CISA Director Jen Easterly says the Log4j flaw likely affects hundreds of millions of devices and may be the most serious bug she has seen in her career
A vulnerability in a widely used Apache library …

Related coverage:
Ncsc-Nl / GitHub : Log4j overview related software
Kyle Alspach / VentureBeat : Log4j exploits attempted on 44% of corporate networks; ransomware payloads spotted
Hannah Murphy / Financial Times : Hackers launch more than 1.2m attacks through Log4J flaw
LunaSec Blog : How to Automatically Mitigate Log4Shell via a Live Patch (CVE-2021-44228 + CVE-2021-45046)
Ina Fried / Axios : Massive open-source flaw has put millions of systems at risk
Ravie Lakshmanan / The Hacker News : Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released
Dan Kaplan / Security Boulevard : Log4Shell Vulnerability: What Security Operations Teams Need to Know Now and How SOAR Can Help You Detect and Respond
Duncan Riley / SiliconANGLE : Criminal groups continue to exploit Apache Log4j vulnerability with ransomware and malware
TechRadar : Log4j could be the most serious security threat ever seen, CISA head warns
Jai Vijayan / Dark Reading : Attackers Target Log4J to Drop Ransomware, Web Shells, Backdoors
Eduard Kovacs / SecurityWeek : Ransomware, Trojans, DDoS Malware and Crypto-Miners Delivered in Log4Shell Attacks
Gareth Corfield / The Register : Apache takes off, nukes insecure feature at the heart of Log4j from orbit with v2.16
Cloud Monitoring as a Service … : Takeaways from the Log4j Log4Shell vulnerability
PYMNTS.com : Log4j Vulnerability Causes Nearly 900K Cyberattacks in Four Days
Paul Wagenseil / Tom's Guide : Second security flaw found in Log4Shell software — what this means for you
Jonathan Greig / ZDNet : Second Log4j vulnerability discovered, patch already released
Ben Martin / Sucuri Blog : Log4j Vulnerability: The Perfect Holiday Present that Nobody Wants
PIA VPN Blog : Private Internet Access VPN Issues Update to Protect Users Against Apache Log4j/Log4Shell Exploit
Zak Killian / HotHardware.com News : Here's Why The Log4j Security Vulnerability Has CISA Pressing The Panic Button
Catalin Cimpanu / The Record : First Log4Shell attacks spreading ransomware have been spotted
John Hewitt Jones / FedScoop : Federal agencies have until Dec. 24 to apply fixes for Log4Shell vulnerability
Maggie Miller / The Hill : Cyber experts express growing alarm over Apache vulnerability

Tweets:
@eastdakota : Earliest evidence we've found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don't see evidence of mass exploitation until after public disclosure.
@cisagov : We're working closely with our public and private sector partners to address a critical vulnerability affecting the Apache log4j #software library. This vulnerability is being widely exploited by threat actors and presents an urgent challenge to patch: https://cisa.gov/... 1/2
Talia Ringer / @taliaringer : Mad props to Chen Zhaojun of Alibaba Cloud Security for responsibly disclosing the #log4j vulnerability in private directly to the log4j developers, so that a patch to log4j was released by December 6th, several days before the vulnerability went public.
Tinker / @tinkersec : I don't care if #Log4J is supposed to be pronounced as Log-Forge... ...I'm still gonna pronounce it as Log-Four-Jay. Same way that Nginx is not Engine-Ex, it's En-Ginx (G pronounced like the G in gif).
@eastdakota : @Cloudflare We're seeing over 1,000 attempted exploits of the #Log4J vulnerability per second. Our WAF rules are protecting customers directly, but sanitizing logs helps ensure down-stream log processing isn't impacted. https://blog.cloudflare.com/ ...
Tom Anthony / @tomanthonyseo : Interesting Log4j payload I discovered, simply omit the closing brace }, and now you will potentially get a bunch of data exfiltrated to your server until the next } appears in that data. Had it work on a FANG target... https://twitter.com/...
Márcio Almeida / @marcioalm : Just added support to LDAP Serialized Payloads in the JNDI-Exploit-Kit. This attack path works in *ANY* java version as long as the classes used in the Serialized payload are in the application classpath. Do not rely on your java version being up-to-date and update your log4j ASAP! https://twitter.com/...
Kevin Collier / @kevincollier : Super handy resource that really scores the scope of log4j. Hundreds of vulnerable applications named here. https://twitter.com/...
Catalin Cimpanu / @campuscodi : The Dutch National Cyber Security Center (NCSC-NL) has probably the most complete list of software that is (or not) affected by the Log4Shell vulnerability https://github.com/... https://twitter.com/...
Nicole Perlroth / @nicoleperlroth : Bad news for web3 enthusiasts, confirmed successful coin miner attacks using the Log4j vulnerability. Attackers are also dropping:
•Khonsari, new ransomware targeting Windows.
•Orcus, a remote access Trojan.
•Reverse bash shells for future attacks.
(Per @Bitdefender) https://twitter.com/...
Check Point / @checkpointsw : What happened?: On Dec. 10th, an acute remote code execution vulnerability was reported in the #Apache logging package Log4j 2 versions 2.14.1. Exploiting this vulnerability allows threat actors to control #java-based web servers and launch #RCE attacks: https://blog.checkpoint.com/ ... https://twitter.com/...
Jason Haddix / @jhaddix : If you identify a vendor vulnerable to log4Shell and they are not on this list; make a pull request. You'll save some tears from blue teams and IT all over the world: https://gist.github.com/... Not all heroes wear capes...
Nicole Perlroth / @nicoleperlroth : Hard to overstate the severity of the Apache Log4j vulnerability being exploited across critical and industry systems as we speak. CISA Director @CISAJen “one of the most serious I've seen in my entire career, if not the most serious.” https://www.cyberscoop.com/...
Matthew Prince / @eastdakota : Yup. And will uniquely linger like a spore. https://twitter.com/...
Sean Kerner / @techjournalist : “Some security issues you get are sort of red herrings,” said Gary Gregory, who has worked on the Apache Software Foundation team that maintains #Log4j for nearly a decade. “But this one was, ‘Oh crap.’” #log4shell https://www.bloomberg.com/...
Kevin Beaumont / @gossithedog : This is another mitigation people are putting in - but it depends on a recent version of Log4j to work. There's a lot of placebo effect mitigations happening with Log4Shell, sadly. Even some vendors have issued motivations that don't actually work. https://twitter.com/...
Random Facts Girl / @soychicka : Who would ever think that a tool with such polished branding could be the weak link in the collapse of teh innerwebs? https://arstechnica.com/... https://twitter.com/...
Vincent Lee / @rover829 : Bloomberg: The first person to alert members of an open-source software project who frantically worked to fix a fatal flaw in a widely used software tool was a cloud-security team employee at Alibaba. https://twitter.com/...
Matthew Green / @matthew_d_green : Does anyone know how the log4j bug leaked out? Per @TaliaRinger was reported to the project on 12/6 and then was found in the wild a few days later. Coincidence? Leaked disclosure? Found in the wild?
Chris Eng / @chriseng : As we were starting to hear over the weekend, updating JVM version is no longer an effective mitigation. Continue focusing on patching the root cause! https://twitter.com/...
Matthew Green / @matthew_d_green : What percentage of Java software can't be patched because the companies that developed it have lost the source code?
Tim Starks / @timstarks : CISA's recently concluded phone briefing with industry on the Log4j vulnerability sounded some pretty dire notes. Here's what Easterly et al told critical infrastructure folk. https://www.cyberscoop.com/...
Tonya Riley / @tonyajoriley : .@timstarks got the inside scoop on CISA's call with industry leaders about #log4j today. CISA is expecting hundreds of millions of devices are likely to be affected. Cannot overstate the seriousness of this. https://www.cyberscoop.com/...
Kevin Beaumont / @gossithedog : For those who used Java versions as a mitigation (included some security vendors in their advisories): it isn't a mitigation. https://twitter.com/...