Threat Actor Is Using Log4Shell Vulnerability to Plant Web Shells on VMWare Horizon Servers

Polish leader admits country purchased Pegasus spyware, Log4Shell-like flaw afflicts H2 database consoles, FIN7 has been sending malicious USB devices, Power struggles arise in WH cyber circles, more

Jan 10

Check out my latest CSO column, which recaps the FTC’s warning on Log4j and highlights how another government agency, the SEC, is taking a dim view regarding failures to remediate Log4j vulnerabilities.

In the second known instance of a VMWare product targeted via the Log4Shell vulnerability, the UK National Health Service (NHS) security team said that it detected an unknown threat actor using the Log4Shell vulnerability to hack VMWare Horizon servers and plant web shells for future attacks.

VMWare issued a patch for the vulnerability, but the NHS says it is now seeing attacks trying to identify VMWare Horizon servers that haven’t been patched. The NHS released instructions on how to detect possible signs of exploitation. (Catalin Cimpanu / The Record)

Poland’s most powerful politician, Jaroslaw Kaczynski, the leader of the ruling conservative party, has acknowledged that the country bought Pegasus spyware from the Israeli surveillance software maker NSO Group but denied that it was being used to target his political opponents.

He also said that the spyware is used in many countries to combat crime and corruption and that the use of such spyware arose in response to the growing use of encryption to mask data in transit, which defeated earlier monitoring technologies. (Vanessa Gera / Associated Press)

Researchers at Jfrog disclosed a security flaw, CVE-2021-42392, affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j Log4Shell vulnerability that came to light last month.

The flaw is the "first critical issue published since Log4Shell, on a component other than Log4j, that exploits the same root cause of the Log4Shell vulnerability, namely JNDI remote class loading,” the researchers say. The flaw affects H2 database versions 1.1.100 to 2.0.204 and has been addressed in version 2.0.206 shipped on January 5, 2022. (Ravie Lakshmanan / The Hacker News)

Internet appliance company SonicWall confirmed that some of its email security and firewall products had been hit by the Y2K22 bug, causing message log updates and junk box failures starting with January 1st, 2022.

Email users and administrators will no longer be able to access the junk box or un-junk newly received emails on affected systems, nor will they trace incoming/outgoing emails using the message logs because they're no longer updated. SonicWall deployed updates to North American and European instances of Hosted Email Security, its cloud email security service, and released fixes for its on-premises Email Security Appliance (ES 10.0.15) and customers using firewalls with the Anti-Spam Junk Store functionality toggled on (Junk Store 7.6.9). (Sergiu Gatlan / Bleeping Computer)

Related: Neowin, SonicWall

The developer of open-source libraries colors.js and faker.js, Marak Squires, intentionally introduced an infinite loop that bricked thousands of projects that depend on colors and faker, causing applications to break and print gibberish data.

Squires corrupted the libraries in part because he believes mega-corporations and commercial consumers of open-source projects extensively rely on cost-free and community-powered software but do not give back to the community. Github has reportedly suspended Squires account. (Ax Sharma / Bleeping Computer)

Related: The Verge, Silicon Republic

Singapore’s OG department stores said a data breach leaked customers' personal information such as names, mobile numbers, dates of birth, and encrypted national registration identity card numbers and passwords.

OG said its preliminary investigations indicated that the database, which had been stored and managed by an external third-party membership portal service provider, had been compromised. The company urged customers who have reused their OG membership passwords across different websites or platforms to change their passwords immediately to avoid any possible compromise of their other accounts. (Rosalind Ang / The Straits Times)

In a security alert, the FBI says that FIN7, an infamous cybercrime group behind the Darkside and BlackMatter ransomware operations, has sent malicious USB devices to US companies over the past few months in the hopes of infecting their systems with malware and carrying out future attacks. The group targeted a defense industry company as recently as November 2021.

If plugged in the devices execute a BadUSB attack, where the USB drive registers itself as a keyboard instead and sends a series of preconfigured automated keystrokes to the user’s PC. The keystrokes run PowerShell commands that download and install various malware strains that act as backdoors for the attackers into the victims’ networks. (Catalin Cimpanu / The Record)

Tensions are mounting in the Biden administration for control over cybersecurity, with Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology viewed by some as an exclusionary and sharp-elbowed power player, sources say. However, Neuberger has a track record of being a change agent at the NSA and, now, at the top echelon of the executive branch’s security apparatus, both still male-dominated, although the latter arena increasingly less so.

Chris Inglis, a former mentor of Neuberger’s, is the nation’s first national cyber director and reports directly to the president. Inglis is viewed as a rival power center, leaving two people in charge of cybersecurity in the administration. Senator Mark Warner (D-VA), Chairman of the Senate Intelligence Committee, has expressed frustration in figuring out how the pieces of the administration’s cybersecurity policy fit. (William Turton / Bloomberg)

Jan Lemnitzer @JanLemnitzer

'The White House has “created an awkward situation from having nobody in charge of cyber to having two people in charge of cyber” Bloomberg - Are you a robot?bloomberg.com

Trump supporter and Cyber Ninjas founder Doug Logan, who was hired to run a now-excoriated review of the 2020 election in Arizona, told the state Senate president he’s starting a new company with some of the same employees as Cyber Ninjas and closing the old firm as it faces massive court fines for refusing to release public records.

Logan said he couldn’t sell his firm because of “too much negativity around the name,” but he plans to sell off all its assets to pay debts and eventually file for bankruptcy. He also says he can’t fulfill a court order to release public records because the company has no money, even though Trump allies raised millions of dollars for the unprecedented partisan election review. (Jonathan Cooper / Associated Press)

Related: Zero Day, Gizmodo

Kim Zetter @KimZetter

New: Yesterday Cyber Ninjas said it was insolvent & was closing shop & firing workers rather than comply w/ court order to provide records related to election review in AZ and pay fines. But CEO Doug Logan actually has a 2nd company he created last year

Cyber Ninjas CEO Launched Second Company Last YearA spokesman for the controversial company said Thursday that it was dissolving and laying off the CEO and all employees, after a court levied heavy fines against it. But the CEO has a second company.zetter.substack.com

Like Norton antivirus, Avira antivirus is also shipping a program that allows 500 million worldwide customers to make money through cryptocurrency mining.

Avira was recently bought by the same company that owns Norton 360 and is introducing its customers to a service called Avira Crypto. Some indications suggest that Avira uses the same crypto mining code as Norton Crypto. (Brian Krebs / Krebs on Security)

Related: reddit TECH NEWS, Slashdot

briankrebs @briankrebs

Norton360 isn't the only antivirus product installing cryptominers. Avira, a "free" antivirus product w/ > 500M users, recently introduced users to Avira Crypto. Avira is now owned by NortonLifeLock, which also just bought Avast antivirus (500M users)

500M Avira Antivirus Users Introduced to CryptominingMany readers were surprised to learn recently that the popular Norton 360 antivirus suite now ships with a program which lets customers make money mining virtual currency. But Norton 360 isn’t alone in this dubious endeavor: Avira antivirus -- which…krebsonsecurity.com

Victims of the $200 million BitMart hack say that five weeks have passed since the crypto exchange vowed to return their money, but many still haven’t seen a dime, causing at least one victim of the hack to become suicidal.

The exchange’s lack of communication about when victims will receive their money has fired the so-called “Safemoon Army,” a term given to the community of safemoon token holders, who have historically proven to be a formidable force when they coalesce around a cause. A hefty portion of the stolen currency was safemoon tokens. (MacKenzie Sigalos / CNBC)

In what some experts say is a naked bid to generate media stories, the ransomware group Ragnar_Locker spread claims of a successful hack of telecom analytics firm Subex and its Broomfield, CO-based cybersecurity subsidiary, Sectrio. Ragnar_Locker’s leak site on the dark web showed a ‘.onion’ link purportedly containing vital information about the company and its employees.

An unconfirmed online report stated the firewall, router and VPN configuration data, company passwords, and employee documents were published in the link. (Logan Smith / CBS Denver)

Will | Bushido @BushidoToken

⚠️ There are multiple Twitter bots sharing links to a recent ransomware leak replying to tweets of @BleepinComputer and @vxunderground. This is potentially a tactic to get a story written about them in the media to pressure the victim. They have done Facebook adverts in the past.

Biometric face authentication and verification technology start-up iProov announced a $70 million growth investment from Sumeru Equity Partners.

Several organizations use iProov’s biometric authentication technology, including the U.S. Department of Homeland Security, the UK Home Office, the UK National Health Service (NHS), the Australian Taxation Office, GovTech Singapore, Rabobank, ING, and others. (Ingrid Lunden / TechCrunch)