The Apache Software Foundation (ASF) has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed Log4Shell exploit was deemed as "incomplete in certain non-default configurations. (By Ravie Lakshmanan, The Hacker News)
Threat actors, including at least one nation-state actor, are attempting to exploit the newly disclosed Log4j flaw to deploy ransomware, remote access Trojans, and Web shells on vulnerable systems. All the while, organizations continue to download versions of the logging tool containing the vulnerability. (By Jai Vijayan, Dark Reading)
Microsoft has rolled out Patch Tuesday updates to address multiple security vulnerabilities in Windows and other software, including one actively exploited flaw that's being abused to deliver Emotet, TrickBot, or Bazaloader malware payloads. (By Ravie Lakshmanan, The Hacker News)
Ransomware is the flavor of the month for cybercriminals. The FBI reports that ransomware attacks rose 20% and losses almost tripled in 2020. And our increased use of the cloud may have played a part in that spike. A survey of CISOs conducted by IDC earlier this year found that 98% of their companies suffered at least one cloud data breach in the previous 18 months as opposed to 79% last year, and numbers got worse the more exposure they had to the cloud. (By Shai Morag, Dark Reading)
Kaspersky has discovered a malicious add-on for Microsoft's Internet Information Service (IIS) webserver software that it said is designed to harvest credentials from Outlook Web Access (OWA), the webmail client for Exchange and Office 365. (By Brandon Vigliarolo, TechRepublic)