FTC Warns That Failure to Fix Log4j Flaw Could Trigger Legal Repercussions
Zloader campaign affects victims in 111 countries, Brightcove player used to breach Sotheby's, UScellular discloses another data breach, Norton 360 now comes with cryptomining software, more
The Federal Trade Commission warned companies that they could face legal repercussions if they fail to remediate the recently disclosed and widely exploited vulnerability (Log4Shell) in the open-source Java logging library Log4j.
The Commission’s notice cites Equifax’s $700 million settlement with the agency in 2019 as a cautionary tale. The FTC’s complaint alleged that Equifax’s failure to patch a known flaw led to the exposure of the personal information of 147 million people. (Tonya Jo Riley / Cyberscoop)
Tech@FTC (@TechFTC): FTC warns companies to remediate Log4j security vulnerability: https://t.co/zKinPUJd0G
Researchers at Check Point say that a new Zloader campaign orchestrated by a threat group known as MalSmoke exploits Microsoft's digital signature verification to deploy malware payloads and steal user credentials from thousands of victims from 111 countries.
The campaign, which started in November and is still ongoing, uses a "Java.msi" file that is a modified installer of Atera. When the file is executed, it gives attackers full remote access to the system, which allows them to run scripts and upload or download files, most notably Zloader malware payloads. (Bill Toulas / Bleeping Computer)
Researchers at Palo Alto Networks issued a report indicating that threat actors breached Sotheby’s Brightcove account and, using the Brightcove video player, deployed card-skimming code that collected payment card details on more than 100 websites operated by Sotheby’s real estate division.
The incident took place last year. Although Palo Alto Networks did not name either company, it shared a list of domains where the malicious code was deployed, which indirectly identified Sotheby’s as the real estate company. The report also contained code samples that allowed researchers at Malwarebytes to identify Brightcove as the cloud video platform. (Catalin Cimpanu / The Record)
Microsoft warned Windows and Azure customers to remain vigilant after observing state-sponsored and cyber-criminal attackers probing systems for the Log4j Log4Shell flaw through December.
"Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks," the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC) said. (Liam Tung / ZDNet)
UScellular, self-described as the fourth-largest wireless carrier in the US, disclosed a data breach after the company's billing system was hacked in December 2021, allowing the attackers to gain access to customer data, which they attempted to use to port numbers fraudulently.
The customer account data accessed included name, address, PIN code, cellular telephone number(s), and information about wireless services, including service plan, usage, and billing statements. The carrier reset the impacted customers' security questions, answers, and personal identification numbers (PINs) linked to their accounts following the breach discovery. (Sergiu Gatlan / Bleeping Computer)
Related: Security Affairs
Cracked passwords for almost 7.5 million members of the mixtape hosting service DatPiff are being sold online. Users can check whether they are part of the data breach through the Have I Been Pwned notification service.
It’s unclear when the breach occurred, but the DatPiff database was first sold privately and then publicly on hacking forums in July 2020. (Bill Toulas / Bleeping Computer)
Lenovo’s new ThinkPad Z13 and Z16 are the first PCs unveiled with Microsoft’s new Pluton security architecture since Microsoft announced Pluton in November 2020.
Pluton takes security functions that otherwise live in a separate hardware component in Windows PCs, such as a discrete TPM chip, and integrates them directly into the central processing unit. The new Lenovo machines ship with AMD Ryzen PRO 6000 Series processors, the first to incorporate Pluton. (Todd Bishop / Geekwire)
Microsoft released an emergency out-of-band update to address a Windows Server bug leading to Remote Desktop connection and performance issues. Affected platforms include Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2.
The updates that address this issue are not available from Windows Update and will not install automatically on affected systems. Fixes are available via a standalone package or by downloading the update from the Microsoft Update Catalog. (Sergiu Gatlan / Bleeping Computer)
The Cyberspace Administration of China (CAC) issued draft rules governing mobile apps, including a requirement for security reviews of apps whose functions could influence public opinion.
The proposals will require application providers to conduct a security assessment before launching "new technologies, new applications, and new functions" capable of influencing opinion or mobilizing the public. (Josh Horwitz / Reuters)
Hackers interrupted a lawyer's video briefing for relatives of those who died when Iran shot down a Ukrainian airliner, playing clips of loud music and sometimes showing violent images for more than two minutes.
Images of a doll with sharp teeth and a dog with shining eyes then popped up on the screen, followed by a clip of a man singing a rap song with obscene lyrics and then repeated images of a man running towards a camera and pretending to kick it. (David Ljunggren / Reuters)
France’s CNIL regulatory body ordered subscription payment services company SlimPay to pay 180,000 Euros (around $203,494) after the company was found to have held sensitive customer data on a publicly accessible server for five years.
SlimPay undertook a research project using actual customer data but left the data in place on a server that was freely accessible from the public internet without any security procedures in place. (Dan Robinson / The Register)
Antivirus and cybersecurity company Norton released Norton Crypto, a feature of Norton 360 that installs cryptomining software on the user's machine.
Norton does not allow users to uninstall the mining program, although they can manually switch it on and off. (Caleb Clark / Digital Trends)
paul (@paul_eubanks): Norton A/V is now a cryptominer. Will it detect itself as malware, or is malware only defined by having a ToS now? https://t.co/9O5YMBkHU7
Documents reviewed by Motherboard show that Anom, the encrypted phone company marketed to criminals that the FBI secretly took over, collected users' precise GPS location and passed that information to authorities.
In its marketing messages, Anom said its phones had location services disabled and that all code governing their use was removed from Anom’s custom operating system called ArcaneOS. (Joseph Cox / Motherboard)
Anti-bot and anti-fraud technology company Human Security announced it raised $100 million in a growth funding round.
WestCap led the round, with participation from NightDragon and other current investors. (Maria Deutscher / Silicon Angle)