Cybersecurity News of the Week, December 26, 2021

Individuals at Risk

Cyber Privacy

How to Tell Which Apps Can See Your Private iPhone Data: Every year, Apple releases new features that both improve data privacy on the iPhone, and set a new benchmark for the industry as a whole. With iOS 15, it’s all about transparency. iOS 15.2 brings a new feature called App Privacy Report that provides a visual, easy-to-read report of all the ways an app is using or transmitting your private data. LifeHacker, December 17, 2021

Cyber Defense

10 ways to prevent becoming a cyber crime statistic: While many of us look forward to some time off, the combination of relaxation and increased spending during the festive season heightens cybercrime activities and the 2021 year-end season will likely be a bonanza for online criminals because we are spending much more online than before, says Brendan Kotze, chief development officer at information security firm Performanta. BusinessTech, December 24, 2021

Cyber Warning

Illegal copies of ‘Spider-Man: No Way Home’ infected with cryptocurrency mining malware: People trying to download an illegal copy of “Spider-Man: No Way Home” are in for an unpleasant surprise, as copies on “torrent” sites that point to illicit copies of movies were found to include a persistent cryptocurrency miner as an unwanted bonus. SiliconAngle, December 23, 2021

Fake Christmas Eve termination notices used as phishing lures: A phishing campaign using a well-known malware family is employing a pair of particularly devious methods to trick targets into opening an infected file: fake employee termination notices and phony omicron-variant exposure warnings. CyberScoop, December 23, 2021

Google Play app with 500,000 downloads sent user contacts to Russian server: Joker malware, which surreptitiously signs up users to pricey services, strikes again. ars technica, December 16, 2021

Cyber Surveillance

Beware the Elf on the Shelf, Privacy Watchdogs Warn: Privacy organizations acknowledge that the elf isn’t the biggest security threat, but they say that he teaches children the wrong lessons about accepting surveillance. The New York Times, December 24, 2021

Information Security Management for the Organization

Information Security Management – Log4j / log4shell

Log4j: A CISO’s Practical Advice: Working together is going to make getting through this problem a lot easier. DarkReading, December 24, 2021

CISA, FBI and NSA Publish Joint Advisory and Scanner for Log4j Vulnerabilities: Cybersecurity agencies from Australia, Canada, New Zealand, the U.S., and the U.K. on Wednesday released a joint advisory in response to widespread exploitation of multiple vulnerabilities in Apache’s Log4j software library by nefarious adversaries. TheHackerNews, December 23, 2021

Log4j Reveals Cybersecurity’s Dirty Little Secret: Once the dust settles on Log4j, many IT teams will brush aside the fundamental, not-exciting need for better asset and application management. DarkReading, December 22, 2021

New Log4j Attack Vector Discovered: Meanwhile, Apache Foundation releases third update to logging tool in 10 days to address yet another flaw. DarkReading, December 20, 2021

Information Security Management

The Future of Work Has Changed, and Your Security Mindset Needs to Follow: When businesses first sent employees to work from home in March 2020 — thinking it’d only be for two weeks — they turned to quick fixes that would enable remote work for large numbers of people as quickly as possible. While these solutions solved the short-term challenge of allowing distributed workforces to connect to a company’s network from anywhere, they’re now becoming a security vulnerability that is putting organizations at risk of growing cyberattacks. DarkReading, December 23, 2021

Cybersecurity spending trends for 2022: Investing in the future: As security budgets continue to rise, where is the money going? Recent surveys offer insight into CISO spending for the year ahead. CSO, December 20, 2021

Zero Trust Shouldn’t Mean Zero Trust in Employees: Some think zero trust means you cannot or should not trust employees, an approach that misses the mark and sets up everyone for failure. DarkReading, December 20, 2021

Cyber Defense

The NCA shares 585 million passwords with Have I Been Pwned: The UK National Crime Agency has shared a collection of more than 585 million compromised passwords it found during an investigation with Have I Been Pwned, a website that indexes data from security breaches. TheRecord, December 20, 2021

Cyber Update

Microsoft warns of easy Windows domain takeover via Active Directory bugs: Microsoft warned customers today to patch two Active Directory domain service privilege escalation security flaws that, when combined, allow attackers to easily take over Windows domains. BleepingComputer, December 20, 2021

FBI: State hackers exploiting new Zoho zero-day since October: The Federal Bureau of Investigation (FBI) says a zero-day vulnerability in Zoho’s ManageEngine Desktop Central has been under active exploitation by state-backed hacking groups (also known as APTs or advanced persistent threats) since at least October. BleepingComputer, December 20, 2021

Cybersecurity in Society

Cyber Crime

Global IT services provider Inetum hit by ransomware attack: Less than a week before the Christmas holiday, French IT services company Inetum Group was hit by a ransomware attack that had a limited impact on the business and its customers. BleepingComputer, December 24, 2021

Logistics giant warns of BEC emails following ransomware attack: Hellmann Worldwide is warning customers of an increase in fraudulent calls and emails regarding payment transfer and bank account changes after a recent ransomware attack. BleepingComputer, December 17, 2021

Cyber Attack – Log4j / log4shell

Belgian defense ministry hit by cyberattack: State-backed hacking groups including those with ties to China, Iran, North Korea and Turkey have been using a vulnerability in Log4j software. Politico, December 20, 2021

Cyber Attack

Lights Out: Cyberattacks Shut Down Building Automation Systems: Security experts in Germany discover similar attacks that lock building engineering management firms out of the BASes they built and manage — by turning a security feature against them. DarkReading, December 20, 2021

Cyber Surveillance

The secret Uganda deal that has brought NSO to the brink of collapse: Things changed once US diplomats in Uganda got hacked by Pegasus. ars technica, December 21, 2021

A UAE agency put Pegasus spyware on phone of Jamal Khashoggi’s wife months before his murder, new forensics show: The new analysis challenges NSO claims that the murdered journalist’s wife, Hanan Elatr, ‘was not a target’. The Washington Post, December 21, 2021

Know Your Enemy – Log4j / log4shell

Conti ransomware group adopts Log4Shell exploit: The Conti gang has become the first professional ransomware operation to adopt and incorporate the Log4Shell vulnerability in their daily operations. TheRecord, December 17, 2021

National Cybersecurity

Why Wall Street is worried about state and local government cybersecurity: Wall Street and the insurance markets are worried about the cybersecurity risks that state and local governments face, including a cascade of ransomware attacks targeting a public sector that is still navigating how to manage more and more services online during the COVID-19 pandemic. TheRecord, December 23, 2021

National Cyber Defense – Log4j / log4shell

What is Log4j? A cybersecurity expert explains the latest internet vulnerability, how bad it is and what’s at stake: Log4Shell, an internet vulnerability that affects millions of computers, involves an obscure but nearly ubiquitous piece of software, Log4j. The software is used to record all manner of activities that go on under the hood in a wide range of computer systems. TheConversation, December 22, 2021

CISA director: The LOG4J security flaw is the ‘most serious’ she’s seen in her career: Cybersecurity and Infrastructure Security Director Jen Easterly tells CNBC’s Eamon Javers that the LOG4J security flaw is the “most serious” vulnerability she’s seen in her decades-long career and it could take years to address. Her message to business leaders: Do not delay in making sure that you are protected from this vulnerability. CNBC, December 20, 2021

National Cyber Defense

White House to discuss software development with tech executives, calling it ‘key national security concern’: White House national security adviser Jake Sullivan has invited the CEOs of major software firms to discuss ways to improve software security following the emergence of a critical vulnerability that US officials have said could affect hundreds of millions of devices around the world, a senior Biden administration official told reporters Thursday. CNN, December 23, 2021

NIST Cyber-Resiliency Framework Extended to Include Critical Infrastructure Controls: The latest NIST publication outlines how organizations can build systems that can anticipate, withstand, recover from, and adapt to cyberattacks. DarkReading, December 14, 2021

US government to offer up to $5,000 ‘bounty’ to hackers to identify cyber vulnerabilities: The Department of Homeland Security is launching a “bug bounty” program, potentially offering thousands of dollars to hackers who help the department identify cybersecurity vulnerabilities within its systems. CNN, December 14, 2021

Cyber Lawsuit

Capital One settles a class-action lawsuit for $190 million in a 2019 hacking: Capital One has agreed to pay $190 million to settle a class-action lawsuit filed by customers of the bank after a hacker stole the personal data of more than 100 million people in 2019. The New York Times, December 23, 2021

Cyber Misc – Log4j / log4shell

China suspends deal with Alibaba for not sharing Log4j 0-day first with the government: China’s internet regulator, the Ministry of Industry and Information Technology (MIIT), has temporarily suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of e-commerce giant Alibaba Group, for six months on account of the fact that it failed to promptly inform the government about a critical security vulnerability affecting the broadly used Log4j logging library. TheHackerNews, December 22, 2021
