Sat. Dec 11, 2021 - Fri. Dec 17, 2021

Microsoft Patch Tuesday, December 2021 Edition

Krebs on Security

Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited.

The Log4J Vulnerability Will Haunt the Internet for Years

WIRED Threat Level

Hundreds of millions of devices are likely affected.

GUEST ESSAY: Why the arrests of cyber criminals in 2021 will incentivize attackers in 2022

The Last Watchdog

In 2021, law enforcement continued making a tremendous effort to track down, capture and arrest ransomware operators, to take down ransomware infrastructure, and to claw back ransomware payments. While some of these efforts have been successful, and may prevent more damage from being done, it is important to realize that headline news is a lightning rod for more attacks. Successful attacks breed copycats, and their arrests make room for replacements.

Time to Reset the Idea of Zero Trust

Dark Reading

CISOs are increasingly drawn to the zero trust security model, but implementing a frictionless experience is still a challenge.

NY Man Pleads Guilty in $20 Million SIM Swap Theft

Krebs on Security

A 24-year-old New York man who bragged about helping to steal more than $20 million worth of cryptocurrency from a technology executive has pleaded guilty to conspiracy to commit wire fraud.

ROUNDTABLE: Cybersecurity experts reflect on 2021, foresee intensifying challenges in 2022

The Last Watchdog

Privacy and cybersecurity challenges and controversies reverberated through all aspects of business, government and culture in the year coming to a close. Last Watchdog sought commentary from technology thought leaders about lessons learned in 2021 and guidance heading into 2022. More than two dozen experts participated. Here is the first of two articles highlighting what they had to say. Comments edited for clarity and length.

How Risky Is the Log4J Vulnerability?

Dark Reading

Security teams around the world are on high alert dealing with the Log4j vulnerability, but how risky is it, really?

Inside Ireland’s Public Healthcare Ransomware Scare

Krebs on Security

The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland’s public health system.

Hackers exploit Log4Shell to drop Khonsari Ransomware on Windows systems

Security Affairs

Bitdefender researchers discovered that threat actors are attempting to exploit the Log4Shell flaw to deliver the new Khonsari ransomware on Windows machines.

SHARED INTEL: Log4J vulnerability presents a gaping attack vector companies must heed in 2022

The Last Watchdog

As we close out 2021, a gargantuan open-source vulnerability has reared its ugly head. This flaw in the Apache Log4J logging library is already being aggressively probed and exploited by threat actors — and it is sure to become a major headache for security teams in 2022. This vulnerability is so dangerous because of its massive scale.

Log4Shell: The Big Picture

Dark Reading

A look at why this is such a tricky vulnerability and why the industry response has been good, but not great.

How to Guard Against Smishing Attacks on Your Phone

WIRED Threat Level

“Smishing” is an attempt to collect logins or other sensitive information with a malicious text message—and it's on the rise.

Flaws in Lenovo laptops allow escalating to admin privileges

Security Affairs

The ImControllerService service of Lenovo laptops is affected by a privilege elevation bug that can allow the execution of commands with admin privileges.

Cybersecurity ‘Vaccines’ Emerge as Ransomware, Vulnerability Defense

eSecurity Planet

Cybersecurity vaccines are emerging as a new tool to defend against threats like ransomware and zero-day vulnerabilities. Cybersecurity firms have released “vaccines” in recent days to protect against the widely used STOP ransomware strain and the new Apache Log4Shell vulnerability.

Why Log4j Mitigation Is Fraught With Challenges

Dark Reading

The Log4j flaw exists in a component that is not always easy to detect and is widely used beyond an organization's own networks and systems.

Google Warns That NSO Hacking Is On Par With Elite Spy Groups

WIRED Threat Level

ForcedEntry is “one of the most technically sophisticated exploits” Project Zero security researchers have ever seen.

A phishing campaign targets clients of German banks using QR codes

Security Affairs

Cofense researchers discovered a new phishing campaign using QR codes targeting German e-banking users in the last weeks. Threat actors continue to use multiple techniques to avoid detection and trick recipients into opening phishing messages, including the use of QR codes.

When is a Scrape a Breach?

Troy Hunt

A decade and a bit ago during my tenure at Pfizer, a colleague's laptop containing information about customers, healthcare providers and other vendors was stolen from their car.

Combat Misinformation by Getting Back to Security Basics

Dark Reading

One volley of fake news may land, but properly trained AI can shut down similar attempts at their sources.

What are the benefits of cyber security as a service?

IT Governance

With organisations’ cyber security requirements becoming more complex and the threat of cyber attacks growing each year, many decision-makers are turning towards cyber security as a service. This approach, also known as managed cyber security, works by outsourcing cyber security to a third party.

Two Linux botnets already exploit Log4Shell flaw in Log4j

Security Affairs

Immediately after the disclosure of the Log4Shell flaw in the Log4j library, threat actors started including the exploit code in Linux botnets.

Weekly Update 274

Troy Hunt

As I start out by saying in this week's video, it's very summer here and not a day goes by without multiple pool visits.

Executive Partnerships Are Critical for Cybersecurity Success

Dark Reading

One leader alone can't protect an organization from cyber threats, C-suite leaders agree.

Log4Shell Exploitation Grows as Cybersecurity Firms Scramble to Contain Threat

eSecurity Planet

Cybercriminals are quickly ramping up efforts to exploit the critical flaw found in the widely used Log4j open-source logging tool, targeting everything from cryptomining to data theft to botnets that target Linux systems.

While attackers begin exploiting a second Log4j flaw, a third one emerges

Security Affairs

Experts warn that threat actors are actively attempting to exploit a second bug disclosed in the popular Log4j logging library.

The Next Wave of Log4J Attacks Will Be Brutal

WIRED Threat Level

So far, Log4Shell has resulted mostly in cryptomining and a little espionage. The really bad stuff is just around the corner.

Cisco's Ash Devata on Securing the Hybrid Workforce With Zero Trust

Dark Reading

Hybrid work is here to stay, and organizations can apply zero trust's three core principles to ensure a secure workforce, Devata says.

On the Log4j Vulnerability

Schneier on Security

It’s serious: The range of impacts is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application.
