Dateline the Internet: the Log4j vulnerabilities.
Log4j update: more crime, and a Five Eyes advisory. (The CyberWire) More criminal attacks exploit Log4j vulnerabilities, and the Five Eyes issue a joint alert on how to handle Log4shell and other issues related to Log4j.
Mitigating Log4Shell and Other Log4j-Related Vulnerabilities (CISA) The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library:
New Log4J Flaw Caps Year of Relentless Cybersecurity Crises (Wall Street Journal) Cyber experts warn that attacks are likely to continue, as log4j and other major hacks show how technological dependency creates new vulnerabilities.
As Holidays Approach, Log4j Vulnerability Exploitations Continue Unabated (Channel Futures) As the holidays swiftly approach, cybercriminals remain actively exploiting the log4j vulnerability with distributed scans and attacks globally.
Second ransomware family exploiting Log4j spotted in U.S., Europe (VentureBeat) The Log4j vulnerability has been exploited for attempted attacks using the TellYouThePass ransomware in the U.S. and Europe, not just China.
Belgian defence ministry suffers cyber attack through Log4j exploitation (Computing) Multiple threat groups are currently leveraging Log4j bugs in their operations.
Log4j exploit takes down Ministry of Defense email servers in Belgium (SC Media) The Log4j vulnerability made its first known attack in Belgium – and security experts say it’s just the tip of the iceberg.
Cyber Daily: Hackers Exploit Log4j Flaw at Belgian Defense Ministry (Wall Street Journal) Belgium’s defense ministry said it shut down parts of its computer network after attackers triggered the Log4j vulnerability
The Centre for Cybersecurity Belgium warns against the Log4j vulnerability (DataNews-FR) The Centre for Cybersecurity Belgium (Centre pour la Cybersécurité Belgique, CCB) expects major problems for companies and organisations that do not take measures against the vulnerability in the Apache Log4j software, it warned on Tuesday in a statement.
The Log4j flaw traps the Belgian Ministry of Defence (Le Monde Informatique) The Belgian Ministry of Defence is being transparent in admitting that it was the victim of a hack based on the Log4Shell flaw. The exploitation...
Alerts: Critical vulnerability in Apache Log4j actively exploited (CERT Santé (Cellule ACSS)) The vulnerability allows a remote attacker, from an LDAP server, to call the JNDI component of log4j on an Apache server through an exposed server in order to execute malicious code. This is due to a lack of control over the commands received by the JNDI API, which allows LDAP connections to directories.
Multiple vulnerabilities in Apache httpd (CERT-FR) Risk(s): denial of service; security policy bypass.
The highly dangerous Log4j security vulnerability leaves smart metering systems cold (Netzpraxis) The Java logging library Log4j, widely used in software systems, represents an extremely critical threat situation in the assessment of the BSI.
Working paper on detection and response to the Log4j vulnerability, version 1.4 (Bundesamt für Sicherheit in der Informationstechnik) Guidance on the Log4j vulnerability ("Log4Shell"): detection and response, version 1.4
New local attack vector widens the attack surface of the Log4j vulnerability (CSOC) Cybersecurity researchers have discovered an entirely new attack vector that allows attackers to exploit the Log4Shell vulnerability locally on servers via a JavaScript WebSocket connection.
Log4J Attacks Confirm Need for DevSecOps, Automation, SBOM (InformationWeek) Federal agencies have until Dec. 23 to comply with an emergency directive that mandates mitigations. But patching 3rd-party open-source code is tough.
The Log4j flaw is the latest reminder that quick security fixes are easier said than done (CyberScoop) Cybersecurity professionals have spent weeks scrambling to address a bug in a widely used software library that could enable hackers to steal data, launch ransomware attacks or otherwise knock systems offline.
Log4j vulnerability: ‘It’s all-out warfare right now’ to combat cyberattacks, TrustedSec CEO says (Yahoo) TrustedSec CEO David Kennedy joins Yahoo Finance Live to explain the Log4j cybersecurity flaw, how agencies are combatting hacking attempts, and how long this vulnerability is expected to last.
'Worst internet security threat in decades' now being used to empty victims' bank accounts (Express) SECURITY experts have been busy recently battling against the 'worst internet security threat in decades' which affects hundreds of millions of devices. And now hackers have made this problem a whole lot more dangerous by using the flaw to spread an infamous bit of malware that can empty victims' bank accounts.
DHS expands bug bounty program to encourage hunting down Apache vulnerability (TheHill) The Department of Homeland Security (DHS) is expanding its recently announced bug bounty program for cyber vulnerabilities to include incentives for hackers to hunt down issues related to the Apache logging library
'Hack DHS' bug bounty expanded to include Log4j flaw (The Record by Recorded Future) Homeland Security Secretary Alejandro Mayorkas on Tuesday announced that his department would broaden its new bug bounty program to include vulnerabilities in its networks caused by the widely-used Log4j software.
Arctic Wolf Releases Open Source Log4Shell Detection Script (Arctic Wolf) Arctic Wolf's Log4Shell Deep Scan script—provided for Windows and macOS/Linux devices—conducts a deep scan of filesystems to identify Java applications and libraries with vulnerable Log4j code.
Attacks, Threats, and Vulnerabilities
PYSA ransomware behind most double extortion attacks in November (BleepingComputer) Security analysts from NCC Group report that ransomware attacks in November 2021 increased over the past month, with double-extortion continuing to be a powerful tool in threat actors' arsenal.
Entities Dealing With Email Breach, IT Systems/Phone Outage (GovInfoSecurity) A Kentucky-based medical specialty practice is notifying nearly 107,000 individuals that their information was potentially compromised in a recent email hack.
Denver Hit By Cyber Attack Targeting Kronos (CBS4 News) CBS4 News has learned the City of Denver is a victim of a large-scale cyber attack. The city uses Kronos, one of the largest human resources computer systems in the world.
Security Patches, Mitigations, and Software Updates
Apache’s other product: Critical bugs in ‘httpd’ web server, patch now! (Naked Security) The Apache web server just got an update – this one is nothing to do with Log4j!
Fresenius Kabi Agilia Connect Infusion System (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Fresenius Kabi
Equipment: Agilia Connect Infusion System
Vulnerabilities: Uncontrolled Resource Consumption, Use of a Broken or Risky Cryptographic Algorithm, Insufficiently Protected Credentials, Improper Access Control, Plaintext Storage of a Password, Files or Directories Accessible to External Parties, Exposure of Information Through Directory Listing, Cross-site Scripting, Injection, Use of Hard-coded Credentials, Use of Client-side Authentication, Use of Unmaintained Third-party Components
mySCADA myPRO (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: mySCADA
Equipment: myPRO
Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Use of Password Hash with Insufficient Computational Effort, Hidden Functionality, OS Command Injection
Horner Automation Cscape EnvisionRV (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Horner Automation
Equipment: Cscape EnvisionRV
Vulnerability: Improper Input Validation
2. RISK EVALUATION
Successful exploitation of this vulnerability could execute arbitrary code in the context of the current process.
WECON LeviStudioU (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: WECON
Equipment: LeviStudioU
Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow remote code execution.
Emerson DeltaV (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 8.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Emerson
Equipment: DeltaV Distributed Control System Controllers and Workstations
Vulnerabilities: Missing Authentication for Critical Function, Uncontrolled Search Path Element
Schneider Electric Rack PDU (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 5.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Rack Power Distribution Unit (PDU)
Vulnerability: Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to access the system with elevated privileges.
Trends
Why Wall Street is worried about state and local government cybersecurity (The Record by Recorded Future) Wall Street and the insurance markets are worried about the cybersecurity risks that state and local governments face, including a cascade of ransomware attacks targeting a public sector that is still navigating how to manage more and more services online during the COVID-19 pandemic.
Ransomware Study: Two Thirds of Security Professionals Believe Ransomware and Terrorism Threats are Equal (Business Wire)
Ransomware will remain the number one security threat - Barracuda (IT Brief) Attacks will range from extortions using stolen data to the penetration of critical supply chains.
Cybersecurity in 2022 and Beyond (The State of Security) Increasing third-party risk and a more integral role for the CDO. Gary Hibberd predicts what we need to focus on as we move into 2022.
Forcepoint reveals the top 5 cybersecurity trends to watch out for in 2022 (IT Brief) From prevention to jacking, we look at the top enterprise cyber security trends to investigate.
IT execs now less likely to be fired after a cybersecurity breach (IT-Online) Amid a challenging cybersecurity environment and growing IT complexity, the demand for IT and cybersecurity specialists still remains high – and this means security executives are unlikely to be laid off in the event of a security breach. Kaspersky research shows that, in 2021, less than a fifth of organisations across the META region laid […]
Marketplace
PlainID raises $75 million in Series C led by Insight Partners (CTECH) The cybersecurity company offers an online authorization system that allows companies and organizations to monitor user identity and control web access in real time
Privacera Joins International Association of Privacy Professionals (PR Newswire) Privacera, the data access governance leader founded by the creators of Apache Ranger™, has joined the International Association of Privacy...
How crab pretzels helped close one of the biggest tech deals in Baltimore history (Maryland Inno) Could it get any more Baltimore than this?
Pegasus Spyware Maker NSO Group Throws Cash at New Ventures to Survive (Bloomberg) Israeli firm spent heavily to fund drones, big-data ventures. New businesses are key component of deal talks with U.S. funds.
KnowBe4 Launches Contest for The Biggest Fan of Popular Series “The Inside Man” (KnowBe4) KnowBe4 kicks off social media contest in preparation of the launch of season four to find the biggest fan of “The Inside Man” security awareness training series, contest ends January 13, 2022
Products, Services, and Solutions
Reflectiz’s Website Security Platform Expands NessPRO’s Cyber Protection Basket (Reflectiz)
NS1 Announces Solution to Mitigate Internet Outages (Galveston Daily News) NS1, the leader in application traffic intelligence and automation, today unveiled a new offering that mitigates user impact in the event of outages.
Technologies, Techniques, and Standards
Op-Ed: Cybersecurity, the new pillar of business. (The CyberWire) Finance, operations, management, sales, and marketing everyone gets. But cybersecurity still can be overlooked. It’s a mistake to treat a potential business-killer as an afterthought.
CISA Hosts Election Cybersecurity Navigators Forum for State and Local Election Officials (Hstoday) DHS is currently in the midst of its “Election Security” sprint to cement the resilience of the nation’s democratic infrastructures.
How to have a CyberSafe Christmas (Salt | Secure Communications) Christmas is a time for rest, festivities, and… cybercrime. Sadly, hackers will not be relaxing this holiday season. Bad actors all across the world are gearing up for the next ‘Christmas hacking season.’ As online shopping grows in popularity and businesses ‘wind down’ for the holidays, this period becomes a veritable feast for cybercriminals. Christmas […]
Zabbix Templates for Security Analysts and Systems Administrators – EOY 2021 (Black Hills Information Security) Kent Ickler // Background BHIS uses several tools for monitoring infrastructure. One of the most important tools for us that helps monitor systems health is Zabbix. It’s been a while since I went about creating Zabbix (https://www.zabbix.com/) monitoring templates. Long story short, I took a backseat role to Systems Administration a couple years ago when […]
A Tech To-Do List, if You’re the Family IT Department (Wall Street Journal) While you’re home for the holidays, sit your less tech-savvy family members down, have them take out their phones and run through these fixes and tweaks—to save them, and you, some headaches.
Legislation, Policy, and Regulation
Report on Use of Force in Cyberspace (USNI News) The following is the Dec. 10, 2021, Congressional Research Service In Focus report, Use of Force in Cyberspace. From the report There are no internationally accepted criteria yet for determining whether a nation state cyberattack is a use of force equivalent to an armed attack, which could trigger a military response. Likewise, no international, legally …
What’s happening in Ukraine, and will Russia really invade? (Washington Post) In early December, U.S. intelligence agencies warned that Russia was planning a massive military invasion of Ukraine. Here’s why Moscow would do that, and what would happen if they did.
Putin says Russia has 'nowhere to retreat' over Ukraine (Reuters) President Vladimir Putin said on Tuesday that Russia had no room to retreat in a standoff with the United States over Ukraine and would be forced into a tough response unless the West dropped its "aggressive line".
Russia’s draft agreements with NATO and the United States: Intended for rejection? (Brookings) Steven Pifer examines Russia's proposed draft agreements with NATO and the United States on security in Europe, and whether they could be an opening bid in serious negotiations or are intended to be rejected and used as a pretext for military action against Ukraine.
Analysis: 'No walkover': Ukraine could extract high price for any Russian attack (Reuters) Ukraine's armed forces are heavily outnumbered and outgunned by Russia's but could put up a level of resistance that would force Russian President Vladimir Putin to pay a price of many thousands of Russian lives for any new invasion.
Kamala Harris warns that Russia could see sanctions "like you've not seen before" if it invades Ukraine (CBS News) Vice President Kamala Harris who spoke with "Face the Nation" moderator Margaret Brennan in an interview Monday, declined to say whether these new sanctions would target Putin directly.
A Growing Army of Hackers Helps Keep Kim Jong Un in Power (Bloomberg) North Korea relies on cybercrime to fund its nuclear arms program and prop up the ailing economy.
Cooley Privacy Talks: UK Privacy Update (cyber/data/privacy insights) Post-Brexit, the UK is no longer a member state of the European Union, meaning that the data protection regime that applies to UK-related processing is separate from – but currently remains similar to – that which applies to EU-related processing. There are certain impactful consequences of this.
We're starting to see a national response to ransomware, says Mandiant CEO (CNBC) Companies are beginning to go on the offensive, actively seeking out cyber threats and disabling them before they can wreak havoc on systems and networks.
Commentary: We must do what it takes to achieve national security in the cyber age (Fortune) The U.S. must retaliate against states, non-state actors, and criminals who use cyberattacks to undermine its security.
How weather is playing a role in information warfare (Defense News) The military has begun to bring weather units into the fold for information warfare.
Litigation, Investigation, and Law Enforcement
China regulator suspends cyber security deal with Alibaba Cloud (Reuters) Chinese regulators on Wednesday suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, over accusations it failed to promptly report and address a cybersecurity vulnerability, according to state-backed media reports.
The secret Uganda deal that has brought NSO to the brink of collapse (Ars Technica) Things changed once US diplomats in Uganda got hacked by Pegasus.
New analysis further links Pegasus spyware to Jamal Khashoggi murder (The Verge) The US government has recently begun to take action against the Israeli company.
UAE put NSO's Pegasus on Khashoggi's wife's phone - report (Jerusalem Post) Jamal Khashoggi was killed by Saudi Arabian agents.
NSO Group's Sophisticated Spyware Connected to More Cases (GovInfoSecurity) The spyware of sanctioned Israeli firm NSO Group was reportedly detected on the smartphones of high-profile Polish figures associated with the nation's opposition
Ex-military arrested for gathering intelligence on Ukraine’s air defense systems for Russia (Ukrinform) In Dnipropetrovsk region, a former officer of an Air Force unit was exposed for stealing military secrets.
Russian hackers made millions by stealing SEC earnings reports (BleepingComputer) A Russian national working for a cybersecurity company has been extradited to the U.S., where he is being charged with hacking into the computer networks of two U.S.-based filing agents used by multiple companies to file quarterly and annual earnings through the Securities and Exchange Commission's (SEC) system.
How one of America’s largest employers leans on federal law enforcement (POLITICO) Amazon has increasingly tipped off the Justice Department and FBI to investigate its own employees and the sellers using its platform, according to a POLITICO analysis.