Security News

The disclosure of the critical Log4Shell (CVE-2021-44228) vulnerability and the release of first one and than additional PoC exploits has been an unwelcome surprise for the entire information...

Workforce management solutions provider Kronos has suffered a ransomware attack that will likely disrupt many of their cloud-based solutions for weeks. Kronos is a workforce management and human resources provider who provides cloud-based solutions for managing timekeeping, payroll, employee benefits, analytics, and more.

Romanian law enforcement authorities arrested a ransomware affiliate suspected of hacking and stealing sensitive info from the networks of multiple high-profile companies worldwide, including a large Romanian IT company with clients from the retail, energy, and utilities sectors. The apprehended ransomware affiliate stole a wide range of sensitive info from its targets' systems according to the Romanian National Police, including companies' financial information, employees' personal information, and customers' details.

"The JNDI lookup feature of log4j allows variables to be retrieved via JNDI - Java Naming and Directory Interface. This is an API that that provides naming and directory functionality to Java applications. While there are many possibilities, the log4j one supports LDAP and RMI. In other words, when a new log entry is being created, and log4j encounters a JNDI reference, it will actually literally go to the supplied resource and fetch whatever it needs to fetch in order to resolve the required variable. And in this process, it might even download remote classes and execute them!".Don't underestimate the attack surface of the Remote code injection in Log4j.

A new² study provides insights for cybersecurity professionals into the minds of C-suite executives and how they perceive their organisations' readiness for ransomware attacks. The survey of 750 C-level executives across the United States and the United Kingdom reveals that the high-profile ransomware attacks of 2021 have created an opportunity for cybersecurity leaders to proactively address their organisational readiness by providing more detailed updates and actionable intelligence to the C-suite.

Threat actors are actively weaponizing unpatched servers affected by the newly disclosed "Log4Shell" vulnerability in Log4j to install cryptocurrency miners, Cobalt Strike, and recruit the devices into a botnet, even as telemetry signs point to exploitation of the flaw nine days before it even came to light. The latest development comes as it has emerged that the vulnerability has been under attack for at least more than a week prior to its public disclosure on December 10, and companies like Auvik, ConnectWise Manage, and N-able have confirmed their services are impacted, widening the scope of the flaw's reach to more manufacturers.

Threat actors and researchers are scanning for and exploiting the Log4j Log4Shell vulnerability to deploy malware or find vulnerable servers. Below we outline the known attacks currently exploiting the Log4j vulnerability.

Over the past few years, Qbot has grown into widely spread Windows malware that allows threat actors to steal bank credentials and Windows domain credentials, spread to other computers, and provide remote access to ransomware gangs. Victims usually become infected with Qbot through another malware infection or via phishing campaigns using various lures, including fake invoices, payment and banking information, scanned documents, or invoices.

Issued today, the report from PWC said that the hugely harmful Conti ransomware infection was caused because of the simplest attack vector known to infosec: spam. Even worse, PWC said HSE personnel had spotted the WizardSpider crew behind the infection operating on HSE networks - yet "These did not result in a cybersecurity incident and investigation initiated by the HSE".

A new phishing campaign that targets German e-banking users has been underway in the last couple of weeks, involving QR codes in the credential-snatching process. If the embedded button is clicked, the victim arrives at the phishing site after passing through Google's feed proxy service 'FeedBurner.