In the “Weekly Round-Up” we summarise and give extra reading suggestions for some of the past weeks financial crime news headlines, powered by Acuminor’s crime universe ThreatView2® .
Log4Shell. There, I said it.
This week has been very intriguing and equally worrisome. I need to start with this since it will permute a lot of what I’m expecting to see in the future because of it. It is on many information and IT security professionals’ minds, and there are many write-ups on it. But to give a bit of a perspective on why it is crucial.
So, to start. What is it? It is a technical vulnerability found in a software library called Log4J (No need to dive deeper here). What is important is that the software is used by so many suppliers of both software and hardware producers. It has all the hallmarks of a gigantonormous supply chain problem. So, should I worry about this if I’m running a sawmill, dentist clinic, hair salon, bank, or server facility? Well, the short answer is yes. Suppose any of the applications that you use to manage your business (payment systems, log systems, PLCs… endless list) are using that piece of software to deliver a service to you. In that case, you might become a victim or part of a supply chain attack scheme.
When the possibility of attacking this software became public, the attacks started to happen and are steadily ongoing. There has been a race to patch/fix the vulnerability, but in that race, it also turned out that the patches also were hackable. Right now, there is a race to hack those who have fixed their systems since it turns out that the fix also has flaws.
In recent times we have seen several massive data breaches due to supply chain attacks, and we have learned how dangerous these kinds of vulnerabilities are. So, dig into some of my favourite write-ups and grab the bit longer read from ENISA on supply chain problems.
Datadog has a good overview and links to additional reads.
DataDog – The Log4j Log4Shell vulnerability: Overview, detection, and remediation
NCSC has good high-level information
NCSC – Log4j vulnerability – what everyone needs to know
A short story on the flaws in patching
ArsTechnica – Patch fixing critical Log4J 0-day has its own vulnerability that’s under exploit
And a longer read from ENISA on why you should care about your supply chains.
Enisa – Threat Landscape for Supply Chain Attacks
To jump to another excellent report that deserves the spotlight from Transparency International UK on money laundering risks in the E-payments sector. I grew up in Fintech 1.0 when E-wallets got their foothold, and I see a lot of reoccurring red flags from yore, but plenty new as well due to the increased complexity of systems and actors. So, grab the report below.
Transparency UK – Research exposes critical money laundering risks in uk e-payments sector
This will be my last roundup for this year and darn what a great year it has been. I’m really looking forward go headfirst into the new year and creating fantastic tools. And, of course, to reconnect with you. So, until 2022, have a great Christmas season!
P.s Don’t miss Acuminor’s updated version of ThreatView!
