Cybersecurity outlook for 2022

Nation-state cyberthreats and Log4j have the security community on high alert; organizations need to master response and remediation.  

By Naomi Eide • Feb. 14, 2022

Log4j highlights ongoing cyber risk from free, open source software: Moody's

Limited investment and slow remediation response continues to challenge open source software.

By David Jones • Feb. 11, 2022

Critical SAP vulnerabilities spur CISA, researcher pleas for urgent patching

Onapsis security researchers warn attackers could take full control of systems to steal data, disrupt critical business functions and launch ransomware.

By David Jones • Feb. 10, 2022

Apache tells US Senate committee the Log4j vulnerability could take years to resolve

While a software bill of materials could improve supply chain security, users still download vulnerable versions of software. 

By David Jones • Feb. 9, 2022

NIST targets software supply chain with guidance on security standards

Guidelines call for developers to attest they use secure software practices.

By David Jones • Feb. 7, 2022

In 2022, you can no longer afford to ignore credential security

Credentials are among the most sought-after targets by hackers due to the low risk and high rewards.

Jan. 31, 2022

Blackberry links initial access broker activity to Log4Shell exploit in VMware Horizon

The threat actor primarily installed cryptomining software onto affected systems. In some cases, however, it deployed Cobalt Strike beacons, Blackberry found.

By David Jones • Jan. 26, 2022

Log4j raises cyber risk for public finance entities, Fitch warns

Local agencies and critical sites face increased operational and financial risk as the vulnerability opens organizations to ransomware or other malicious activity. 

By David Jones • Jan. 19, 2022

Extracting portions of open source in software development threatens app security

While companies employ safeguards to detect flaws in applications, the likelihood of organizations running a complete database of all the places a vulnerability lives is slim.

By Samantha Schwartz • Jan. 19, 2022

Cobalt Strike targets VMware Horizon after UK warnings of Log4Shell threats

Researchers say the threat emulation tool may endanger thousands of vulnerable servers.

By David Jones • Jan. 18, 2022

Big tech pushes White House for open source funding, standards after Log4j

Technology officials are calling on cross-sector collaboration to prevent a recurrence of a Log4j-style security crisis. 

By David Jones • Jan. 14, 2022

Microsoft pushes patch for wormable HTTP vulnerability, exploitation undetected so far

An attacker does not need to interact with a user or have privileged access to infect a system. 

By Samantha Schwartz • Jan. 13, 2022

Log4j threat activity limited, but CISA says actors lay in wait

Microsoft is warning about new activity from a threat actor exploiting the vulnerability in VMware Horizon to deploy ransomware.

By David Jones • Jan. 11, 2022

Log4Shell threat activity targeting VMware Horizon, UK researchers warn

NHS Digital warned unknown threat actors are targeting the servers in order to create web shells and enable future data theft, ransomware or other attacks.

By David Jones • Jan. 10, 2022

FTC threatens enforcement on firms lax about Log4j vulnerability

The FTC warning underscores a commitment by federal regulators to ensure a more secure environment for enterprise and consumer software, according to legal experts and industry analysts. 

By David Jones • Jan. 5, 2022

Log4j activity expected to play out well into 2022

As industry returns from the holiday break, organizations are assessing potential security threats from Log4j, ranging from coin miners to hands-on-keyboard attacks.

By David Jones • Jan. 4, 2022

US allies call for Log4j vigilance as organizations struggle to detect vulnerabilities

The Five Eyes partners are warning about bad actors taking advantage of the holiday break to launch attacks.

By David Jones • Dec. 23, 2021

Organizations still downloading vulnerable Log4j versions

Log4j vulnerabilities impacted more than 17,000 Java packages, representing about 4% of the ecosystem, researchers found.

By David Jones • Dec. 22, 2021

Exploits underway for Zoho ManageEngine zero day, compromising enterprises, MSPs

CISA added the latest ManageEngine vulnerability to its exploit catalog and required government agencies to issue a patch by Dec. 24. 

By Samantha Schwartz • Dec. 21, 2021

Federal authorities brace for long holiday as Log4j threat activity rises

CISA warned civilian agencies to immediately patch systems before Christmas break as researchers see an increase in malicious activity targeting organizations worldwide.

By David Jones • Dec. 20, 2021

Log4j and the problem with trusting open source

Open source isn't the issue — companies need mechanisms to ensure the integrity of the software and code they adopt.

By Samantha Schwartz • Dec. 20, 2021

Log4j: What we know (and what's yet to come)

The vulnerability has upended federal officials and the infosec industry, putting hundreds of millions of devices and systems at risk. 

By David Jones • Dec. 17, 2021

Log4j attacks poised to rise as threat actors search for attack vectors

Microsoft warns that threat actors are using third-party hosted Minecraft servers to launch ransomware attacks. The company also warned that access brokers are getting into the game.

By David Jones • Dec. 16, 2021

Security teams prepare for the yearslong threat Log4j poses

Industry is still investigating the full extent of the vulnerability, which limits the actions security teams can immediately take. 

By Samantha Schwartz • Dec. 16, 2021

Log4j threat expands as second vulnerability emerges and nation states pounce

Early stage ransomware attempts are underway and federal officials are urging organizations to take immediate steps to protect IT systems.

By David Jones • Dec. 15, 2021