Weekly Recap: Log4Shell Exploit, DevSecOps Myths, 56 Vulnerabilities Affecting OT Devices – Help Net Security
Here’s a rundown of some of the most interesting news, articles, interviews and videos from the past week:

QNAP NAS devices affected by DeadBolt and ech0raix ransomware
Taiwan-based company QNAP Systems is warning consumers and organizations using their network-attached storage (NAS) devices about a new DeadBolt ransomware campaign.

Fake voicemail notifications are after Office365, Outlook credentials
Zscaler warns that a phishing campaign is targeting various US-based organizations, using fake voicemail notifications to steal employees’ Office365 and Outlook credentials.

CISA warns that attackers are still using Log4Shell on VMware Horizon servers
If your company runs VMware Horizon and Unified Access Gateway servers and you did not implement the patches or workarounds that fix/mitigate the Log4Shell vulnerability (CVE-2021-44228) in December 2021, you should treat all of these systems as compromised, the Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday.

Board members and the C-suite need secure means of communication
Board members and the C-suite are key targets for cyber threat actors due to their access to highly sensitive information. Yet too many of them put their organizations at risk by using private email to communicate sensitive issues on a daily basis.

After a one-off breach, many organizations are likely to be affected again
Cymulate announced the results of a survey showing that two-thirds of organizations hit by cybercrime in the past year were hit more than once, with nearly 10% experiencing approximately 10 more attacks annually.

How blurring the “supply chain” opens your doors to attackers — and how to close them
Over the past decade, there have been more than 200 targeted attacks on the supply chain. Some of these campaigns have impacted countless supplier networks and millions of customers—SolarWinds, Kaseya, and the recent Log4j debacle spring to mind.

The price of stolen information: everything offered on the dark web
Privacy Affairs researchers concluded that criminals using the dark web only need to spend $1,115 for a full set of an individual’s account details so they can create fake IDs and forge private documents like passports and driver’s licenses.

7 DevSecOps myths and how to break them
By incorporating security and compliance processes into end-to-end automation, organizations can secure software throughout the software supply chain, vastly improving the developer experience and accelerating more secure delivery. To achieve this, organizations need to break these seven common DevSecOps myths that are preventing them from making the transition.

How to protect your NFTs from scammers
According to Wikipedia, the first known non-fungible token (NFT) was created in 2014 and the first NFT project started in late 2015. It would take a few more years and more projects for the concept to seep into the general public’s consciousness, and then a few more for the massive investments in NFTs that were to follow.

How to properly deploy and manage Kubernetes in production
In this video for Help Net Security, Alex Jones, Director of Kubernetes Engineering at Canonical, talks about how to properly adopt and manage Kubernetes in production.

Auto hose maker hit by ransomware, shuts down production control system
A US subsidiary of Nichirin Co., a Japan-based company that manufactures and sells hoses and hose components for the automotive industry, was plagued by ransomware, resulting in the shutdown of the subsidiary’s network and production control system.

Data recovery depends on how good your backup strategy is
99% of IT decision makers surveyed say they have backup strategies in place, but 26% admitted that when restoring from a backup they were unable to fully recover all data/documents, according to an annual survey carried out by Apricorn in April 2022.

Researchers disclose 56 vulnerabilities affecting thousands of OT devices
In this video for Help Net Security, Daniel dos Santos, Head of Security Research at Forescout, discusses the 56 vulnerabilities affecting ten vendors, including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens and Yokogawa.

Much of the solution to the cybersecurity skills gap lies in hiring practices
(ISC)² released findings from its 2022 Cybersecurity Hiring Managers study, highlighting best practices for recruiting, hiring, and onboarding of entry-level and junior-level cybersecurity professionals.

Inside a large-scale phishing campaign targeting millions of Facebook users
In this video for Help Net Security, Nick Ascoli, VP of Threat Research, PIXM, talks about a massive phishing campaign that successfully stole an estimated five million Facebook accounts.

What are the benefits of passwordless authentication?
In this video for Help Net Security, Christofer Hoff, Chief Secure Technology Officer at LastPass, talks about the benefits of passwordless authentication.

iPaaS: The latest corporate cybersecurity risk?
In this video for Help Net Security, Alon Jackson, CEO of Astrix Security, talks about how, with the increasing variety of third-party platforms and the ever easier linking of data and workflows, it’s high time for cybersecurity solutions to move on.

Webinar: What are the trends in email security?
In this webcast, Echoworx Director Client Engagement Sarah Happé and Forrester Senior Analyst Jess Burn discuss how security professionals are using email security to challenge the status quo and build customer trust and business revenue.

Photos: Infosecurity Europe 2022 Part 1
Infosecurity Europe 2022 opened its doors today at ExCeL in London. Here’s a look at the event. The featured vendors are: Arctic Wolf Networks, Bridewell, Checkmarx, Cisco, CrowdStrike, Cybereason, Hornetsecurity, (ISC)², Mimecast, Netskope, OneTrust, and Splunk.

Photos: Infosecurity Europe 2022 Part 2
It’s day two of Infosecurity Europe 2022 at ExCeL in London. Here’s a look at the event. The featured vendors are: Akamai, SecurityScorecard, Edgescan, ManageEngine, Securonix, F5, ServiceNow and Vade.

Infosecurity Europe 2022 Video Walkthrough
Infosecurity Europe 2022 opened its doors today at ExCeL in London. Here is an inside look at the event.

Infosec New Product of the Week: June 24, 2022
Here’s a look at the hottest products from the past week, including releases from Arcserve, Cavelo, ComplyCube, CompoSecure and Hillstone Networks.