Quarter Four Report 2021

Log4j is widely used in software applications, which means the vulnerability immediately put thousands of businesses and organisations in New Zealand at risk. An update was quickly made available, however any lag in discovering the software’s use on systems and applying the update provided a window for attackers to seek access to systems.

Log4j is part of a software supply chain which means it is used in many software applications.

A software supply chain is similar in function to a physical supply chain. For example, Log4j is like a component in car manufacturing, such as an airbag. The car manufacturer buys the airbags from another supplier and installs them into every car across various models. In day-to-day use you won’t notice it’s there, but if there’s a critical fault with the airbag, the manufacturer may need to do a mass recall. If you don’t hear about the recall, or take appropriate action, you could be at risk.

With so many software applications and services using Log4j, many companies still may not know it’s bundled together into the software they use.

Log4Shell is relatively easy for attackers to exploit, for example some of the first public activity noticed was the malicious code executed in the chat functions of the video game Minecraft.

Any applications that use Log4j could be affected. The vulnerability works by running code logged to the system. This means attackers can send lines of code and instead of logging the text, the system will execute it. This is also known as code injection or execution vulnerability.

Attackers may access systems but don’t always take advantage of the access immediately, meaning the compromise may not be discovered until they decide to carry out an attack.

Exploitation of the Log4j vulnerability may be difficult to detect because it allows attackers to carry out various types of compromise, making it more difficult to identify the root cause.

• Contact your software vendors to find out if they use Log4j, and implement the fixes they provide. This may include updating software to the latest version.
• If solutions aren’t available from the vendor, manually updating or applying mitigations for Log4j may be an option.
• Otherwise, isolate the affected devices as much as possible or restrict outbound traffic from the device.
• Keep all software up-to-date.
• Catalogue software you use.

If you know Log4j is in your systems but haven’t been affected, it’s still important to follow these recommendations. There is a possibility that attackers are quietly monitoring compromised systems.

Because of these factors, CERT NZ anticipates that impacts from this vulnerability will continue and encourages all businesses and organisations to implement and maintain good cyber security practices.

For more information

Top 11 cyber security tips for your business

Critical Controls

New Zealand’s National Cyber Security Council (NCSC) comprehensive guidance on supply chain cyber security [PDF, 6.46 MB] External Link  

Key takeaways on Log4j

Log4j is a software component used by millions of systems around the globe.

Attackers are actively scanning for the vulnerability.

Larger organisations are likely to be targeted first. Due to ease of exploitation, attackers will likely target smaller businesses once larger organisations have patched all systems and are no longer easy to exploit.

The extensive use of Log4j means some vulnerable software may still be undiscovered, leading to a potential “long-tail” of attacks.

It may be difficult to determine if a compromise originated through exploitation of the Log4j vulnerability, because: attackers can hide on systems for long periods of time before being discovered the exploit allows attackers to carry out other malicious activity.

During that time, CERT NZ updated the Flubot advisory as the content of the text message used to spread the malware varied. We also continued to work with the Department of Internal Affairs (DIA) responding to reports and supplying ISPs with information on the affected URLS.

Flubot malware infecting android phones

Across both Q3 and Q4, no direct financial loss was reported as a result of the Flubot campaign. However, those who received the text messages, even if they didn’t download the malware, had their phone number logged by the attackers and many are now the targets of further text-scam campaigns.

These subsequent text scams use similar content to the initial Flubot messages, for example parcel deliveries that prompt the recipient to click on a link to confirm delivery.

During Q4, CERT NZ received over 150 reports of follow-on text scams. The key difference in the new text scam is the website link goes to a phishing page instead of a page that attempts to trick the recipient into downloading malware.

The phishing page prompts the recipient to enter their personal details and a credit card number in to pay to have the parcel released (typically less than $5). If the recipient pays the fee, they are unknowingly signed up to a subscription that will charge them a higher amount (approximately $85) usually within 3 days.

How to spot a text scam

Text scams usually contain a website link and the message will try to convince the recipient to click the link.

In most cases, legitimate businesses and organisation won’t send direct links and ask you to click on them.

The text contains a website link and is from a number you don’t recognise.

If you suspect a legitimate business has sent you a genuine website link, make sure it matches the business’s own website. You can also check with the business’s contact centre to confirm the legitimacy of a text message and its contents.

Text scam example

Text scam message example displaying the text:

"Morning, your order was delivered on 2021/11/08 to our drop-off point. Approve your pickup here: https://bad.domain/example"

If you think you’ve received a text scam

• don’t click on any website links or follow any instructions
• block the sender’s numbers, either through your phone or with the assistance of your telecommunications company,
• report the text message by forwarding it free-of-charge to 7726. This is a service from the DIA that allows them to investigate the messages further.

If you think you’ve been affected, please report to:

www.cert.govt.nz/report

This quarter, CERT NZ continued to see many reports of scams about websites operating from overseas that pretend to be legitimate New Zealand-based businesses.

A common example involves scammers outside of New Zealand setting up an e-commerce website using a .nz website address and advertising well-known or expensive products at reduced prices, like popular shoe brands. When people make purchases from the website, they end up receiving a lesser product, a different product or in some cases, nothing at all.

When a .nz website is identified as a scam site, CERT NZ contacts the Domain Name Commission and the hosting provider, with a request for it to be taken down. In some cases, CERT NZ also reports the website to the Financial Markets Authority to issue a warning.