Buckle Up for More Log4j Madness

It feels like the world has a lot of Pandora’s boxes open at once right now. Last week another crisis came into view with disclosure of a vulnerability in the widely used open source Apache logging library Log4j. Since then, system administrators, incident responders, and governments have been scrambling to install patches and reduce the threat. The bug is simple for attackers to exploit and can lead to full server takeover. Patching is on the rise, but Apache has had to release additional fixes that now must be installed. After some preliminary probing and exploitation from attackers around the world, defenders are bracing for a brutal next wave. And they say that vulnerable systems will lurk in networks for years, just waiting to be discovered and exploited.

Meanwhile, researchers put the surveillance-for-hire industry on blast this week as Meta took down infrastructure on its platforms from seven companies that had targeted more than 50,000 of the company’s users and others. And Google’s Project Zero did a deep technical analysis of NSO Group’s ForcedEntry iOS exploit, underscoring just how sophisticated a private organization’s hacking tools can be. WIRED also took a look at growth tactics of the world’s largest deepfake abuse site that uses AI to generate false nude images.

With all of this targeted hacking and misinformation floating around, check out WIRED’s guide to defending yourself against “smishing,” or SMS phishing attacks, deployed by everyone from the most elite hackers down to run-of-the-mill spammers.

And there’s more. Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive on Friday that all federal civilian agencies must assess their systems and apply patches and other mitigations related to the Log4j vulnerability by December 23. The order also requires the agencies to provide CISA with an accounting by December 28 of the names and versions of all their affected systems and details about the protections they’ve put in place for each application.

“CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” CISA wrote in the directive. “This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”

The Patent and Trademark Office took external access to its systems offline for 12 hours beginning on Wednesday night as a precaution in response to the Log4j vulnerability. CISA says there are no confirmed Log4j compromises of federal civilian networks and that so far no other agencies have done shutdowns like the Patent Office’s. But the temporary takedown reflects the extreme risk and urgency of patching the flaw. Homeland Security Secretary Alejandro Mayorkas said on Thursday that he is “extraordinarily concerned” about the vulnerability.

After an investigation last month by Reveal from The Center for Investigative Reporting and WIRED, lawmakers have called for both a Federal Trade Commission investigation of Amazon’s shoddy data protection and for a federal privacy law. WIRED and Reveal’s report showed that Amazon had let many internal employees look up customer orders at will, and that a data company in China likely obtained access to the personal data of millions of customers, among other lapses. Amazon has said that those incidents don’t reflect current practices. But senators Ron Wyden (D-OR) and Jon Tester (D-MT), along with several representatives, have pointed to the series of failures as proof that US companies need to do more to protect their customers’ data.

Former defense contractor John Murray Rowe Jr. was arrested on Wednesday on espionage charges; the Department of Justice says he allegedly “attempted to provide classified national defense information to the Russian government.” Rowe, 63, faces a maximum sentence of life in prison if convicted. He reportedly worked as a test engineer for multiple defense contractors over a 40-year career and held various security clearances throughout that time, from “Secret” up to “Top Secret” and “Sensitive Compartmented Information.” Among other things, Rowe worked on aerospace technology for the Air Force. A series of security violations that showed a potential allegiance to Russia led officials to identify Rowe as an insider threat and terminate him as a contractor in 2018. From there the FBI began an investigation, and in March 2020 Rowe allegedly met with an undercover FBI employee pretending to be a Russian government official. Prosecutors say that he and the undercover agent corresponded in over 300 emails, during which Rowe revealed that he would be willing to work for the Russian government, discuss his prior work, and steal US secrets.

French police arrested an unidentified man from southeast France for allegedly laundering ransomware payments amounting to more than $21.4 million. Authorities also did not name the ransomware gang or gangs he is accused of collaborating with. The action comes on the heels of a concerted global effort to deter ransomware attacks and hold perpetrators accountable.
