Week in review: Log4Shell exploitation, DevSecOps myths, 56 vulnerabilities impacting OT devices


Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

QNAP NAS devices hit by DeadBolt and ech0raix ransomware
Taiwan-based QNAP Systems is warning consumers and organizations using their network-attached storage (NAS) appliances of a new DeadBolt ransomware campaign.

Fake voicemail notifications are after Office365, Outlook credentials
A phishing campaign using fake voicemail notifications has been and is still targeting various US-based organizations, in an attempt to grab employees’ Office365 and Outlook login credentials, Zscaler warns.

Attackers still exploit Log4Shell on VMware Horizon servers, CISA warns
If your organization is running VMware Horizon and Unified Access Gateway servers and you haven’t implemented the patches or workarounds released in December 2021 to fix/mitigate the Log4Shell vulnerability (CVE-2021-44228), you should treat all those systems as compromised, the Cybersecurity and Infrastructure Security Agency (CISA) advised on Thursday.

Board members and the C-suite need secure communication tools
Board members and the C-suite are key targets for cyber-threat actors, due to their access to highly sensitive information. Yet too many of them are putting their organizations in harm’s way with daily use of personal email to communicate sensitive topics.

After being breached once, many companies are likely to be hit again
Cymulate announced the results of a survey revealing that two-thirds of companies hit by cybercrime in the past year have been hit more than once, with almost 10% experiencing 10 or more attacks a year.

How the blurring of the “supply chain” opens your doors to attackers—and how you can close them
There have been more than 200 dedicated supply chain attacks over the past decade. Some of these campaigns have affected countless supplier networks and millions of customers – SolarWinds, Kaseya and the recent Log4j debacle come to mind.

The price of stolen info: Everything on sale on the dark web
Privacy Affairs researchers concluded criminals using the dark web need only spend $1,115 for a complete set of a person’s account details, enabling them to create fake IDs and forge private documents, such as passports and driver’s licenses.

7 DevSecOps myths and how to overcome them
By including security and compliance processes in end-to-end automation, businesses can secure software throughout the whole software supply chain, significantly improve the developer experience, and accelerate safer delivery. To achieve this, enterprises need to overcome these seven common DevSecOps myths that are preventing them from making the shift.

How to keep your NFTs safe from scammers
According to Wikipedia, the first known non-fungible token (NFT) was created in 2014 and the first NFT project was launched in late 2015. It took a few more years and more projects for the concept to trickle into the consciousness of the general public, and then a few more for the massive investments in NFTs to follow.

How to properly adopt and manage Kubernetes in production
In this video for Help Net Security, Alex Jones, Director of Kubernetes Engineering at Canonical, talks about properly adopting and managing Kubernetes in production.

Automotive hose manufacturer hit by ransomware, shuts down production control system
A US subsidiary of Nichirin Co., a Japan-based company manufacturing and selling automotive hoses and hose parts, has been hit with ransomware, which resulted in the shutdown of the subsidiary’s network and production control system.

Data recovery depends on how good your backup strategy is
99% of surveyed IT decision makers say they have backup strategies in place, yet 26% admit they were unable to fully restore all data/documents when recovering from a backup, according to an annual survey conducted in April 2022 by Apricorn.

Researchers disclose 56 vulnerabilities impacting thousands of OT devices
In this video for Help Net Security, Daniel dos Santos, Head of Security Research, Forescout, talks about the 56 vulnerabilities, which impact ten vendors, including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

Solution to cybersecurity skills gap largely sits with hiring practices
(ISC)² published findings from its 2022 Cybersecurity Hiring Managers research that shed light on best practices for recruiting, hiring and onboarding entry- and junior-level cybersecurity practitioners.

Inside a large-scale phishing campaign targeting millions of Facebook users
In this video for Help Net Security, Nick Ascoli, VP of Threat Research, PIXM, discusses a massive phishing campaign that has stolen an estimated five million Facebook accounts.

What are the benefits of passwordless authentication?
In this video for Help Net Security, Christofer Hoff, Chief Secure Technology Officer at LastPass, talks about the benefits of passwordless authentication.

iPaaS: The latest enterprise cybersecurity risk?
In this video for Help Net Security, Alon Jackson, CEO of Astrix Security, talks about how, as the variety of third-party platforms increases and it becomes easier to link data and workflows to one another, it’s high time for cybersecurity solutions to keep up.

Review: Enzoic for Active Directory
Data breaches now happen so often that we don’t even pause when reading yet another headline notifying us of the latest one. We react only if the breach happened to a service we use – and maybe not even then. But we should all be aware that once one of our passwords has been compromised and exposed, it should be considered compromised forever.

Webinar: What’s trending in email security?
In this webcast Sarah Happé, Echoworx’s Director Client Engagement, and Forrester’s Senior Analyst Jess Burn, dive into how security leaders are using email security to challenge the status quo and to build customer trust and business revenue.

Photos: Infosecurity Europe 2022, part 1
Infosecurity Europe 2022 opened its doors today at the ExCeL in London. Here’s a look at the event. The featured vendors are: Arctic Wolf Networks, Bridewell, Checkmarx, Cisco, CrowdStrike, Cybereason, Hornetsecurity, (ISC)², Mimecast, Netskope, OneTrust, and Splunk.

Photos: Infosecurity Europe 2022, part 2
It’s day two of Infosecurity Europe 2022 at the ExCeL in London. Here’s a look at the event. The featured vendors are: Akamai, SecurityScorecard, Edgescan, ManageEngine, Securonix, F5, ServiceNow, and Vade.

Infosecurity Europe 2022 video walkthrough
Infosecurity Europe 2022 opened its doors today at the ExCeL in London. Here’s a look inside the event.

New infosec products of the week: June 24, 2022
Here’s a look at the most interesting products from the past week, featuring releases from Arcserve, Cavelo, ComplyCube, CompoSecure, and Hillstone Networks.
