Log4j: List of vulnerable products and vendor advisories

News about a critical vulnerability in the Apache Log4j logging library broke last week when proof-of-concept exploits started to emerge on Thursday. [...]

https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/

CISA orders federal agencies to patch Log4Shell by December 24th

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch systems against the critical Log4Shell remote code execution vulnerability and released mitigation guidance in response to active exploitation. [...]

https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-patch-log4shell-by-december-24th/

Cyberattack on BHG opioid treatment network disrupts patient care

Opioid treatment network Behavioral Health Group suffered a cyberattack that led to an almost week-long disruption of IT systems and patient care. [...]

https://www.bleepingcomputer.com/news/security/cyberattack-on-bhg-opioid-treatment-network-disrupts-patient-care/

Anubis Android malware returns to target 394 financial apps

The Anubis Android banking malware is now targeting the customers of nearly 400 financial institutions in a new malware campaign. [...]

https://www.bleepingcomputer.com/news/security/anubis-android-malware-returns-to-target-394-financial-apps/

EU Parliament adopts Digital Services Act, but concerns persist

The European Parliament's Internal Market and Consumer Protection Committee has adopted the Digital Services Act (DSA) proposal by 36 votes to 7 and 2 abstentions. [...]

https://www.bleepingcomputer.com/news/legal/eu-parliament-adopts-digital-services-act-but-concerns-persist/

Hackers steal Microsoft Exchange credentials using IIS module

Threat actors are installing a malicious IIS web server module named 'Owowa' on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely. [...]

https://www.bleepingcomputer.com/news/security/hackers-steal-microsoft-exchange-credentials-using-iis-module/

Microsoft rolls out end-to-end encryption for Teams calls

Microsoft announced today the general availability of end-to-end encryption (E2EE) support for one-to-one Microsoft Teams calls. [...]

https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-out-end-to-end-encryption-for-teams-calls/

Windows 10 KB5008212 & KB5008206 updates released

Like the November release, this month's security updates include security fixes for November 2021 Update, May 2021 Update, October 2020 Update (version 20H2), and May 2020 Update (version 2004). It's also the last security update for version 2004, which has been retired today. [...]

https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5008212-and-kb5008206-updates-released/

Microsoft December 2021 Patch Tuesday fixes 6 zero-days, 67 flaws

Today is Microsoft's December 2021 Patch Tuesday, and with it comes fixes for six zero-day vulnerabilities and a total of 67 flaws. These updates include a fix for an actively exploited Windows Installer vulnerability used in malware distribution campaigns. [...]

https://www.bleepingcomputer.com/news/microsoft/microsoft-december-2021-patch-tuesday-fixes-6-zero-days-67-flaws/

Microsoft fixes Windows AppX Installer zero-day used by Emotet

Microsoft has patched a high severity Windows zero-day vulnerability exploited in the wild to deliver Emotet malware payloads. [...]

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-appx-installer-zero-day-used-by-emotet/

Windows 11 KB5008215 update released with application, VPN fixes

Microsoft has released the Windows 11 KB5008215 cumulative update to fix security vulnerabilities and bugs introduced in previous versions. [...]

https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5008215-update-released-with-application-vpn-fixes/

DHS announces 'Hack DHS' bug bounty program for vetted researchers

The Department of Homeland Security (DHS) has launched a new bug bounty program dubbed "Hack DHS" that allows vetted cybersecurity researchers to find and report security vulnerabilities in external DHS systems. [...]

https://www.bleepingcomputer.com/news/security/dhs-announces-hack-dhs-bug-bounty-program-for-vetted-researchers/

New ransomware now being deployed in Log4Shell attacks

The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers. [...]

https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-deployed-in-log4shell-attacks/

Telecom operators targeted in recent espionage hacking campaign

Researchers have spotted a new espionage campaign targeting telecommunication and IT service providers in the Middle East and Asia. [...]

https://www.bleepingcomputer.com/news/security/telecom-operators-targeted-in-recent-espionage-hacking-campaign/

Sites hacked with credit card stealers undetected for months

Threat actors are gearing up for the holidays with credit card skimming attacks remaining undetected for months as payment information is stolen from customers. [...]

https://www.bleepingcomputer.com/news/security/sites-hacked-with-credit-card-stealers-undetected-for-months/

Microsoft fixes bug blocking Defender for Endpoint on Windows Server

Microsoft has addressed a known issue that plagued Windows Server customers for weeks, preventing the Defender for Endpoint enterprise security platform from launching on some systems. [...]

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-blocking-defender-for-endpoint-on-windows-server/

Log4j vulnerability now used by state-backed hackers, access brokers

As expected, nation-state hackers of all kinds have jumped at the opportunity to exploit the recently disclosed critical vulnerability (CVE-2021-44228) in the Log4j Java-based logging library. [...]

https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-by-state-backed-hackers-access-brokers/

AWS down again, outage impacts Twitch, Zoom, PSN, Xbox Live

Amazon AWS is experiencing an outage that has impacted numerous online services, including Twitch, Zoom, PSN, Xbox Live, Doordash, Quickbooks Online, and Hulu. [...]

https://www.bleepingcomputer.com/news/technology/aws-down-again-outage-impacts-twitch-zoom-psn-xbox-live/

State-sponsored hackers abuse Slack API to steal airline data

A suspected Iranian state-supported threat actor is deploying a newly discovered backdoor named 'Aclip' that abuses the Slack API for covert communications. [...]

https://www.bleepingcomputer.com/news/security/state-sponsored-hackers-abuse-slack-api-to-steal-airline-data/

CISA warns critical infrastructure to stay vigilant for ongoing threats

The Cybersecurity and Infrastructure Security Agency (CISA) warned critical infrastructure organizations today to strengthen their cybersecurity defenses against potential and ongoing threats. [...]

https://www.bleepingcomputer.com/news/security/cisa-warns-critical-infrastructure-to-stay-vigilant-for-ongoing-threats/

Large-scale phishing study shows who bites the bait more often

A large-scale phishing study involving 14,733 participants over a 15-month experiment has produced some surprising findings that contradict previous research results that formed the basis for popular industry practices. [...]

https://www.bleepingcomputer.com/news/security/large-scale-phishing-study-shows-who-bites-the-bait-more-often/