It feels like the world has many Pandora's boxes open at once right now. Last week another crisis arose with the disclosure of a vulnerability in the widely used open source Apache logging library Log4j. Since then, system administrators, incident response firms and governments have been scrambling to install fixes and reduce the threat. The flaw is easy for attackers to exploit and can lead to a complete server takeover. Patches are rolling out, but Apache has had to release additional fixes that now also need to be installed. After some initial reconnaissance and exploitation by attackers around the world, defenders are bracing for a brutal next wave. And they say that vulnerable systems will lurk in networks for years, just waiting to be discovered and exploited.
Meanwhile, researchers put the hacker-for-hire industry on notice this week, as Meta took down the infrastructure on its platforms of seven companies that targeted more than 50,000 users of Meta and other services. And Google's Project Zero published an in-depth technical analysis of NSO Group's ForcedEntry iOS exploit, highlighting how sophisticated a private company's hacking tools can be. WIRED also looked at the growth tactics of the world's largest deepfake abuse site, which uses AI to generate fake nude images.
With all this targeted hacking and misinformation floating around, check out the WIRED guide on how to protect yourself from "smishing," or SMS phishing attacks, which are deployed by everyone from the most elite hackers to ordinary spammers.
And there is more. Every week we round up all the security news that WIRED has not covered in depth. Click on the headlines to read the full stories.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an urgent directive on Friday requiring all federal civilian agencies to evaluate their systems and apply patches and other mitigations for the Log4j vulnerability by December 23. The order also requires agencies to provide CISA with a report by December 28 listing the names and versions of all their affected systems and detailing the protections they have put in place for each application.
"CISA has identified this vulnerability as an unacceptable risk to Federal Civilian Executive Branch agencies and requires urgent action," CISA said in the directive. "This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for compromise of agency information systems."
The Patent and Trademark Office took external access to its systems offline for 12 hours, starting on Wednesday night, as a precaution in response to the Log4j vulnerability. CISA says there have been no confirmed Log4j compromises on federal civilian networks, and that no other agency has so far taken a step like the Patent Office's. But the temporary outage reflects the extreme risk and urgency of fixing the flaw. Homeland Security Secretary Alejandro Mayorkas said on Thursday that he was "extremely concerned" about the vulnerability.
Following an investigation last month by Reveal from the Center for Investigative Reporting and WIRED, lawmakers called for both a Federal Trade Commission investigation into Amazon's poor data protection practices and a federal privacy law. The WIRED and Reveal report showed that Amazon allowed many internal employees to look up customer orders at will, and that a data firm in China may have gained access to the personal data of millions of customers, among other lapses. Amazon said the incidents did not reflect its current practices. But Senators Ron Wyden (D-OR) and Jon Tester (D-MT), along with several representatives, cited the series of failures as evidence that US companies need to do more to protect their customers' data.
Former defense contractor John Murray Rowe Jr. was arrested on Wednesday on espionage charges after the Justice Department said he had attempted to provide classified national defense information to the Russian government. Rowe, 63, faces a maximum sentence of life in prison if convicted. He reportedly worked as a test engineer for a number of defense contractors over a 40-year career and held various security clearances during that time, from "Secret" to "Top Secret" and "Sensitive Compartmented Information." Among other things, Rowe worked on aerospace technology for the Air Force. A series of security violations that suggested potential loyalty to Russia led officials to identify Rowe as an insider threat and terminate him as a contractor in 2018. From there, the FBI launched an investigation, and in March 2020 Rowe allegedly met with an undercover FBI agent posing as a Russian government official. Prosecutors say he and the undercover agent exchanged more than 300 emails, during which Rowe revealed that he would be willing to work for the Russian government, discuss his previous work and steal US secrets.
French police have arrested an unidentified man from southeastern France for allegedly laundering ransomware payments worth more than $21.4 million. Authorities did not name the man or the ransomware gang he is accused of working with. The arrest comes on the heels of a concerted global effort to deter ransomware attacks and hold perpetrators accountable.