Log4Shell: Apache Log4j 2 CVE-2021-44228

If you haven’t been living under a rock for the past few hours, you’ll know that last Friday a critical vulnerability in the Log4j 2 package, a massively used Java log library, started to go viral.

This vulnerability, dubbed Log4Shell and discovered by Chen Zhaojun (software engineer at Alibaba), has been assigned the CVE CVE-2021-4428, with a CVSS of 10.0.

Although by now there is tons of public information about it, let’s give a few hints about it.

The actors

Log4j 2: the Lookup plugin

As we have already mentioned, Log4j 2 is a log library for Java applications used by developers to log application information. Using it is as simple as including something like log.debug(“Test message”); in the code, which will generate a log entry. Often, the information that is logged is related to the application itself and its execution context.

One of the capabilities of the library, called Lookups, is the ability to use variables when writing to the log, which will be replaced by the corresponding value, with a specific syntax: ${variable}. For example, if we use ${java:runtime}, when the application logs, it will record the Java runtime version.

[Read more…]

De-constructing risk management (I): the inherent risk

Living beings are experts at managing risks. It’s something we have done over millions of years. It’s called, among other things, survival instinct. We wouldn’t be here if we were bad at it.

We avoid them, we mitigate them, we externalize them, we take them on.

For example, is it going to rain today? If it rains, how much is it going to rain? Do I take my umbrella? Do I stay home? Will I run into a traffic jam on the way to work? Will I be late for the meeting? Do I call to let you know? Do I try to postpone the meeting? Will I puncture a tire on the way home? When was the last time I checked the spare tire? Have I paid the insurance premium? What is the roadside assistance coverage?

All these everyday processes of risk identification and risk assessment are carried out unconsciously all the time, and we apply risk management measures without even realizing it. We grab an umbrella, call the office to inform them of a delay, attend the meeting by phone, leave home earlier or decide to take public transport. Obviously, it’s not always that easy.

However, when we move to the corporate environment, we start with risk tolerance, probability, impact and vulnerability criteria, threat catalogs (standard), strategies, risk registers, inherent, residual and projected risk, mitigation ratios. And we get lost for months in concepts, documents and methodologies, moving further and further away from the reality we have to analyze and protect.

The orthodoxy of (cybersecurity) risk management

As a result of this, a few months ago, in the middle of the pandemic, I came across an interesting article that contrasted two very different visions of risk management, which it called RM1 vs RM2.

Basically, and quoting directly from the article, RM1 would be focused on “risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks)“, while RM2 would be “risk management for decision makers within the company“.

A few weeks or months later, Román Ramírez published an entry in a similar vein, criticizing the prevailing orthodoxy in cybersecurity risk management and the problems it generated.

[Read more…]

TrustedInstaller, stopping Windows Defender

Often, during an intrusion process it can be useful to have the ability to disable the defense measures of the target computer. For those pentesters who have already tasted the joys of Microsoft’s default on-board security solution, Windows Defender, you will agree with me that it has improved substantially since its first releases, especially the latest cloud-enabled versions for Windows 10. Therefore, it is very likely that we will face this antivirus during an intrusion process, sooner or later.

Very briefly, the main component of Windows Defender is the “WinDefend” service, in charge of launching the continuous monitoring process “MsMpEng.exe” and loading its engine “mpengine.dll“, so if we are able to stop that service, we will be stopping its execution to a large extent.

read more

Ransomware ate my network (IV)

A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

[Editor’s note: Clicking on many images – those whose detail is not fully visible with the size of the main page – shows an enlarged version]

In the previous article we saw how Angela had deduced that the attackers had entered the computer used to connect to the DC from another computer using the PsExec tool. Determined to find the PsExec, Angela begins by converting the MFT extracted by CyLR with mftdump.exe to .csv, and searching for activity around the time she saw the connection on the other computer (about 2:16 p.m. 1:16 p.m. in UTC which is what the MFT shows us).

There is no clear target, but that stalin.exe Prefetch looks suspicious (remember that Prefetches are created the first time the software is run, with a delay of a few seconds).

[Read more…]

Ransomware ate my network (III)

A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

In the previous article, we left the investigation with the IP as the source of the connections to the DC (and with connections to the C2 as well as the antivirus disabled prior to the generalized attack).

Since we are talking about connections and considering that we have the RAM memory, the first thing Angela does is to use the Volatility netscan plugin to remove the network connections (the memory profile is Win10x64_17134) and confirm the connections with the C2:

Netscan returns a few additional results:

A connection to a remote SSH?

What is this computer doing providing a service on port 443/TCP? Has it gone mad? Clearly we need to dig deeper into these connections to find out what is behind them.

Angela decides to check the Sysmon logs, which should show the network connections… but it seems that the FFP (remember, the Federation of Patron Festivities) did not correctly apply the standard MINAF Sysmon configuration, so no such data is being collected (grrrrrrr).

[Read more…]

Ransomware ate my network (II)

A brief explanation of this series with some clarifying notes can be read at the beginning of the first part.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

In the previous article, we saw how MINAF narrowly avoided a ransomware attack, but we still have a lot of questions to answer. First, finding out the identity of the ransomware group that had affected MINAF.

To do this, Angela converts the MFT of the DC with mftdump.exe and performs a quick search of the v2.exe and v2c.exe files, which seemed a priori those in charge of deploying the ransomware. She hits the spot because she finds the files in the c:\temp\scheduler folder:

Quickly calculates her hashes:

5994df288813a7d9588299c301a8de13479e3ffb630c49308335f20515ffdf57  v2c.exe
b2a304e508415d96f417ed50d26e0b987b7cbd9a77bb345ea48e803b5a7afb49 v2.exe
ffa8722a09829acd7ef8743688947f6ccb58d2ef v2c.exe
7320b34c07206fcaf1319d6ce9bef2b29648a151 v2.exe
eddc0e293b0f0ee90bab106f073a41c9 v2c.exe
91438699bed008be9405995f0a158254 v2.exe

The next thing is to check if they are known. VirusTotal gives you a quick answer:

[Read more…]

Ransomware ate my network (I)

A brief explanation of this series with some clarifying notes can be read below.
Series entries: First part, Second part, Third part, Fourth part, Fifth part

Note 1: This series of posts is a narration of a forensic analysis of a totally fictional incident response case study (but told, we hope, in a didactic and humorous way). If you want a version with the same technical dose but with less narrative, you can check the video of the talk that the author gave at the XIV CCN-CERT STIC Conference, or take a look at the slides of the presentation.

Note 2: These posts reveal a forensic analysis workshop encompassed within the incident response. There will be some things that could be done more efficiently and elegantly, but the idea was to make them simple so that they are easy to understand. And like any practical workshop, you can take advantage of it in several ways: you can download from LORETO the evidence  already worked to follow the case step by step, you can download the raw evidence to do your own investigation… or you can play the CTF DFIR that we have prepared and that will be unfolding the case as you respond to the various challenges.

There are few good months for cybersecurity in a Public Administration, and November is not one of them: projects must be closed, status reports must be made, and it is necessary to make sure that the entire budget is executed (and justified with the corresponding invoices).

Angela de la Guarda, CISO of the MINAF (Ministerio of Alegría y Felicidad, Joy and Happiness in English) has not had a particularly happy year: the pandemic forced the deployment of teleworking for a large part of the personnel, which caused a significant overload on all ICT personnel… and even more so on her and her team, responsible for ensuring the security of all systems.

To make things worse, in the usual restructuring with each change of government, the MINAF has been entrusted with the mission of “unifying all state agencies with skills on joy and happiness.” This has led to the absorption of several entities of different sizes, among which the FFP (Federation of Patron Festivities, in charge of managing all town festivals in Spain) stands out. The FFP has, so to speak… a rather relaxed view of cybersecurity, which made assimilation highly conflictive. In the end, the upper echelons have ruled, and the MINAF finally absorbed the FFP.

It’s 5:00 p.m., and Angela is checking emails to finish the first of a week full of reports and go home, when Salvador Bendito (MINAF security analyst) calls her on her mobile: “Boss, we have a very serious problem. One of the canaries has jumped: we are losing the goalkeepers. All of them”.

[Read more…]

The supply chain and the elephant in the room

A few days ago, in the wake of ransomware attacks “related” to the Kaseya remote IT management product, I posted on LinkedIn a short post in which I said the following:

Supply chain is the elephant in the room and we need to talk more about it.

Yes, let’s talk a little bit about prevention and leave detection and management for another time. As the saying goes, better safe than sorry. To develop it a bit further, I added that:


we should start thinking that third-party software and hardware are insecure by default and that an obligation should be imposed on software manufacturers to perform and publish, to some extent, serious, regular, in-depth pentesting for the critical applications they sell (and their updates). And even then, any third-party software or device should be considered insecure by default, unless proven otherwise.


In a comment, Andrew (David) Worley referred to SOC 2 reports, which should be able to minimally prevent these kinds of “problems”, and commented on a couple of initiatives I was unaware of: the Software Bill of Materials (SBoMs) and the Digital Bill of Materials (DBoMs).

I promise to talk about it in another post, but for now let’s move on.

[Read more…]

OSEP certificate (Offensive Security Experienced Penetration Tester)

La imagen tiene un atributo ALT vacío; su nombre de archivo es image-35.png
PEN-300 and the OSEP Certification | Offensive Security

In this post we are going to talk about one of the new certifications offered by Offensive Security, specifically OSEP (Offensive Security Experienced Penetration Tester).

This certification is part of the new OSCE along with the, also new, OSED (Offensive Security Exploit Developer) and OSWE (Offensive Security Web Expert).

Like all Offensive Security certifications, it is mandatory to take the course associated with the certification, called “Evasion techniques and breaching defenses” which we will talk about later as well.

As of today, the price of the course is $1299, which includes 2 months of lab access and the exam sitting (of 48 fantastic hours :P).

I guess, if you’re reading this post, you already knew all of the above, so let’s dig into what you probably don’t know!

[Read more…]

Do Math or Windows Dies! – customizing a .NET ransomware

NOTE: the content of this article is educational and informative. The goal is to learn how malware works and how can we identify its capabilities. The author is not responsible for any bad actions derived from the information of the post. The author does NOT ENCOURAGE to execute the sample OUTSIDE OF AN ISOLATED LABORATORY.

In this article we are going to analyze, gut and customize a little screen-locker (a member of ransomware family that locks the machine without encrypt the data). This is a clumsy but effective sample that we will alter to create our own ScreenLocker.

SSHBOT, the cr*ppy ScreenLocker

SSHBOT, also known as P4YME, is an old and unsophisticated malware from ransomware family.

We will use a public sample submited to VirusTotal, where is detected by 54 Anti-virus:

When executed, it restarts the machine and shows this message:

[Read more…]