Posted on

Log4Shell 0-Day Attacks Underway; Patch Immediately

CISA releases Apache Log4j scanner to find vulnerable apps, 5:31 p.m., December 21, 2021 (Update)

Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

Log4Shell is a 0-day vulnerability in the Log4j Java library that allows attackers to download and run scripts on targeted servers, leaving them open to complete remote control. After a user posted a proof-of-concept (PoC) on Twitter, Bitdefender’s honeypots started to register attacks using the PoC, underlining just how severe this vulnerability is.

Log4j is not just another Java library. It’s embedded in servers and services from all over the world, used by companies such as Apple, Amazon, Cloudflare, Steam, various Apache server types, ElasticSearch, and many others.

As 0-day vulnerabilities go, Log4Shell (CVE-2021-44228) has a 10/10 severity rating (CVSS), meaning attackers can exploit it remotely without any interaction from the victim, and it doesn’t require high-level technical expertise to pull off.

The Apache Software Foundation issued an emergency patch, and now Log4j 2.15.0 is available to everyone.

Get the Log4j 2.15.0 Patch Now


“JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default,” explain the developers in the release notes.

It’s difficult to estimate the massive impact Log4Shell will have because historically patches (even for high-severity threats) take time for everyone to apply, if ever. We commonly see attacks successfully executed using fixed vulnerabilities that are two or three years old.
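Finding unpatched copies is the first step of the upgrade the post recommends. The following inventory check is an added example, not code from Bitdefender or the Log4j project: it assumes the standard Maven layout inside log4j-core (the pom.properties path and the JndiLookup class path), flags any log4j-core 2.x below the 2.15.0 release named above that still ships JndiLookup, and leaves shaded uber-jars that relocate log4j (no pom.properties at that path) for a separate check. make_test_jar builds a constructed stand-in JAR so the logic can be exercised offline.

```python
import io
import re
import zipfile
from pathlib import Path

# Standard Maven layout of log4j-core; 2.15.0 is the release the post says to move to.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of its numeric parts."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None

def inspect_jar(data):
    """Return (version, has_jndi_lookup) for a JAR given as bytes or a path."""
    # version stays None when no log4j-core pom.properties is present (e.g. shaded jars).
    source = data if isinstance(data, (str, Path)) else io.BytesIO(data)
    with zipfile.ZipFile(source) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line[len("version="):].strip()
        return version, JNDI_LOOKUP_CLASS in names

def is_vulnerable(data):
    """True when the JAR is log4j-core 2.x older than 2.15.0 and still ships JndiLookup."""
    version, has_jndi = inspect_jar(data)
    parsed = parse_version(version) if version else None
    if parsed is None or parsed[0] != 2:
        return False  # not log4j-core 2.x; log4j 1.x is outside CVE-2021-44228
    return has_jndi and parsed < FIXED_VERSION

def scan_tree(root):
    """Walk a directory tree and return the paths of JARs that is_vulnerable flags."""
    hits = []
    for path in Path(root).rglob("*.jar"):
        try:
            if is_vulnerable(path):
                hits.append(str(path))
        except zipfile.BadZipFile:
            pass  # a .jar that is not a valid ZIP cannot be inspected this way
    return sorted(hits)

def make_test_jar(version, with_jndi=True):
    """Build a constructed, minimal stand-in JAR in memory (not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"placeholder, not real bytecode")
    return buf.getvalue()
```

Run scan_tree over an application's library directory to list the JARs that still need the upgrade.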

Immediately after the Log4Shell PoC was released, adversaries started scanning the Internet, looking for vulnerable targets. Bitdefender honeypots are seeing attackers trying to compromise different web services. The total number of scans using Log4Shell has increased three-fold in a single day, meaning we are most likely just at the beginning. While most scans don’t have a particular target, around 20 percent of the attempts seem to search for vulnerable Apache Solr services.

When Bitdefender’s global honeypot network experiences a marked spike in activity, it usually means attackers are actively looking for ways to weaponize a newly discovered vulnerability as soon as possible. Most of the scans we are seeing now are coming from Russia-based IP addresses.

Bitdefender recommends all companies using the Log4j library upgrade as soon as possible to the latest version. The traffic generated in the honeypots indicates that attackers know about the vulnerability and how widespread the library is. We believe we’re witnessing only the start of a very long campaign.

Author: Silviu STAHIE for Bitdefender


Lost files in Windows 10?

Windows File Recovery to the Rescue

If you can’t locate a lost file from your backup, then you can use Windows File Recovery, which is a command line app available from the Microsoft Store. Use this app to try to recover lost files that have been deleted from your local storage device (including internal drives, external drives, and USB devices) and can’t be restored from the Recycle Bin. Recovery on cloud storage and network file shares is not supported.

Note: This app requires Windows 10 build 19041 or later (see which version of Windows 10 you have).

Important

If you want to increase your chances of recovering a file, minimize or avoid using your computer. In the Windows file system, the space used by a deleted file is marked as free space, which means the file data can still exist and be recovered. But any use of your computer can create files, which may over-write this free space at any time. 

How to recover and restore lost files on Windows 10

General


Basic Steps

  1. If necessary, download and launch the app from the Microsoft Store.
  2. Press the Windows key, enter Windows File Recovery in the search box, and then select Windows File Recovery.
  3. When you are prompted to allow the app to make changes to your device, select Yes.
  4. In the Command Prompt window, enter the command in the following format: winfr source-drive: destination-drive: [/switches]
    The source and destination drives must be different. When recovering from the operating system drive (often C:), use the /n <filter> and /y:<type(s)> switches to specify the user files or folder.

    Microsoft automatically creates a recovery folder for you called Recovery_<date and time> on the destination drive.

    There are three modes you can use to recover files: Default, Segment, and Signature.

    Default mode examples

    Recover a specific file from your C: drive to the recovery folder on an E: drive:
    winfr C: E: /n \Users\<username>\Documents\QuarterlyStatement.docx
    Recover jpeg and png photos from your Pictures folder to the recovery folder on an E: drive:
    winfr C: E: /n \Users\<username>\Pictures\*.JPEG /n \Users\<username>\Pictures\*.PNG
    Recover your Documents folder from your C: drive to the recovery folder on an E: drive:
    winfr C: E: /n \Users\<username>\Documents\
    Don’t forget the backslash (\) at the end of the folder.

    Segment mode examples (/r)

    Recover PDF and Word files from your C: drive to the recovery folder on an E: drive:
    winfr C: E: /r /n *.pdf /n *.docx
    Recover any file with the string “invoice” in the filename by using wildcard characters:
    winfr C: E: /r /n *invoice*

    Signature mode examples (/x)

    When using signature mode, it’s helpful to first see the supported extension groups and corresponding file types:
    winfr /#
    Recover JPEG (jpg, jpeg, jpe, jif, jfif, jfi) and PNG photos from your C: drive to the recovery folder on an E: drive:
    winfr C: E: /x /y:JPEG,PNG
    Recover ZIP files (zip, docx, xlsx, pptx, and so on) from your C: drive to the recovery folder on an E: drive:
    winfr C: E:\RecoveryTest /x /y:ZIP
  5. When you are prompted for confirmation to continue, enter Y to start the recovery operation.

    Depending on the size of your source drive, this may take a while.

    To stop the recovery process, press Ctrl+C.

About modes and file systems

The following information can help you decide which file system you have and which mode to use.

File systems​

There are several file systems supported by Windows that vary depending on the storage device or operating system. Recovering files from non-NTFS file systems is only supported in signature mode. To see which file system you have, right click a drive in File Explorer and select Properties.

File system   | Examples
FAT and exFAT | SD cards, flash or USB drives (< 4 GB)
ReFS          | Windows Server and Windows Pro for Workstations
NTFS          | Computers (HDD, SSD), external hard drives, flash or USB drives (> 4 GB)

Deciding which mode to use

Use the following table to help you decide which mode to use. If you’re not sure, start with the default mode.

File system      | Circumstances                                          | Recommended mode
NTFS             | Deleted recently                                       | Default
NTFS             | Deleted a while ago                                    | First try Segment, then Signature
NTFS             | After formatting a disk                                | First try Segment, then Signature
NTFS             | A corrupted disk                                       | First try Segment, then Signature
FAT, exFAT, ReFS | Recovery file type is supported (see following table)  | Signature

Signature mode extension groups and file types

The following table summarizes the extension groups and the supported file types for each group when you use the /y:<type(s)> switch:

Extension group | File type
ASF             | wma, wmv, asf
JPEG            | jpg, jpeg, jpe, jif, jfif, jfi
MP3             | mp3
MPEG            | mpeg, mp4, mpg, m4a, m4v, m4b, m4r, mov, 3gp, qt
PDF             | pdf
PNG             | png
ZIP             | zip, docx, xlsx, pptx, odt, ods, odp, odg, odi, odf, odc, odm, ott, otg, otp, ots, otc, oti, otf, oth

Command line syntax

The following table summarizes what each basic command line parameter and switch is used for.


Parameter or switch | Description | Supported modes
Source-drive: | Specifies the storage device where the files were lost. Must be different from the destination-drive. | All
Destination-drive: | Specifies the storage device and folder on which to put the recovered files. Must be different from the source-drive. | All
/r | Uses segment mode, which examines File Record Segments (FRS). | Segment
/n <filter> | Scans for a specific file by using a file name, file path, or wildcards. For example: file name: /n myfile.docx; file path: /n /users/<username>/Documents/; wildcard: /n myfile.*, /n *.docx, /n *<string>* | Default, Segment
/x | Uses signature mode, which examines file types and works on all file systems. | Signature
/y:<type(s)> | Scans for files with specific file types. Separate multiple entries by using commas. For a list of extension groups and corresponding file types, see the table “Signature mode extension groups and file types” in the section “About modes and file systems”. | Signature
/# | Shows signature mode extension groups and corresponding file types in each group. | All
/? | Shows a quick summary of syntax and switches for general users. | All
/! | Shows a quick summary of syntax and switches for advanced users. | All


Frequently asked questions

Can you give some tips to help me use correct syntax?

Here are some suggestions:

  • Always use drive letters in the source and destination path, don’t forget the colon (:) after the drive letter, and make sure there is a space between the source and destination.
  • If a switch has a colon, such as /y:, don’t add a space between the colon and the rest of the value.
  • When you specify just a folder name, such as /n \Myfolder\, add a backslash (\) at the end of it.
  • If a file or folder name has spaces, surround it with quotes. For example:
     winfr C: E: /n "\Users\<username>\Documents\Quarterly Statement.docx"
  • To stop the recovery process, press Ctrl+C.

What does <username> mean in the command examples?

In the File Explorer address bar, enter C:\users to see a list of potential users on your computer. There may be several users on your computer, including you, the administrator, and the default account. When you see <username> in a file path, it is a placeholder for the current username on your computer.

Why am I getting this message: “Source and Destination cannot refer to the same physical partition?”

The source and destination drive or partition path should not be the same. If you only have one drive, use a USB or external hard drive as your destination path. Don’t create a partition after losing data, because this reduces the chance of a successful recovery.

Why does the recovery operation take so long?

Depending on the size of the disk, it may take some time to recover the file, especially if you are using signature mode.

Why are additional files recovered from my operating system drive?

Behind the scenes, Windows is constantly creating and deleting files. By default, Windows File Recovery filters out these files, but some slip through. To prevent this, use the /n <filter> switch in default and segment modes and the /y:<type(s)> switch in signature mode.

What is the $Recycle.Bin folder?

For default and segment modes, you may also see lost files recovered from the Recycle Bin (files either in the recycle bin or that were permanently deleted) with the name $files.xxx and stored in a folder called $RECYCLE.BIN.

What happens if the destination drive is full?

If you see the message “Destination disk is full, please free up space before resuming: (R)esume, (S)kip file, or (A)bort”, free up drive space on the destination drive, and then choose one of the options.

I was not able to recover the file, now what?

If you used default or segment mode, try again in signature mode if the file type is supported. It’s possible that the free space was over-written, especially on a solid state drive (SSD). If you need help, contact your administrator.

Advanced


Command line syntax

The following table summarizes what each advanced switch is used for.

Switch | Description | Supported modes
/p:<folder> | Saves a log file of the recovery operation in a different location than the default location on the recovery drive (for example, D:\logfile). | All
/a | Overrides user prompts, which is useful in a script file. | All
/u | Recovers undeleted files, for example, from the Recycle Bin. | Default, Segment
/k | Recovers system files. | Default, Segment
/o:<a|n|b> | Specifies whether to always (a), never (n), or keep both (b) when choosing whether to overwrite a file. The default action is to prompt to overwrite. | Default, Segment
/g | Recovers files without primary data streams. | Default, Segment
/e | To keep your results manageable and focus on user files, some file types are filtered by default, but this switch removes that filter. For a complete list of these file types, see the information after this table. | Default, Segment
/e:<extension> | Specifies which file types are filtered. For a complete list of these file types, see the information after this table. | Default, Segment
/s:<sectors> | Specifies the number of sectors on the source device. To find sector information, use fsutil. | Segment, Signature
/b:<bytes> | Specifies the cluster size (allocation unit) on the source device. | Segment, Signature
/f:<sector> | Specifies the first sector on the source device to start the scan operation, for example, to bypass unusable sectors. To find sector information, use fsutil. | Segment, Signature


File extension filter list

The following file types are filtered from results by default. Use the /e switch to disable this filter or the /e:<extension> filter to specify file types not to filter.

_, adm, admx, appx, appx, ascx, asm, aspx, aux, ax, bin, browser, c, cab, cat, cdf-ms, catalogItem, cdxm, cmake, cmd, coffee, config, cp, cpp, cs, cshtm, css, cur, dat, dll, et, evtx, exe, fon, gpd, h, hbakedcurve, htm, htm, ico, id, ildl, ilpdb, iltoc, iltocpdb, in, inf, inf_loc, ini, js, json, lib, lnk, log, man, manifest, map, metadata, mf, mof, msc, msi, mui, mui, mum, mun, nls, npmignore, nupkg, nuspec, obj, p7s, p7x, pak, pckdep, pdb, pf, pkgdef, plist, pnf, pp, pri, props, ps1, ps1xm, psd1, psm1, py, resjson, resw, resx, rl, rs, sha512, snippet, sq, sys, t4, targets, th, tlb, tmSnippet, toc, ts, tt, ttf, vb, vbhtm, vbs, vsdir, vsix, vsixlangpack, vsixmanifest, vstdir, vstemplate, vstman, winmd, xam, xbf, xm, xrm-ms, xs, xsd, ym

Background concepts

As you use the Windows File Recovery app, it’s often helpful to understand what’s going on “under the hood” of a storage device.

The three modes of operation

The three modes work in the following way:

  • Default mode: This mode uses the Master File Table (MFT) to locate lost files. Default mode works well when the MFT and file segments, also called File Record Segments (FRS), are present.
  • Segment mode: This mode does not require the MFT but does require segments. Segments are summaries of file information that NTFS stores in the MFT, such as name, date, size, type and the cluster/allocation unit index.
  • Signature mode: This mode only requires that the data is present and searches for specific file types. It doesn’t work for small files. To recover a file on an external storage device, such as a USB drive, you can only use Signature mode.

How a storage device is organized

The bytes on a storage device are organized into clusters and sectors. A cluster is the smallest amount of disk space that can be allocated for a file. A sector is a unit of storage on a storage device. NTFS organizes disks based on cluster size, which is determined by the number of sectors in a cluster. On NTFS, clusters start at 0 and are numbered sequentially from the beginning of the partition into logical cluster numbers.


The default cluster size varies depending on the capacity of the storage device:

Device size      | Cluster size | Sectors
7 to 512 MB      | 512 bytes    | 1
513 to 1,024 MB  | 1 KB         | 2
1,025 MB to 2 GB | 2 KB         | 4
2 GB to 2 TB     | 4 KB         | 8

The NTFS file system

New Technology File System (NTFS) is the default file system in Windows. NTFS organizes files by using a well-defined structure to describe how files are stored, what information to include, and how to locate the files. A critical element is the Master File Table (MFT), which is a table made up of one row for each file and several columns of file attributes. This row is the File Record Segment (FRS). The MFT is like a table of contents for every file on the storage device. NTFS also keeps a backup of the MFT in case the original MFT becomes unusable.

Overview of NTFS

MFT attribute        | Description
Standard information | Settings, such as read-only and archive, file creation and modification dates, and so on.
File name            | The name of the file, including the MS-DOS short name.
Data                 | The contents of the file if it’s small.
Index                | Information about the file allocation.


Additional attributes include file type, permissions, size, and file path.

Thank you to Microsoft


Electrical Grounding Of Network Infrastructure Ensures Its Survival And Integrity

Networks and Internet-based network applications commonly communicate and transport data at speeds exceeding 10 Gbps. In the case of virtualized networks, that speed can be 32 to 128 times higher, or faster.

Proper earthing (grounding) of the key network infrastructure components (catalysts) ensures the reliability, availability and integrity of the ICT business support that the LAN and wireless network provide at every OSI layer, from infrastructure to system to application to user presentation.

Sadly, it is predominantly small and medium-sized businesses that suffer from not getting it right the first time, largely because of the misconception that money is saved by trusting unqualified, cheaper IT consultants and practitioners. They then pay dearly in starting over, data loss, lost operating time and, in some cases, catastrophic failure.

They also fail to realize the importance of having a long-term ICT strategy and business plan that is flexible and supports the business owner’s development vision and agenda.

Electrical grounding does not only protect the network infrastructure. Connection to ground (earthing) also limits the build-up of static electricity when handling flammable products or electrostatic-sensitive devices. In some telegraph and power transmission circuits, the earth itself can be used as one conductor of the circuit, saving the cost of installing a separate return conductor (see single-wire earth return).

For information on this important subject, contact a Support911 consultant to schedule a free consultation and infrastructure assessment.