Lots of software still has log4j2 vulnerabilities, hackers took only days to exploit a VMware vulnerability and more.
Welcome to Cyber Security Today. It’s Wednesday April 27th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Four months after the log4j2 open-source logging vulnerability called Log4Shell was revealed, many developers have yet to install security updates in their applications. That’s according to researchers at Rezilion. (Registration required to get the report.) It estimates that only 40 per cent of the almost 18,000 open-source packages that use log4j2 have been patched. Even if your application or server that uses log4j2 isn’t connected to the internet, it is still vulnerable. For example, Java applications on an internal server can be hit by logs received from a compromised externally-connected server. Rezilion believes many IT departments don’t know their applications use log4j2, particularly if it’s in their third-party software. Rezilion argues IT departments and developers have to get better at scanning their applications for vulnerabilities, especially in third-party code.
Threat actors move fast. According to researchers at Morphisec, the latest example is the attempt to exploit a vulnerability in VMware’s Workspace One Access. It’s an identity management suite. Earlier this month — a week after VMware released a patch for the hole — Morphisec detected threat groups trying to exploit the vulnerability. The patch was released April 6th. Five days later a proof-of-concept exploit was seen, and three days after that threat actors were trying to exploit the hole. And what were attackers trying to do? Install backdoors into systems. That could lead to the installation of any type of malware, including ransomware. IT administrators who are slow to patch critical applications are a hacker’s dream.
Last month I reported that a new threat actor has been depositing malware packages in the NPM open source library. Their goal apparently is to infect applications created with open-source material, and use them to hack into organizations. This week researchers at Checkmarx followed up on their original report to say this person or group is still at it. The number of infected packages is over 1,500. So Checkmarx created a website that tracks infected packages added by this hacker. Application developers can use it to check against anything they download from NPM. Checkmarx has named that attacker Red-Lili, so the site is red-lili.info.
Wireless solutions can solve many problems — and they can create many cybersecurity openings for attackers. Here’s an example as reported by SecurityWeek: A number of years ago the trucking industry created a short-range wireless way of linking the brakes on heavy trucks so a signal light can alert drivers that the anti-lock braking system has failed. However, an advisory sent out last month by the U.S. Cybersecurity and Infrastructure Security Agency noted vulnerabilities in the brake controller could in theory allow a hacker to launch a cyberattack and impair brake performance. This is because the wireless standard around which products are built doesn’t have a user authorization protocol. All an attacker would need to compromise a system is a transmitter about 12 feet away at a place where trucks have to slow down or stop. There’s a way to solve this for the trucking industry: Make sure developers creating wireless brake warning applications only allow the ABS warning light to be triggered. They shouldn’t allow other commands to the system. There’s also a lesson for developers of any wireless solution: User authorization and authentication have to be built into every application.
Finally, big tech companies this month continued to pressure Congress to pass a national U.S. privacy law. The latest was Google. This week Kent Walker, Google’s president of Global Affairs, made the plea at a conference in Washington. Earlier this month Apple and Microsoft did the same at a conference run by the International Association of Privacy Professionals. There have been several attempts at federal legislation, but so far there has been no consensus.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.