Ransomware Gang Is Exploiting Log4Shell Flaw on Vulnerable VMWare Horizon Machines
CISA warns of attacks using Log4Shell flaw, Marlinspike steps down as Signal CEO, European carriers seek to block Apple's Private Relay, UK regulator seeks more resilience in cloud providers, more
Check out my latest CSO column that recaps CISA’s briefing yesterday on the Log4j vulnerability.
Microsoft says the Night Sky ransomware gang has started to exploit the Log4Shell vulnerability in the Log4j logging library to gain access to VMware Horizon systems.
The gang targets vulnerable machines exposed on the public web from domains that impersonate legitimate companies, including security vendors Sophos and Trend Micro and technology companies Nvidia and Rogers Corporation. Microsoft published a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet and deploy Night Sky ransomware. (Ionut Ilascu / Bleeping Computer)
Officials at the Cybersecurity and Infrastructure Security Agency (CISA) say they have not yet seen significant disruptive or destructive cyberattacks, such as ransomware attacks, linked to the Log4Shell flaw in the Log4j library discovered one month ago. But they warned that the bug could aid the nefarious activity of criminals and foreign governments for months or years to come.
CISA Director Jen Easterly said the flaw had so far led to “widespread criminal activity” that mainly consisted of installing cryptocurrency mining software or botnet code on vulnerable devices. But, she said, attackers may be waiting undetected after entering networks to do more damage and said there were limits to what CISA may know about because victimized organizations often don’t report intrusions to the government. (Dustin Volz / Wall Street Journal)
Brian Acton, a co-founder of WhatsApp and financier of Signal, is becoming Signal’s interim CEO as Moxie Marlinspike steps down as Signal’s CEO over the next month.
“After a decade or more, it’s difficult to overstate how important Signal is to me, but I now feel very comfortable replacing myself as CEO based on the team we have, and also believe that it is an important step for expanding on Signal’s success,” Marlinspike wrote in a blog post. (Joseph Cox / Motherboard)
Related: Signal, The Verge, Gizmodo, Daring Fireball, VICE News, Financial Times, TechSpot, 9to5Mac, Protocol, Slashdot, PCMag.com, ZDNet Security, Android Police, WebProNews, Benzinga, Android Central, Business Insider, The Register, iTnews - Security, TechDator, WCCFtech, Engadget, Pocket-lint, CyberNews, The Hacker News
European mobile operators including Vodafone, Telefonica, and T-Mobile signed an open letter voicing their opposition to the rollout of a new iCloud feature, Private Relay, which seamlessly sets up an encrypted VPN-like tunnel for all iPhone Safari traffic.
The carriers say that “vital network data and metadata” will be lost and have “significant consequences undermining European digital sovereignty.” They say it will also impact “operator’s ability to efficiently manage telecommunication networks.” (Benjamin Woods and James Titcomb / Telegraph)
Related: Philip Elmer DeWitt's Apple 3.0, MacRumors, Cult of Mac, iMore, 9to5Mac, AppleInsider, Cult of Android, The Mac Observer, iThinkDifferent, Android Central, xda-developers, iPhone Hacks, Slashdot, Gizmodo, Input, Daring Fireball
Cado Security says that an emerging DDoS botnet named Abcbot has "clear" links with a cryptocurrency-mining botnet attack that came to light in December 2020.
Mapping all known Indicators of Compromise (IoCs), including IP addresses, URLs, and samples, has revealed code- and feature-level similarities between Abcbot and a cryptocurrency mining operation dubbed Xanthe, which exploited incorrectly configured Docker deployments to propagate the infection. (Ravie Lakshmanan / The Hacker News)
The UK’s Prudential Regulation Authority is preparing to step up its scrutiny of cloud computing providers amid growing fears that an outage or hack of their services could severely disrupt a banking system increasingly reliant on them.
The authority is reportedly exploring ways to access more data from cloud providers Amazon, Microsoft, and Google, including on the operational resilience of their services. According to sources, the regulator is also considering the introduction of more robust outage and disaster recovery tests. (Stephen Morris and Laura Noonan / Financial Times)
The European Data Protection Supervisor (EDPS) ordered Europol to delete its massive database of information on EU citizens that it collected in recent years if the agency did not link subjects to any ongoing criminal activity.
EDPS said it tried to negotiate with Europol on a common strategy for dealing with its massive data collection and storage procedures, but the two agencies did not reach a common point of view. Europol has one year to comply with the decision. During this time, the law enforcement agency must filter its database and delete any information on EU citizens who are not part of criminal investigations. (Catalin Cimpanu / The Record)
Related: Euronews, Gizmodo, RT News, Reddit cybersecurity, Bleeping Computer, Computing.co.uk, MediaNama, The Register - Security, Techradar, Silicon Republic, European Data Protection Supervisor, The Cybersecurity Times
Researchers at Malwarebytes shed light on the tactics, techniques, and procedures used by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021. That campaign targets Pakistani government entities and individuals with a research focus on molecular medicine and biological science.
"Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own [remote access trojan], resulting in captured keystrokes and screenshots of their own computer and virtual machines," Malwarebytes said. (Ravie Lakshmanan / The Hacker News)
The Federal Investigation Agency (FIA) of Pakistan sent an inquiry to Binance as part of a criminal investigation into a scam that allegedly used Binance wallets and integrated applications to defraud about $100 million from Pakistani users.
The investigation so far found fraudulent accounts on 11 applications: MCX, HFC, HTFOX, FXCOPY, OKIMINI, BB001, AVG86C, BX66, 91FP, UG, TASKTOK. The investigation found 26 Binance wallets linked to the applications. The fraudsters asked Pakistani users to register an account with Binance and then transfer funds from their Binance wallet to the application. The FIA seeks records on the 26 wallets and other operational questions, including the process with which the fraudulent applications were linked to Binance. (Aislinn Keely / The Block)
Sports nonfungible token (NFT) minting platform and Animoca Brands subsidiary Lympo suffered a hot wallet security breach and lost 165.2 million LMT tokens worth $18.7 million at the time of the hack.
According to Lympo, ten different project wallets were compromised in the attack. It appears that most of the stolen tokens were sent to a single address, swapped for Ether (ETH) on Uniswap and SushiSwap, then sent elsewhere. (Brian Newar / Cointelegraph)
Polish opposition senator Krzysztof Brejza, whose phone was hacked with NSO Group’s Pegasus spyware, has filed a civil suit against Poland’s ruling party leader, Jaroslaw Kaczynski, for slander over comments suggesting that he was placed under surveillance in connection to wrongdoing.
Hours after the case was reported, Polish prosecutors informed Brejza’s father, a city mayor, that he was under investigation as a suspect and needed to appear for questioning. Brejza said the decision to summon his father is “revenge targeting the family” for the lawsuit and for revealing “crimes related to illegal surveillance of the opposition.” (Associated Press)
Microsoft researchers say threat actors could use a macOS vulnerability called powerdir to bypass Transparency, Consent, and Control (TCC) technology to access users' protected data.
Even though Apple has restricted TCC access only to apps with full disk access and set up features to automatically block unauthorized code execution, the researchers found that attackers could plant a second, specially crafted TCC database that would allow them to access protected user info. Apple fixed the vulnerability in security updates released last month. (Sergiu Gatlan / Bleeping Computer)
Related: AppleInsider, MacRumors, The Mac Observer, Microsoft Security, iPhone in Canada Blog, iPhone Hacks, Bleeping Computer, Reddit, Dark Reading, Neowin, The Hacker News, TechRadar
Microsoft Security Intelligence (@MsftSecIntel): A vulnerability in macOS, identified as CVE-2021-30970 and fixed by Apple in December, could allow an attacker to bypass Transparency, Consent, and Control (TCC) and gain unauthorized access to protected data. Read our analysis via @yo_yo_yo_jbo: https://t.co/vkkIw2HdZp
CyberScoop identified more than 20 federal law enforcement contracts signed since June, with a combined ceiling of over $7 million, that either included facial recognition in the award description or went to companies whose primary product is facial recognition technology.
The latest deal by federal law enforcement to use facial recognition technology was signed by the FBI on November 30. The contract calls for an $18,000 subscription license to the company’s facial recognition technology. (Tonya Jo Riley / Cyberscoop)
About 39 million purported VIP patient records allegedly from Siriraj Hospital in Thailand have been offered for sale on an internet database-sharing forum in what appears to be the latest hack of the country's public health sector.
The data supposedly comprises names, addresses, Thai IDs, phone numbers, gender details, dates of birth, and other information, according to the poster, who used the name "WraithMax." (Suchit Leesa-Nguansuk / Bangkok Post)
Related: Bangkok Post
Japanese tech giant Panasonic confirmed that hackers accessed personal information belonging to job candidates and interns during a November cyberattack.
The company confirmed the data breach on November 25 but couldn’t say then whether hackers accessed sensitive information. Now Panasonic says some personal information relating to candidates who applied for employment or participated in internships at certain company divisions was accessed during the incident. Panasonic said it was notifying those affected. (Carly Page / TechCrunch)
Cybersecurity firm Proofpoint said it had acquired Singapore-based artificial intelligence-powered data protection firm Dathena Science for an undisclosed sum.
Proofpoint said the acquisition reinforces its commitment to innovation and growth as a private company and increases its presence and investment in Asia. (Duncan Riley / Silicon Angle)