Hello and welcome back to the GlobalSign blog! Hoping everyone enjoyed the holidays. And now…back to reality.
First up, on Tuesday the United States Federal Trade Commission (FTC) issued a stern warning to companies that have not yet patched the Log4j vulnerability: We will find you. The agency explained it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” It added, “Failure to identify and patch instances of this software may violate the FTC Act.”
According to Gizmodo - which describes Log4j as “a big, terrible security vulnerability” - the FTC has the power to sue companies for sub-standard security practices that endanger customer data.
Log4j caused plenty of trouble late last year, which is why the FTC is clamping down. For example, just before the holiday break, CrowdStrike’s Falcon OverWatch team found that a China-linked cyberespionage group, Aquatic Panda, was exploiting the Log4Shell vulnerability to compromise a large academic institution. To date, the institution has not been named.
Tracked as CVE-2021-44228 and also referred to as Log4Shell and LogJam, the security hole affects the Apache Log4j Java logging framework and has been exploited in targeted attacks since early December.
Another important, ongoing story is related to last month’s ransomware attack on HR and payroll software provider Kronos. Due to the timing, it was initially thought to possibly be related to Log4j. But that hasn’t panned out.
What is true, however, is that some of Kronos’ customers - especially those in healthcare and in the public sector - are still being impacted nearly a month later.
According to SCMagazine, healthcare providers such as Penn Highlands Healthcare, University of Missouri Health Care, the University of Florida Health, OhioHealth, and Care New England have all been impacted by the hack.
The Stack discusses the impact on the public sector. The story explains that the New York Metropolitan Transportation Authority, the City of Cleveland, the state of West Virginia, the Oregon Department of Transportation, the University of California system, and Honolulu’s EMS and Board of Water Supply, along with scores of smaller local authorities, have been affected.
The ransomware attack has also impacted customers of Kronos such as materials science company Corning. The New York-based company gave some employees who use the Kronos system a one-time $500 cash gift and a $1,000 advance of their annual bonus. Good on Corning!
In other news, Google rolled out an update for Chrome this week on Windows, Mac and Linux that included 37 security fixes, one of which was rated critical.
Also, a Zloader malware campaign has been exploiting Microsoft’s digital signature verification to steal cookies, passwords and sensitive information, according to researchers. The malware exploits Microsoft’s digital signature verification method by injecting a payload into a signed system DLL to evade the system’s defenses.
That’s a wrap for this week. Wishing everyone a great weekend!
Top Global Security News
ZDNet (January 5, 2022) Google Chrome update includes 37 security fixes
"Google rolled out an update for Chrome this week on Windows, Mac and Linux that included 37 security fixes, one of which was rated critical.
Google Chrome's Prudhvikumar Bommana thanked dozens of security researchers for helping them find bugs, many of which were given a high severity rating.
Chrome 97.0.4692.71 includes fixes for CVE-2022-0096 -- a critical use-after-free (UAF) vulnerability -- as well as other UAFs like CVE-2022-0098, CVE-2022-0099, CVE-2022-0103, CVE-2022-0105 and CVE-2022-0106. There are also three heap buffer overflow issues rated high severity.
Google did not say if exploits exist for any of the vulnerabilities, but BreachQuest CTO Jake Williams said he was not aware that any of these vulnerabilities are being actively exploited in the wild."
DataBreachToday (January 5, 2022) ZLoader Malware Exploits Microsoft Signature Verification
"A Zloader malware campaign has been exploiting Microsoft’s digital signature verification to steal cookies, passwords and sensitive information, according to researchers.
The threat actor, likely MalSmoke, used legitimate remote management software to gain initial access to the target machine, says Golan Cohen, malware analyst at Check Point Research, which published the research report. The Israeli cybersecurity company's cyber threat intelligence unit says that it has been tracking the infection chain since early November 2021.
The malware exploits Microsoft’s digital signature verification method by injecting a payload into a signed system DLL to evade the system’s defenses, which, according to Cohen, shows how the Zloader campaign authors put effort into defense evasion and are updating their methods on a weekly basis."
ZDNet (January 4, 2022) FTC to pursue companies that expose customer data due to not patching Log4j
"The United States Federal Trade Commission has issued a warning that it will chase companies that do not remedy the vulnerability in the Java logging package Log4j.
'The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,' the agency said on Tuesday.
'Failure to identify and patch instances of this software may violate the FTC Act.'"
SC Mag (January 4, 2022) Cyberattack on payroll vendor Kronos disrupting healthcare workforce paychecks
"The ongoing ransomware attack and recovery efforts on HR and payroll vendor Kronos are affecting payroll services at some health systems, which includes reduced paychecks for some healthcare employees, according to local news reports. The human resource and payroll vendor is widely used across the healthcare sector.
On Dec. 13, Kronos began notifying its clients that it was facing the impacts of a ransomware attack on its private cloud platform, which hosts the vendor’s Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling solutions. The attack left those platforms unavailable, while Kronos worked to restore system availability for clients.
Companies have been forced to manually track and estimate employee hours, in addition to issuing employees paper checks. On Dec. 21, Fitch Ratings noted the incident could possibly result in paycheck delays and determined healthcare would be most impacted by the Kronos disruption, given the widespread use of Kronos for payroll and workforce solutions across the sector."
Bleeping Computer (January 2, 2022) Microsoft releases emergency fix for Exchange year 2022 bug
"Microsoft has released an emergency fix for a year 2022 bug that is breaking email delivery on on-premise Microsoft Exchange servers.
As the year 2022 rolled in and the clock struck midnight, Exchange admins worldwide discovered that their servers were no longer delivering email. After investigating, they found that mail was getting stuck in the queue, and the Windows event log showed one of the following errors.
These errors are caused by Microsoft Exchange checking the version of the FIP-FS antivirus scanning engine and attempting to store the date in a signed int32 variable.
However, this variable can store only a maximum value of 2,147,483,647, which is less than the new date value of 2,201,010,001 for January 1st, 2022, at midnight.
Due to this, when Microsoft Exchange attempts to check the AV scanning version, it would generate a bug and cause the malware engine to crash."
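To make the overflow described in that excerpt concrete, here is a small added example in C. It is not code from Bleeping Computer or Microsoft; the YYMMDDNNNN version encoding, the function names and the sample version strings are assumptions for illustration. It parses a date-based engine version the way the bug did (into a signed 32-bit field, which cannot hold 2201010001) and beside it the range-checked 64-bit parse a hardened engine would use, plus a pre-release check that tells you whether a new build number would survive the legacy field.

```c
#include <errno.h>
#include <inttypes.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example. Assumption: engine versions are 10-digit decimals encoded as
 * YYMMDDNNNN, so the first build of 1 Jan 2022 is "2201010001". All function
 * names here are illustrative, not Exchange or FIP-FS internals. */

/* Bug pattern: the version is parsed and stored in a signed 32-bit field.
 * 2201010001 exceeds INT32_MAX (2147483647), so the field cannot represent it;
 * on common two's-complement compilers the assignment wraps to a negative
 * number, exactly the kind of garbage that makes a later version check fail. */
int32_t parse_version_int32(const char *s)
{
    long long v = strtoll(s, NULL, 10);
    return (int32_t)v;  /* silently truncates out-of-range values */
}

/* Hardened parse: 64-bit storage plus explicit format and range checks.
 * Returns 0 on success and stores the value in *out; returns -1 for empty
 * input, trailing junk, negative values or values that overflow long long. */
int parse_version_safe(const char *s, int64_t *out)
{
    char *end = NULL;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0' || v < 0)
        return -1;
    *out = (int64_t)v;
    return 0;
}

/* Single-return-value wrapper: the parsed version, or -1 when rejected. */
int64_t parse_version_or_neg(const char *s)
{
    int64_t v = 0;
    return parse_version_safe(s, &v) == 0 ? v : -1;
}

/* Would this version survive the legacy 32-bit field? Run this on a new
 * build number before shipping it to installations that still store the
 * value in int32; a date rollover is caught here instead of in production. */
int fits_int32(int64_t v)
{
    return v >= 0 && v <= INT32_MAX;
}

/* "Is the candidate engine at least as new as the installed one?" done on the
 * wide type, so a date rollover cannot make a newer build look older. */
int version_is_current(int64_t installed, int64_t candidate)
{
    return candidate >= installed;
}

int main(void)
{
    /* Constructed sample input: last 2021 build and first 2022 build. */
    const char *versions[] = { "2112310001", "2201010001" };
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++) {
        int64_t wide = 0;
        int32_t narrow = parse_version_int32(versions[i]);
        if (parse_version_safe(versions[i], &wide) != 0) {
            printf("%s: rejected by safe parser\n", versions[i]);
            continue;
        }
        printf("%s: int32 field=%" PRId32 " int64 field=%" PRId64 " fits_int32=%d\n",
               versions[i], narrow, wide, fits_int32(wide));
    }
    return 0;
}
```

Running it shows the December 2021 build round-tripping through both parsers while the January 2022 build keeps its value only in the 64-bit field; fits_int32 reports 0 for it, which is the check that would have flagged the rollover before it reached a live server.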
SecurityWeek (December 29, 2021) Chinese Spies Exploit Log4Shell to Hack Major Academic Institution
"China-linked cyberespionage group Aquatic Panda was recently observed exploiting the Log4Shell vulnerability to compromise a large academic institution, CrowdStrike’s Falcon OverWatch team reports.
Tracked as CVE-2021-44228 and also referred to as Log4Shell and LogJam, the security hole affects the Apache Log4j Java logging framework and has been exploited in targeted attacks since early December.
As part of a recent campaign, the OverWatch security researchers observed Aquatic Panda leveraging a modified version of the Log4j exploit for initial access, and then performing various post-exploitation operations, including reconnaissance and credential harvesting.
In their attempt to compromise the unnamed academic institution, the attackers targeted a VMware Horizon instance that employed the vulnerable Log4j library. The exploit used in this attack was initially published on GitHub on December 13."
Other Industry News
France hits Facebook and Google with $210 million in fines - Bleeping Computer
NY AG notifies 17 companies of breaches, says 1.1 million accounts compromised in attacks - ZDNet
Lapsus$ ransomware gang hits SIC, Portugal's largest TV channel - The Record by Recorded Future
Companies Face Stricter Cyber Rules in 2022 - Wall Street Journal
FBI Arrests Suspect in Unpublished Book Manuscript Phishing Scam - Variety
Log4j Highlights Need for Better Handle on Software Dependencies - Dark Reading
Serious Vulnerability Allows Phishing Emails Exploiting Uber Domain - Latest Hacking News
Diagnostic Artificial Intelligence Models Can Be Tricked By Cyberattacks - HealthITSecurity
CISOs Plan What to Buy With Funds From the Infrastructure Bill - Dark Reading