Cyber Security Headlines – December 15, 2021

Kronos ransomware outage drives widespread payroll chaos

On Saturday, Workforce-management provider, Kronos, whose customers include companies such as Tesla, Puma, and YMCA, had its private cloud services knocked offline by a ransomware attack, leaving customers frustrated and panicked as they confront end-of-year HR activities such as bonuses and vacation tracking. Kronos indicated Monday that the issue with their cloud services may take several weeks to resolve but clarified that on-premise deployments as well as UKG Pro, UKG Dimensions and UKG Ready offerings are not affected. Nick Tausek, security solutions architect at Swimlane, noted that details of the breach have not yet been disclosed, adding, “Although Kronos Private Cloud was secured by firewalls, encrypted transmissions and multi-factor authentication, cybercriminals were still able to breach and encrypt its servers.”

(Threatpost)

Log4j vulnerability update

On Monday, BitDefender reported that they found the first ransomware family, named ‘Khonsari,’ being installed directly via exploits which are loaded and executed by the Log4j application. Ransomware expert Michael Gillespie said that Khonsari uses valid encryption and is secure, meaning that it is not possible to recover files for free, however, it does not appear to include a way to contact the threat actor to pay a ransom. 

And on Tuesday, a second vulnerability involving Apache Log4j, which could be exploited to launch a denial of service (DOS) attack, was identified by cybersecurity experts while attempting to mitigate the initial vulnerability. The description of the new vulnerability, tagged CVE 2021-45046, states that the fix to address the initial bug in Apache Log4j 2.15.0 was “incomplete in certain non-default configurations.”

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal civilian executive branch agencies to mitigate the initial maximum severity Log4Shell remote code execution flaw (CVE-2021-44228), on internet-facing and non-internet-facing federal information systems by December 24, 2021. The vulnerability has been under active attack since exploits were publicly released on Friday. 

(Bleeping Computer and ZDNet)

Microsoft Patch Tuesday addresses zero-day exploited to spread Emotet malware

Microsoft’s final 2021 Patch Tuesday release includes 67 software fixes including seven critical issues and a zero-day flaw under active exploitation. The zero-day vulnerability is a Windows AppX Installer Spoofing vulnerability, rated a 7.1 severity, and is being exploited to spread the Emotet/Trickbot/Bazaloader malware families. Microsoft has also fixed Remote Code Execution (RCE), privilege escalation, spoofing, and denial-of-service flaws in Microsoft Office, PowerShell, the Chromium-based Edge browser, the Windows Kernel, Print Spooler, and Remote Desktop Client.  According to the Zero Day Initiative (ZDI), Microsoft has patched a total of 887 CVE-assigned vulnerabilities in 2021 which represents a 29% decrease from 2020 (not including Chromium-based Edge).

(ZDNet)

Thanks to our episode sponsor, Tines

Tines was founded by experienced security practitioners who cared about their teams. When they couldn’t find an automation platform that delivered, they founded a company and built their own. A few years later, customers like Coinbase, McKesson, and GitLab run their most important security workflows on Tines – everything from phishing response to employee onboarding. To learn more, visit tines.com.

Adobe joins security Patch Tuesday frenzy

On Tuesday, software maker Adobe issued critical warnings for security vulnerabilities in multiple products running on Windows and macOS machines. Adobe called special attention to patches which address three critical memory safety vulnerabilities in Photoshop 2021 and 2022, that could be exploited for code execution or memory leaks that could be used in exploit chains. Adobe also warned of at least 16 vulnerabilities in Adobe Premiere Rush, which could lead to arbitrary code execution, application denial-of-service, and privilege escalation. The company also patched multiple code execution issues in the Adobe Experience Manager and an arbitrary file system write bug in its Adobe Connect product. Adobe said it was not aware of in-the-wild exploitation but urges users to immediately apply the available fixes.

(SecurityWeek)

$135 million stolen from users of crypto gaming company

Hackers have stolen $135 million from users of  VulcanForge’s blockchain games such as VulcanVerse and a card game called Berserk. Hackers stole the private keys to access 96 wallets, siphoning off 4.5 million PYR, which is VulcanForge’s token that can be used across its ecosystem. This is the third major theft of cryptocurrency in the last eleven days resulting in roughly $404 million in stolen crypto. VulcanForge has advised users to remove their liquidity in order to make it difficult or impossible for the attacker to cash out. The company tweeted Monday that it had already refunded the majority of stolen PYR and claimed to have “isolated” all tokens stolen on centralized exchanges.

(Vice)

Homeland Security launches bug bounty program

The Homeland Security Department has launched a bug bounty program, dubbed “Hack DHS,” which will pay hackers between $500 and $5,000 for each flaw uncovered. The program will run in three phases throughout fiscal year 2022 starting with hackers performing assessments on select external DHS systems. The next phase will entail participants taking part in a live, in-person hacking event followed by the department identifying and reviewing lessons learned and planning for potential future bug bounties. Homeland Security Secretary Alejandro Mayorkas stated, “We’re focused not only on protecting and enhancing the cybersecurity of the private sector and of the federal government at large, but of course, we as a department have to lead by example.”  

(The Record)

Employees feel safe from cyberthreats when using company devices

A study of 2,000 employees in the US and UK conducted by Menlo Security reveals increasing threats to corporate devices and networks, with more than half of respondents (56% U.S.; 53% U.K.) reporting performing non-work-related tasks, such as online shopping, on company devices. 58% of respondents in the U.S. and 48% U.K. observed an increase in scams and fraudulent messages this holiday season with 80% of respondents indicating they are somewhat to very concerned about their personal data being stolen while online shopping. However, over 60% of respondents still believe they’re secure from cyberthreats if they’re using a company device. Mark Guntrip, senior director, cybersecurity strategy at Menlo Security notes that, “Workers are becoming increasingly aware of the threats that loom while browsing the web, however they have a false sense of security about the level of protection they have when using corporate devices. As a result, they are unintentionally exposing their corporate networks to a slew of vulnerabilities.” 

(Help Net Security)

Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.