Archive for December, 2021

“Log4Shell” Java Flaw Being Used To Deliver Malware & Crypto-Miners

Posted in Commentary with tags on December 13, 2021 by itnerd

Last Friday a super critical Java flaw called “Log4Shell” came to light and sent sysadmins scrambling to patch all the things. Websites around the world have gone down so that this flaw could be patched, for example. And now we know why. According to Bleeping Computer, threat actors have been using the vulnerability to deliver crypto-miners, botnet malware, and penetration testing tools that could be used to deploy ransomware on affected systems:

As soon as the vulnerability was released, we saw threat actors exploiting the Log4Shell vulnerability to execute shell scripts that download and install various cryptominers, as shown below.

The threat actors behind the Kinsing backdoor and cryptomining botnet are heavily abusing the Log4j vulnerability with Base64 encoded payloads that have the vulnerable server download and execute shell scripts.

And:

Netlab 360 reports that the threat actors exploit the vulnerability to install the Mirai and Muhstik malware on vulnerable devices.

These malware families recruit IoT devices and servers into their botnets and use them to deploy cryptominers and perform large-scale DDoS attacks.

And:

The Microsoft Threat Intelligence Center reported that the Log4j vulnerabilities are also being exploited to drop Cobalt Strike beacons.

Cobalt Strike is a legitimate penetration testing toolkit where red teamers deploy agents, or beacons, on “compromised” devices to perform remote network surveillance or execute further commands.

However, threat actors commonly use cracked versions of Cobalt Strike as part of network breaches and during ransomware attacks. 

And finally:

In addition to using the Log4Shell exploits to install malware, threat actors and security researchers are using the exploit to scan for vulnerable servers and exfiltrate information from them.

So if you haven’t patched your infrastructure, you should get to it as it clearly is being exploited.

Amazon Explains Why AWS Went Down On Tuesday

Posted in Commentary with tags on December 12, 2021 by itnerd

On Tuesday, AWS had a massive outage that took down a lot of the Internet in the process. Amazon has published a post-event summary that details why they went down. It’s a very detailed explanation that is very technical:

To explain this event, we need to share a little about the internals of the AWS network. While the majority of AWS services and all customer applications run within the main AWS network, AWS makes use of an internal network to host foundational services including monitoring, internal DNS, authorization services, and parts of the EC2 control plane. Because of the importance of these services in this internal network, we connect this network with multiple geographically isolated networking devices and scale the capacity of this network significantly to ensure high availability of this network connection. These networking devices provide additional routing and network address translation that allow AWS services to communicate between the internal network and the main AWS network. At 7:30 AM PST, an automated activity to scale capacity of one of the AWS services hosted in the main AWS network triggered an unexpected behavior from a large number of clients inside the internal network. This resulted in a large surge of connection activity that overwhelmed the networking devices between the internal network and the main AWS network, resulting in delays for communication between these networks. These delays increased latency and errors for services communicating between these networks, resulting in even more connection attempts and retries. This led to persistent congestion and performance issues on the devices connecting the two networks.

Hopefully Amazon addresses this so that this doesn’t happen again. Though I am not hopeful given that AWS doesn’t exactly have a good track record in terms of stability.

A Pair Of Senators Are Calling For Facebook To Be Investigated…. Perhaps They Want To #DeleteFacebook ?

Posted in Commentary with tags on December 11, 2021 by itnerd

Two leading U.S. Senators “are urging federal regulators to investigate Facebook over allegations the company misled advertisers, investors and the public about public safety and ad reach on its platform”:

On Thursday, Warren urged the heads of the Department of Justice and Securities and Exchange Commission to open criminal and civil investigations into Facebook or its executives to determine if they violated U.S. wire fraud and securities laws. 

A day earlier, [Senator Maria] Cantwell, chair of the Senate Commerce Committee, encouraged the Federal Trade Commission to investigate whether Facebook, now called Meta, violated the agency’s law against unfair or deceptive business practices. Cantwell’s letter was made public on Thursday.

Facebook hasn’t responded to this, but this can’t be going over well with Zuckerberg and company. The last thing that they want is even more scrutiny above and beyond what they are already under. And seeing that 2022 is an election year in the US, I fully expect more calls for investigations into Facebook will be made. And one of those is sure to stick.

Remedy Entertainment Announces Alan Wake 2

Posted in Commentary with tags on December 10, 2021 by itnerd

Today, at The Game Awards 2021, Remedy Entertainment announced Alan Wake 2, the long-awaited sequel to the studio’s award-winning 2010 psychological thriller. Alan Wake 2 is being published by Epic Games and will be available in 2023 for PC on the Epic Games Store, PlayStation 5, and Xbox Series X|S.

Remedy Entertainment will reveal more on Alan Wake 2 in summer 2022.

The original Alan Wake followed the titular protagonist on a desperate search for his missing wife, Alice. As he discovered pages of a horror story he had supposedly written, author Alan Wake was forced to question his sanity as, page by page, the story came true before his eyes. Earlier this year, Remedy and Epic Games Publishing released a modern remaster of the title, Alan Wake Remastered, for PC on the Epic Games Store, and via physical and digital editions on PlayStation 5, PlayStation 4, Xbox Series X|S, and Xbox One consoles.

For more information, head to www.alanwake.com and follow @AlanWake on Twitter and Facebook for the latest details.

Severe Flaw In Java Library Sends Sysadmins Scrambling To Patch Everything

Posted in Commentary with tags on December 10, 2021 by itnerd

A new actively exploited vulnerability has been discovered and sysadmins around the world are scrambling to patch all the things. Malwarebytes has a very good description of this here, but here are the highlights:

If you’re running a service that relies on Apache Struts or uses the popular Apache Log4j utility we hope you haven’t made plans for the weekend.

An exploit listed as CVE-2021-44228 was made public on December 9, 2021. The exploit is simple, easy to trigger, and can be used to perform remote code execution (RCE) in vulnerable systems, which could allow an attacker to gain full control of them. All an attacker has to do is get the affected app to log a special string. For that reason, researchers have dubbed the vulnerability “Log4Shell”.

The vulnerability has a CVSS score of 10.0 out of a possible 10. It impacts Apache Log4j versions 2.0-beta9 to 2.14.1. Mitigations are available for version 2.10 and higher.

Log4j is an open source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the potential reach of this problem is enormous.

I can say that many companies are scrambling to patch the vulnerability via asking my friends “off the record”. I have to assume that it includes Steam and Apple as they are specifically called out as being vulnerable. That’s because it is being actively exploited. Thus making this as non-trivial as “non-trivial” gets.

Yikes!

Iron Galaxy Studios reveals Rumbleverse

Posted in Commentary with tags on December 10, 2021 by itnerd

Tonight at The Game Awards, Iron Galaxy Studios unveiled Rumbleverse, an all-new, free-to-play, 40-person Brawler Royale being published by Epic Games.

Players will get launched from a cannon and drop into Grapital City, where there’s chaos around every corner and on top of the tallest skyscrapers. Rumbleverse will have players leaping from rooftop to rooftop and smashing open crates looking for weapons, upgrades, new moves, and perks, in their quest for glory!

Rumbleverse also features extensive brawler customization, allowing players to mix and match hundreds of unique items so they can stand out from the crowd.

Check out the World Premiere trailer here and get your first glimpse at Rumbleverse in action in the full gameplay reveal trailer.

Additionally, Iron Galaxy will be hosting a Rumbleverse “First Look” gameplay event on PC, PlayStation 5, and Xbox Series X|S on Friday, December 10. This limited-time event will be open to a select number of lucky players who will be among the first to drop into Grapital City. Interested players can head over to www.rumbleverse.com to sign up.

Early access to Rumbleverse begins on February 8, 2022 on PC via the Epic Games Store, PlayStation 5, PlayStation 4, Xbox Series X|S, and Xbox One consoles. The game will fully support crossplay and cross-progression, making it easy to team up or battle it out with your friends no matter where you choose to play.

Creative’s Holiday Gift Ideas for Everyone at Home

Posted in Commentary with tags on December 10, 2021 by itnerd

The holidays are here and Creative has got you covered. Your readers can choose from select items for the whole family, just in time for the festive season.

SXFI CARRIER Soundbar by Creative – Creative SXFI CARRIER heralds a new dimension in Dolby Atmos® soundbar technology with built-in Super X-Fi® Headphone Holography to create a new multi-speaker cinema experience on headphones. The SXFI CARRIER carries on the engineering marvel of the award-winning Sonic Carrier which has been dubbed by industry experts as the “soundbar of the gods”. MSRP $999.99


Sound Blaster Katana V2 Gaming Soundbar – Explore uncharted audile territories and achieve elevated sound experiences with Sound Blaster Katana V2! Bringing back not only the finest features of its predecessor such as the revolutionary tri-amplified design, the Sound Blaster Katana V2 now sports an all-new sleek, matte black build, upgraded list of comprehensive connectivity options, and further engineered to deliver 68% more power than before! Immerse yourself in rich and flawless audio dynamics, and even stronger bass reproduction of this fantastic gaming soundbar. MSRP 329.99


Stage 360 Soundbar – Fill the halls of your home with cinematic audio and real-life atmospheric simulation for an elevated home entertainment experience! Now offering the integration of Dolby Atmos®, an acclaimed surround sound technology, Creative Stage 360 sports our brand-new upgraded system drivers and a host of new connectivity options for an all-in-one home audio upgrade. MSRP $229.99


Outlier Air V3 Earbuds – wireless earbuds equipped with Ambient Mode and Active Noise Reduction! Boosted to power up to 40 hours of total playtime with 10 hours of battery life per charge, Creative Outlier Air V3 tops the series in its battery performance. Creative have raised the stakes with their newest Noise Control features, customizable touch control buttons, and quad mics for calls clarity. MSRP $69.99


Pricing and Availability

All products are available on Creative.com as well as Amazon US and Canada.

For more information, visit https://us.creative.com/

Female Founded App Parry Launches to Keep Women Safe

Posted in Commentary with tags on December 9, 2021 by itnerd

Changing the technology space for women’s safety, Parry announces the launch of the app designed to give young women the tools and support to feel secure in every situation. The founder, Claire Guentz, is a self-proclaimed true crime junkie and the daughter of two FBI agents who has seen how women’s safety is often overlooked or discounted as being paranoid. The app is available today for iPhone users, providing a subtle way to get out of uncomfortable situations. Parry is designed for a woman who finds herself on a date that is going south, hopes the creepy guy at the gym will finally take a hint, or wants to avoid unwanted attention at a college party before it escalates into something serious.

The app works by selecting a pre-set timer that will call the mobile phone providing a fake, but realistic sounding phone call to answer as an excuse to move away from an uncomfortable situation. Timers can be set for thirty, sixty, or ninety seconds, or thirty and sixty minutes in advance to delay the phone call as needed. Parry users also have the choice to select from several pre-recorded calls, or they can record their own for a more personalized touch. For an added layer of safety, the user can select emergency contacts to be texted and alerted with their exact location to let their emergency contacts know a situation may be escalating. 

Parry is available to download today through the Apple Store with a 7-day free trial or to purchase at $1.49 per week, $2.99 per month, or $29.99 per year. 

Small biz wages & employment bouncing back: QuickBooks Canada Survey

Posted in Commentary with tags on December 9, 2021 by itnerd

While small businesses continue to be faced with challenges as we head into 2022, new data from Intuit QuickBooks Canada shows that small business (SMB) wages and workforces have grown in almost all industries over the past 12 months.

Key findings on SMB wages and employment from QuickBooks Online Payroll data include:

Wages

  • Personal care (+5.5%), hospitality (+4.6%) and retail (+4.6%) industries have seen the most wage growth over the past 12 months
  • Mining & energy (-3.54%) and professional services (+1.1%) have seen the least wage growth

Employment

  • Accounting & legal (+8.6%), retail (+5.5%) and education & public administration (+4.2%) have seen the most jobs growth over the past 12 months
  • Finance & real estate (-3.8%), personal care (+0.6%) and mining & energy (+0.8%) have seen the least jobs growth

For the full data set and findings from three recent surveys, including insights on SMB confidence, hiring difficulty, and inflation concerns visit here

Data Sources and Methodology

1. QuickBooks Online Payroll data

This is not survey data but anonymized, aggregate data from small businesses that use QuickBooks Online Payroll to manage their payroll between January, 2019 and November, 2021. Businesses that have used QuickBooks Online Payroll for less than two months were excluded from the dataset. All hourly wages are expressed as median values. Contractors and salaried employees were excluded from hourly wage calculations. Contractors and salaried employees are included in average employee calculations. Workforce growth rates are calculated by comparing the average number of paid employees per business for the current month against the average number of paid employees per business for the same month in the previous year (i.e. November 2021 vs November 2020). For example, if the average number of employees goes up from 5 to 6 from one period to the next, the increase is 20%. The data is not seasonally adjusted. The pre-pandemic benchmarks used in this report are from February 2020, the month prior to the first lockdowns being announced.

2. Small Business Survey

QuickBooks commissioned a 10-minute online survey among 725 small business owners in Canada from November 1 to 30, 2021. Respondents’ businesses have up to 100 employees and more than $5,000 in annual revenue. 57 of the 725 respondents answered the survey in French. More than one in three (34%) are brick-and-mortar businesses. The remainder are omni-channel, multi-channel or primarily online. Almost one in four (24%) are product-based businesses, close to one in two (45%) are service-based, and the remainder sell both products and services. Roughly one in seven (13%) are located in rural areas while the remainder are in urban or suburban locations. Percentages have been rounded to the nearest decimal place. Respondents received remuneration.

3. Employee Survey

Commissioned by QuickBooks in November 2021, Pollfish surveyed 2,500 employees aged 18+ throughout Canada, with a 50:50 split between male and female respondents. 500 of the 2,500 respondents answered the survey in French. Responses were collected via Pollfish’s audience pools and partner network using double opt-ins and random device engagement sampling methodology to ensure accurate targeting.

Review: FlexiSpot Electric Height Adjustable Standing Desk EC1-V2-42″ W

Posted in Products on December 9, 2021 by itnerd

For the last two years of the pandemic, my wife has been on my case about having a proper desk that is ergonomic to work from. Now I do have a desk, but it is an ergonomic nightmare. And seeing as I use a laptop, I felt that I can work from anywhere in our condo even if that meant that I wasn’t in the best ergonomic position. But I think I have changed my mind on that thanks to the folks at FlexiSpot who sent me one of their Electric Height Adjustable Standing Desks. Model EC1-V2-42″ W in black to be precise. The whole idea behind these desks is that because you can adjust the height of the desk to where you need it to be, it is more ergonomically correct, and you can avoid things like back issues as a result.

Now the desk comes disassembled in a well designed box that is meant to keep the desk safe during transport.

I have to applaud FlexiSpot for this as they clearly took the time and effort to make sure that your desk is well protected during transport. And it comes with most of the tools that you need along with the screws nicely labeled in this bag:

Missing is a Phillips screwdriver or power driver which you will need later in the assembly process.

Now moving it around and assembling it is best done by two people. So my advice to you would be to find a friend to help you if you order one of these. The other thing is that you should set aside 90 minutes of your time to assemble this desk.

Speaking of the assembly, let me walk you through assembling this desk which I did with the assistance of my wife:

First we assembled the legs, put the crossbeam on to connect the legs, and the transmission rod which allows the desk to move up and down.

Then it’s time to add the support arms. My wife and I didn’t pay attention to the diagram in the manual and put these on backwards. So don’t be us and make sure that you put these on right.

You then need to assemble the desk top which is dead easy as it slides together using three wooden pegs.

Here’s where things get interesting. You have to flip the legs and everything attached to them onto the desk top. Then you need a power driver or a lot of muscle to screw in the 12 screws that hold everything together. You also get to screw in the switch that moves the desk up and down. Not to mention that you have to wire everything together. Finally, you have to put on the guard that protects the moving parts.

At that point you’re done and this is the finished product.

The end product is very solid and feels like a quality product. The desk is 42″ x 24″ and can have a minimum height of 28″, or raised to a height of 47.6″ as pictured here:

So for me the minimum height is the perfect height for me to sit at, and at something just below the maximum height, I can stand and still work which is perfect for achieving my stand goal on my Apple Watch. What that means is that the desk will have no issues accommodating a person on the taller side. My wife who is 5′ 6″ also tried this desk, and she could find positions on both ends of the spectrum that worked for her as well. The bottom line is that regardless of your size, if you combine this desk with a quality office chair, you can dial in a position that works well for you to do your job and not have back issues or any other ergonomic related issues. On top of that, you can raise the desk up so that you can stand up and keep working. One other point is that the raising and lowering of the desk is rated at 50 dB or less which is fairly quiet. Testing it with my Apple Watch I can confirm that this claim is accurate.

Here’s a couple of other things that I would like to point out:

The desk can be raised and lowered with these simple controls on the right side of the desk.

There are two holes for cable management. One in each back corner of the desk.

Because the FlexiSpot desk has no storage, I’m going to have to get some other items to fully utilize it. So expect to see a follow up in about a week where I will show you my desk setup. But in the here and now, I have to say that this desk will seriously up your work from home game. Or if you have returned to the office, it will take your office game to the next level. It retails for $449.99 CAD but it is currently on sale for $389.99 CAD. It’s well worth the time to have a look at this desk as it’s a top shelf product.