Dateline the Internet: the Log4j vulnerabilities.
Log4j update: a Federal deadline, Conti sightings, and the scanning challenge. (The CyberWire) As the holidays approach, so does a US Federal remediation deadline. Scanning for Log4j vulnerabilities proves challenging, and the Conti gang is exploiting Log4shell aggressively.
Mitigating Log4Shell and Other Log4j-Related Vulnerabilities (CISA) The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library:
Five Eyes issue joint advisory for defending against Log4Shell (The Record by Recorded Future) Government agencies in the United States, United Kingdom, Australia, Canada, and New Zealand issued a joint Cybersecurity Advisory Wednesday
CISA Confirms No Feds Breached Yet Via Log4j Vulnerability (MeriTalk) With the Dec. 24 deadline approaching for Federal agencies to remediate the Log4j vulnerability, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed to MeriTalk that there have still been no compromises of Federal agencies via the Apache Log4J vulnerability.
The Apache Log4j vulnerabilities: A timeline (CSO Online) The Apache Log4j vulnerability has impacted organizations around the globe. Here is a timeline of the key events surrounding the Log4j exploit as they have unfolded.
‘Most serious cyber risk Australia has faced’ (news) Millions of Australians are under threat of being “hunted” by hackers exploiting vulnerabilities in commonly-used software across more than 100,000 devices, apps and online games.
CISA releases Apache Log4j scanner to find vulnerable apps (BleepingComputer) The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of a scanner for identifying web services impacted by two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.
CISA's New Log4j Scanner Aims to Find Vulnerable Apps (Dark Reading) The open-sourced scanner was derived from scanners built by members across the open source community, CISA reports.
GitHub - cisagov/log4j-scanner (GitHub) log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities. ...
CISA, Five Eyes issue guidance meant to slow Log4Shell attacks (CyberScoop) The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released Wednesday an advisory offering vendors and affected organizations a detailed guide on how to deal with potential risks to IT and cloud services posed by an exploit in Apache Log4j’s software library.
Cybereason Government Inc. Warns of Log4Shell Exploits over Holidays (Cybereason)
Log4j Blindspots: What Your Scanner Is Still Missing (Rezilion) Rezilion’s vulnerability research team conducted a survey where multiple open source and commercial scanning tools were assessed against a dataset of packaged Java files where Log4j was nested and packaged in various formats. No scanner was able to detect all formats. The scanners that were assessed include tools by Qualys, Tenable, Rapid7, JFrog, Aqua Security, and others.
Threat Spotlight: Log injection attacks (Barracuda Journey Notes) While SQL injection, command injection, and cross-site scripting (XSS) attacks are common, log injection can present a risk and may be overlooked.
Log4j 2.17.0 fixes newly discovered exploit (Tech Target) The Log4j 2.17.0 update is the third of its kind since Log4Shell was disclosed and the mass exploitation began. Versions 2.15.0 and 2.16.0 patched remote code execution bugs.
What is Log4j? A cybersecurity expert explains the latest internet vulnerability, how bad it is and what's at stake (The Conversation) Log4Shell is the latest hacker exploit rocking the internet, and it’s arguably the worst yet. The vulnerability is in an obscure piece of software used on millions of computers.
Computer security experts scramble to fix ‘vulnerability of the decade’ (Rochester Post Bulletin) In early December, a security researcher at Chinese online retailer Alibaba discovered and reported the software flaw in a widely used tool called log4j.
Log4j flaw gets big attention from ‘ruthless’ ransomware gang (VentureBeat) The Apache Log4j vulnerability has prompted a major ransomware gang, Conti, to launch attacks using the flaw, known as Log4Shell.
Conti ransomware is exploiting the Log4Shell vulnerability to the tune of millions (TechRepublic) Log4Shell is a dangerous security concern — and now Conti, a prominent ransomware group, is exploiting it to attack vulnerable servers to extort millions of dollars.
China regulator suspends cyber security deal with Alibaba Cloud (Reuters) Chinese regulators on Wednesday suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, over accusations it failed to promptly report and address a cybersecurity vulnerability, according to state-backed media reports.
Apache Log4j bug: China’s industry ministry pulls support from Alibaba Cloud for not reporting flaw to government first (South China Morning Post) The Ministry of Industry and Information Technology said it will suspend work with Alibaba Cloud as a cybersecurity threat intelligence partner for six months. Notifying vendors first about security flaws is a cybersecurity industry norm, but a new law encourages Chinese companies to first notify the government.
Alibaba Employee First Spotted Log4j Software Flaw but Now the Company Is in Hot Water With Beijing (Wall Street Journal) The technology ministry suspended work with Alibaba Cloud for six months over what it said was untimely reporting of the Log4j2 software flaw, which is affecting businesses and governments world-wide.
How SASE protects from Log4j (Check Point Software) By Mor Ahuvia, Product Marketing Manager, and Bob Bent, Partner Solutions Engineer. LOG4J lessons: How SASE protects from 0-day exploits. Log4J shows why
Log4j vulnerability Protection for Endpoints (Check Point Software) By Noa Goldstein, Product Marketing Manager, Shlomi Gvili, Senior Product Manager and Gal Carmeli, Harmony Endpoint R&D Group Manager. Learn how Harmony
DerScanner’s vulnerability database now includes Log4Shell zero-day threats (DerScanner) DerSecur has updated the vulnerability database of the DerScanner SAST analysis tool: it now includes the recently discovered zero-day vulnerabilities in the Apache Log4j library.
CrowdStrike Launches Free Targeted Log4j Search Tool (CrowdStrike) CrowdStrike has developed a community tool that can be used to quickly scan file systems looking for versions of the Log4j code libraries.
LEFT TO MY OWN DEVICES: The hackers’ Christmas gift: Log4j (The Times-Tribune.com) First off, I’m not alluding to a gift from the hackers. They’re continually generous by sharing their talents with the internet’s billions of users. Since Day Two, or so, of
Attacks, Threats, and Vulnerabilities
Nation-States Exploiting Critical Flaw in Zoho UEM (Bank Info Security) An authentication bypass vulnerability in Zoho's widely used unified endpoint management tool, ManageEngine Desktop Central, is being used by advanced persistent
Microsoft Teams bug allowing phishing unpatched since March (BleepingComputer) Microsoft said it won't fix or is delaying patches for several security flaws impacting Microsoft Teams' link preview feature reported since March 2021.
New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw (The Hacker News) Hackers are using a new exploit in malware attacks to bypass security patches for a critical RCE vulnerability affecting Microsoft MSHTML.
Microsoft notifies customers of Azure bug that exposed their source code (The Record by Recorded Future) Earlier this month, Microsoft notified a select group of Azure customers impacted by a recently discovered bug that had exposed the source code of their Azure web apps since at least September 2017.
Threat actors behind SolarWinds compromise are still active, warns Mandiant (IT World Canada) Just over one year ago, researchers discovered that the update mechanism of SolarWinds' Orion network management platform had been compromised by what are believed to be Russian-based groups, leading to the hack of some 100 organizations around the world out of the 18,000 that had downloaded an infected update. These victim firms included managed and […]
How NSO Group's iPhone-Hacking Exploit Works (Gizmodo) Frightening exploits sold by the embattled Israeli spyware vendor have been used to hack people all over the world. Now researchers have unpacked how it works.
As 3G dies, old phones aren’t the only victims (Boston Globe) Home security systems, medical devices, and Internet-connected cars could be impacted by wireless carriers shutting off 3G data networks in 2022.
Dark web marketplace ToRReZ shuts down (The Record by Recorded Future) The operators of ToRReZ, a dark web underground marketplace for the trade of illegal goods, shut down their operation last week, making it the third such marketplace to close on its own this year.
Another information leak related to Bkav website reported (SGGP English Edition) A member of Raidforums nicknamed seasalt123 has lately posted a user database supposedly belonging to Breport.vn of Bkav. The database contains sensitive information like user IDs and emails, full names and phone numbers.
Sennheiser Responds After Customer Data from 2018 Was Exposed Online (My TechDecisions) Audio equipment maker is working to investigate how some customer data was exposed on the internet two months ago.
Report: Audio Tech Giant Exposed Thousands of Customers’ Data (vpnMentor) Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered that consumer audio giant Sennheiser had accidentally left an old cloud account full of customer
Monongalia Health System, Inc. Investigates and Addresses Data Security Incident (PR Newswire) Today, Monongalia Health System, Inc., and its affiliated hospitals, Monongalia County General Hospital Company and Stonewall Jackson Memorial...
BEC Attack on Monongalia Health System (Infosecurity Magazine) Cyber-thieves steal from West Virginia-based healthcare provider by impersonating vendor
Phishing incident causes data breach at West Virginia hospitals (ZDNet) Attackers accessed email accounts containing Social Security numbers, medical treatment information, and more.
N.J. volunteer EMS agency says patient data was breached (EMS1) Lincoln Park First Aid Squad alleges that the state health department’s office of EMS gave the New Jersey State Police Fatal Accident Reporting System access to medical records
Report: US Logistics Company Exposes Fortune 500 Clients (Website Planet) Company name and location: D.W. Morgan, headquartered in the USA
Size (in GB and amount of records): 100+ GB of data, over 2.5 million files
Dat
Hong Kong NFT project Monkey Kingdom loses $1.3M in phishing hack, launches compensation fund (Coin Telegraph) The exploited nonfungible token project is looking to make things right before the holidays with the help of a compensation fund.
What WHOIS History Reveals about 3,800+ Verified Phishing Hosts (CircleID) The ability to retrieve historical WHOIS information can be essential for the cybersecurity community, particularly when it comes to threat hunting and cybercrime investigation. This investigative capability is highlighted in our latest downloadable white paper "Digging Up Zombie Domains: What WHOIS History Reveals about 3,800+ Verified Phishing Hosts" where we analyzed thousands of verified phishing hosts and their historical WHOIS records.
‘It’s incessant’: Bolton couple almost taken in by ‘sophisticated’ UPS email scam (CaledonEnterprise.com) Jerry and Clare Gorman were waiting for a delivery, so it wasn’t completely unexpected when they got an email from UPS.
Honolulu Transit Putting Services Back Online After Hack (GovTech) Honolulu’s public transportation officials have their hands full with the task of bringing back myriad digital services that were lost after a Dec. 9 ransomware attack. An investigation into the attack continues.
An apparent cyberattack downed Maryland’s health department and COVID data. Here’s what we know and don’t know. (Baltimore Sun) Officials haven’t yet explained what caused the cybersecurity breach or the extent of its impacts.
Trends
When the next pandemic is a cyber attack (New Statesman) At a round-table event, politicians and industry experts discussed the prospect of a global cyber attack.
Norton Names Tech Support Phishing Scams Top Threat (Security Intelligence) Tech support scams were the top phishing threat in the third quarter of 2021, says NortonLifeLock. See how to protect yourself against pop-ups.
Hackers attacked businesses over 700 million times in last 30 days globally (Business Matters) According to new data, threat actors attacked businesses more than 722 million times during the last 30 days worldwide.
Is the IT sector beset by fear-mongering? (ComputerWeekly.com) The ongoing technological arms race between hackers and security teams has led to a plethora of new security technologies being developed, but it can be hard to differentiate between sensible cyber purchases and those that are unnecessary, but promoted by exaggerating risk.
Marketplace
McKinney cybersecurity startup raises $2 million seed funding round (North Texas Inno) A local startup is ending the year with fresh funding to bring cybersecurity protection to small- and mid-sized businesses. McKinney-based ContraForce, a no-code security automation startup, announced landing a $2 million seed round investment from Maryland cyber foundry and investor DataTribe.
RSA Cybersecurity Conference Delayed Until June as Omicron Rages (Bloomberg) The RSA Conference, a major cybersecurity event that takes place annually in San Francisco, is being delayed until June due to an increase in Covid-19 cases. The event was originally scheduled to take place in February.
AhnLab Earns Frost & Sullivan's 2021 Company Of The Year Award In The South Korean Endpoint Security Industry For The Third Consecutive Year (AiThority) Based on its recent analysis of the South Korean endpoint security industry, Frost & Sullivan recognizes AhnLab
This Infamous Russian Hacker Wants Your Crypto Investment (Time) The first interview with former 'Spam King' Peter Levashov
Offensive Security’s Ning Wang: Following Her Passion From Physics To Cybersecurity CEO (Forbes) There's a tremendous shortage of talent in cybersecurity. Our vision is to be the world's leading continuous cyber security workforce development and education place.
Products, Services, and Solutions
Cvent Announces Partnership With ID.me to Enhance Event Health and Safety (ID.me Insights) New tool equips meeting and event professionals with flexible, confidential health and vaccination screening solutions to bring peace of mind to planners and attendees
Technologies, Techniques, and Standards
Researchers shared insights on how strong a password can be (Digital Information World) Data shows how adding different letters to a password can make it almost impossible to crack.
The Immediate Advantages of Attribute-Based Access Control (JumpCloud) Attribute-based access control (ABAC) provides an instant cross-check of users within a group to the apps and resources they need.
US Army conducts first tactical cyber exercise readying teams for operations (C4ISRNet) The first expeditionary cyber and electromagnetic activities team under the 915th Cyber Warfare Battalion stressed its capabilities as part of a validation exercise.
Drawing Connections Between Security and Employee Personalities (ISACA) An enterprise’s employees are often regarded as its biggest weakness in terms of cybersecurity. Though some threats are posed inadvertently by employees with certain personality traits, an organization can also be targeted intentionally by an employee acting as an insider threat.
Legislation, Policy, and Regulation
US, UK send cyberwarfare teams to Ukraine amid concerns over Russia (Business Standard) The United States and the United Kingdom sent cyberwarfare teams to Ukraine over concerns Russia could potentially launch a cyber attack
OSCE says ceasefire agreement reached for eastern Ukraine (Reuters) Negotiators from Ukraine, Russia and the Organisation of Security and Cooperation in Europe (OSCE) agreed to restore a full ceasefire between the Ukrainian government forces and Russia-backed separatists in eastern Ukraine, the OSCE said on Wednesday.
EU received no information from Russia on cybersecurity dialogue, ready for discussions (TASS) The EU expects from Russia concrete constructive steps on a large number of irritants in bilateral relations, Lead Spokesperson for EU External Affairs Peter Stano informed
Amid Ukraine invasion scare, U.S. and Europe lean on sanctions threat to stop Putin (Washington Post) The United States has marshaled support from its European allies for significant sanctions but heavy reliance on economic measures faces challenges and limitations.
American cyber hegemony: Science fiction turned into reality (CGTN) Since 2009, the NSA has spied on 122 heads of foreign states and stored collected information in a database exclusively for them, where the number of reports on Angela Merkel alone is over 300.
Harris calls for 'cyber doctrine' to address increasing attacks (TheHill) Vice President Harris is calling for a “cyber doctrine” and greater international coordination to address cybersecurity concerns after a year of mounting attacks.
National Cyber Director Unveils New Approach at Cyber War College Conference (U.S. Department of Defense) Chris Inglis, the first National Cyber director, used the Cyber Beacon forum at the Cyber War College conference to explain his new approach to cyber warfare.
Opinion | What the U.S. Should Learn From U.K. Cyber Strategy (Wall Street Journal) Despite what Defense Secretary Lloyd Austin says, cyber operations neither trigger perilous conflict nor do they make conflict more violent.
Is the US crackdown on spyware firms just getting started? (Al Jazeera) The Biden administration blacklisted Israeli spyware firm NSO in November, but experts say more needs to be done.
As the official Cyberspace Solarium comes to an end, its chairs look to what’s next (SC Media) Around 40 measures suggested by the commission were codified into law, including creating the national cyber director position.
FTC 2022 Regulatory Priorities to Include Privacy and Security (The National Law Review) As we look to 2022, a question on many companies' minds is what actions we will see from the FTC. Two recent developments are important on that front.
First, the FTC recently...
Litigation, Investigation, and Law Enforcement
Covid-19 Relief Fraud Potentially Totals $100 Billion, Secret Service Says (Wall Street Journal) Unemployment-insurance programs are among the pandemic-benefits targets for fraudsters and organized crime, the agency says.
NSA Declassifies Internet Surveillance Files from 2011 Case (New York Times) In response to a Freedom of Information Act lawsuit by The New York Times, the National Security Agency has declassified these previously secret documents from the docket of a 2011 case before the Foreign Intelligence Surveillance Court.
20 'anti-India' YouTube channels, two websites banned under new IT rules (The Economic Times) Officials said the decision to ban and block these channels and websites will be presented before the Inter Departmental Committee (IDC) within 48 hours, following which it will be ratified by a committee under the IT Rules, 2021.
Democrats push Mark Zuckerberg on Meta's actions prior to January 6th Capitol attack (Engadget) Democratic senators have called on Meta CEO Mark Zuckerberg to answer questions on how Facebook handled misinformation enforcement ahead of the January 6th US Capitol attack.
Plundered bitcoins recovered by FBI – all 3,879-and-one-sixth of them! (Naked Security) Phew! An audacious crime… that didn’t work out.
United States Files Civil Action to Return $150 Million in Embezzled Funds to Sony; FBI Tracks Money to Bitcoin (Department of Justice, U.S. Attorney’s Office for the Southern District of California) The United States took action in federal court today to protect and ultimately return more than $154 million in funds that were allegedly stolen from a subsidiary of Tokyo-based Sony Group Corporation and then seized by law enforcement during the FBI’s investigation of the theft.
U.S. fights bail for Russian businessman accused of insider trading through hacking (Reuters) A U.S. prosecutor on Wednesday argued a Russian businessman accused of insider trading using hacked corporate information could use his wealth and Kremlin connections to flee the United States if he was granted bail.
Meta Lawsuit Cracks Down on Facebook Phishing Scams (Decipher) A new lawsuit from Meta seeks to uncover the operators behind 39,000 phishing sites that have attempted to steal Facebook, Instagram and WhatsApp users’ credentials.
Uber Ex-Security Chief Faces Additional Charges of Wire Fraud (Bloomberg) Grand jury handed down a superseding indictment Wednesday. Sullivan’s lawyer accuses U.S. of recycling same allegations.
NSA cloud contract in trouble after Microsoft’s successful bid protest (Federal News Network) The case shows how carefully agencies need to tread, especially when price is not the main criterion.
If Your Disclosure of a Data Breach Was “Late,” You May Have to Litigate (JD Supra) A professional accounting firm in Illinois received an unwanted holiday “gift” in the form of a class action complaint stemming from its alleged...
Pain and Suffering for a Data Breach? German Court Issues First Decision of Its Kind in Europe. (JD Supra) A German Court has ordered pain and suffering damages as a result of a data breach, the first decision of its kind in Europe. According to the...
Phishing victim can't claim $5 mln loss for money it never ‘held’ (Reuters) A commercial-crime insurance policy didn’t cover RealPage for a $5 million phishing loss because the property-management service provider never “held” any of the purloined money, a federal appeals court held.
No Insurance Coverage for RealPage in $5 Million Phishing Loss (Bloomberg Law) National Union Fire Insurance Co. was right to not reimburse RealPage Inc. for nearly $5 million stolen in a phishing scheme, the Fifth Circuit said Wednesday, affirming that the loss isn’t covered because the technology company never “held” the funds.