I have an opinion that I’d love to see become a thing.
Tech firms pay their damn way. This list, and others, show an entire industry that probably spends more on friggin’ giveaways at cons than supporting devs who build their products with open source tool chains. https://t.co/JyfU2fsp9G
— Daniel Cuthbert (@dcuthbert) December 14, 2021
Defenders 🚨 against Log4shell
I have been working with @CISAgov to produce a validated list of third party products using vulnerable Log4j
✅ find out your exposure and how to fix it
✅ This is work in progress
✅ Bookmark and track situation changes https://t.co/iQNJYsRQVC
— Kevin Beaumont (@GossiTheDog) December 14, 2021
We’re working closely with our public and private sector partners to address a critical vulnerability affecting the Apache log4j #software library. This vulnerability is being widely exploited by threat actors and presents an urgent challenge to patch: https://t.co/utbcDZBtPv
— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 13, 2021
This is another mitigation people are putting in - but it depends on a recent version of Log4j to work.
There’s a lot of placebo effect mitigations happening with Log4Shell, sadly. Even some vendors have issued mitigations that don’t actually work. https://t.co/6Fv5KzkeYJ
— Kevin Beaumont (@GossiTheDog) December 13, 2021
CISA recommends 3 immediate actions:
1⃣ Enumerate internet-facing endpoints that use Log4j.
2⃣ Ensure your #SOC is actioning every alert on devices that fall into the category above.
3⃣ Install a web application firewall that automatically updates.
— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 13, 2021
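Step 1 above (enumerating what actually uses Log4j) is harder than it sounds because log4j-core is usually buried inside application archives. The following is an added defender-side inventory check, not code from any of the tweets: it opens jar/war/ear files, recurses into archives nested inside them (Spring Boot and similar fat jars), reads the log4j-core version from the Maven pom.properties that the jar ships with, and flags whether JndiLookup.class is present. The entry paths are log4j-core's own public layout; the fat jar used as input is constructed inline for the demonstration.

```python
import io
import os
import zipfile

# Entry paths from log4j-core's public jar layout: the JNDI lookup class and Maven metadata
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def inspect_jar(data, name):
    """Return [(archive, log4j-core version, JndiLookup present)], recursing into nested jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version or JNDI_CLASS in names:
            findings.append((name, version, JNDI_CLASS in names))
        # Fat jars, WARs and EARs bundle log4j-core as a nested archive; walk into them
        for entry in names:
            if entry.endswith((".jar", ".war", ".ear")):
                findings.extend(inspect_jar(zf.read(entry), name + "!" + entry))
    return findings

def scan_directory(root):
    """Walk root and collect findings for every archive that bundles log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(inspect_jar(fh.read(), path))
    return findings

def make_sample_fat_jar(version):
    """Constructed test input: a Spring-Boot-style fat jar nesting a minimal fake log4j-core."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "version=%s\n" % version)
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-%s.jar" % version, inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for archive, ver, jndi in inspect_jar(make_sample_fat_jar("2.14.1"), "app.jar"):
        print(archive, "log4j-core", ver, "JndiLookup present:", jndi)
```

Run `scan_directory("/opt/myapp")` against a real deployment tree to get the same tuples for every bundled copy; a version reported alongside a present JndiLookup.class is the one to chase, and a copy with no Maven metadata still shows up via the class entry.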
Hard to overstate the severity of the Apache Log4j vulnerability being exploited across critical and industry systems as we speak.
CISA Director @CISAJen “one of the most serious I’ve seen in my entire career, if not the most serious.”
— Nicole Perlroth (@nicoleperlroth) December 14, 2021
Good aggregated list of updates from companies and the affect on them from #log4j vulnerability. Exactly the value add that @CISAJen and team should be providing to the world!
Would encourage you to join forces with @GossiTheDog and merge his list in! https://t.co/T8W01PJCdD
— Dmitri Alperovitch (@DAlperovitch) December 14, 2021
What percentage of Java software can’t be patched because the companies that developed it have lost the source code?
— Matthew Green (@matthew_d_green) December 13, 2021
Bad news for web3 enthusiasts, confirmed successful coin miner attacks using the Log4j vulnerability.
Attackers are also dropping:
• Khonsari, new ransomware targeting Windows.
• Orcus, a remote access Trojan.
• Reverse bash shells for future attacks.
(Per @Bitdefender) https://t.co/7LWg41mWND
— Nicole Perlroth (@nicoleperlroth) December 14, 2021
Just added support to LDAP Serialized Payloads in the JNDI-Exploit-Kit. This attack path works in *ANY* java version as long the classes used in the Serialized payload are in the application classpath. Do not rely on your java version being up-to-date and update your log4j ASAP! pic.twitter.com/z3B2UolisR
— Márcio Almeida (@marcioalm) December 13, 2021
This is such a bad look for a vendor that keeps time and processes payroll. Kronos hit with ransomware, warns of data breach and 'several week' outage https://t.co/bafTjxcZZQ via @ZDNet & @jgreigj https://t.co/tRVBZzZ5xR and community link. https://t.co/i9h4xOeLIe
— Larry Dignan (@ldignan) December 13, 2021
What happened?: On Dec. 10th, an acute remote code execution vulnerability was reported in the #Apache logging package Log4j 2 versions 2.14.1. Exploiting this vulnerability allows threat actors to control #java-based web servers and launch #RCE attacks: https://t.co/sE5OvYJrTN pic.twitter.com/c0Gs0Xs0pe
— Check Point Software (@CheckPointSW) December 14, 2021
Mad props to Chen Zhaojun of Alibaba Cloud Security for responsibly disclosing the #log4j vulnerability in private directly to the log4j developers, so that a patch to log4j was released by December 6th, several days before the vulnerability went public.
— Talia Ringer (@TaliaRinger) December 12, 2021
#CISA created a webpage called Apache #Log4j Vulnerability Guidance and will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j flaw. https://t.co/5RllGpaisf
— Lindsey O'Donnell Welch (@LindseyOD123) December 14, 2021
Further to the recent vulnerability announcement https://t.co/0z74LyiOxL
Kappture does not use the 3rd party log4j library in its products. There is no action required by Kappture or any of its clients. #Hospitality #Tech #Security #CISA #log4j pic.twitter.com/O9kNsIqkP7
— KAPPTURE (@Kappture1) December 14, 2021
Attackers Target #log4j to Drop #ransomware, Web Shells, #Backdoors
— 𝔸𝕞𝕚𝕥𝕒𝕧 𝔹𝕙𝕒𝕥𝕥𝕒𝕔𝕙𝕒𝕣𝕛𝕖𝕖 (@bamitav) December 15, 2021