Roughly a year after we experienced Solar Winds, we have the Apache Log4j flaw. ZDnet tells us that “A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10.” Here is link to ZDnet’s FAQ on the the Log4j flaw and the patches available.
ZDnet adds
If there ever was any doubt over the severity of the Log4j vulnerability, director of US cybersecurity and infrastructure agency CISA, Jen Easterly, immediately quashed those doubts when she described it as “one of the most serious that I’ve seen in my entire career, if not the most serious”.
Not surprisingly therefore, Federal News Network reports that
The Cybersecurity and Infrastructure Security Agency issued an emergency directive today [December 17] requiring civilian executive branch agencies to determine all Internet-facing assets with the critical “Log4j” vulnerability and either patch or mitigate any vulnerable software within a week.
By Dec. 23 at 5 p.m., agencies are directed to “enumerate all solutions stacks accepting data from the internet” and then check whether any of them have the Log4j vulnerability using a CISA-managed Github repository available on the agency’s website, according to the new directive.
By the same deadline, agencies are given three options for how to address any vulnerable software: “immediately” update assets where patches are available; mitigate the risk of exploitation using another mitigation measure listed on CISA’s website; or remove the affected asset from their networks.
Bleeping Computer’s The Week in Ransomware focuses its attention on cybercriminal exploitation of this flaw.
Health IT Security adds
At least 39 ransomware groups have attacked the healthcare sector across 27 countries in the past 18 months, data from the CyberPeace Institute’s Cyber Incident Tracer revealed. Despite explicitly saying that they would not target healthcare, 12 groups singled out the sector.
Some healthcare organizations may simply be collateral damage, an accompanying blog post explained. Some ransomware operators used vague terms like “medical organizations” when describing which entities were off limits. Others saw pharmaceutical companies as fair game. Half of the 12 ransomware operators targeted hospitals specifically, despite saying that they would not target healthcare. * * *
Other groups target healthcare by choice. The FIN12 affiliate group has a reputation for going after healthcare organizations. Threat intelligence firm Mandiant discovered that nearly 20 percent of the group’s attacks were targeted at healthcare entities, and over 70 percent were aimed at US-based entities.
Sometimes, healthcare organizations may be targeted out of indifference. Usually, this means that the healthcare organizations fell victim to “spray and pray” tactics, where ransomware operators will execute phishing campaigns or Remote Desktop Protocol (RDP) brute force attacks with the hopes of getting some organizations to fall for the attack.
The Wall Street Journal aptly describes 2021 as “the year that hackers went wild and changed everything.”
The U.S. government in 2021 began to take a more decisive—and prescriptive—role in how digital defenses are constructed, on the back of a string of high-profile cyberattacks against the nation’s critical infrastructure.
Jingle Bells.