November 20, 2022

TSD #016: Log4Shell Still A Problem.

This week's edition is brought to you by CultureAI. CultureAI goes beyond traditional security awareness to help companies monitor and respond to every human cyber risk and behaviour. With automated attack simulations and coaching programmes, CultureAI easily connects your workplace apps to spot risky employee security behaviours as and when they happen.

Hello friend 👋

With the World Cup kicking off soon, we are seeing a significant increase in the targeting of Middle Eastern countries. This is to be expected, as cybercrime gangs will pivot in order to profit from the event. This could take the form of ransomware attacks or simple credit card-stealing malware. A ransomware attack against the World Cup or its suppliers would certainly be interesting to watch unfold from a cyber-lessons perspective, but I'm not sure I'd want to be the CISO in that scenario. Russia's Military Intelligence Unit 74455 was said to have attempted to disrupt the 2018 Winter Olympics and Paralympics in Pyeongchang, South Korea. I guess even sport has politics in it!

Notably this week, the FBI and CISA released a joint advisory stating that an Iranian state-sponsored threat actor penetrated the network of a Federal Civilian Executive Branch (FCEB) organization by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Yep, you read that right: the vulnerability the whole world went crazy patching back in December 2021. Evidently, someone forgot to patch something at the FCEB, and as a result, the Iranians got in. Oddly, they deployed a crypto-miner. Personally, I'd have thrown some ransomware in there. It's the ransomware gangs making hundreds of millions of dollars every year; crypto-mining malware has taken a back seat these last few years. They did, however, move laterally to the domain controller, compromise credentials and install some reverse proxies for persistence, so we can give them that. The official report contains all the mappings to the MITRE ATT&CK framework and all the Indicators of Compromise (IOCs); if you'd like to read the report in full, click here.

You can get in touch with me by simply hitting reply. I respond to every email that hits my inbox.

Until next week,

Gary ✌️

Fun Things This Week

📽 My New Video

A little bit of a different video this week. I went "live" for the first time on YouTube and spoke with the Cyber Crime Junkies podcast. We had some buggy audio for the first 15 minutes (I left a timestamp in the comments if you'd like to jump to that part), but after that, we're good as gold. We talked about ransomware gangs, cyber careers, my exact path into cyber and much more. If that sounds fun, you can watch it on YouTube. For the gear-heads among you, we used Restream for the stream and it's actually really nice to use.
In the latest episode of Smashing Security, the hosts discuss housing market scams, Twitter, and Google's record-breaking fine of $391.5 million for completely ignoring users' requests not to track their locations. Sadly, Google probably made billions from this tracking activity, so the $400m will just seem like the cost of doing business to them.

📘 Books

I've almost finished compiling a list of awesome cyber books for you to sink your teeth into over the winter. Keep your eyes peeled for it dropping on my LinkedIn this week. It's mostly factual books, but there are some fiction ones in there too! I think there's something for everyone to enjoy!

👾 Cool Tools

nuvola is a tool to dump AWS environment configurations and services and perform automatic and manual security analysis on them, using predefined, extensible and custom rules written in a simple YAML syntax.

Dismember is a command-line toolkit for Linux that can be used to scan the memory of all processes (or particular ones) for common secrets and custom regular expressions, among other things.
