Weekly News Roundup December 13-17, 2021


Posted on by Kacy Zurkus

The end of the year has delivered no shortage of cybersecurity headlines, with the Log4j vulnerability grabbing much attention since being disclosed. CISA’s Director, Jen Easterly, released a statement last weekend urging organizations to upgrade to the latest version of Log4j, adding, “To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.” For its part, CISA also shared a list of affected databases via GitHub.

As the week went on, industry experts pontificated about the potential fallout of the disclosure, with some suggesting concerns of a potential Log4j worm. While the threat of a weaponized worm could be debated, the real security risks posed by this vulnerability continue to rattle experts in the trenches, as researchers discovered a second exploit, Log4Shell. A patch is available—but upgrading isn’t always an easy fix.

Recognizing the importance of identifying security vulnerabilities before they are exploited, the Department of Homeland Security (DHS) announced its Hack DHS Bug Bounty Program for 2022. Additionally, Congress has passed the National Defense Authorization Act, which will allocate $768 billion toward expanding “research and development budgets and make some changes to IT and cybersecurity policy,” Fed Scoop reported.

To learn more about the benefits of bug bounty programs or responsible vulnerability disclosure, explore our Library of educational content.

Now let’s look at what else made industry headlines this week.

Dec. 17: Gadgets Now reported Kaspersky researchers have warned of a phishing scam involving fraudulent links based on the new Spider Man: No Way Home film.

Dec. 16: Threatpost reported, “Researchers have tracked new spyware – dubbed “PseudoManuscrypt” because it’s similar to “Manuscrypt” malware from the Lazarus advanced persistent threat (APT) group – that’s attempted to scribble itself across more than 35,000 targeted computers in 195 countries.”

Dec. 16: A new study by Armis revealed that despite the majority of employees in the UK having been victims of a cyberattack, security awareness remains alarmingly low.

Dec. 16: “Russia on Thursday proposed holding collective consultations on cybersecurity with the European Union, after successful talks with the Netherlands, France and Germany, the TASS news agency cited a special presidential envoy on cyber security as saying,” Reuters reported.

Dec. 15: As investors search for the next big technology craze that will drive change, some wonder if the internet itself, Web 3.0, will be the crypto-wave of the future.

Dec. 14: Microsoft released “fixes for six zero-day vulnerabilities and a total of 67 flaws” in its December 2021 Patch Tuesday.

Dec. 14: Alex Stamos of the Krebs Stamos Group reportedly called for executive action mandating that any cloud product purchased by a federal agency include security features as part of the basic package.

Dec. 14: According to Ars Technica, new job listings at Google suggest that the company could be rekindling its efforts to develop augmented reality products.  

Dec. 13: Politico connected with former administration officials and industry influencers to understand what is on the US government’s cybersecurity wish list for 2022.

Dec. 13: Europol announced the arrest of a 41-year-old Romanian national alleged to be the cybercriminal behind a ransomware attack.

Dec. 13: NPR’s Morning Edition examined The State of US Cybersecurity a Year After the SolarWinds Hack

Contributors
Kacy Zurkus

Content Strategist, RSA Conference

DevSecOps & Application Security Policy & Government

hackers & threats zero day vulnerability phishing security awareness software integrity

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community