not the case in cyber?).

7. Supply chain risk is not going away.

8. Using technology, or only partially implementing it, can be a huge risk: understand what you are putting in your environment.

9. Beacons can tell the story; don’t leave a beacon uncovered.

10. Malware, and forms of it, CAN LIVE ANYWHERE!

Solarwinds Breach Information

Cyber security firm FireEye recently disclosed an incident that was reported to have resulted in the inadvertent disclosure of various internally developed offensive security tools (OSTs) that were used across FireEye red-team engagements.

Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. This is even evident in the naming convention used in the coverage designated by FireEye.

The use of Cobalt Strike beacons is popular among red teams and adversaries. In 2020, Cisco Talos released a research paper detailing the large amount of coverage for the Cobalt Strike framework. We have concluded the coverage is still applicable and can reliably detect FireEye red team beacons and other activity.


360 SOC Announces the 6 PILLARS to 360 SOC’s MDR SUCCESS!

6 Pillars: Alert Ingested, Advanced Alert Enrichment, Automated Triage, SOC Team Triage, Advanced Threat Hunting and Reporting

Cybersecurity experts come together to fight coronavirus-related hacking

An international group of nearly 400 volunteers with expertise in cybersecurity formed on Wednesday to fight hacking. Called the COVID-19 CTI League, for cyber threat intelligence, the group spans more than 40 countries and includes professionals in senior positions at such major companies as Microsoft Corp and Amazon.com Inc.


One of four initial managers of the effort, Marc Rogers, said the top priority would be working to combat hacks against medical facilities and other frontline responders to the pandemic. It is already working on hacks of health organizations.


Also key is the defense of communication networks and services that have become essential as more people work from home, said Rogers, head of security at the long-running hacking conference Def Con and a vice president at security company Okta Inc.


The group is also using its web of contacts in internet infrastructure providers to squash garden-variety phishing attacks and other financial crime that uses the fear of COVID-19, or the desire for information on it, to trick regular internet users.


“I’ve never seen this volume of phishing,” Rogers said. “I am literally seeing phishing messages in every language known to man.” Phishing messages try to induce recipients to enter passwords or other sensitive information on websites controlled by the attackers, who then use the data to take control of bank, email or other accounts.


Rogers said the group had already dismantled one campaign that used a software vulnerability to spread malicious software. He declined to provide details, and said that in general the group would be reluctant to reveal what it was fighting.


Rogers said law enforcement had been surprisingly welcoming of the collaboration, recognizing the vastness of the threat.


Rogers is a UK citizen based in the San Francisco Bay Area. Two other group coordinators are American, and one is Israeli.


“I have never seen this level of cooperation,” Rogers said. “I hope it continues afterwards, because it’s a beautiful thing to see.”




Coronavirus Is a New Challenge for Cybersecurity

By Silviu Stahie on Apr 20, 2020

If you think the COVID-19 epidemic means a respite from cyberattacks against companies, you’d be wrong. If anything, the situation is worse, as organizations divert resources to other parts of the business, leaving their infrastructure exposed. And the proof of that is the flurry of attacks against hospitals.


It’s unhealthy for a company to believe hackers will pass up the opportunity to attack infrastructures or to compromise valuable data. Even if other concerns might seem more important right now, protecting a company’s assets has never been more vital, especially when cybercriminals lack any scruples.


From a security point of view, having most or all employees working from home is a challenge. Once a terminal leaves the protective shell of the corporate infrastructure, it becomes more exposed. Sure enough, all emails still flow through the same filters, but much network security is absent.


People still need to work and, in some situations, they need to use VPN and RDP (remote desktop protocol) connections — not a happy scenario for security teams. RDP is the preferred infiltration vector for ransomware, followed by phishing.


Don’t think you’re out of the woods


Since pretty much everyone in the world is now focused on the global COVID-19 pandemic, it’s easy to lose sight of other aspects. Where feasible, people have started to work from home, but people are usually the weak link in the cyber chain and prone to making bad security decisions.


The global pandemic has proven a useful carrier for phishing, with emails touting messages from officials, selling high-quality protective masks, or promoting so-called advice to people looking for more information.


This is just one scenario: someone is tricked by a phishing email and either enters a username and password on some bogus website or inadvertently installs a piece of malware that starts siphoning data. Now, with all that information, possibly even legitimate credentials, in the hands of attackers, they can start going after the corporate network. For instance, they could even try dialing in over RDP connections and then easily move inside the corporate network.


Cybercriminals won’t back down just because a global crisis is in the making. If anything, they will attack the more vulnerable industries to capitalize on the urgency of the situation. Healthcare is obviously on the frontlines now.


Just recently, the University Hospital Brno was hit by an unspecified cyberattack, forcing it to shut down its IT network. For hospitals, an inability to treat incoming or existing patients in critical condition would be the absolute worst-case scenario, which makes healthcare an even more valuable target than it already was. Now more than ever, it’s essential to have the proper protection in hospitals and all other healthcare-related facilities.


Just because it’s not healthcare, doesn’t mean you’re safe


Right now, the bulk of attacks seem focused on healthcare providers and adjacent verticals, and they involve all sorts of Coronavirus phishing scams. But the masses of people or employees now working from home will soon become a focus for attackers.


Just because the Coronavirus appears to be the only affliction today, it doesn’t mean that all other illnesses and diseases are taking a break. By the same token, just because everyone is watching ransomware and hospitals right now, doesn’t mean that all the other attackers looking to steal databases, infiltrate critical infrastructure, or simply to create mayhem will take a breather.


If cybersecurity wasn’t on many companies’ agendas, especially in a work from home scenario, it’s becoming a growing priority. The challenges of keeping all employees safe, wherever they may be in the world, mustn’t be taken lightly, and measures need to be undertaken before it becomes a real problem.



Cybersecurity company Webroot has released its third annual Nastiest Malware list, which shows ransomware making a comeback in addition to other threats.

Phishing and botnets are still popular attack methods, and threats across the board are also becoming more sophisticated and harder to detect.

Topping the list of worst ransomware threats are Emotet, Trickbot and Ryuk (dubbed the ‘Triple Threat’), delivered via the Emotet botnet. This is one of the most successful of 2019 in terms of financial damage. These strains have shifted their focus to more reconnaissance-based operations: they assign a value to the targeted network post-infection and then demand a ransom for that amount after moving laterally and deploying the ransomware.

Ryuk is the second-stage payload for Emotet infections, typically delivered by Trickbot, resulting in the mass encryption of entire networks. Dridex is also now being used as an implant in the Bitpaymer ransomware infection chain and is also being delivered as a second-stage payload of Emotet.

Phishing attacks continue to impersonate big brands including Microsoft, Facebook, Apple, Google and PayPal. But campaigns have also become more personal, with extortion emails using compromised passwords and claiming to have captured inappropriate behavior.

The growth of cryptominers has slowed, thanks to a drop in currency values, but they haven’t gone away. Major campaigns in 2019 include Hidden Bee, which has now evolved into payloads hidden inside JPEG and PNG images through steganography, and into WAV media format and Flash exploits. There’s also Retadup, a cryptomining worm with over 850,000 infections; Retadup was removed in August by the Cybercrime Fighting Center (C3N) of the French National Gendarmerie after they took control of the malware’s command and control server.

“It comes as no surprise that we continue to see cybercriminals evolve their tactics. They may be using the same strains of malware, but they are making better use of the immense volume of stolen personal information available to craft more convincing targeted attacks,” says Tyler Moffitt, security analyst at Webroot. “Consumers and organizations need to adopt a layered security approach and not underestimate the power of consistent security training as they work to improve their cyber resiliency and protection.”