Microsoft and cybersecurity company Mandiant say hacking groups linked to China, Iran, North Korea, and Turkey are exploiting the Log4j flaw
Researchers call it one of the most dire cybersecurity threats to emerge in years, one that could enable devastating attacks
Wall Street Journal
Related Coverage
- Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation Microsoft Security Blog
- View article VentureBeat
- View article CRN
- View article HackRead
- View article The OSIRIS Codex
- Professionals Flustered over Log4j Vulnerability; Meta's Review Board Intervenes to Control Misinformation ExchangeWire.com · Zara Briggs
- Log4Shell attacks expand to nation-state groups from China, Iran, North Korea, and Turkey The Record · Catalin Cimpanu
- Chinese, Iranian State Hackers Exploiting Log4j Flaw: Mandiant SecurityWeek · Mike Lennon
- Log4j mitigation advice for Microsoft security and IT admins CSO · Susan Bradley
- U.S. warns new software flaw leaves millions of computers vulnerable NBC News · Kevin Collier
- Problematic Log4j Functionality Disabled as More Security Issues Come to Light SecurityWeek · Eduard Kovacs
- Log4j software bug could cause ‘incalculable’ damage: What you need to know CNET · Bree Fowler
- Apache Log4j Vulnerability Guidance CISA
- CISA Log4j (CVE-2021-44228) Vulnerability Guidance GitHub · Cisagov
- Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) LunaSec Blog · Chris Thompson
- CVE-2021-45046 — Learn more at National Vulnerability Database (NVD) cve.mitre.org
- EXPLAINER: The security flaw that's freaked out the internet Associated Press · Frank Bajak
- Log4j flaw: Now state-backed hackers are using bug as part of attacks, warns Microsoft ZDNet · Liam Tung
- CISA orders federal agencies to patch Log4Shell by December 24th BleepingComputer · Sergiu Gatlan
- Here We Go Again: Second Log4j Flaw Surfaces Security Boulevard · Teri Robinson
- CISA probes scope, potential fallout of Log4j vulnerability CyberScoop · Tim Starks
- Working With Vendors to Address the Apache Log4j 2 Library Vulnerability OneTrust · Bri Smith
- Second security flaw found in Log4Shell software — what this means for you Tom's Guide · Paul Wagenseil
- Log4j overview related software GitHub · Ncsc-Nl
- Technical Advisory: Zero-day critical vulnerability in Log4j2 exploited in the wild Business Insights In Virtualization … · Martin Zugec
- Hackers launch more than 1.2m attacks through Log4J flaw Financial Times · Hannah Murphy
- Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released The Hacker News · Ravie Lakshmanan
- How to Automatically Mitigate Log4Shell via a Live Patch (CVE-2021-44228 + CVE-2021-45046) LunaSec Blog
- Massive open-source flaw has put millions of systems at risk Axios · Ina Fried
- Log4Shell Vulnerability: What Security Operations Teams Need to Know Now and How SOAR Can Help You Detect and Respond Security Boulevard · Dan Kaplan
- Log4j could be the most serious security threat ever seen, CISA head warns TechRadar
- Ransomware, Trojans, DDoS Malware and Crypto-Miners Delivered in Log4Shell Attacks SecurityWeek · Eduard Kovacs
- Criminal groups continue to exploit Apache Log4j vulnerability with ransomware and malware SiliconANGLE · Duncan Riley
- New ransomware now being deployed in Log4Shell attacks BleepingComputer · Lawrence Abrams
- Attackers Target Log4J to Drop Ransomware, Web Shells, Backdoors Dark Reading · Jai Vijayan
- Apache takes off, nukes insecure feature at the heart of Log4j from orbit with v2.16 The Register · Gareth Corfield
- Takeaways from the Log4j Log4Shell vulnerability Cloud Monitoring as a Service …
- Log4j Vulnerability Causes Nearly 900K Cyberattacks in Four Days PYMNTS.com
- Second Log4j vulnerability discovered, patch already released ZDNet · Jonathan Greig
- Log4j Vulnerability: The Perfect Holiday Present that Nobody Wants Sucuri Blog · Ben Martin
- Log4j exploits attempted on 44% of corporate networks; ransomware payloads spotted VentureBeat · Kyle Alspach
- Private Internet Access VPN Issues Update to Protect Users Against Apache Log4j/Log4Shell Exploit PIA VPN Blog
- Here's Why The Log4j Security Vulnerability Has CISA Pressing The Panic Button HotHardware.com News · Zak Killian
- First Log4Shell attacks spreading ransomware have been spotted The Record · Catalin Cimpanu
- How to Buy Precious Patching Time as Log4j Exploits Fly Threatpost · Lisa Vaas
- Log4Shell: We Are in So Much Trouble — The open source Java logging library Apache Log4j is used a lot. The New Stack · Steven J. Vaughan-Nichols
- Almost half of networks probed for Log4Shell weaknesses ComputerWeekly.com · Alex Scroxton
- Federal agencies have until Dec. 24 to apply fixes for Log4Shell vulnerability FedScoop · John Hewitt Jones
- Cyber experts express growing alarm over Apache vulnerability The Hill · Maggie Miller
Discussion
-
@dnvolz
Dustin Volz
on x
New: Hackers linked to China and other governments are among an ever-growing assortment of groups seeking to exploit the widespread Log4j vulnerability, according to Microsoft and cyber firms. Chinese APT seen is same that was behind Msft Exchange attack. https://www.wsj.com/...
-
@zackwhittaker
Zack Whittaker
on x
“One of the groups exploiting the security hole in Log4j is the same China-backed group that was linked to a widespread attack on Microsoft Exchange servers earlier this year.” https://www.wsj.com/...
-
@cisagov
@cisagov
on x
CISA recommends 3 immediate actions: 1⃣Enumerate internet-facing endpoints that use Log4j. 2⃣Ensure your #SOC is actioning every alert on devices that fall into the category above. 3⃣Install a web application firewall that automatically updates. 2/2
-
@hackervilela
Vitor Vilela
on x
Yesterday I spent the whole day patching ten different systems and looks like I will have to patch them again 😅 https://twitter.com/...
-
@lunasecio
LunaSec
on x
Here's our analysis and finding of the 2nd log4j vulnerability (CVE-2021-45046). We found this CVE still leaves you vulnerable to #Log4Shell even if you've patched in certain, limited cases. https://www.lunasec.io/...
-
@c_c_krebs
Chris Krebs
on x
New! Looks like @CISAgov's #log4j affected software @github repo is up https://github.com/.... Useful central compilation of products and guidance.
-
@dalperovitch
Dmitri Alperovitch
on x
Good aggregated list of updates from companies and the effect on them from #log4j vulnerability. Exactly the value add that @CISAJen and team should be providing to the world! Would encourage you to join forces with @GossiTheDog and merge his list in! https://github.com/...
-
@caseyjohnellis
Cje
on x
hunting #Log4Shell in products? @CISAgov is maintaining a list of vulnerable/not-vulnerable/fixed/unknown software... submit your PRs! https://github.com/...
-
@gossithedog
Kevin Beaumont
on x
Defenders 🚨 against Log4shell I have been working with @CISAgov to produce a validated list of third party products using vulnerable Log4j ✅ find out your exposure and how to fix it ✅ This is work in progress ✅ Bookmark and track situation changes https://github.com/...
-
@catfish_man
David Smith
on x
“But, rest assured, this will be the sixth time we have upgraded log4j this week, and we have become exceedingly efficient at it” https://twitter.com/...
-
@hhariri
Hadi Hariri
on x
How did the world spend December 2021? Updating software. Constantly. https://cve.mitre.org/...
-
@epro
Emil Protalinski
on x
Translation: We know you're probably already on vacation, but can you pretty please do some bare minimum security before Christmas? https://twitter.com/...
-
@likethecoins
Katie Nickels
on x
It appears there is a *second* Log4J vulnerability that requires another patch. First CVE from last week: https://cve.mitre.org/... New CVE today: https://cve.mitre.org/... https://twitter.com/...
-
@williamturton
William Turton
on x
This list is absolutely mind blowing. I knew log4j affected so many things, but seeing it spelled out like this is crazy https://github.com/...
-
@dcuthbert
Daniel Cuthbert
on x
I have an opinion that I'd love to see become a thing. Tech firms pay their damn way. This list, and others, show an entire industry that probably spends more on friggin' giveaways at cons than supporting devs who build their products with open source tool chains. https://twitter…
-
@nsqe
H. Poteat
on x
Buckle up. This is likely not the last patch we'll need for log4j over the next few days/weeks. Every badguy on the planet is hitting log4j with every creative nonsense imaginable (JNDI injection in Do Not Track headers? Why not!), so if there are holes, they'll be found. https:/…
-
@eastdakota
@eastdakota
on x
Earliest evidence we've found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don't see evidence of mass exploitation until after public disclosure.
-
@cisagov
@cisagov
on x
We're working closely with our public and private sector partners to address a critical vulnerability affecting the Apache log4j #software library. This vulnerability is being widely exploited by threat actors and presents an urgent challenge to patch: https://cisa.gov/... 1/2
-
@kevincollier
Kevin Collier
on x
Super handy resource that really scores the scope of log4j. Hundreds of vulnerable applications named here. https://twitter.com/...
-
@tinkersec
Tinker
on x
I don't care if #Log4J is supposed to be pronounced as Log-Forge... ...I'm still gonna pronounce it as Log-Four-Jay. Same way that Nginx is not Engine-Ex, it's En-Ginx (G pronounced like the G in gif).
-
@taliaringer
Talia Ringer
on x
Mad props to Chen Zhaojun of Alibaba Cloud Security for responsibly disclosing the #log4j vulnerability in private directly to the log4j developers, so that a patch to log4j was released by December 6th, several days before the vulnerability went public.
-
@eastdakota
@eastdakota
on x
@Cloudflare We're seeing over 1,000 attempted exploits of the #Log4J vulnerability per second. Our WAF rules are protecting customers directly, but sanitizing logs helps ensure down-stream log processing isn't impacted. https://blog.cloudflare.com/ ...
-
@tomanthonyseo
Tom Anthony
on x
Interesting Log4j payload I discovered, simply omit the closing brace }, and now you will potentially get a bunch of data exfiltrated to your server until the next } appears in that data. Had it work on a FANG target... https://twitter.com/...
-
@marcioalm
Márcio Almeida
on x
Just added support to LDAP Serialized Payloads in the JNDI-Exploit-Kit. This attack path works in *ANY* java version as long as the classes used in the Serialized payload are in the application classpath. Do not rely on your java version being up-to-date and update your log4j ASAP! …
-
@nicoleperlroth
Nicole Perlroth
on x
Bad news for web3 enthusiasts, confirmed successful coin miner attacks using the Log4j vulnerability. Attackers are also dropping: •Khonsari, new ransomware targeting Windows. •Orcus, a remote access Trojan. •Reverse bash shells for future attacks. (Per @Bitdefender) https://twit…
-
@campuscodi
Catalin Cimpanu
on x
The Dutch National Cyber Security Center (NCSC-NL) has probably the most complete list of software that is (or not) affected by the Log4Shell vulnerability https://github.com/... https://twitter.com/...
-
@checkpointsw
Check Point
on x
What happened?: On Dec. 10th, an acute remote code execution vulnerability was reported in the #Apache logging package Log4j 2 versions 2.14.1. Exploiting this vulnerability allows threat actors to control #java-based web servers and launch #RCE attacks: https://blog.checkpoint.c…
-
@jhaddix
Jason Haddix
on x
If you identify a vendor vulnerable to log4Shell and they are not on this list; make a pull request. You'll save some tears from blue teams and IT all over the world: https://gist.github.com/... Not all heroes wear capes...
-
@nicoleperlroth
Nicole Perlroth
on x
Hard to overstate the severity of the Apache Log4j vulnerability being exploited across critical and industry systems as we speak. CISA Director @CISAJen “one of the most serious I've seen in my entire career, if not the most serious.” https://www.cyberscoop.com/...
-
@eastdakota
Matthew Prince
on x
Yup. And will uniquely linger like a spore. https://twitter.com/...
-
@techjournalist
Sean Kerner
on x
“Some security issues you get are sort of red herrings,” said Gary Gregory, who has worked on the Apache Software Foundation team that maintains #Log4j for nearly a decade. “But this one was, ‘Oh crap.’” #log4shell https://www.bloomberg.com/...
-
@gossithedog
Kevin Beaumont
on x
This is another mitigation people are putting in - but it depends on a recent version of Log4j to work. There's a lot of placebo effect mitigations happening with Log4Shell, sadly. Even some vendors have issued motivations that don't actually work. https://twitter.com/...
-
@soychicka
Random Facts Girl
on x
Who would ever think that a tool with such polished branding could be the weak link in the collapse of teh innerwebs? https://arstechnica.com/... https://twitter.com/...
-
@rover829
Vincent Lee
on x
Bloomberg: The first person to alert members of an open-source software project who frantically worked to fix a fatal flaw in a widely used software tool was a cloud-security team employee at Alibaba. https://twitter.com/...
-
@jamietarabay
Jamie Tarabay
on x
“In the frantic time since the flaw was publicly disclosed, researchers have concluded that the vulnerability had existed in #Log4j since September 2013, apparently unknown to its vast universe of users.” #Apache https://twitter.com/...
-
@matthew_d_green
Matthew Green
on x
Does anyone know how the log4j bug leaked out? Per @TaliaRinger was reported to the project on 12/6 and then was found in the wild a few days later. Coincidence? Leaked disclosure? Found in the wild?
-
@chriseng
Chris Eng
on x
As we were starting to hear over the weekend, updating JVM version is no longer an effective mitigation. Continue focusing on patching the root cause! https://twitter.com/...
-
@matthew_d_green
Matthew Green
on x
What percentage of Java software can't be patched because the companies that developed it have lost the source code?
-
@timstarks
Tim Starks
on x
CISA's recently concluded phone briefing with industry on the Log4j vulnerability sounded some pretty dire notes. Here's what Easterly et al told critical infrastructure folk. https://www.cyberscoop.com/...
-
@tonyajoriley
Tonya Riley
on x
.@timstarks got the inside scoop on CISA's call with industry leaders about #log4j today. CISA is expecting hundreds of millions of devices are likely to be affected. Cannot overstate the seriousness of this. https://www.cyberscoop.com/...