In the “Weekly Round-Up” we summarise and give extra reading suggestions for some of the past weeks financial crime news headlines, powered by Acuminor’s crime universe ThreatView2®.
Log4Shell. There, I said it.
This week has been very intriguing and equally worrisome. I need to start with this since it will permute a lot of what I’m expecting to see in the future because of it. It is on many information and IT security professionals’ minds, and there are many write-ups on it. But to give a bit of a perspective on why it is crucial.
So, to start. What is it? It is a technical vulnerability found in a software library called Log4J (No need to dive deeper here). What is important is that the software is used by so many suppliers of both software and hardware producers. It has all the hallmarks of a gigantonormous supply chain problem. So, should I worry about this if I’m running a sawmill, dentist clinic, hair salon, bank, or server facility? Well, the short answer is yes. Suppose any of the applications that you use to manage your business (payment systems, log systems, PLCs… endless list) are using that piece of software to deliver a service to you. In that case, you might become a victim or part of a supply chain attack scheme.
When the possibility of attacking this software became public, the attacks started to happen and are steadily ongoing. There has been a race to patch/fix the vulnerability, but in that race, it also turned out that the patches also were hackable. Right now, there is a race to hack those who have fixed their systems since it turns out that the fix also has flaws.
In recent times we have seen several massive data breaches due to supply chain attacks, and we have learned how dangerous these kinds of vulnerabilities are. So, dig into some of my favourite write-ups and grab the bit longer read from ENISA on supply chain problems.
Datadog has a good overview and links to additional reads.
DataDog – The Log4j Log4Shell vulnerability: Overview, detection, and remediation
NCSC has good high-level information
A short story on the flaws in patching
ArsTechnica – Patch fixing critical Log4J 0-day has its own vulnerability that’s under exploit
And a longer read from ENISA on why you should care about your supply chains.
To jump to another excellent report that deserves the spotlight from Transparency International UK on money laundering risks in the E-payments sector. I grew up in Fintech 1.0 when E-wallets got their foothold, and I see a lot of reoccurring red flags from yore, but plenty new as well due to the increased complexity of systems and actors. So, grab the report below.
This will be my last roundup for this year and darn what a great year it has been. I’m really looking forward go headfirst into the new year and creating fantastic tools. And, of course, to reconnect with you. So, until 2022, have a great Christmas season!
Want to learn more about what we do at Acuminor? Read about our world for more information, send me a message on LinkedIn or send an email to relations@acuminor.com.
Johan Landström
Co-founder and CISO Acuminor
About Acuminor
The methods used by criminals is constantly evolving and each organisation faces different risks as a result. With help of expertise and powerful technology, Acuminor’s risk analysis platform provides unique insights into threats and risks from money laundering, terrorist financing and sanction violations. This enables you to know your risks and reduce them before it’s too late
