The US Government Cybersecurity and Infrastructure Security Agency has published a report examining the malware that infected an organisation with an unpatched Log4Shell vulnerability in a VMware Horizon server. CISA Releases Log4Shell-Related MAR | CISA
Long term firmware compromise
This is an article looking at the invisible threat in our hardware – UEFI rootkit attacks. Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica
“Shoddy” customers’ identity security
JPMorgan Securities, UBS Financial Services, and TradeStation Securities have been fined by the U.S. Securities and Exchange Commission – although to me the fines look like small change for these organisations! JPMorgan, UBS accused of shoddy identity theft protection • The Register
Stealing emails undetected using Chrome extensions
The malicious extension has been called SHARPEXT by researchers at Volexity. It affects the Chromium-based web browsers Chrome and Edge, and can steal email from Gmail. Cyberspies use Google Chrome extension to steal emails undetected (bleepingcomputer.com)
Commercialised cyberweapons
For when you have time, here are two articles from Microsoft looking at cyberweapons:
Continuing the fight against private sector cyberweapons – Microsoft On the Issues
Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits – Microsoft Security Blog
The view from the US Government
Pegasus spyware: Just ‘tip of …
