Cyber Security Headlines – Week in Review – Dec 13-17, 2021

This week’s Cyber Security Headlines – Week in Review, Dec 13-17, is hosted by Rich Stroffolino with our guest, Patti Titus, Chief Privacy and Information Security Officer, Markel

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion.

New details on the Log4Shell attacks

Researchers at Cisco and Cloudflare report that the first attacks on the Log4J utility were actually observed on December 1st, although mass exploitation wasn’t seen until the vulnerability was publicly disclosed last week. Log4Shell has already been used by crypto-mining and DDoS botnets, as well as to deploy Cobalt Strike backdoors. An update to Log4J has been released, but large enterprises may not be able to update quickly. Given that the attack can be used to obtain network configuration and all sorts of other organizational data, it would not be surprising to see APTs exploiting this data for months to come.

Log4J vulnerability used by APTs

Microsoft and the security firm Mandiant report they observed groups with ties to China, Iran, Turkey, and North Korea launching attacks with the exploit. This includes the China-backed group that was responsible for widespread attacks on Exchange servers earlier this year. These appeared to be both tests of the vulnerability’s effectiveness, as well as actual attacks against targets. Checkpoint Research reported its seen almost 600,000 attempts to use the vulnerability since disclosure. In related news, CISA ordered all federal civilian agencies to patch Log4J bv December 24th.

(WSJ, The Record)

Cyber incident reporting mandates suffer another congressional setback

A compromise version of the fiscal 2022 National Defense Authorization Act (NDAA) released Tuesday leaves out the language, which would set timeframes for when critical infrastructure owners and operators must report major incidents and some companies would have to report making ransomware payments. Supporters of the language ran out of time to reach an agreement on the final phrasing before NDAA sponsors moved ahead on their final compromise bill, a senior Senate aide said. Considered to be a big setback for backers of the reporting mandates, the reason for the block appeared to be the reluctance to agree to a bipartisan bill on the part of a particular high-ranking participant.

(Cyberscoop)

North American propane distributor ‘Superior Plus’ discloses ransomware attack

The company says it discovered the breach on Sunday, December 12, and that, as a response, it took steps to mitigate impact on corporate data and operations. Chris Clements, VP of Solutions Architecture, Cerberus Sentinel, points out that the attack was only detected after the ransomware was deployed, but that it’s unclear for how long the attackers actually had access to Superior Plus’ systems before that. “Normal attacker dwell time typically extends weeks or months before they trigger ransomware. During this time, the attackers pivot throughout the victim’s network and attempt to escalate their access level to gain complete control of all systems and data. Mass scale data exfiltration has also become the norm in these events that can trigger a secondary extortion demand from the attackers,” Clements says.

(SecurityWeek)

Thanks to our episode sponsor, Tines

Tines is no-code automation for security teams, trusted by the world’s best companies like Canva, Auth0, and Coinbase. This holiday season, book a 10 minute demo of Tines and we’ll donate $100 to your favorite charity – we’re that certain you’ll love what you see. Head over to tines.com/charity to book your 10 minute demo and send $100 to your favorite cause.

Researchers uncover new coexistence attacks on Wi-Fi and Bluetooth chips

Cybersecurity researchers have demonstrated a new attack technique that makes it possible to leverage a device’s Bluetooth component to directly extract network passwords and manipulate traffic on a Wi-Fi chip. The novel attacks work against the so-called “combo chips,” which are specialized chips that are equipped to handle different types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, and LTE. Coexistence refers to a mechanism wherein Bluetooth, Wi-Fi, and LTE share the same components and resources — e.g., antenna or wireless spectrum — necessitating that these communication standards coordinate the spectrum access to avoid collisions when operating in the same frequency. Chipset vendors use this principle to allow Wi-Fi and Bluetooth to operate virtually concurrently.

(The Hacker News)

U.S. airlines warn 5G wireless could wreak havoc with flights

Plans by wireless carriers to use spectrum for 5G wireless services starting Jan. 5 could disrupt thousands of daily flights and cost air passengers $1.6 billion annually in delays, according to United Airlines and other US carriers. Last week, the FAA issued new airworthiness directives warning that interference from 5G wireless spectrum could result in flight diversions, but did not quantify the impact. But according to United’s CEO Scott Kirby, “Coming Jan. 5 — unless something changes — we will not be able to use radio altimeters at 40-something of the largest airports in the country, meaning that at major U.S. airports in the event of bad weather, cloud cover or even heavy smog “you could only do visual approaches essentially.”

(Reuters)

Employees feel safe from cyberthreats when using company devices

A study of 2,000 employees in the US and UK conducted by Menlo Security reveals increasing threats to corporate devices and networks, with more than half of respondents (56% U.S.; 53% U.K.) reporting performing non-work-related tasks, such as online shopping, on company devices. 58% of respondents in the U.S. and 48% U.K. observed an increase in scams and fraudulent messages this holiday season with 80% of respondents indicating they are somewhat to very concerned about their personal data being stolen while online shopping. However, over 60% of respondents still believe they’re secure from cyberthreats if they’re using a company device. Mark Guntrip, senior director, cybersecurity strategy at Menlo Security notes that, “Workers are becoming increasingly aware of the threats that loom while browsing the web, however they have a false sense of security about the level of protection they have when using corporate devices. As a result, they are unintentionally exposing their corporate networks to a slew of vulnerabilities.” 

(Help Net Security)

Fear fatigue exploits cybersecurity of remote employees

The latest report from Malwarebytes revealed that 61% acknowledge that employees experience fear fatigue, with 27% feeling particularly overwhelmed by fear. Malwarebytes stated that nearly 80% of survey respondents reported some level of fear fatigue within their organization. Fear fatigue is defined as the demotivation to follow recommended protective behaviors, emerging gradually over time and affected by a number of emotions, experiences, and perceptions. Fear fatigue can often lead to employees’ negligent behavior, such as opening an email attachment without properly scrutinizing the sender or neglecting to turn on a VPN while using public Wi-Fi.

(CISO Magazine)