Information Technology

There’s never a good time for an organisation to fall victim to a ransomware attack, but for Matthew Day, CIO of Langs Building Supplies, a phone call on May 20, 2021 came at perhaps the worst possible time – before dawn, just as he was about to take time off for the first time in a long time. “I was going on my holidays. But I got a phone call at four o’clock in the morning, saying basically ‘I can’t log in, what’s going on?'” he says. Day got up and made the 30-minute drive to his office in Brisbane, Australia where the construction, building supplies and home-building company is based, all the while thinking about what the problem could be, perhaps a hardware failure or an unplanned outage? 

ZDNet Recommends

The answer became obvious when he arrived and tried to bring up the systems – a ransom note appeared and said: “You’ve been hacked.” SEE: A winning strategy for cybersecurity (ZDNet special report) Langs had fallen victim to Lorenz ransomware and the cyber criminals who had encrypted multiple servers and thousands of files were demanding a payment of $15 million in Bitcoin in exchange for the decryption key. Like many ransomware attacks, the cyber criminals also said they’d stolen information and threatened to leak it if the ransom wasn’t paid. “The reality is that’s a pretty scary proposition – but we were quickly able to isolate the attack and disconnect it from the network,” says Day.

He suspects that Langs was specifically targeted by the criminals behind the attack because of the nature of the business. At the time, the Queensland government was operating a response plan to keep the trade and construction industries in business, while much of Australia was still facing lockdown because of COVID-19. And if a building supplier like Langs was unable to do business, that could affect the whole programme for the regional construction industry. “It’s a macro-level event – it’s not just limited to Langs because if we can’t supply a builder their goods because we’re offline, they can’t build that house. That just ratchets up more pressure,” he says. Many victims of ransomware opt to pay the ransom, either because they feel they don’t have any other choice or they perceive it as the easiest way to restore the network – although, even with the decryption key, it can be a long, drawn-out process. For Langs and Day, however, the idea of paying the ransom wasn’t an option – and they had recovery software that allowed them to analyse what data had been encrypted or modified and restore the network from backups stored separately to the rest of the network within a matter of hours, with minimal disruption to services. “I was pretty confident about the data side of things – we use Rubrik. We make sure it’s got multi-factor authentication (MFA) on it and doesn’t have any shared credentials, so it’s a walled garden,” says Day. “These people immediately want to go after your backups because that ratchets up pressure, so if they can’t get to your backups, you’re in a good place.” But this didn’t stop the cyber criminals from attempting to extort a ransom payment – they emailed all the staff at Langs, claiming they’d stolen data and threatened to sell it on the dark web if a payment wasn’t received by a particular date. While 13 gigabytes of data had left the network, it turned out to be ping traffic, so nothing that could be a security or privacy risk to Langs’ customers or employees. Receiving the emails was a shock to staff, but Day was able to explain the situation and reassure people that, even though cyber criminals had contacted them, there was nothing to worry about. “You’ve got to communicate with people, explain it to them. We were able to show the business that they’re [the cyber criminals] playing chicken and we’re not going to blink first. So we didn’t pay the ransom, the day came – and nothing happened,” says Day. The investigation into the incident revealed that hackers initially gained access to the network via a phishing email. But this wasn’t a run-of-the-mill basic phishing email; the attackers had done their research and sent it to a Langs employee from the legitimate email account of a real employee at a supplier that they’d already compromised. SEE: Cloud security in 2021: A business guide to essential tools and best practices Langs had set up allow lists to verify emails coming from known suppliers – and the attackers were able to take advantage, after examining emails sent and received by the compromised account and specifically tailoring the email that was sent to victims who opened it and unintentionally triggered the attack. “They responded to an order that we had sent them in the exactly correct manner; this was a really smart play for these guys. It came from a verified account, from a person at a time and in a way that was expected by the user, my staff member, with the correct formatting and quoted the correct valid number, so it wasn’t a fake account, it wasn’t a spoofed account, it was the real deal,” explains Day. The email asked the user to visit a portal that looked exactly like the website of the supplier, except this one asked for a username and password – and because the victim had been duped into thinking they were responding to a message from a legitimate contact, they entered the information, inadvertently providing cyber criminals with login credentials that they exploited for initial access to the network. But Day doesn’t place blame on the user, because the sophisticated and targeted nature of the phishing email means it would be difficult for most people to identify it as a suspicious message. “We can land planes, 99.9995% of the time, no worries, but it only takes that one decimal place to cause a massive incident, and this is no different – so I can’t be too hard on my user for falling for this, because it looked legit,” he says. That initial access with legitimate credentials allowed the attackers to snoop around the network without being noticed, laying down the foundations to encrypt as much as possible before triggering the ransomware attack. The data recovery and backup software meant that the impact of the ransomware attack was relatively mild, but it could have been much worse – and Day used the incident to examine how cyberscurity at Langs could be improved. SEE: Cybersecurity: Let’s get tactical (ZDNet special feature) One of those tactics was ensuring that multi-factor authentication (MFA) was applied to a wider range of accounts. Day had previously pushed for it to be applied to users, but it was seen as a barrier to productivity. Looking back, he believes if the company had listened to his advice and applied multi-factor authentication, the attack could have been prevented from happening. “I should have stuck to my guns more about external access and MFA. Because we’ve been talking about it for quite a while and I was pushing for it, but the company pushed back because it was seen as an onerous burden on the users; one more thing that they have to learn and deal with,” Day says. “If I’d had MFA, we could have stopped this particular attack in its tracks and I’m happy to say we can now have MFA on those external desktops.” The way in which the attack originated via the compromised email of a supplier has also resulted in Langs taking a more hands-on approach to the security of its supply chain, helping the suppliers and customers it deals with most to make their networks more resilient to cyberattacks. “We don’t exist in our own little bubble, our bubble has to include our customers and suppliers in that supply chain life-cycle and make sure we secure it end to end,” Day explains. Ransomware is one of the most significant cybersecurity threats facing businesses today, but even when organisations successfully fight off a ransomware attack without paying a ransom to cyber criminals, few are willing to talk about what happened. So, why is Day willing to speak about it when so few others are? “Talking about it is a bit of an ‘up yours’ thing. I also want to empower other people to speak out about these things. If I speak about it, nothing bad happens – it just encourages other people to do it,” he says. Day hopes speaking about the incident, how it happened and what was learned can help other businesses defend against ransomware, and crucially, help them persuade boardrooms about the importance of taking cybersecurity threats seriously. “If, by coming forward and talking about these things, I encourage another CIO, IT manager or IT professional to go and have a conversation about how to protect their data, how they handle data governance, or cybersecurity planning and processes, so that they can protect the livelihoods of their their employees and their colleagues, it feels better,” he says.
MORE ON CYBERSECURITY More

IT recruitment firm Finite Recruitment has confirmed it experienced a cyber incident in October, which resulted in a “small subset” of the company’s data being downloaded and published on the dark web. The Finite Group incident response team confirmed with ZDNet that when the incident occurred, business operations were not disrupted. “Our security monitoring systems identified and closed down the threat quickly,” they said. “Since then, remedial works have been undertaken and the business has been fully operational.”The company’s incident response team added it has been reviewing what data was stolen due to the incident. “Following conclusion of this investigation, we will take steps to immediately contact any impacted stakeholders/individuals in accordance with our privacy obligations. Early indications suggest that only a relatively small number of individuals are impacted,” it said. Finite Recruitment is listed on a leak site as one of the victims of the Conti ransomware for the purposes of double extortion. The listing shows the attackers claimed to have stolen more than 300GB of data, including financial data, contracts, customer databases with phone numbers and addresses, contracts with employees’ passport details, phone numbers, mail correspondence, and other information. The recruitment firm currently provides casual support staff to several agencies across the NSW government.  

“The Department of Customer Service is aware of an incident impacting Finite Recruitment’s IT environment and has engaged with the company on the issue,” a NSW Department of Customer spokesperson told ZDNet.”The incident has not impacted any NSW government agencies or services.” Just last week, the South Australian government confirmed the state government employee data was exfiltrated as part of a ransomware attack on payroll provider Frontier Software. Treasurer Rob Lucas said the company informed government that some of the data have been published online, with at least 38,000 employees and up to 80,000 government employees possibly having their data accessed.   The data contained information on names, date of birth, tax file number, home address, bank account details, employment start date, payroll period, remuneration, and other payroll-related information.Since November, Queensland government-owned energy generator CS Energy has been battling with a Conti infection on its corporate network. In an update provided last week, the company said it was continuing to progressively restore its systems.Related Coverage More

The US Senate on Thursday unanimously passed a Bill banning the import of all goods, including technology, produced in the Chinese region of Xinjiang to penalise the Chinese government for its heinous treatment of Uyghurs and other Muslim minority groups. The Bill, titled Uyghur Forced Labor Prevention Act, explains that it was made specifically to blast the Chinese government for the international human rights violations it has committed against those minority groups. It accuses China of arbitrarily detaining 1.8 million Uyghurs, Kazakhs, Kyrgyz, and members of other Muslim minority groups in mass internment camps and subjecting them to forced labour, torture, political indoctrination, and other severe human rights abuses. China has faced growing condemnation for its treatment of Uyghur Muslims and other Muslim minorities, with numerous reports stating that Chinese authorities have been tracking the movements of these people. There have also been reports of other human rights abuses, such as the installation of spyware on the phones of Uyghur Muslims and placing Uyghur Muslims into “re-education” camps. In addition to the ban, the Bill’s passage will see the US coordinate with Canada and Mexico to prohibit the importation of goods made in the Xinjiang region. The only exception to the ban are goods determined by the US Customs and Border Protection commissioner, “by clear and convincing evidence”, to be not from convict, forced, or indentured labour. The import ban will potentially see a myriad of tech companies change their supply chains, with an Australian Strategic Policy Institute report last year alleging that the supply chains of 83 global brands at the time had used forced Uyghur labour.

“The president welcomes the agreement by Congress on the bipartisan Uyghur Forced Labor Prevention Act. We agree with Congress that action can and must be taken to hold the People’s Republic of China accountable for genocide and human rights abuses and to address forced labour in Xinjiang,” White House secretary Jen Psaki said. Earlier on Thursday, the Treasury department announced it had slapped eight Chinese technology firms, including drone maker DJI, with trading sanctions on the grounds that they actively supported the biometric surveillance and tracking of Uyghur and other Muslim minority groups in the Xinjiang region. The sanctions will prohibit US persons from purchasing or selling any publicly traded securities connected with these entities. Alongside DJI, the other seven organisations slapped with the sanctions are Cloudwalk Technology, Dawning Information Industry, Leon Technology Company Limited, Megvii Technology, Netposa Technologies, Xiamen Meiya Pico Information, and Yitu. “Today’s action highlights how private firms in China’s defense and surveillance technology sectors are actively cooperating with the government’s efforts to repress members of ethnic and religious minority groups,” said Treasury for Terrorism and Financial Intelligence under secretary Brian Nelson. “Treasury remains committed to ensuring that the US financial system and American investors are not supporting these activities.” On the same day, the Commerce Department also announced it would add another 34 Chinese organisations to its Entity List, banning them from buying parts and components from US companies without government approval.  The 34 entities were banned for various reasons, ranging from supporting the Chinese military through research biotechnology, including “purported brain-control weaponry”, to supplying US-origin items to support Iran’s advanced conventional weapons and missile programs. The eight companies that received the trading sanctions from Treasury, meanwhile, were already on the Entity List.  Related Coverage More

Cybersecurity company NCC Group is warning users of MobileIron products to patch their systems since finding exploitations through the Log4j vulnerability. 

more coverage

NCC Group researchers have so far seen five instances in their client base of active exploitation of Log4Shell in MobileIron, noting that the “global scale of the exposure appears significant.”In a blog post updated on Wednesday, the company shared a screenshot of a Shodan search showing 4,642 instances around the world. NCC Group Global CTO Ollie Whitehouse told ZDNet that Shodan isn’t real-time but that there has been a small drop in total systems since yesterday.
NCC Group
Ivanti, which acquired MobileIron in December 2020, told ZDNet that customers using MobileIron were provided with mitigation steps and guidance this weekend.Ivanti VP of security Daniel Spicer said that after a review of their products, they found the Log4j vulnerability impacting all versions of MobileIron Core, MobileIron Sentry, Core Connector, and Reporting Database (RDB). Those using the MobileIron Cloud are not affected by the issue. “Over the weekend, we informed our customers and highly recommended that they follow the tested mitigations outlined in our Community Forum. Since then, we have stayed in regular communication with our customers,” Spicer said. 

“Patching all systems for known vulnerabilities and ensuring the latest versions of Ivanti solutions are running is the best way for our customers to protect their environments from threats. Unfortunately, security threats across the industry will persist.” Ivanti released an advisory and said the risk associated with CVE-2021-44228 is high “because these products sit in the DMZ and are vulnerable to a RCE attack due to the CVE.” The mitigation instructions provided involve the removal of a vulnerable Java class (JNDILookUp.class) from the affected Log4J Java library, which removes the ability to perform the RCE attack, Ivanti explained. Cerberus Sentinel vice president Chris Clements said the number of vulnerable applications was not a ton at internet scale but he noted the larger concern that the successful exploitation of these systems could allow an attacker to potentially compromise tens of thousands of mobile and computing devices managed by the MobileIron systems.”That is a big deal. We are going to be dealing with the fallout from the Log4j vulnerability for a long time I’m afraid,” Clements said. The UK’s National Cyber Security Centre (NCSC) issued an alert warning in December 2020 that a number of state-backed hackers and criminal gangs were using a vulnerability in MDM software from MobileIron. The company’s MDM servers were previously targeted by hackers through other vulnerabilities. Last December, Ivanti purchased outstanding MobileIron stock for roughly $872 million, representing a 27% premium on the firm’s share price at the time.  More

Citizen Lab has released a new report highlighting widespread government use of the “Predator” spyware from North Macedonian developer Cytrox.Researchers found that Predator was used to attack two people in June 2021. The spyware “was able to infect the then-latest version (14.6) of Apple’s iOS operating system using single-click links sent via WhatsApp,” according to Citizen Lab. The researchers added that Predator persists after reboot using the iOS automations feature. Apple did not respond to requests for comment about the spyware, but Citizen Lab said they have been notified and are investigating the issue. Because WhatsApp is involved, Citizen Lab also told Meta about Predator’s action. Meta announced it is taking enforcement action against Cytrox and is removing approximately 300 Facebook and Instagram accounts linked to the spyware company. The security team at Meta found “an extensive list of lookalike domains used as part of social engineering and malware attacks.””The Meta report states that they believe Cytrox customers include entities in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Côte d’Ivoire, Vietnam, Philippines, and Germany, and that they identified additional abusive targeting initiated by Cytrox customers around the world,” Citizen Lab explained. Meta also took down accounts linked to six other cyber surveillance firms including Cobwebs Technologies, Cognyte, Black Cube, Bluehawk CI, BellTroX and an unnamed company from China. Meta’s report said the companies created more than 1,500 fake accounts that targeted 50,000 users in at least 100 countries.

Exiled Egyptian politician Ayman Nour was one of the two who had devices infected with Predator and Citizen Lab noted that his phone was also infected with Pegasus, the headline-grabbing spyware from troubled spyware company NSO Group. Citizen Lab said two different governments were spying on Nour at the same time during parts of 2021. Citizen Lab’s reports about Pegasus and NSO Group have caused international outrage and prompted global conversations about the proliferation of powerful spyware. NSO Group was blacklisted by the US government last month and this week faced calls for even harsher sanctions. Cytrox, according to the report, is part of NSO Group rival Intellexa, which is based in the European Union. The company was purchased in 2018 by Israeli firm WiSpear, Citizen Lab found.Through scanning for Predator spyware servers, Citizen Lab researchers found “likely” customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia.  “We confirmed the hacking of the devices of two individuals with Cytrox’s Predator spyware: Ayman Nour, a member of the Egyptian political opposition living in exile in Turkey, and an Egyptian exiled journalist who hosts a popular news program and wishes to remain anonymous,” Citizen Lab explained. “Nour first became suspicious after observing that his iPhone was ‘running hot.’ We learned of Nour’s case and reviewed logs from his phone. We attribute the attacks on the two targets to the Egyptian Government with medium-high confidence. We conducted scanning that identified the Egyptian Government as a Cytrox Predator customer, websites used in the hacks of the two targets bore Egyptian themes, and the messages that initiated the hack were sent from Egyptian WhatsApp numbers.”Further investigation into Nour’s phone revealed that he had been hacked with Pegasus in March 2021 and there was another attempt to hack his phone in June 2021 using the NSO Group’s FORCEDENTRY exploit. “This report is the first investigation to discover Cytrox’s mercenary spyware being abused to target civil society. NSO Group has received outsized publicity in recent years, thanks to a growing customer list, spiraling abuse problems, and groundbreaking investigative work by civil society,” Citizen Lab said.  “Cytrox and its Predator spyware, meanwhile, are relatively unknown. The targeting of a single individual with both Pegasus and Predator underscores that the practice of hacking civil society transcends any specific mercenary spyware company. Instead, it is a pattern that we expect will persist as long as autocratic governments are able to obtain sophisticated hacking technology. Absent international and domestic regulations and safeguards, journalists, human rights defenders, and opposition groups will continue to be hacked into the foreseeable future.” More

Multiple ad blockers topped Firefox’s list of the most popular and innovative add-on browser extensions of 2021. Firefox determines which add-ons are “most popular” by calculating their average daily users (ADU) throughout the entire year. Adblock Plus averaged 6,134,231 daily users while uBlock Origin averaged 5,011,974 throughout 2021. Firefox notes that uBlock Origin is hot on Adblock Plus’ heels, closing the gap between the two as the year progressed. Firefox estimates that the add-on may pass Adblock Plus at some point in 2022. Privacy appears to be a significant issue for Firefox users. Other top extensions in 2021 include Mozilla’s Facebook Container (1,740,395 ADU) and tracking add-on Ghostery (1,167,938 ADU). 
Firefox
Firefox data shows that of the 133 million visits to addons.mozilla.org in 2021, most came from people based in China and the US. Germany, France, and Russia filled out the rest of the top five. Firefox also says that 60% of Russian users have installed an add-on, far surpassing the percentage for any other region. One-third of all users have installed an add-on, says Firefox, and there were 127 million total Firefox add-on installs in 2021 alone. Firefox also highlighted several extensions that met Mozilla’s “standards of security, utility, and user experience.” The list includes tab organizer add-ons like Sidebery and Tab Stash as well as website design tools like Stylebot and automaticDark.In October, Mozilla’s Firefox browser team cracked down on malicious add-ons. The team blocked ones that were misusing the browser’s proxy API, which software uses to manage how the browser connects to the internet.

Enterprise Software More

This is the year you’re going to go to the gym three times a week, and you’re going to get organized, and you’re going to live life to its fullest, and …

Aw, who are we kidding? Everyone makes those resolutions, and they’re usually just a distant memory by Super Bowl Sunday. So instead of those unrealistic promises to yourself, how about if we start with something that’s a little more achievable? I’ve got some recommendations for smart things you can resolve to do with your technology in the new year to make you happier, more productive, and maybe even less anxious.I wrote the original version of this column back in 2019, but the advice is still timely. Even if you only check one or two of these items off your 2022 to-do list, I promise you’ll be better off.Back up to the cloudNo matter how many times well-meaning advice columnists tell us to back up, we find excuses to not do that task. And so, when (not if) some horrible catastrophe renders the data on our PC or smartphone completely inaccessible, there’s no backup available. Or there’s a backup from several months ago that’s missing everything you’ve done lately.This is where the cloud becomes a digital life saver, capturing the bits that document your digital life. It is easy to configure your smartphone so that every photo and video on your camera roll is backed up to whichever cloud you call home: Google Photos, Dropbox, Microsoft OneDrive, or Apple’s iCloud.Meanwhile, on your PC or Mac, sync your important data files to that same cloud. It’s particularly easy to do this with a consumer OneDrive account. After signing in, open OneDrive Settings, click the Backup tab, click Manage Backup, and follow the instructions. Just make sure to save important files to the Desktop, Documents, and Pictures folders, which are then backed up automatically.Also: Get smart about passwords

Using a bad, easy-to-guess password can turn your life upside down. Just ask anyone who’s ever had a bank account compromised. Reusing any password, even a strong one, is just as bad. If a sloppy website allows your credentials to be stolen, a determined thief will try them at other sites.So, how do you generate a strong, unique password for every account, and how do you keep track of them all? Use a password manager. I prefer to store my heavily encrypted password file in the cloud using 1Password, but you have plenty of other choices, as I explain in this article.Also, don’t use “correct horse battery staple” as your password. It’s almost as bad as “123456.”Also:Turn on 2FA everywhereIf, despite your best precautions, an online thief steals your credentials for an important website or service, you have another roadblock to put in their way. Add multi-factor authentication (often called two-factor authentication, or 2FA) to every important online account. This is especially important for email credentials, any kind of banking or payment service, and all your social media accounts. In fact, if an important service doesn’t offer 2FA as a security option, you should perhaps ask them why not.Both Google and Microsoft make simple, elegant authenticator apps for smartphones. If you’re the independent sort, try the free Authy app. I’ve put together a 2FA explainer that can get you started. Do it today.See also: Better than the best password: How to use 2FA to improve your securityStop tweaking thingsIn the early days of the PC revolution, computers were like the Ford Model T. If you took one out on the road, you’d better have a full toolkit handy and be prepared to get very greasy while tinkering under the hood.The heyday of the Model T was almost exactly a century ago. In the 21st Century, when cars are mostly code, you are not going to make your Tesla go faster by going in and editing some config files. The same is true with PCs. I routinely see people who insist that they can make their computing machines go at warp speed with a few registry edits.But when I look deeper into those magical tweaks, I almost never find that any of these trivial changes truly make a difference, and each one involves the risk of unintended, performance-sapping consequences. Most of modern computing is just physics, after all. You want a faster computer? Add more memory, or replace that old spinning disk with an SSD.Also: Take your updatesAmong the tinfoil-hat set, it is fashionable to argue that true experts focus their energy on preventing software developers from installing updates. They believe, after all, that the best version of your OS was the one released three years ago (or five years ago, or even ten) and everything that has happened since has been an unmitigated disaster.Meanwhile, here on Earth-1, every major software platform updates itself continuously. Problems with updates are relatively rare and generally solved within days or, very rarely, a week or two.If you’d prefer to take a conservative approach, it’s easy enough to defer updates for up to a month while you wait for others to identify any issues. But spending energy trying to override built-in update code is time you’ll never get back.Also: Uninstall your antivirusThere might have been a case for installing third-party antivirus software on a Windows PC a decade or two ago, but today? Not so much. Windows Defender, which is part of every Windows 10 installation, is good enough.That’s not just damning with faint praise, either.These days, the only reason that third-party antivirus exists is so that PC makers can actually squeeze out a profit from the bounties they get for preinstalling this crap on cheap new PCs for consumers. The overwhelming majority of malicious software should be shut off long before it gets to your PC, using the built-in protections provided by your email provider, your ISP, and your web browser.In fact, that third-party software is just as likely to get in the way of an update or accidentally quarantine a crucial system file. Save your money and just get rid of it. If you’ve got a PC on which one of the large third-party security programs came preinstalled, you might have to use a special tool to get rid of it completely. Here are some handy links for Norton, McAfee, and Trend Micro products.Also: The 5 best VPN services More

The Cybersecurity and Infrastructure Security Agency and the White House have released warnings to companies and organizations across the country, urging them to be on alert for cyberattacks ahead of the Christmas holiday. 

more coverage

CISA has released “CISA Insights: Preparing For and Mitigating Potential Cyber Threats” to provide critical infrastructure leaders with steps to proactively strengthen their organization’s operational resiliency against sophisticated threat actors.In a letter sent out on Thursday, White House Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger and National Cyber Director Chris Inglis said there are typically breaches around national holidays because cybercriminals know that security operations centers are often short-staffed.Cyber officials released a similar message earlier this year after major attacks on Colonial Pipeline and Kaseya took place on Memorial Day Weekend and July 4 Weekend respectively. “Beyond the holidays, though, we’ve experienced numerous recent events that highlight the strategic risks we all face because of the fragility of digital infrastructure and the ever-present threat of those who would use it for malicious purposes,” Neuberger and Inglis said. “There are specific steps that you, as leaders, can initiate now to reduce the risk of your organizations during this time of heightened risk and into the New Year. In many cases, criminals plan and actually begin an intrusion before the holiday itself — they infiltrate a network and lie in wait for the optimal time to launch an attack. It is therefore essential that you convene your leadership team now to make your organization a harder target for criminals.”The two urged organizations to make sure all patches are up-to-date, enable logs, back up data, investigate incidents quickly, change passwords, mandate multi-factor authentication, manage IT security schedules and make employees aware of phishing.

CISA’s warning focused on critical infrastructure owners and operators, telling them that security personnel coverage needs to be sketched out now in light of the coming Christmas holiday, and incident response plans need to be updated. Organizations should also make sure all the cybersecurity best practices are being followed and that the current cybersecurity threats and malicious techniques are being monitored. CISA even said the threshold for information sharing should be lowered, and any cybersecurity incidents and anomalous activity should be reported to CISA or the FBI Immediately. The FBI sent out its own notice on Wednesday notifying potential victims of the Log4j vulnerability that they “may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat.”While some cybersecurity experts have said cybercriminal interest in Log4j is waning, Microsoft said nation states and other groups are exploiting the bug, including Chinese government-linked group Hafnium as well as groups from North Korea, Turkey and Iran. VMware head of cybersecurity strategy Tom Kellermann told ZDNet that he was very concerned about the organizations that haven’t followed the “very specific and holistic advice” given by CISA and the Joint Cyber Defense Collaborative (JCDC).As a member of the JCDC, VMware has worked alongside Google, Microsoft, Verizon to help address the threat posed by Log4j. “Ever since the first proof of concept exploit was made available, attackers around the world — from cybercrime cartels to rogue nation states — have been actively exploiting the vulnerability, and that’s been going on for days. Everyone uses Apache in some form and it’s really a question of them updating immediately,” Kellermann said. “But in addition to that, I think people should apply outbound micro-segmentation rules to prohibit new connections from being established from workloads. They should be scanning their environment and code bases for vulnerable systems employing Log4j. They should be monitoring their workloads for abnormal traffic flow, and they should be reviewing their log files to look for unauthorized configuration changes.”Kellermann added that if an organization doesn’t know where Apache ends and begins in their environment, they need to “dramatically expand their threat hunt game” because, more than likely, they’ve already been compromised given the level of scanning and exploitation occurring. More