Discover and read the best of Twitter Threads about #Log4J
Most recents (24)
Risk environment in #cyber "complex & getting more complex" @DHS_Policy Rob Silvers tells @BillingtonCyber
State of private-public partnership on #cybersecurity "strong but a lot more work needed" per @DHS_Policy
Says gvt needs to keep showing private sector the value of working w/it & that gvt response on #Log4J & w/#Russia-#Ukraine has made a strong case
Says gvt needs to keep showing private sector the value of working w/it & that gvt response on #Log4J & w/#Russia-#Ukraine has made a strong case
.@DHS_Policy says you rarely see a private sector company get burned in #cyber by being transparent & working w/the gvt
Argues companies more likely to get hurt by not collaborating
Argues companies more likely to get hurt by not collaborating
The CSRB conducted an exhaustive review of the events surrounding the December 2021 disclosure of a vulnerability in #Log4j, which led to one of the most intensive cybersecurity responses in history. Highlights from the report š§µ 1/
#Log4j is one of the most serious software vulnerabilities ever. Itās an endemic vulnerability and unpatched versions will remain in systems for years to come, perhaps a decade or longer. The #Log4j event is not over. Risk remains and network defenders must stay vigilant. 2/
Many companies could not quickly identify where in their environments they had vulnerable code, revealing opportunities to increase software transparency and capacity to respond quickly to newly-discovered vulnerabilities. 3/
I am very proud of this inaugural report from Cyber Safety Review Board (CSRB) on the #Log4j incident. Grateful for the leadership of our Board Chair @DHS_Policy and Deputy Chair @argvee. Here are the most important highlights from my perspective š§µ
1. CSRB has found NO EVIDENCE of any malicious exploitation of vulnerability prior to the December 9th public disclosure of the vulnerability. This is important since there was speculation about whether China or any other country may have had early knowledge and exploited the bug
Public reporting prior to our investigation had indicated the opposite, so it was important for us to try to get to the bottom of this issue
Today the Cyber Safety Review Board is proud to release its first-ever report on the #Log4j vulnerability. Learn more ā¬ļø cisa.gov/sites/default/ā¦ 
The CSRB is a ground-breaking public-private partnership. Never before have industry and government #cyber leaders come together in this way to review serious incidents, identify what happened & advise the entire community on how we can do better in the future.
Directed by @POTUS in his EO on Improving the Nationās Cybersecurity, @SecMayorkas launched the CSRB. Iām proud to serve as Chair alongside Deputy Chair Heather Adkins of Google.
The Most Important PVC in Zero Trust Architecture is People, Also Required for ZTA is the PAM Module in SecHard!
People are one of the most important circle in data security. Research also shows that the vast majority of data leaks result from abuse of employee privileges.
People are one of the most important circle in data security. Research also shows that the vast majority of data leaks result from abuse of employee privileges.
What Threats Might Occur?
Due to the difficulty of identity management, many different types of threats can arise ranging from espionage to ransomware.
Due to the difficulty of identity management, many different types of threats can arise ranging from espionage to ransomware.
Can SecHard Prevent Privilege Abuse?
Unlike a traditional PAM product, SecHard offers a PAM solution that integrates with other PVC areas recommended by the ZTA.
Unlike a traditional PAM product, SecHard offers a PAM solution that integrates with other PVC areas recommended by the ZTA.
Infra/App monitoring Tools-thread šš»
What is monitoring?
The purpose of IT monitoring is to determine how well your IT infrastructure and the underlying components perform in real time. The resolution gets quicker &smarter
#Linux #Monitoing #Security #infosec #ITJobs #Tools
What is monitoring?
The purpose of IT monitoring is to determine how well your IT infrastructure and the underlying components perform in real time. The resolution gets quicker &smarter
#Linux #Monitoing #Security #infosec #ITJobs #Tools
Type of monitoring:
1. Availability monitoring:Ā this is designed to provide users with information about uptime and the performance of whatever is being monitored.
2. Application performance management (APM): Using APM solutions, businesses can monitor
1. Availability monitoring:Ā this is designed to provide users with information about uptime and the performance of whatever is being monitored.
2. Application performance management (APM): Using APM solutions, businesses can monitor
whether their IT environment meets performance standards, identify bugs and potential issues, and provide flawless user experiences via close monitoring of IT resources.
3. Security monitoring:Ā Security monitoring is designed to observe a network for breaches or
3. Security monitoring:Ā Security monitoring is designed to observe a network for breaches or
NEW on #Log4Shell...
Horde of miner bots and backdoors leveraged #Log4J to attack VMware Horizon servers
1/14
Horde of miner bots and backdoors leveraged #Log4J to attack VMware Horizon servers
1/14
In the wake of December 2021 exposure of a remote code execution vulnerability (dubbed āLog4Shellā) in the ubiquitous Log4J Java logging library, we tracked widespread attempts to scan for and exploit the weaknessāparticularly among cryptocurrency mining bots. 2/14
The vulnerability affected hundreds of software products, making it difficult for some organizations to assess their exposure. 3/14
Look, there's been *another* massive banking leak, this one from @CreditSuisse, showing complicity in laundering money for the world's greatest monsters: human traffickers, despots, criminals. They're calling it #SuisseSecrets.
theguardian.com/news/2022/feb/ā¦ 1/
theguardian.com/news/2022/feb/ā¦ 1/
They had to call it that, because #SwissLeaks was already taken, for the 2015 @UBS leaks that revealed UBS's complicity in the same fucking thing. 2/
As @jneiman77 - lawyer for the Credit Suisse whistleblowers - told @theguardian, "How many rogue bankers do you need to have before you start having a rogue bank?" 3/
I had the opportunity to testify yesterday to the Senate Committee on Homeland Security & Governmental Affairs about log4j. A š§µ on the experience.
My prepared statement: hsgac.senate.gov/download/testiā¦
Video of session: hsgac.senate.gov/hearings/respoā¦
My prepared statement: hsgac.senate.gov/download/testiā¦
Video of session: hsgac.senate.gov/hearings/respoā¦
Rocky start. First time wearing suit & tie since covid. Two years of WFH in sweatpants & hoodies hasnāt done me any favors. Realized to my horror the extra lbs meant I couldnāt get the top button of my shirt fastened! Borrowed a safety pin from the front desk and was on my way.
My bag check tag from the hotel seemed a little ominous given I was meeting with the Senate committee responsible for oversight for Homeland Security.
NEW: "At best at the moment we have strategic warning...everyone knows there is a gathering storm" per US National #Cyber Director @ncdinglis, who tells @thecipherbrief summit agencies, private sector need something more
"We need to double down on resilience" per @ncdinglis to be better prepared for or able to avoid the next #Log4j
#Ukraine-#Russia-#Cyber: "We've seen this play before" per @ncdinglis referring to #notpetya
"We have to double down on collaboration...create relationships and muscle memory" to deal w/whatever crisis might unfold, he says
"We have to double down on collaboration...create relationships and muscle memory" to deal w/whatever crisis might unfold, he says
This paragraph implies the global cybersecurity community sometimes *fails* to galvanize the IT community to stamp out a vuln that can kill hospital patients in an operating room.
But there IS a precedent. I will don the oldest hat in cybersecurity #criticism to reveal it...
But there IS a precedent. I will don the oldest hat in cybersecurity #criticism to reveal it...
#thegrugq, who has 121K followers including the CISA Director herself, posted a video on "cyber warfare" the other day confirming cybersecurity's failure to save hospital patients' lives. Cyber MURDERS occur because IT & gov't don't yet care to stop it:
#thegrugq was forced in his video to shrug off the murderous "cases of people at hospitals who have died due to cyber incidents," recognizing that "there's not really a response that can be made to it." He went on to say "until it's a huge big deal, it's sort of ignored."
Happening now-@CISAgov update on #Log4j shell: "This really is the most serious vulnerability I've seen in my career" per Director @CISAJen
Likely present in hundreds of millions of products worldwide, & exploiting vulnerability "trivial" she adds
Likely present in hundreds of millions of products worldwide, & exploiting vulnerability "trivial" she adds
Il se passe quelque chose d'Ʃnorme dans le monde de l'opensource, qui sont des retombƩes de #log4j, je vous explique tout Ƨa dans ce thread:
HĆ©sitez pas Ć RT si ce genre de threads vous plaisent ! Merci !
š
HĆ©sitez pas Ć RT si ce genre de threads vous plaisent ! Merci !
š
Beaucoup de librairies opensource ont commencĆ© Ć dĆ©ployer des versions non fonctionnelles, avec des messages ciblĆ©s envers les 500 fortunes (cf. github.com/Marak/colors.jā¦) ou tout simplement supprimer totalement leur librairie (cf. github.com/marak/Faker.js/)
tout Ƨa est du Ć un mouvement qui commence Ć naitre dans le monde de l'opensource: Les dĆ©veloppeurs de projets OpenSource en ont marre que des grosses boites (top 500 fortunes) utilisent leurs projets opensource sans retour (monĆ©taires ou non d'ailleurs) de leur part.
#Log4j is one of those vulnerabilities that seems ready-made for mass exploitation. Remotely accessible + unauthenticated + widely used + super easy. So where are all the victims? My very firstš§µš
This is like the Fermi paradox, but for #cybersecurity. There *are* victims, and *this is* a serious vulnerability that should be quickly mitigated.
But the seeming ease of exploit + availability of targets appears very disproportionate from known victimization, if judged from press, public and security company reporting. There's a handful of reasons for this. In no particular order:
Daily Bookmarks to GAVNetĀ 12/23/2021 greeneracresvaluenetwork.wordpress.com/2021/12/23/daiā¦
The agglomeration and dispersion dichotomy of human settlements on Earth | Scientific Reports
nature.com/articles/s4159ā¦
#HumanSettlements, #Dispersion, #agglomeration, #SatelliteImagery, #SocialBehavior
nature.com/articles/s4159ā¦
#HumanSettlements, #Dispersion, #agglomeration, #SatelliteImagery, #SocialBehavior
The Week Ahead: Biden's last stand
robertreich.substack.com/p/week-ahead-bā¦
#legislation, #PartisanPolitics, #BuildBackBetter, #FederalFunding, #VoteDelay, #consequences
robertreich.substack.com/p/week-ahead-bā¦
#legislation, #PartisanPolitics, #BuildBackBetter, #FederalFunding, #VoteDelay, #consequences
Thread #log4j
"The āmost seriousā security breach ever is unfolding right now. Hereās what you need to know."
Wondering how this affects #voting machines? Is anyone looking into that?
@rad_atl @VickerySec @kiniry @benniejsmith
via @washingtonpost
washingtonpost.com/technology/202ā¦
"The āmost seriousā security breach ever is unfolding right now. Hereās what you need to know."
Wondering how this affects #voting machines? Is anyone looking into that?
@rad_atl @VickerySec @kiniry @benniejsmith
via @washingtonpost
washingtonpost.com/technology/202ā¦
āThe log4j vulnerability is the most serious vulnerability I have seen in my decades-long career,ā Jen Easterly, U.S. Cybersecurity and Infrastructure Security Agency director, said in a Thursday interview on CNBC.
"#Log4j is a chunk of code that helps software applications keep track of their past activities. Instead of reinventing a āloggingā ā or record-keeping ā component each time developers build new software, they often use existing code like log4j instead. Itās free on the Internet"
NEW on #Log4Shell
Logjam: #Log4j exploit attempts continue in globally distributed scans, attacks
China and Russia, Kinsing miner botnet dominate sources of exploit attempts...
1/16
Logjam: #Log4j exploit attempts continue in globally distributed scans, attacks
China and Russia, Kinsing miner botnet dominate sources of exploit attempts...
1/16
Since the first vulnerability in the Apache Foundationās Log4j logging tool was revealed on December 10, three sets of fixes to the Java library have been released as additional vulnerabilities were uncovered. 2/16
This rapid iteration of fixes has left software developers and organizations worldwide scrambling to assess and mitigate their exposure with nearly daily-changing guidance.
In the meantime, weāve seen attempts to detect or exploit the vulnerability continue non-stop. 3/16
In the meantime, weāve seen attempts to detect or exploit the vulnerability continue non-stop. 3/16
#Log4J Worm is ITW
@vxunderground has a sample of the self propagating worm using log4j as a vector.
It installs a Mirai bot which makes sense to targeting embedded Linux devices
Looks like it uses user-agent for exploitation and modifies the binary before sending (?)
@vxunderground has a sample of the self propagating worm using log4j as a vector.
It installs a Mirai bot which makes sense to targeting embedded Linux devices
Looks like it uses user-agent for exploitation and modifies the binary before sending (?)
From what I can quickly reverse engineer it looks like this malware is targeting mainly Huawei routers
Very very similar to CVE-2017-17215
For reference:
securitynews.sonicwall.com/xmlpost/new-waā¦
Very very similar to CVE-2017-17215
For reference:
securitynews.sonicwall.com/xmlpost/new-waā¦
This variant will quickly get modified and used and repurposed to exploit other hardware and devices.
Welcome to the age of the log4j worms everyone.
šŖµšŖ±
Welcome to the age of the log4j worms everyone.
šŖµšŖ±
Reading about detecting #log4j vuln on the Java platform, which is a highly complex undertaking. Libraries can be found as an extracted archive, .jar archive, .war archive containing .jar files, .ear archive containing .war and .jar files, all depending on the platform (1/11)
Then there is Spring Boot with .jar files containing other .jar files. Long ago you could even have your .jar files in a .zip archive. Guess you can look for these on your file system recursively. With a special class loader Java could load classes from anything... (2/11)
Normally the specific jar file would be named something like log4j-core-{version}.jar, but if the developer decided to re-package log4j with the application the jar file name can be anything. (3/11)
It's been one of the more eventful weeks in cybersecurity history. In my little corner of the world, it went a little something like this... 1/n
The first #log4j / #log4shell blog from #SURGe @splunk splunk.com/en_us/blog/secā¦ was published a week ago with @meansec leading from the front and jump-started by @DrShannon2000 and @jsy9981 2/n
Meanwhile, hundreds of Splunkers worked through last weekend to publish our official advisory. If you take one thing from this thread, it should be this! It's updated frequently and includes details about CVE-2021-45046 and more. splunk.com/en_us/blog/bulā¦ 3/n
The critical vulnerability in Apacheās #Log4j Java-based logging utility (CVE-2021-44248) has been called the āmost critical vulnerability of the last decade.ā
The flaw has forced developers of many software products to push out updates or mitigations to customers. 2/21
The flaw has forced developers of many software products to push out updates or mitigations to customers. 2/21
And Log4jās maintainers have published two new versions since the bug was discoveredāthe second completely eliminating the feature that made the exploit possible in the first place. 3/21
šØ Board members šØ
You may have heard about #Log4j, a critical vulnerability that has the cyber community concerned.
Here's what it is, why people are worried, & questions you need to be asking your IT teams right now:
š (1/19)
You may have heard about #Log4j, a critical vulnerability that has the cyber community concerned.
Here's what it is, why people are worried, & questions you need to be asking your IT teams right now:
š (1/19)
#Log4j is used by developers to keep track of what happens in their software applications.
š Itās a huge journal of the activity of a system or application and is used by developers to keep an eye on any problems.
(2/19)
š Itās a huge journal of the activity of a system or application and is used by developers to keep an eye on any problems.
(2/19)
Last week, versions of #Log4j were found to have a critical vulnerability.
šµļøIf left unfixed, attackers can use it to break into networks and enable malicious activity like stealing data and infecting networks.
(3/19)
šµļøIf left unfixed, attackers can use it to break into networks and enable malicious activity like stealing data and infecting networks.
(3/19)
I've just developed a new regex to detect #log4Shell attack attempts in #log4j. It supports obfuscated payloads using recently discovered bypass words.
If you find new bypasses, please let me know. I'll do my best to keep it up-to-date!
Regex and details in this thread (1/8)
If you find new bypasses, please let me know. I'll do my best to keep it up-to-date!
Regex and details in this thread (1/8)
š Regex:
\${(?i)((\${|}+)?(j|(([^-]*?:)+?'?-?(?1)'?))'?}*)((\${|}+)?(n|(([^-]*?:)+?'?-?(?6)'?))'?}*)((\${|}+)?(d|(([^-]*?:)+?'?-?(?11)'?))'?}*)((\${|}+)?(i|ı|(([^-]*?:)+?'?-?(?16)'?))'?}*)
(2/8)
\${(?i)((\${|}+)?(j|(([^-]*?:)+?'?-?(?1)'?))'?}*)((\${|}+)?(n|(([^-]*?:)+?'?-?(?6)'?))'?}*)((\${|}+)?(d|(([^-]*?:)+?'?-?(?11)'?))'?}*)((\${|}+)?(i|ı|(([^-]*?:)+?'?-?(?16)'?))'?}*)
(2/8)
š” Supported obfuscation methods:
- generic lookup functions (lower, upper, date, ...)
- :- syntax (${X:Y:Z:-VAL})
- random characters in lookup blocks
- random case in lookup blocks
- abrupt termination of lookup block (${lower:})
- ...
(3/8)
- generic lookup functions (lower, upper, date, ...)
- :- syntax (${X:Y:Z:-VAL})
- random characters in lookup blocks
- random case in lookup blocks
- abrupt termination of lookup block (${lower:})
- ...
(3/8)
So kinda like a #log4j attack on democracy itself
Technically a bad analogy mea culpa because passwords would never pass to logs (gulp) but meant to convey a surplus of meaning; certification of votes and whatnot; gunking the logs as a hack if you open an exploit
What is log4j in 3mins
npr.org/2021/12/14/106ā¦
npr.org/2021/12/14/106ā¦
