Dateline the Internet: the Log4j vulnerabilities and related risks.
Log4j Risk mitigation (and the risks are both technical and regulatory). (The CyberWire) CISA says that large US Federal agencies met the risk mitigation deadlines of ED 22-02. The US FTC gives businesses a warning that they're at risk of regulatory and legal action if they're not comparably diligent in approaching the problem. And general remediation of the Log4j vulnerabilities continues to look like a long trip indeed.
CISA: All Large Federal Agencies Have Mitigated Log4j Vulnerability (MeriTalk) The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) said today that all large Federal agencies have successfully mitigated the Log4j critical vulnerability that the agency discovered in early December 2021.
FTC warns companies to remediate Log4j security vulnerability (Federal Trade Commission) Log4j is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services.
FTC warns of legal action against companies that fail to mitigate Log4Shell (The Record by Recorded Future) The US Federal Trade Commission said on Tuesday that it intends to start legal actions and sue companies that leak consumer data by not patching applications vulnerable to the Log4Shell vulnerability.
FTC warns companies to secure consumer data from Log4J attacks (BleepingComputer) The US Federal Trade Commission (FTC) has warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks.
Log4j Vulnerability: 100s of Exposed Packages in Maven Central (JFrog) Hundreds of Java packages in the Maven Central repository were found to be exposed to a hidden Log4j Log4Shell vulnerability; deep scanning was used to detect the affected code.
Microsoft Sees Rampant Log4j Exploit Attempts, Testing (Threatpost) Microsoft says it’s only going to get worse: It’s seen state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through the end of December.
A Case Study in Appropriately Responding to the Log4J Cybersecurity Vulnerability (The National Law Review) Just in time for the holiday season, and at a time when cybercriminals are generally most active, industry experts discovered a critical vulnerability in a software commonly used by companies. The sof
Attacks, Threats, and Vulnerabilities
Skimmer Injected Into 100 Real Estate Websites via Cloud Video Platform (SecurityWeek) More than 100 real estate websites belonging to the same parent company were injected with web skimmer code via an unnamed cloud video platform.
Card-stealing code found on more than 100 Sotheby's luxury real estate sites (The Record by Recorded Future) Threat actors have breached the Brightcove account of Sotheby's and deployed code capable of stealing and collecting payment card details on more than 100 websites operated by Sotheby's real estate division.
Hackers use video player to steal credit cards from over 100 sites (BleepingComputer) Hackers used a cloud video hosting service to perform a supply chain attack on over one hundred real estate sites, injecting malicious scripts that steal information entered into website forms.
Unpatched HomeKit Vulnerability Exposes iPhones, iPads to DoS Attacks (SecurityWeek) Unpatched HomeKit vulnerability dubbed doorLock can be exploited to launch DoS attacks against iOS devices.
Portuguese media empire struck in the latest cyberattack on news outlets (CyberScoop) The websites of the top newspaper and TV station in Portugal remained down Tuesday after a cyberattack that began over the weekend, following a string of recent attacks on media organizations. Impresa Group said its Expresso newspaper and SIC TV stations were the victims of a computer attack. A ransomware group suspected as the culprit, known as Lapsus$, initially defaced the websites with a ransom demand.
'Ruthless' Vice Society claims responsibility for Spar attack (Tech Monitor) Vice Society has claimed responsibility for a ransomware attack on supermarket chain Spar. The group is a rising force in ransomware.
Have I Been Pwned warns of DatPiff data breach impacting millions (BleepingComputer) The cracked passwords for almost 7.5 million DatPiff members are being sold online, and users can check if they are part of the data breach through the Have I Been Pwned notification service.
Saltzer Health Says Patient Data Exposed in Cyberattack (SecurityWeek) Intermountain Healthcare-owned Saltzer Health told patients that their personal information might have been compromised after an unauthorized party gained access to an employee email account
UScellular discloses data breach after billing system hack (BleepingComputer) UScellular, self-described as the fourth-largest wireless carrier in the US, has disclosed a data breach after the company's billing system was hacked in December 2021.
Cyber Attack Hits Agency That Oversees Illinois Insurance (GovTech) The cyber attack was carried out at the Office of the Special Deputy Receiver, a nonprofit that works with the state and exists largely to protect creditors and policyholders of troubled or insolvent insurance companies.
Montreal tourism agency confirms cyber attack (IT World Canada) Montreal’s tourism agency has acknowledged it was hit by a cyber attack early last month, one of a number of recent Canadian and American victim organizations claimed by the Karakurt hacking group.
Care New England has to manually pay workers after cyber attack | ABC6 (ABC6) PROVIDENCE, R.I. (WLNE) - Care New England had to pay employees manually last week, after a cyber attack on Kronos Private Cloud, according to a spokesperson at Care New England. Kronos is the company that handles paycheck services for Care New England, as well as other clients around the United States. About 7,500 Care New England employees had to be paid...
Vulnerability Summary for the Week of December 27, 2021 (CISA) The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Security Patches, Mitigations, and Software Updates
Microsoft releases fix for disruptive Exchange Y2K22 bug (Computing) Date validation issue caused flashbacks to Y2K
Trends
In 2022, hackers will have companies that fake social responsibility in the crosshairs (Newswire) Consumers and employees will be watching closely in 2022 to ensure that multinational corporations are checking all the boxes when it comes to the environment,
The Biggest CyberSecurity Threats to be Aware of in 2022! (The Technews) As experts continue to discover sophisticated technologies daily, their consumers, mainly organizations, are prone to cyber threats. Occurrences of such threats can be attributed to two significant factors: attackers continuing to be more innovative, and external factors such as COVID-19. During the pandemic, according to recent stats, 70% of Americans have adopted working […]
8 Cybersecurity Trends You Must Watch Out For in 2022 (Latest Hacking News) In the past two years, the digital revolution has been taking over the world at lightning…
Marketplace
Cyberspace Solarium Disbands, to Reform as Nonprofit (GovTech) The Cyberspace Solarium Commission terminated in late December 2021, with members reportedly planning to form a nonprofit that will continue efforts to develop and promote cybersecurity policy.
Bot mitigation company Human Security raises $100M (VentureBeat) Human Security, a bot mitigation and fraud detection company for enterprises, has raised $100 million in a growth round of funding.
Optiv, NightDragon Create Alliance to Accelerate Delivery of Game-Changing Technology to Cybersecurity Market (StreetInsider.com) Optiv, the cyber advisory and solutions leader, has announced an innovation-driven alliance with NightDragon, a dedicated cybersecurity, safety, security and privacy investment and advisory firm. Optiv and...
Palantir and Hyundai Heavy Industries Will Form Big Data Platform in $25 Million Deal (Bloomberg) Long-term deal positions Palantir to grow commercial business. Agreement with South Korean company valued at $25 million.
Cole Engineering Services, Inc. (CESI) awarded $957M Cyber TRIDENT Contract (Florida Newswire) Cole Engineering Services, Inc. (CESI), a By Light Company, has been awarded the Cyber Training, Readiness, Integration, Delivery and Enterprise Technology (Cyber TRIDENT) $957M Indefinite Delivery/Indefinite Quantity (IDIQ) contract. The Cyber TRIDENT contract is utilized by Department of Defense (DoD) organizations and other non-DoD agencies that have related cyber training needs.
OneSpan Appoints Technology Industry Leader Tom Aurelio as Chief People Officer (OneSpan) Former Symantec, Priceline.com, and Criteo executive joins OneSpan to help accelerate global growth by aligning people with business and customer objectives
Kivu Hires Shane Sims, as New Chief Executive Officer (PR Newswire) Kivu Consulting, a leading provider of cybersecurity and forensic services to organizations worldwide, announced Shane Sims has been chosen to...
Cyren Announces New Head of Marketing (StreetInsider.com) Cyren (NASDAQ: CYRN), a provider of email security and threat intelligence solutions, today announced it has...
Aqua Security Appoints Cybersecurity Leader Paul Calatayud as CISO (Aqua) Aqua announced the appointment of cybersecurity industry veteran Paul Calatayud as Chief Information Security Officer (CISO).
Databricks Appoints Naveen Zutshi as Chief Information Officer (PR Newswire) Databricks, the Data and AI company and pioneer of the data lakehouse architecture, today announced the appointment of transformative leader,...
Acronis appoints Michael Callahan as Chief Marketing Officer (Acronis) For information about Acronis and Acronis' products, or to schedule an interview, please send an email or reach an Acronis representative through the listed media contacts.
Vinnie Liu Has a Mission: Keeping People Safe Online and Offline (Dark Reading) Security Pro File: The years at the National Security Agency shaped Vinnie Liu's views on security. "We're missionaries, not mercenaries," he says.
Products, Services, and Solutions
New ‘Mr. Security Answer Person’ segment with John Pescatore to be a regular feature on the CyberWire Daily podcast. (The CyberWire) The CyberWire announced a new feature on its popular CyberWire Daily podcast. The new segment, ‘Mr. Security Answer Person,’ features industry veteran John Pescatore, Director of Emerging Security Trends at SANS. He’s well known to the community, and as Mr. Security Answer Person, he’ll share fresh, candid, and often humorous perspectives on the cybersecurity sector.
StrikeForce and Aite-Novarica Introduce Industry’s First Data Sensitivity Classification and Technology Framework for Locking Down Video Conference Security (GlobeNewswire News Room) Whitepaper Suggests New NIST-Informed Security Protocol with Priority Levels Based on Sensitivity of Information to Protect Privacy and Data in all...
Meow Selects Cognito Flow, First Complete No-Code Online Identity Verification Service to Easily Verify and Onboard Business Customers (GlobeNewswire News Room) Cognito, which provides the first easy and comprehensive online identity verification of global...
Ivanti Extends an Award‑Winning Velocity Product with the ‘Ivanti Neurons for IIoT’ Platform to Accelerate Supply Chain Operations with Digital Transformation (Ivanti) Ivanti Neurons for IIoT enables customers to rapidly automate warehouse processes and build innovative low-code or no-code applications to achieve peak operational efficiency.
Coming to a laptop near you: A new type of security chip from Microsoft (Ars Technica) AMD becomes the first CPU maker to integrate the Microsoft-designed chip into its wares.
SafeBreach: “Hackers keep finding ways because everything evolves” (CTECH) Edo Yahav, SafeBreach’s VP of R&D, joins CTech to discuss how the platform prevents attacks on enterprises
Here's a lesson we took from highly motivated hackers (ITWeb) EDR is a primary element and a low-hanging fruit to boost cyber security resilience, says Annestasia Whitehead, business unit manager at Cyber Security SA.
Technologies, Techniques, and Standards
The CISO's guide to third-party security management (Help Net Security) This comprehensive guide provides the direction you need to make your organization’s third-party security program efficient and scalable.
Here’s how DHS’s risk center responds to threats like ransomware (Federal News Network) Colonial Pipeline proved to be an important test of DHS’s new approach to managing threats and vulnerabilities to key U.S. sectors.
Your Law Firm Has Been Breached: Who Are You Going To Call? (Above the Law) Prepare, practice, and revise your Incident Response Plan regularly.
Maryland Air Guard counters real-world cyber adversaries (Air National Guard) The Maryland Air National Guard’s 175th Cyber Operations Group supported a task force under U.S. Cyber Command’s Cyber National Mission Force at Fort Meade, Maryland, from February to
Legislation, Policy, and Regulation
NATO schedules special meeting with Russia amid Ukraine crisis (Reuters) NATO Secretary-General Jens Stoltenberg has scheduled a special meeting of allied ambassadors and top Russian officials for next week as both sides seek dialogue to prevent open conflict over Ukraine, a NATO official said on Tuesday.
NATO to hold foreign ministers meeting over Ukraine (Military Times) President Joe Biden has warned Russian President Vladimir Putin that Washington could impose new sanctions against Moscow if it takes further military action against Ukraine.
China drafts rules on security reviews for apps influencing public opinion (Reuters) China's cyber regulatory body issued on Wednesday draft rules governing mobile apps, including a requirement for security reviews of apps whose functions could influence public opinion.
US, Japan to hold Security Consultative Committee '2+2' meeting, amid Chinese assertiveness (ANI News) Washington [US], January 5 (ANI): The US-Japan Security Consultative Committee "2+2" Meeting, 2022 will be held on January 6 to strengthen the alliance and to address global challenges amid Chinese assertiveness in the region.
Iranian Attacks Aim To Challenge Israel's Cyber Prowess (The Media Line) Early Monday morning, the homepage of The Jerusalem […]
VP Harris calls for “cyber doctrine” to address mounting attacks (Security Systems News) Vice President Kamala Harris has cited the need for a “cyber doctrine” and greater international efforts to address the rash of cybersecurity attacks that have occurred over the past year
Why the US should fight Russia, China in the ‘gray zone’ (C4ISRNet) Time for Washington to get more active in the 'gray zone,' especially cyber and information warfare, according to the Atlantic Council.
Seizing the advantage: A vision for the next US national defense strategy (Atlantic Council) In this latest installment of the Atlantic Council Strategy Papers series, Forward Defense’s Clementine Starling, Lt Col Tyson Wetzel, and Christian Trotti articulate their vision and recommendations for the next US National Defense Strategy, including clearer prioritization, investments and divestments, reposturing of US forces, a new warfighting concept, and a focus on transnational threats like hybrid warfare and climate change.
Feds Step Up Cybersecurity Support for State Governments (Nextgov.com) Forty-two advisers have been appointed or are in the process, with eight states still needing federal-level coordinators.
Arizona launches cyber command center to protect government and business (Chamber Business News) Arizona has launched a “Cyber Command Center”, which will serve as the state’s headquarters for organizing cybersecurity operations. The center will provide a central location for facilitating information sharing and cooperation between cyber experts, government agencies, and private-public partnerships.
FCC Restocks CSRIC Working Groups on 5G, Supply Chain Security (MeriTalk) The Federal Communications Commission on Dec. 30 released membership rosters for the six working groups of its Communications Security, Reliability, and Interoperability Council (CSRIC), which provides advice to the agency on how to improve security and reliability of U.S. communications systems.
Israeli cyber chief Unna steps down after four years in role (Jerusalem Post) "Despite the drastic and escalating efforts by different [cyber] attackers, we succeeded at blocking thousands of cyber attacks in time - and before they caused broad damage to the civilian sector."
Litigation, Investigation, and Law Enforcement
Federal Law Enforcement Seeks to Fill the Holes Revealed by Jan. 6 Attack (Wall Street Journal) Law-enforcement and intelligence agencies are grappling with violent online chatter, along with threats against lawmakers, inspired in part, officials say, by the attack on the U.S. Capitol.
FBI's Backdoored Anom Phones Secretly Harvested GPS Data Around the World (Vice) Documents reviewed by Motherboard, including thousands of pages of Anom messages, show that the FBI's backdoored Anom phones collected more data than the content of messages.
Google accused of paying Apple billions to keep it away from internet search market (Computing) Lawsuit also claims Apple gives preferential treatment to Google on all Apple devices
SlimPay fined for exposing bank data of 12 million (Register) French regulator's investigation finds multiple breaches of GDPR
Retail Store Let Off for Compliance with Its Data Protection Obligations (Lexology) A recent decision of the Personal Data Protection Commission (“PDPC”) demonstrates the importance of compliance with data protection obligations. On…
Facebook's Meta Rebrand Fuels Kids' Data Harvesting Suit (Law360) A group of parents has hit Facebook's parent company, Meta Platforms Inc., with a putative class action in Alabama federal court accusing it of engaging in a "digital conspiracy" to harvest minors' images, arguing that the tech giant's recent rebrand signaled the "culmination" of its plan to unlawfully profit from this valuable information.