Hp, we have a problem

[PeachGr]

Summary

Hackers took advantage of log4j known vulnerability and hacked a company's servers -the company's name remains unknown-, to mine the cryptocurrency raptoreum. Servers were made by HP, and it is important to clear out that HP wasn't hacked. The numbers of the coins mined, in the limited time are significant, as it is the amount of value, which is estimated at about 110,000$

 

Quotes

Quote

Between December 9 and 17, a data center of HP servers was the largest contributor to the Raptoreum cryptocurrency’s blockchain. At its peak, the center’s output exceeded that of every other mining system combined. A later investigation found that the servers were most likely under the control of hackers during the period, who would have made approximately $110,000.

 

My thoughts

A bit of yesterday news, but still important. Yes, we leave in cyberpunk. Log4J is known to be important and a reason for many headaches in the present and the near future, and by combining with cryptocurrency's state of today doesn't make things better. Hack for mining is not new, and answers to some questions about the "decentralized awesomeness", safety, stability and the dystopic nature of it.

At least those hackers didn't directly steal from individuals, instead they stole energy and resources of a big company, and even though that doesn't justify much, it's not as gloomy.

 About the source, I wanted to include more than one page, but the others are in Greeks, so I didn't bother 

 

Sources

 https://www.google.com/amp/s/www.techspot.com/amp/news/92745-hackers-made-110000-mining-remotely-hijacked-hp-servers.html

[Lightwreather]

11 minutes ago, PeachGr said:

 About the source, I wanted to include more than one page, but the others are in Greeks, so I didn't bother 

Here's one from Tom's hardware btw: https://www.tomshardware.com/news/hacker-hijacks-hp-epyc-servers-raptoreum-crypto-mining

And umm, non-amp links would be appreciated

[leadeater]

btw it's HPE not HP, actually entirely different companies. Also if the fact they were running HPE servers is incidental I'm not sure why it's worth mentioning? I guess because there's so little known about this story?

 

Quote

This likely prompted the hackers to target the HP servers, which were found in an informal investigation conducted by Raptoreum’s developers to be 9000-series and using Epyc processors.

I hate to break it to the Raptoreum devs but HPE doesn't have any current 9000 series servers. Sure they did decades ago when they were still a joint company known as HP. Going to have a real hard time doing anything useful with RISC CPUs from 2005 lol.

 

Good luck spotting those 9000 series servers 

[Mark Kaine]

Hey, umm, i already asked in the other thread, what even is this l9gj4x7 thing () and how suspectible is the average user, or is this really only something that affects "servers"?

 

And yes i understand its a vulnerability,  but not how and when and who it affects (except HP *not actually HP...)

 

(and yeah,  i definitely clicked because i have a HP printer... and now im none the wiser lol)

[Levent]

23 minutes ago, Mark Kaine said:

Hey, umm, i already asked in the other thread, what even is this l9gj4x7 thing () and how suspectible is the average user, or is this really only something that affects "servers"?

 

And yes i understand its a vulnerability,  but not how and when and who it affects (except HP *not actually HP...)

 

(and yeah,  i definitely clicked because i have a HP printer... and now im none the wiser lol)

log4j is a logging framework. Log4shell is the exploit. Log4j is used on Java applications. It is not really easy to explain, it affects every single application that uses vulnerable version of log4j. For more information, this video does go in quite a bit of detail.

[Mark Kaine]

oh yeah, i did see a list of applications floating around... it seemed like a *huge* mess. And i don't actually know if i have java installed or why... hmm i have flash player installed - but i see no java ... doesn't mean some applications wouldn't install/ use it on their own obviously. 

[leadeater]

3 hours ago, Mark Kaine said:

And yes i understand its a vulnerability,  but not how and when and who it affects (except HP *not actually HP...)

 

(and yeah,  i definitely clicked because i have a HP printer... and now im none the wiser lol)

It's a software vulnerability, one high level enough it's not realistically going to be found in firmware running on low power processors and BMCs, so hardware is basically irrelevant.

 

I'm actually quite suspect of this entire story btw. Details are too incorrect and since crypto exchanges and the crypto coins themselves are all unregulated and not audited thoroughly and independently for all we know the story was manufactured to hide the exchange of money because now was a convenient time with a believable distraction.

[Mark Kaine]

20 minutes ago, leadeater said:

I'm actually quite suspect of this entire story btw

Yeah, im surprised there isnt a huge fuss like it was with spectre/meltdown etc, its all really confusing and dare i say vague...? E.g. with spectre you got all the necessary info easily and soon enough fixes from Microsoft and co.

 

^but i do not know the backstory, ill try to read up on it...

 

Edit: it seems to be "fixed" kinda,  in a way... (for windows/perhaps linux)?

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

 

 

*except none Microsoft Minecraft ?(so not fixed , uh-oh...)

 

[leadeater]

40 minutes ago, Mark Kaine said:

Yeah, im surprised there isnt a huge fuss like it was with spectre/meltdown etc, its all really confusing and dare i say vague...? E.g. with spectre you got all the necessary info easily and soon enough fixes from Microsoft and co.

 

^but i do not know the backstory, ill try to read up on it...

 

Edit: it seems to be "fixed" kinda,  in a way... (for windows/perhaps linux)?

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

 

 

*except none Microsoft Minecraft ?(so not fixed , uh-oh...)

The info has actually been well documented etc, it's just that outside of a few software like Minecraft Log4J isn't running on that many consumer devices and the fix can only come from application updates for those anyway. So basically those that do need to know about it know about it and those that don't have no idea lol.

 

If you go to the original CVE there are links to many of the major vendors and their articles on it and what to do, these are ones that have Log4J part of their software and systems. Log4J is also heavily used in many custom developed software and websites along with lesser known about software, as these utilize Apache/Tomcat/Log4J etc etc you really only need to talk about the components affected rather than the entire software stack.

 

The Log4J is the only vulnerability I've seen with a 10.0 rating in anything close to recent for such a widely used and core piece of software. Meltdown and Spectre for example are only 5.6.

[BuckGup]

On 12/28/2021 at 4:02 AM, leadeater said:

btw it's HPE not HP, actually entirely different companies. Also if the fact they were running HPE servers is incidental I'm not sure why it's worth mentioning? I guess because there's so little known about this story?

On a sidenote in the past 4 years 11 people have been fired from HPE for mining on 3 separate occasions. It makes sense if you are going to leave or want to get fired. They won't press charges and you can safely walk away with 200K of crypto within a weekend

[leadeater]

5 minutes ago, BuckGup said:

On a sidenote in the past 4 years 11 people have been fired from HPE for mining on 3 separate occasions

Geeeezzz..... Hope they were retiring or leaving the IT field. Good luck getting hired anywhere else.

[BuckGup]

5 minutes ago, leadeater said:

Geeeezzz..... Hope they were retiring or leaving the IT field. Good luck getting hired anywhere else.

If they did it right they should be having an early retirement 

[leadeater]

5 minutes ago, BuckGup said:

If they did it right they should be having an early retirement 

I guess, but 200K isn't doing it right 

 

Err.. also not advice lol

[StDragon]

1 hour ago, leadeater said:

Geeeezzz..... Hope they were retiring or leaving the IT field. Good luck getting hired anywhere else.

There's been multiple cases documented where IT staff in government (municipalities) have been caught using resources to mine crypto. It's theft of electricity and puts the network at risk.

 

"The difference between stupidity and genius is that genius has its limits." -Albert Einstein

[PeachGr]

6 hours ago, Mark Kaine said:

HP printer

I have one at work as well. Those are bad without any hack. Even if the best hacking group gets their hands on it, they'd quit trying to take advantage of it.

[Mark Kaine]

2 hours ago, leadeater said:

Log4J part of their software and systems. Log4J is also heavily used in many custom developed software and websites along with lesser known about software,

That's what im wondering about,  I often use stuff like mod injectors such as "3Dmigoto" etc, but also even more customized ones... and i don't really know what kind of program/language those use... probably visual C++, Phyton etc, but it'll also depend on the engine etc... Ultimately all I know is that some of them are pretty sophisticated and compute intensive. 

 

 

15 minutes ago, PeachGr said:

I have one at work as well. Those are bad without any hack. Even if the best hacking group gets their hands on it, they'd quit trying to take advantage of it.

well this one is actually pretty solid, 15+ years still going strong and I only had to change ink like 3 times (and also the cheap one not the original one lol) but the software is still trash lol.

 

[leadeater]

14 hours ago, Mark Kaine said:

Ultimately all I know is that some of them are pretty sophisticated and compute intensive. 

Highly unlikely any of these need advanced logging capabilities. Anyway you can just search for *.jar files and you should see something with *log4j* in it then you'll know if is an included module that is being used. However the absence of one is not a perfect indicator because it can be named anything, sane people use logical names however.

[Mark Kaine]

52 minutes ago, leadeater said:

Highly unlikely any of these need advanced logging capabilities. Anyway you can just search for *.jar files and you should see something with *log4j* in it then you'll know if is an included module that is being used. However the absence of one is not a perfect indicator because it can be named anything, sane people use logical names however.

Hmm, i see... but wouldn't it need to be a specific "log4j" version/ file or would the mere existence of such mean i have it? (note: i *am* certainly a bit paranoid,  but in this case its more curiosity tbh... )

 

Also, since im just taking a closer look at this stuff (in case of some "unpack tool"... but most of these look similar anyways) these are apparently almost always either a bunch of .dll or .bat files... or.ini (thats a Nvidia/shader thing afaik) i cant "search" those, or can I?

 

i also have a "crypto.json" ( sounds legit  ) and a .modules ... wth is that...? (sus!)

oh and "readme.md" cant open that either!

 

i guess i can look for a .jar file...  but otherwise i just have to trust the upright chinese/japanese modder chans to be upright modder chans!?   : D

 

Another one is apparently just "installmod.bat" and 1 or 2 very custom looking exes (one has a icon, cute!)

 

(i mean i trust them though,  mostly, they do have a reputation to do these things right after all..., but they would possibly not have known about issues at the time)

 

EDIT: I found only 3 .jar files on the whole PC

 

looks to be something about flash (i know unsafe, but seemingly  i need it?) ie video / bluray playback? 

 

 

[mr moose]

On 12/28/2021 at 9:02 PM, leadeater said:

Also if the fact they were running HPE servers is incidental I'm not sure why it's worth mentioning?

 

Also it was reported that one of the cleaners in the centre where the HP's were installed was the son of a single mum recovering from alcohol abuse,  we are still investigating how these are linked but it is a alleged money was transferred to the sons account for services rendered to the company.

 

[Kisai]

On 12/30/2021 at 3:01 AM, Mark Kaine said:

Hmm, i see... but wouldn't it need to be a specific "log4j" version/ file or would the mere existence of such mean i have it? (note: i *am* certainly a bit paranoid,  but in this case its more curiosity tbh... )

 

I don't think you really understand the issue. "log4j" is a Java-based logging framework. The only reason you'd ever have this on your system is if you were running some enterprise-level software that was entirely based on Java. Most home users will never see a Java program at all unless they play Java-edition of Minecraft.

 

https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition

https://www.pcmag.com/opinions/critical-exploit-for-apache-log4j2-could-be-far-reaching-proves-real-in

That second link shows that it's exploitable in Minecraft Java edition.

 

The Jar files you found on your PC are part of a Blueray player, and that's an entirely different animal, and unlikely to contain log4j since they would also not be running unless you were playing a BD disc.

 

Also, I do think the entire thing is "overblown", and needlessly panicing people who don't understand what Java is. There is no reason for you to have installed Java on a home PC. The only software that people tend to have that is Java is Minecraft, and various piracy-adjacent (eg bittorrent) tools, and that is not something the OS comes with.

 

The most likely target of log4j, of end-users is in fact Minecraft servers that are "public". Everything else? BMC controllers on enterprise servers, and KVM systems. Basically things that are hard to fix and patch. But with minecraft, not only is the server vulnerable, so are connected game clients. This has apparently been fixed by Microsoft, but if you know anything about the "culture" of minecraft, nobody in their right mind updates their server or game clients because they don't want to break them, so it's very likely that there's going to be a whole lot of "hacked minecraft" servers in the wild for some significant time.

 

And the reason it's overblown, is that no sane company would mix-and-match programming tools, because of the maintenance headache. You build your tools in one language, and your scripting tools only in the scripting language of choice, and you don't mix-and-match, because you will be making the maintenance exponentially harder to do and time consuming. So who runs Java? Mostly enterprise systems that run things like hadoop or apache tomcat.  So end-users are unlikely to run into it. It's more likely to show it's ugly head in places that wrote their main tools in Java (like eb*y), and the employee competence for not doing stupid things like clicking on links emailed to them is rather low, like government agencies.

 

So for MOST people at home, who aren't playing Minecraft, you will never run into this. This is primarily a headache for governments and corporations who continue to rely on tools built in Java.

[LAwLz]

17 hours ago, Kisai said:

And the reason it's overblown, is that no sane company would mix-and-match programming tools, because of the maintenance headache. You build your tools in one language, and your scripting tools only in the scripting language of choice, and you don't mix-and-match, because you will be making the maintenance exponentially harder to do and time consuming. So who runs Java? Mostly enterprise systems that run things like hadoop or apache tomcat.

I strongly recommend you do not say things are "overblown" when you clearly don't know the first thing about it or enterprise software.

No, this does not just affect "software entirely written in Java".

Yes, mixing and matching programming languages and tools is very common. It's called "using the right tool for the right job". And no, it doesn't make it a "maintenance headache" if you organize it and build it in a well thought out and modular fashion.

 

I agree that it's not something most home users will run into though. Not for the reason you stated (I think a lot of home users will run into Java applications), but because they are not that likely to run software that uses log4j, and even if they are they will most likely be protected by their firewall and NAT.

[Kisai]

3 hours ago, LAwLz said:

I strongly recommend you do not say things are "overblown" when you clearly don't know the first thing about it or enterprise software.

I have worked for billion dollar businesses, ones that have used Java as their CRM tools. You haven't. 

 

It's overblown, and just like how a "home user" might be protected by their firewall, so will users on the enterprise network by their corporate firewall. What you're not understanding is that this exploit propagates through java programs that communicate with each other. So again, The most likely target in the wild, are minecraft servers. All other targets are going to be misconfigured servers that are exposed to the internet, and complete idiots working for enterprises who click on things and probe the enterprise network from the inside for other exploitable services, because yes, enterprises are slow to roll out patches.

 

https://www.washingtonpost.com/technology/2021/12/20/log4j-hack-vulnerability-java/

Quote

The descriptions used by security experts to describe the new vulnerability in an extremely common section of code called log4j border on the apocalyptic.

 

“The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career,” Jen Easterly, U.S. Cybersecurity and Infrastructure Security Agency director, said in a Thursday interview on CNBC.

Yes, this is exactly the wrong language to communicate to people who don't know the difference between Java and Javascript. Again, absolutely no home user is going to run into this unless they play an old modded version of minecraft on an unpatched server, or they are required to install Java because their bank or some other thing they need on a daily bases was written in Java. Because believe me, I've seen corporate banking apps written in Java, and corporate payroll written in Java.

[leadeater]

31 minutes ago, Kisai said:

It's overblown

It really isn't though, multiple organizations were compromised due to this. 

 

31 minutes ago, Kisai said:

so will users on the enterprise network by their corporate firewall

That's not a given no. Unless the firewall has application level filtering, something most firewalls do not have or limit capability compared to an Application Gateway Firewall, then there will be a rule allowing traffic to the system and interactions with it are entirely normal for this exploit. Normal in the sense that it's not an application layer attack exploiting a flaw in the code to cause something like a memory out of bounds or the similar. It's just a regular usage of the log framework, which is why it's so easy to exploit and makes it so serious.

 

31 minutes ago, Kisai said:

Again, absolutely no home user is going to run into this

Who cares, that in no way makes it any less serious. A home user will run in to this right when their bank is compromised, or the employers systems, or anything else you can think of that will impact you personally, just not directly at your home for your computer.

 

31 minutes ago, Kisai said:

All other targets are going to be misconfigured servers that are exposed to the internet, and complete idiots working for enterprises who click on things and probe the enterprise network from the inside for other exploitable services, because yes, enterprises are slow to roll out patches.

Nope this was exploitable without direct access to the log4j module endpoint via attacks through applications by crafting messages to cause errors what would contain the attack vector that would get forwarded to the log4j module.

 

That's why so many immediately took their applications offline, my work place included. Everything that used Log4J we took offline immediately and did not bring back online until Log4J was updated and this was under the advice of our national cyber security agency.

 

Jen Easterly was absolutely not overstating the seriousness of the issue. They don't hand out CVSS 10.0 scores for no reason and there is a proper framework to rate vulnerabilities, if it's a 10.0 it's a 10.0. To be frank compared to many other 10.0 this Log4J needed to be 11.0 but CVSS doesn't allow for that.

 

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

 

At the time this is what the situation looked like, it got better from there only as workarounds and patches got released

[Mark Kaine]

ITT: Minecraft is "Enterprise software" UwU

[Kisai]

1 hour ago, leadeater said:

It really isn't though, multiple organizations were compromised due to this. 

I'm not downplaying the severity, I'm downplaying the kneejerk "oh amigonnagethacked cause i saw someone on the teevee talk about it?"

 

This is the fable of the "child who cried wolf", or "chicken little", if you keep overplaying the problem, people will stop taking it seriously. See how quickly people ignore Microsoft's warnings about sideload. If you download something unknown from the internet, you are prompted no less than 4 times if you want to run it. Twice from the web browser, once from windows defender, and again when it shows you the signature. Pretty much no home user knows what any of this means and the amount of times I see "just run it in admin" on game forums tells me the damage has already been done. People either ignore warnings because they are fatigued from too many of them, or they aren't tech-savvy enough to know the difference between "Java" and "Javascript".

 

 

 

1 hour ago, leadeater said:

That's not a given no. Unless the firewall has application level filtering, something most firewalls do not have or limit capability compared to an Application Gateway Firewall, then there will be a rule allowing traffic to the system and interactions with it are entirely normal for this exploit. Normal in the sense that it's not an application layer attack exploiting a flaw in the code to cause something like a memory out of bounds or the similar. It's just a regular usage of the log framework, which is why it's so easy to exploit and makes it so serious.

Which doesn't downplay anything. If the corporate firewall is working, then they would have just cut off "normal" access until they patched things. A home user does not have that option, and if they download or run something that can exploit it from the inside of their home network.

 

1 hour ago, leadeater said:

Who cares, that in no way makes it any less serious. A home user will run in to this right when their bank is compromised, or the employers systems, or anything else you can think of that will impact you personally, just not directly at your home for your computer.

Do a google search limited to your neck of the woods on who shutdown what. In Canada the federal government shut down some things. Things that obviously aren't critical enough to grind government to a halt. No bank in Canada uses Java in their front end systems that end-users see, so it has no impact on them. Business banking? Absolutely. Because they use java or proprietary browser extensions to access these sites.

 

 

1 hour ago, leadeater said:

Nope this was exploitable without direct access to the log4j module endpoint via attacks through applications by crafting messages to cause errors what would contain the attack vector that would get forwarded to the log4j module.

What are you Nope'ing about. I already said this was exploited in Minecraft clients by compromising the server. Please dial back the knee-jerk responses to things that have already been said.

 

 

1 hour ago, leadeater said:

That's why so many immediately took their applications offline, my work place included. Everything that used Log4J we took offline immediately and did not bring back online until Log4J was updated and this was under the advice of our national cyber security agency.

And how many companies lack people who even know what log4j is? You work for a University, I'd assume there are people who are actually on the ball in the IT department. Think about all the businesses that have things like point of sale terminals, or bookkeeping software that communicate with cloud-hosted backends written in Java. The average person, is either not going to be affected, or not going to be in a position to. You are more likely to get a rootkit or malware from simply owning an Android phone.

 

1 hour ago, leadeater said:

Jen Easterly was absolutely not overstating the seriousness of the issue. They don't hand out CVSS 10.0 scores for no reason and there is a proper framework to rate vulnerabilities, if it's a 10.0 it's a 10.0. To be frank compared to many other 10.0 this Log4J needed to be 11.0 but CVSS doesn't allow for that.

 

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

 

At the time this is what the situation looked like, it got better from there only as workarounds and patches got released

 

 

Which is fine. CVSS however does not translate to the average home user watching TV and knows nothing about it. Remember Y2K? It was extremely overblown, but we all got through it with barely more than a few scratches, because people actually worked behind the scenes and solved it in the most critical software before Dec 31 1999. Yet, even today, there are still "Y2K+" bugs, and the year 2038 problem is still going to be a thing.

 

You accomplish nothing by screaming that some software bug is going to be the end of civilization, and that's what the "highest score" should reflect. 95% of the population is not going to be affected in any significant manner, and the remaining people work for businesses in roles that deal with it every day and would be immediately impacted if exploited. This is not like the CIH (Chernobyl) virus was more likely to impact 95% of computers out there, and believe me AT THE TIME, every single Windows 9x PC in the college was infected with it, because the college didn't/couldn't update their AV products. That virus can kill the PC outright, and that is a far worse problem.

 

Every time something exploitable is reported by mundane news organizations, they turn it into a "is your computer infected with the (thing to fear)?" alarmist nonsense.  

 

Nobody other than IT nerds, care what the CVSS score is or means, the media treats everything with the same seriousness, and equating log4shell with the same seriousness as Y2K and CIH does a disservice to IT people wanting to fix log4j, because now everything thing "is as bad as log4j" when it's not.