
Log4Shell in Focus | Cyber Intelligence Briefing: 17 December 2021

Joseph Tarraf, Kyle Schwaeble 17 December 2021



The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

This is our final briefing for 2021. Following a two-week break for the festive period, we’ll be back with the next edition on 7 January 2022.

  1. IN FOCUS: Log4Shell. Critical vulnerability with widespread impact disclosed. Urgent action required.
  2. Kronos ransomware attack. The HR giant’s cloud-based services went offline following a cyber-attack.
  3. QR code phishing attacks. New phishing campaign involves the use of QR codes to steal banking credentials.
  4. Put a patch on it. It’s Patch Tuesday and Microsoft reveals 67 flaws have been fixed.

1. IN FOCUS: Log4Shell has widespread impact

A critical vulnerability in Log4j was disclosed on 10 December 2021. Log4j is a widely used logging tool implemented by millions of software products globally. The vulnerability, known as Log4Shell and tracked as CVE-2021-44228, was originally discovered in November 2021 but is thought to have existed since as early as 2013.

Log4Shell is relatively easy to exploit, and doing so can enable an attacker to gain remote control over vulnerable systems. The flaw lies in the way Log4j processes data. At a high level, Log4j does not treat all user input as data and simply log it: an attacker can submit specially crafted text that causes the server running Log4j to load and execute code from a remote source specified by the threat actor.

Because of the large number of products that use Log4j, identifying which systems in your organisation are vulnerable can be extremely challenging. Furthermore, while patches are available, simply updating vulnerable systems may not be sufficient. Threat actors, including ransomware groups, have already started to exploit the vulnerability.


SO WHAT? Organisations should urgently audit their digital estate to identify systems running Log4j. See here for an extensive list of systems that are known to be impacted. All vulnerable systems should be patched immediately. Furthermore, IT and security teams should work to determine whether their organisation has already been compromised and initiate incident response plans if they discover any signs of compromise.

2. Ransomware Attack Hits Kronos

Kronos, a multinational human resources management platform, suffered a ransomware attack last weekend that disrupted its cloud-based services. The outage will likely prevent multiple companies that use the Kronos platform from accessing staff management and payroll processing services for several weeks. Kronos also reported that data belonging to many of its customers was likely accessed by the attackers.


SO WHAT? Organisations should ensure that their business continuity plans consider direct and third-party cyber security risks.

3. Phishing attacks using QR codes to steal banking credentials

A new phishing campaign that leverages QR codes to steal banking credentials has been uncovered in Germany. Instead of including a cleartext URL in the phishing email, the threat actors convince their victims to scan a QR code that ultimately directs them to the attacker's phishing site. This makes it easier for threat actors to bypass some email security controls that scan URLs.


SO WHAT? Organisations should conduct regular cyber awareness training, including on how to identify potential phishing emails. Users should be sceptical of all links to external sites and should only ever enter their credentials into sites that they have visited themselves and not those they have been directed to by a link in an email.

4. Patch Tuesday!

Microsoft’s Patch Tuesday for December has fixed 67 vulnerabilities, including six zero-days. Seven of these are classified as “critical” with the remaining 60 marked as “important”. One of the six zero-days patched is CVE-2021-43890, an actively exploited Windows Installer vulnerability, which has been used by threat actors to deliver various malware variants, including Emotet.


SO WHAT? Patch Tuesday is a vital reminder for businesses to regularly apply patches to ensure good cyber hygiene. Microsoft’s patch updates can always be found here.



To discuss this article or other industry developments, please reach out to one of our experts.

Joseph Tarraf, Managing Director, Cyber Security
Kyle Schwaeble, Senior Analyst

