Cyber Security Headlines – December 14, 2021

New details on the Log4Shell attacks

Researchers at Cisco and Cloudflare report that the first attacks on the Log4J utility were actually observed on December 1st, although mass exploitation wasn’t seen until the vulnerability was publicly disclosed last week. Log4Shell has already been used by crypto-mining and DDoS botnets, as well as to deploy Cobalt Strike backdoors. An update to Log4J has been released, but large enterprises may not be able to update quickly. Given that the attack can be used to obtain network configuration and all sorts of other organizational data, it would not be surprising to see APTs exploiting this data for months to come.

(The Record)

Apple releases Android AirTag detector

Apple released the Tracker Detect Android app. This will flag any nearby AirTags or Find My-compatible trackers separated from an owner as an “Unknown AirTag.” If the AirTag follows you for ten minutes, you can use the app to make it play a sound, and learn how to disable it once located. Apple bills this as a way to find AirTags “inadvertently” traveling with you, but it’s clear to see there are larger privacy issues at play with AirTags that this app helps mitigate. You don’t need an Apple account for the app.

(9to5Mac)

UKG hit with ransomware

The payroll and HRM software company said it may take several weeks to fully restore cloud systems after a ransomware attack over the weekend. This doesn’t impact just its operations but its service to customers, with some Kronos Private Cloud servers down. This is impacting a subset of Kronos cloud-hosted services. Self-hosted solutions are not impacted as they reside inside customer environments. The company recommends impacted customers “evaluate and implement alternative business continuity protocols.” UKG did not provide additional details on the attack or its potential cause.

(The Record)

White House to order online modernization in federal agencies

A new US Executive Order directs 17 government agencies to modernize the way critical services are delivered to Americans, including bringing more services online. The order focuses on agencies that have the most interaction with individuals, outlining 30 updates, from online passport renewal to disaster victims submitting photos of property damage by mobile phone. The order provides no new funding, with agencies expected to use existing technical resources and the White House’s United States Digital Service to meet these goals. While USDS resources have recently been expanded, the agencies will largely have to determine internally how to safely and quickly expand these services online.

(Protocol)

Thanks to our episode sponsor, Tines

Tines was founded by experienced security practitioners who cared about their teams. When they couldn’t find an automation platform that delivered, they founded a company and built their own. A few years later, customers like Coinbase, McKesson, and GitLab run their most important security workflows on Tines – everything from phishing response to employee onboarding. To learn more, visit tines.com.

iOS update adds Message scanning feature

The release of iOS 15.2 includes the previously announced iMessage feature that will detect nude images on devices used by children. This will blur out detected images, provide a warning when clicking through to view, and provide the ability to contact parents about the image. In a change from the initial feature announcement, parents will not be automatically notified. iOS 15.2 does not include client-side scanning for child sexual abuse material in iCloud Photos. Following concerns from privacy organizations, this CSAM scanning feature has been delayed indefinitely.

(Bloomberg)

Malicious PyPI packages surprisingly popular

Security researcher Andrew Scott discovered three malicious packages hosted on the code repository. Collectively they’ve been downloaded over 12,000 times. One package looks like an AWS login tool, but installs a known trojan. This had only been uploaded on December 1st and downloaded less than 600 times. The other two appear as part of a library import string, but look to be built for data exfiltration, and account for the bulk of the downloads. The Python security team removed them on December 10th, but they will live on in production in projects that imported them before that time.

(ThreatPost)

Mozilla becoming slightly less Google dependent

The Mozilla Foundation released its 2020 financial report, showing its for-profit arm, the Mozilla Corporation, generated $466 million in revenue from search partnerships, subscriptions, and advertising, roughly flat from 2019. 86% of Mozilla’s 2020 revenue came from its search deal with Google. Mozilla estimates 2021 revenue of over $500 million, with revenue from new products like Pocket, Relay Premium and Mozilla VPN, expected to grow 150% on the year to 14% of overall revenue. Mozilla VPN appears to be fueling a lot of this growth, with revenue from that service alone up 450% in 2021.

(TechCrunch)

Indian Prime Minister didn’t announce anything about Bitcoin

India isn’t known as the friendliest country toward cryptocurrency, so it was surprising to see Prime Minister Narendra Modi tweet out that the country had adopted Bitcoin as legal tender. This was obviously a hack into Modi’s account, and pointed to a broken scam website. The Prime Minister’s office acknowledged the account was “briefly compromised,” but is now secured. This doesn’t appear to be part of a larger-scale campaign, like the social engineering-based attack that took over prominent Twitter accounts last year. There is no indication of who was responsible or how they got access.

(Engadget)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.