NHS Digital's cyber team has warned of Log4Shell attacks on VMware software. Its cyber alert service says an unknown threat group targeted unpatched VMware Horizon systems in order to establish a presence within affected networks; if successful, the attackers could steal data or deploy ransomware. The timing isn't good, as the NHS, like other health care systems worldwide, is being overwhelmed by the Omicron variant of COVID. Though when is it ever a good time to get pwned?
I have two comments on this. The first is from Albert Zhichun Li, VP of Engineering at Stellar Cyber:
“Overall, Log4j vulnerabilities are relatively easy to exploit and not too hard to defend. The bar is low, and any attacker is capable of using Log4Shell. Every vendor needs to scan their potential Java components, especially web services, in this case Tomcat, and offer urgent patches. All businesses need to keep security hygiene by patching the service or restricting the access.”
The second comment is from Saryu Nayyar, CEO and Founder, Gurucul:
“As we have seen over the past 30 days, the Log4J vulnerability continues to be a challenge as new exploits are developed, making it essential to detect the threat activity both as the vulnerability is exploited and as attackers have successfully inserted themselves in an environment. Static signatures and rule-based ML must be constantly updated for certain variants to be detected. Dynamic and adaptable behavioral analytics that prioritize and escalate the specific anomalous activity attempting to exploit Log4j is the best approach to determining whether a new or unknown attack is actively attempting to compromise systems based on Log4j or execute a campaign post-initial compromise.”
Log4j/Log4Shell is the one thing that is making life miserable for sysadmins everywhere. The best way for them to put themselves out of their misery is to ensure all the things are patched, and then double-check that all the things are patched. That includes the copies of Log4j bundled inside vendor products and application archives (WARs, EARs, fat jars), not just the ones a package manager knows about.
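Here is one way to do that double-check, as an added example that is not code from the original post or from any of the vendors quoted. It walks a directory for log4j-core jars, including jars nested inside WARs, EARs and fat jars, reads the version from the jar's own Maven pom.properties, and reports whether JndiLookup.class is still present (removing that class was the documented mitigation for versions that could not be upgraded). The version boundaries used are the published fix releases: 2.15.0 / 2.12.2 / 2.3.1 close CVE-2021-44228 itself, and 2.17.1 / 2.12.4 / 2.3.2 close the follow-on CVEs through CVE-2021-44832. The sample directory tree is constructed by the script itself with placeholder bytes instead of real bytecode; the function and status names are this example's own.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Per release line: first version closing CVE-2021-44228 itself, and first version
# closing the whole follow-on set through CVE-2021-44832. Other lines use the defaults.
LOG4SHELL_FIXED = {"2.12": (2, 12, 2), "2.3": (2, 3, 1)}
FULLY_FIXED = {"2.12": (2, 12, 4), "2.3": (2, 3, 2)}
DEFAULT_LOG4SHELL_FIXED, DEFAULT_FULLY_FIXED = (2, 15, 0), (2, 17, 1)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def log4j_core_version(zf):
    """Version from the jar's Maven pom.properties for log4j-core, else None."""
    for name in zf.namelist():
        if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None

def classify(version, has_jndi_lookup):
    """Status for one log4j-core copy; a JndiLookup-stripped jar is not a patched jar."""
    v = parse_version(version)
    if v is None:
        return "unknown-version"
    branch = f"{v[0]}.{v[1]}"
    if v >= FULLY_FIXED.get(branch, DEFAULT_FULLY_FIXED):
        return "patched"
    if v >= LOG4SHELL_FIXED.get(branch, DEFAULT_LOG4SHELL_FIXED):
        return "update-recommended"
    return "vulnerable" if has_jndi_lookup else "mitigated-jndilookup-removed"

def scan_archive(zf, label, findings):
    """Record this archive if it carries log4j-core; recurse into nested archives."""
    names = set(zf.namelist())
    version, has_jndi = log4j_core_version(zf), JNDI_CLASS in names
    if version or has_jndi:
        findings.append((label, version, classify(version, has_jndi)))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                pass

def scan_tree(root):
    """(label, version, status) for every log4j-core copy found under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, str(path), findings)
            except zipfile.BadZipFile:
                pass
    return findings

def make_jar(version=None, jndi=False, nested=()):
    """Constructed sample archive for this example (placeholder bytes, not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PREFIX + "pom.properties", f"version={version}\n")
        if jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        for name, data in nested:
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed layout: vulnerable jar, patched jar, WAR with a stripped 2.14.1 and a 2.15.0."""
    lib = Path(root) / "app" / "lib"
    lib.mkdir(parents=True)
    (lib / "log4j-core-2.14.1.jar").write_bytes(make_jar("2.14.1", jndi=True))
    (lib / "log4j-core-2.17.1.jar").write_bytes(make_jar("2.17.1", jndi=True))
    (lib.parent / "app.war").write_bytes(make_jar(nested=[
        ("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar("2.14.1")),
        ("WEB-INF/lib/log4j-core-2.15.0.jar", make_jar("2.15.0", jndi=True)),
    ]))

def demo():
    """Scan the constructed tree in a temp dir; return {label: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {label.replace(tmp, "<root>"): status for label, _, status in scan_tree(tmp)}
```

Point `scan_tree` at a real install root (a Horizon or Tomcat directory, for instance) to get a list of every embedded copy; a jar reported as `unknown-version` is one whose Maven metadata was stripped but which still ships JndiLookup.class, and deserves a manual look rather than being written off.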
UPDATE: I got additional commentary from Stephanie Simpson, who is the VP Product Management of SCYTHE:
Ransomware gangs, like CONTI, will continue to try to use Log4Shell vulnerabilities, especially as companies need to continue product development in the aftermath of this vulnerability being discovered. To protect customers from these new TTPs, companies need to test and validate that there are no holes in the software before it is pushed to production.
Grass Valley CA Pwned… Data Stolen
Posted in Commentary with tags Hacked on January 10, 2022 by itnerd
An investigation into a data breach attack on Grass Valley, California, has discovered that city employee and citizen information was exposed. The breach, which occurred between April 13th and July 1st, 2021, resulted in an attacker transferring files outside of the network, including financial and personal info of “individuals associated with Grass Valley”.
I have some commentary from Saryu Nayyar, CEO and Founder of Gurucul on this attack:
“The ability to understand users, access and entitlements are essential in determining anomalous behaviors for determining whether access to and transmissions of sensitive data is actually the work of a malicious threat actor. Moving from traditional SIEMs and XDR tools to a next generation SIEM with XDR capabilities is critical as the initial activity, before data theft occurs, can be prioritized as a high-risk event based on a baseline of what is normal as well as monitoring for deviations that are indicative of an attack campaign, especially with adaptable Machine Learning (ML) models.”
It’s pretty clear that prevention and detection are the best ways to avoid being the next Grass Valley. Keep in mind that this breach ran from April 13th to July 1st, roughly eleven weeks in which files were leaving the network, so detecting the exfiltration itself, not just the initial intrusion, matters. Thus hopefully organizations of all sizes take note of this incident and plan their defences accordingly.
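To make the "baseline of what is normal, then watch for deviations" idea concrete, here is an added example of that detection logic run over log lines; it is not code from the original post or from any product mentioned here. The log format (ISO date, user, destination host, bytes sent, one egress event per line) is an assumption, the records are constructed for this example and are not real Grass Valley data, and the April 13th cutoff simply mirrors the start of the breach window reported above: days before it train the per-user baseline, days from it onward are scored.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress records (date user destination bytes_sent). Nothing here
# is real Grass Valley data; the format itself is an assumption of this example.
SAMPLE_LOG = """\
2021-04-06 jdoe mail.example.org 120000
2021-04-06 msmith mail.example.org 45000
2021-04-07 jdoe mail.example.org 98000
2021-04-07 msmith mail.example.org 52000
2021-04-08 jdoe mail.example.org 130000
2021-04-08 msmith mail.example.org 48000
2021-04-09 jdoe mail.example.org 105000
2021-04-09 msmith mail.example.org 50000
2021-04-13 jdoe drop.example.net 4800000000
2021-04-13 msmith mail.example.org 51000
2021-04-13 svc_backup backup.example.org 900000000
"""
BASELINE_END = "2021-04-13"  # days before this train the baseline; days from it on are scored

def parse_log(text):
    """One event per line: ISO date, user, destination host, bytes sent."""
    events = []
    for line in text.splitlines():
        date, user, dest, sent = line.split()
        events.append((date, user, dest, int(sent)))
    return events

def by_user_day(events):
    """{user: {date: (total bytes, set of destinations)}}."""
    out = defaultdict(dict)
    for date, user, dest, sent in events:
        total, dests = out[user].get(date, (0, set()))
        out[user][date] = (total + sent, dests | {dest})
    return out

def build_baseline(events):
    """{user: (mean daily bytes, population stdev, destinations seen)}."""
    baseline = {}
    for user, days in by_user_day(events).items():
        totals = [t for t, _ in days.values()]
        known = set().union(*(d for _, d in days.values()))
        baseline[user] = (mean(totals), pstdev(totals), known)
    return baseline

def detect(events, baseline, sigma=3.0, floor=0.25):
    """Alert on a day whose egress exceeds mean + sigma*stdev (stdev floored at
    floor*mean so a flat baseline does not fire on trivial jitter), on a destination
    never seen in the baseline, and on any user with no baseline at all."""
    alerts = []
    for user, days in by_user_day(events).items():
        if user not in baseline:
            alerts.append((min(days), user, ["no baseline for this user"]))
            continue
        mu, sd, known = baseline[user]
        threshold = mu + sigma * max(sd, floor * mu)
        for date, (total, dests) in sorted(days.items()):
            reasons = []
            if total > threshold:
                reasons.append(f"egress {total} bytes exceeds threshold {threshold:.0f}")
            if dests - known:
                reasons.append("new destination(s): " + ", ".join(sorted(dests - known)))
            if reasons:
                alerts.append((date, user, reasons))
    return sorted(alerts)

def run(text=SAMPLE_LOG, cutoff=BASELINE_END):
    """Split the log at cutoff, build the baseline from the earlier part, score the rest."""
    events = parse_log(text)
    baseline = build_baseline([e for e in events if e[0] < cutoff])
    return detect([e for e in events if e[0] >= cutoff], baseline)

if __name__ == "__main__":
    for date, user, reasons in run():
        print(date, user, "; ".join(reasons))
```

On the constructed data this fires twice: `jdoe` both blows through the volume threshold and sends to a host never seen before, and `svc_backup` is flagged only because it has no baseline at all, which is exactly the case a small municipal team would want to triage by hand rather than silently accept. The stdev floor is a deliberate choice: a user with a few nearly identical days would otherwise have a threshold equal to their mean, and every ordinary Monday would page someone.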
UPDATE: Additional commentary from Elizabeth Wharton, who is the VP Operations of SCYTHE:
Municipalities struggle to identify and respond to data breaches, as I’ve experienced first-hand in the past. They suffer significantly from the cybersecurity skills gap, often with limited budgets. The cybersecurity industry needs to give them tools that help their teams gain experience with real-world threats so that they can continuously validate their processes and technologies, but it needs to provide them at a price-point that makes sense.