Friday Squid Blogging: UK Recognizes Squid as Sentient Beings
2021-12-17 22:01

The UK government has officially included decapod crustaceans (including crabs, lobsters, and crayfish) and cephalopod mollusks (including octopuses, squid, and cuttlefish) in its Animal Welfare Bill. This means they are now recognized as "sentient beings" in the UK. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

CISA issues emergency directive to fix Log4j vulnerability
2021-12-17 21:29

The US government's Cybersecurity and Infrastructure Security Agency on Friday escalated its call to fix the Apache Log4j vulnerability with an emergency directive requiring federal agencies to take corrective action by 5 pm EST on December 23, 2021. "Since Log4Shell is a critical flaw with a huge attack surface and is very simple to exploit, threat actors are actively using it to launch their attacks even with a patch already released," said Felipe Tarijon, a malware analyst at AppGate Security, in an email to The Register. "Several state-sponsored groups are exploiting the flaw in the wild and making modifications to the Log4j exploit."

TellYouThePass ransomware revived in Linux, Windows Log4j attacks
2021-12-17 20:25

Threat actors have revived an old and relatively inactive ransomware family known as TellYouThePass, deploying it in attacks against Windows and Linux devices targeting a critical remote code execution bug in the Apache Log4j library. KnownSec 404 Team's Heige first reported these attacks on Twitter on Monday after observing that the ransomware was dropped on old Windows systems using exploits targeting the flaw tracked as CVE-2021-44228 and known as Log4Shell.

Facebook Bans Spy-for-Hire Firms for Targeting 50K People
2021-12-17 20:17

The spyware industry spreads far beyond the infamous Israeli spyware company NSO Group, Meta said, it being "only one piece of a much broader global cyber-mercenary ecosystem." Facebook sued NSO Group, maker of the notorious, industrial-grade spyware Pegasus, in 2019 over an alleged attack that exploited a zero-day vulnerability in WhatsApp's messaging platform to inject spyware onto victims' phones in targeted campaigns. The Israeli firm markets spyware that Meta's report said has been used in "frequent targeting of activists, opposition politicians and government officials in Hong Kong and Mexico." Its clients reportedly include the Department of Homeland Security, the Internal Revenue Service, and Saudi Arabia.

Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble
2021-12-17 19:57

Simply put, some internal errors in OpenSSL - a genuine but unlikely error, for example, such as running out of memory, or a flaw elsewhere in OpenSSL that provokes an error where there wasn't one - don't get reported correctly. Instead of percolating back to your application precisely, these errors get "remapped" as they are passed back up the call chain in OpenSSL, where they ultimately show up as a completely different sort of error.

Spider-Man Movie Release Frenzy Bites Fans with Credit-Card Harvesting
2021-12-17 19:49

Friday's release of Spider-Man: No Way Home is the first post-pandemic premiere to really have all the Hollywood blockbuster accessories: superheroes, Zendaya, a healthy dose of comic book nostalgia - even its own phishing scam. Researchers at Kaspersky warned that the release of Spider-Man: No Way Home is being used by cybercriminals to spread malware and steal banking information.

Malicious Joker App Scores Half-Million Downloads on Google Play
2021-12-17 19:23

The Joker malware is back again on Google Play, this time spotted in a mobile application called Color Message. Joker apps subscribe victims to unwanted, paid premium services controlled by the attackers - a type of billing fraud that researchers categorize as "fleeceware." Often, the victim is none the wiser until the mobile bill arrives.

Credit card info of 1.8 million people stolen from sports gear sites
2021-12-17 19:06

Four affiliated online sports gear sites have disclosed a cyberattack where threat actors stole credit cards for 1,813,224 customers. While not much is known about the attack, a law firm representing the four websites stated that personal information and credit card information, including full CVV, were stolen on October 1st, 2021.

CISA urges VMware admins to patch critical flaw in Workspace ONE UEM
2021-12-17 18:32

CISA has asked VMware admins and users today to patch a critical security vulnerability found in the Workspace ONE UEM console that threat actors could abuse to gain access to sensitive information. Workspace ONE Unified Endpoint Management is a VMware solution for over-the-air remote management of desktops, mobile, rugged, wearables, and IoT devices.

Brand-New Log4Shell Attack Vector Threatens Local Hosts
2021-12-17 17:43

Defenders will once again be busy beavers this weekend: There's an alternative attack vector for the ubiquitous Log4j vulnerability, which relies on a basic JavaScript WebSocket connection to trigger remote code execution on servers locally, via drive-by compromise. "This newly discovered attack vector means that anyone with a vulnerable Log4j version can be exploited through the path of a listening server on their machine, or local network through browsing to a website, and triggering the vulnerability," researchers said in a Friday note to Threatpost.