I’m continuing to read articles that have been sent to my list about Log4J, and I’ll briefly talk about what I’m reading.
Logging system security flaw compromises iCloud, Steam accounts (Ars Technica)
This article talks about the initial report on this explosive vulnerability. Besides podcast 74, which we released yesterday, we’ll be on Throwback Saturday Night for the last hour of their show on the Mix. There is really nothing new within this article, but if you really want the story from the beginning, this may be worth reading.
Hackers launch over 840,000 attacks through Log4J flaw (Ars Technica)
This was covered in the original articles I drew from for podcast 74 of the Security Box. Unfortunately, actors will jump on anything to get their hands into our data, and Clubhouse continues to have rooms about this. I wanted to listen to the weekly news room happening at the time I’m writing, but I can’t listen to it and blog these articles at the same time, so hopefully there’ll be a replay available that I can catch later.
One of the paragraphs in this article doesn’t surprise me at all. It says:
Perpetrators include “Chinese government attackers,” according to Charles Carmakal, chief technology officer of cyber company Mandiant.
Since the Chinese have really been up to no good in my opinion, especially during this pandemic, nothing surprises me in regards to this paragraph.
I want to stress this paragraph which states:
The flaw in Log4J allows attackers to easily gain remote control over computers running apps in Java, a popular programming language.
People may confuse Java and JavaScript, but these are two different languages. JavaScript is a scripting language used in web pages, whereas Java is a general-purpose programming language.
While I understand Apple has put out a patch, this next paragraph might be of interest. It states:
Both CISA and the UK’s National Cyber Security Centre have now issued alerts urging organizations to make upgrades related to the Log4J vulnerability, as experts attempt to assess the fallout. Amazon, Apple, IBM, Microsoft, and Cisco are among those that have rushed to put out fixes, but no severe breaches have been reported publicly so far.
As I’ve heard in rooms, this Apache logging system is in quite a lot of products and services, and this could be with us for quite a while.
Within the podcast, we mentioned our good friend Mirai, and one of the paragraphs within this article talks about other malware out there that is using this flaw. That paragraph says:
According to Check Point, nearly half of all attacks have been conducted by known cyber attackers. These included groups using Tsunami and Mirai—malware that turns devices into botnets, or networks used to launch remotely controlled hacks such as denial of service attacks. It also included groups using XMRig, a software that mines the hard-to-trace digital currency Monero.
So … we’ve got actors using quite a number of old friends in new ways that will haunt this industry.
Also, the article indicates that you can get unlimited access with this vulnerability. Apache has now released two patches to deal with this, and according to what I’ve heard in rooms, it’s been out there since 2013.
The paragraph making that statement says:
The flaw has existed unnoticed since 2013, experts say. Matthew Prince, chief executive of cyber group Cloudflare, said it started to be actively exploited from December 1, although there was no “evidence of mass exploitation until after public disclosure” from Apache the following week.
This is definitely going to get very interesting.
As Log4Shell wreaks havoc, payroll service reports ransomware attack (Ars Technica)
This is unfortunate. While ransomware is on the rise, Log4j is taking hold as an attack vector. The company is not ruling out Log4j as the point of entry, and they’re very clear that this is going to take weeks to resolve. You should at least check this article out, because there may be some similarities, although it is not confirmed whether the entry point for the ransomware was Log4J or not. We can’t forget this attack point.
Patch fixing critical Log4J 0-day has its own vulnerability that’s under exploit (Ars Technica)
As stated, Apache has released two fixes, and this was covered in various Clubhouse rooms. In the room I left to write this post, they mentioned that they’ll keep watching this, as there are people from this industry in that room. They also said that open source software packages and programs are “not secure” anymore after this, and I can see why they are saying that. I’m not about to make that claim, as software like the Twitter clients for the blind on the PC is open source and very safe to use. So, let’s make sure we mention that there may be software that qualifies as not safe, but not all open source software is going to be unsafe.
The article talks about the earlier 2.15 release and what was fixed in 2.16, so please read this if you need to know what is going on.
More Later
I’ll continue to write more as I continue to read more. This is all I’ve read so far as I catch up. Let’s make sure we stay as safe as possible.
I’ll also be blogging some of the news, as we need to be aware of this big-time flaw. Thanks for reading!