Discover and read the best of Twitter Threads about #log4j

Most recent (24)

Risk environment in #cyber "complex & getting more complex" @DHS_Policy Rob Silvers tells @BillingtonCyber
State of private-public partnership on #cybersecurity "strong but a lot more work needed" per @DHS_Policy

Says gvt needs to keep showing private sector the value of working w/it & that gvt response on #Log4J & w/#Russia-#Ukraine has made a strong case
.@DHS_Policy says you rarely see a private sector company get burned in #cyber by being transparent & working w/the gvt

Argues companies more likely to get hurt by not collaborating
Read 4 tweets
The CSRB conducted an exhaustive review of the events surrounding the December 2021 disclosure of a vulnerability in #Log4j, which led to one of the most intensive cybersecurity responses in history. Highlights from the report 🧵 1/
#Log4j is one of the most serious software vulnerabilities ever. It’s an endemic vulnerability and unpatched versions will remain in systems for years to come, perhaps a decade or longer. The #Log4j event is not over. Risk remains and network defenders must stay vigilant. 2/
Many companies could not quickly identify where in their environments they had vulnerable code, revealing opportunities to increase software transparency and capacity to respond quickly to newly-discovered vulnerabilities. 3/
Read 7 tweets
I am very proud of this inaugural report from Cyber Safety Review Board (CSRB) on the #Log4j incident. Grateful for the leadership of our Board Chair @DHS_Policy and Deputy Chair @argvee. Here are the most important highlights from my perspective 🧵
1. CSRB has found NO EVIDENCE of any malicious exploitation of vulnerability prior to the December 9th public disclosure of the vulnerability. This is important since there was speculation about whether China or any other country may have had early knowledge and exploited the bug
Public reporting prior to our investigation had indicated the opposite, so it was important for us to try to get to the bottom of this issue
Read 14 tweets
Today the Cyber Safety Review Board is proud to release its first-ever report on the #Log4j vulnerability. Learn more ⬇️ cisa.gov/sites/default/…
The CSRB is a ground-breaking public-private partnership. Never before have industry and government #cyber leaders come together in this way to review serious incidents, identify what happened & advise the entire community on how we can do better in the future.
Directed by @POTUS in his EO on Improving the Nation’s Cybersecurity, @SecMayorkas launched the CSRB. I’m proud to serve as Chair alongside Deputy Chair Heather Adkins of Google.
Read 7 tweets
The Most Important PVC in Zero Trust Architecture is People, Also Required for ZTA is the PAM Module in SecHard!

People are one of the most important circles in data security. Research also shows that the vast majority of data leaks result from abuse of employee privileges.
What Threats Might Occur?

Due to the difficulty of identity management, many different types of threats can arise ranging from espionage to ransomware.
Can SecHard Prevent Privilege Abuse?

Unlike a traditional PAM product, SecHard offers a PAM solution that integrates with other PVC areas recommended by the ZTA.
Read 5 tweets
Infra/App monitoring Tools-thread 👇🏻

What is monitoring?

The purpose of IT monitoring is to determine how well your IT infrastructure and the underlying components perform in real time. The resolution gets quicker & smarter

#Linux #Monitoring #Security #infosec #ITJobs #Tools
Type of monitoring:

1. Availability monitoring: this is designed to provide users with information about uptime and the performance of whatever is being monitored.

2. Application performance management (APM): Using APM solutions, businesses can monitor whether their IT environment meets performance standards, identify bugs and potential issues, and provide flawless user experiences via close monitoring of IT resources.

3. Security monitoring: Security monitoring is designed to observe a network for breaches or
Read 7 tweets
NEW on #Log4Shell...

Horde of miner bots and backdoors leveraged #Log4J to attack VMware Horizon servers

1/14
In the wake of December 2021 exposure of a remote code execution vulnerability (dubbed “Log4Shell”) in the ubiquitous Log4J Java logging library, we tracked widespread attempts to scan for and exploit the weakness—particularly among cryptocurrency mining bots. 2/14
The vulnerability affected hundreds of software products, making it difficult for some organizations to assess their exposure. 3/14
Read 14 tweets
Look, there's been *another* massive banking leak, this one from @CreditSuisse, showing complicity in laundering money for the world's greatest monsters: human traffickers, despots, criminals. They're calling it #SuisseSecrets.

theguardian.com/news/2022/feb/… 1/
They had to call it that, because #SwissLeaks was already taken, for the 2015 @UBS leaks that revealed UBS's complicity in the same fucking thing. 2/
As @jneiman77 - lawyer for the Credit Suisse whistleblowers - told @theguardian, "How many rogue bankers do you need to have before you start having a rogue bank?" 3/
Read 27 tweets
I had the opportunity to testify yesterday to the Senate Committee on Homeland Security & Governmental Affairs about log4j. A 🧵 on the experience.

My prepared statement: hsgac.senate.gov/download/testi…

Video of session: hsgac.senate.gov/hearings/respo…
Rocky start. First time wearing suit & tie since covid. Two years of WFH in sweatpants & hoodies hasn’t done me any favors. Realized to my horror the extra lbs meant I couldn’t get the top button of my shirt fastened! Borrowed a safety pin from the front desk and was on my way.
My bag check tag from the hotel seemed a little ominous given I was meeting with the Senate committee responsible for oversight for Homeland Security.
Read 24 tweets
NEW: "At best at the moment we have strategic warning...everyone knows there is a gathering storm" per US National #Cyber Director @ncdinglis, who tells @thecipherbrief summit agencies, private sector need something more
"We need to double down on resilience" per @ncdinglis to be better prepared for or able to avoid the next #Log4j
#Ukraine-#Russia-#Cyber: "We've seen this play before" per @ncdinglis referring to #notpetya

"We have to double down on collaboration...create relationships and muscle memory" to deal w/whatever crisis might unfold, he says
Read 4 tweets
This paragraph implies the global cybersecurity community sometimes *fails* to galvanize the IT community to stamp out a vuln that can kill hospital patients in an operating room.

But there IS a precedent. I will don the oldest hat in cybersecurity #criticism to reveal it...
#thegrugq, who has 121K followers including the CISA Director herself, posted a video on "cyber warfare" the other day confirming cybersecurity's failure to save hospital patients' lives. Cyber MURDERS occur because IT & gov't don't yet care to stop it:
#thegrugq was forced in his video to shrug off the murderous "cases of people at hospitals who have died due to cyber incidents," recognizing that "there's not really a response that can be made to it." He went on to say "until it's a huge big deal, it's sort of ignored."
Read 4 tweets
Happening now-@CISAgov update on #Log4j shell: "This really is the most serious vulnerability I've seen in my career" per Director @CISAJen

Likely present in hundreds of millions of products worldwide, & exploiting vulnerability "trivial" she adds
"We have seen widespread exploitation" by criminal actors & seen some reports of more significant activity, per @CISAJen

But @CISAgov cannot independently confirm some reported use/exploitation by foreign adversaries
.@CISAgov continues to push for remediation and strengthening security protocols as it leads US response, per @CISAJen

CISA's webpage with guidance has already gotten 330,000 page views since it was stood up almost a month ago

Another tool downloaded @ 4,000 times
Read 11 tweets
Something huge is happening in the open-source world, as fallout from #log4j; I'll explain it all in this thread:

Don't hesitate to RT if you like this kind of thread! Thanks!
👇
Many open-source libraries have started shipping non-functional versions, with messages aimed at the Fortune 500 (cf. github.com/Marak/colors.j…) or have simply deleted their library entirely (cf. github.com/marak/Faker.js/)
All of this is due to a movement that is starting to emerge in the open-source world: open-source project developers are fed up with big companies (the Fortune 500) using their open-source projects without giving anything back (monetary or otherwise).
Read 11 tweets
#Log4j is one of those vulnerabilities that seems ready-made for mass exploitation. Remotely accessible + unauthenticated + widely used + super easy. So where are all the victims? My very first🧵😉
This is like the Fermi paradox, but for #cybersecurity. There *are* victims, and *this is* a serious vulnerability that should be quickly mitigated.
But the seeming ease of exploit + availability of targets appears very disproportionate from known victimization, if judged from press, public and security company reporting. There's a handful of reasons for this. In no particular order:
Read 11 tweets
Thread #log4j
"The ‘most serious’ security breach ever is unfolding right now. Here’s what you need to know."

Wondering how this affects #voting machines? Is anyone looking into that?
@rad_atl @VickerySec @kiniry @benniejsmith

via @washingtonpost
washingtonpost.com/technology/202…
“The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career,” Jen Easterly, U.S. Cybersecurity and Infrastructure Security Agency director, said in a Thursday interview on CNBC.
"#Log4j is a chunk of code that helps software applications keep track of their past activities. Instead of reinventing a “logging” — or record-keeping — component each time developers build new software, they often use existing code like log4j instead. It’s free on the Internet"
Read 14 tweets
NEW on #Log4Shell

Logjam: #Log4j exploit attempts continue in globally distributed scans, attacks

China and Russia, Kinsing miner botnet dominate sources of exploit attempts...

1/16
Since the first vulnerability in the Apache Foundation’s Log4j logging tool was revealed on December 10, three sets of fixes to the Java library have been released as additional vulnerabilities were uncovered. 2/16
This rapid iteration of fixes has left software developers and organizations worldwide scrambling to assess and mitigate their exposure with nearly daily-changing guidance.

In the meantime, we’ve seen attempts to detect or exploit the vulnerability continue non-stop. 3/16
Read 16 tweets
#Log4J Worm is ITW

@vxunderground has a sample of the self-propagating worm using log4j as a vector.

It installs a Mirai bot, which makes sense for targeting embedded Linux devices

Looks like it uses user-agent for exploitation and modifies the binary before sending (?)
From what I can quickly reverse engineer it looks like this malware is targeting mainly Huawei routers

Very very similar to CVE-2017-17215

For reference:

securitynews.sonicwall.com/xmlpost/new-wa…
This variant will quickly get modified and used and repurposed to exploit other hardware and devices.

Welcome to the age of the log4j worms everyone.

🪵🪱
Read 9 tweets
Reading about detecting #log4j vuln on the Java platform, which is a highly complex undertaking. Libraries can be found as an extracted archive, .jar archive, .war archive containing .jar files, .ear archive containing .war and .jar files, all depending on the platform (1/11)
Then there is Spring Boot with .jar files containing other .jar files. Long ago you could even have your .jar files in a .zip archive. Guess you can look for these on your file system recursively. With a special class loader Java could load classes from anything... (2/11)
Normally the specific jar file would be named something like log4j-core-{version}.jar, but if the developer decided to re-package log4j with the application the jar file name can be anything. (3/11)
Read 11 tweets
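As an added example (not from the thread above, and not a vendor tool), the Python scanner below walks nested archives the way the thread describes: every .jar/.war/.ear/.zip member is opened in memory and recursed into, so a Spring Boot fat jar, a .war inside an .ear, or a log4j-core re-packaged under some other file name is found by the JndiLookup class it contains rather than by its file name. The version is read from the Maven pom.properties that log4j-core jars carry. The sample archive built by build_sample() is constructed for the demo. Only Log4j 2 is covered (Log4j 1.x lives under the org/apache/log4j package), and because every log4j-core 2.x release ships JndiLookup.class, the reported version is what decides exposure; the class check only tells you log4j-core is present.

```python
"""Find Log4j 2 JndiLookup classes inside nested Java archives and on disk.

Added example, not code from the original thread. Standard library only.
Every zip-like member (.jar/.war/.ear/.zip) is treated as a nested archive,
so fat jars and renamed or re-packaged jars are covered. The class path and
pom.properties path are those of real log4j-core releases; the archive
produced by build_sample() is a constructed fixture.
"""
import io
import os
import zipfile

# The lookup class that makes ${jndi:...} resolvable. Every log4j-core 2.x
# release ships it, so its presence identifies log4j-core; the version tells
# you whether that copy is exposed.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(props_bytes):
    """Pull the version= line out of a Maven pom.properties file."""
    for line in props_bytes.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_archive_bytes(data, label):
    """Return [(label_chain, version)] for every archive, at any nesting depth,
    that contains JndiLookup.class. The chain reads like
    app.ear!lib/app.war!WEB-INF/lib/vendor.jar and ignores the jar's name."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip: a stray .jar extension or a corrupt file
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names:
            version = _version_from_pom(zf.read(POM_PROPS)) if POM_PROPS in names else "unknown"
            hits.append((label, version))
        for member in names:
            if member.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(scan_archive_bytes(zf.read(member), label + "!" + member))
    return hits


def scan_directory(root):
    """Walk a filesystem tree: scan every archive, and also catch an exploded
    (unzipped) log4j-core whose JndiLookup.class sits directly on disk."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                with open(full, "rb") as fh:
                    hits.extend(scan_archive_bytes(fh.read(), full))
            elif full.replace(os.sep, "/").endswith(JNDI_LOOKUP):
                hits.append((full, "unknown (extracted)"))
    return hits


def build_sample():
    """Constructed fixture: an .ear holding a .war holding a renamed log4j-core
    (vendor-logging.jar) whose pom.properties says version 2.14.1."""
    def zip_bytes(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in members.items():
                zf.writestr(name, content)
        return buf.getvalue()

    inner_jar = zip_bytes({JNDI_LOOKUP: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.14.1\n"})
    war = zip_bytes({"WEB-INF/lib/vendor-logging.jar": inner_jar, "WEB-INF/web.xml": b"<web-app/>"})
    return zip_bytes({"lib/app.war": war, "META-INF/application.xml": b"<application/>"})


if __name__ == "__main__":
    for chain, version in scan_archive_bytes(build_sample(), "app.ear"):
        print(f"{chain}: log4j-core {version}")
```

Point scan_directory() at an application root (for example /opt/app) to get the same chain-style report for real files. It will not see classes that a custom class loader pulls from a database or the network, which is the remaining gap the thread warns about; for those you need to inspect the running JVM rather than the disk.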
It's been one of the more eventful weeks in cybersecurity history. In my little corner of the world, it went a little something like this... 1/n
The first #log4j / #log4shell blog from #SURGe @splunk splunk.com/en_us/blog/sec… was published a week ago with @meansec leading from the front and jump-started by @DrShannon2000 and @jsy9981 2/n
Meanwhile, hundreds of Splunkers worked through last weekend to publish our official advisory. If you take one thing from this thread, it should be this! It's updated frequently and includes details about CVE-2021-45046 and more. splunk.com/en_us/blog/bul… 3/n
Read 28 tweets
NEW on #Log4Shell...

Inside the code: How the Log4Shell exploit works

1/21
The critical vulnerability in Apache’s #Log4j Java-based logging utility (CVE-2021-44248) has been called the “most critical vulnerability of the last decade.”

The flaw has forced developers of many software products to push out updates or mitigations to customers. 2/21
And Log4j’s maintainers have published two new versions since the bug was discovered—the second completely eliminating the feature that made the exploit possible in the first place. 3/21
Read 21 tweets
🚨 Board members 🚨

You may have heard about #Log4j, a critical vulnerability that has the cyber community concerned.

Here's what it is, why people are worried, & questions you need to be asking your IT teams right now:

📖 (1/19)
#Log4j is used by developers to keep track of what happens in their software applications.

📒 It’s a huge journal of the activity of a system or application and is used by developers to keep an eye on any problems.

(2/19)
Last week, versions of #Log4j were found to have a critical vulnerability.

🕵️If left unfixed, attackers can use it to break into networks and enable malicious activity like stealing data and infecting networks.

(3/19)
Read 19 tweets
I've just developed a new regex to detect #log4Shell attack attempts in #log4j. It supports obfuscated payloads using recently discovered bypass words.

If you find new bypasses, please let me know. I'll do my best to keep it up-to-date!

Regex and details in this thread (1/8)
🔍 Regex:
\${(?i)((\${|}+)?(j|(([^-]*?:)+?'?-?(?1)'?))'?}*)((\${|}+)?(n|(([^-]*?:)+?'?-?(?6)'?))'?}*)((\${|}+)?(d|(([^-]*?:)+?'?-?(?11)'?))'?}*)((\${|}+)?(i|ı|(([^-]*?:)+?'?-?(?16)'?))'?}*)

(2/8)
💡 Supported obfuscation methods:
- generic lookup functions (lower, upper, date, ...)
- :- syntax (${X:Y:Z:-VAL})
- random characters in lookup blocks
- random case in lookup blocks
- abrupt termination of lookup block (${lower:})
- ...

(3/8)
Read 8 tweets
So kinda like a #log4j attack on democracy itself
Technically a bad analogy mea culpa because passwords would never pass to logs (gulp) but meant to convey a surplus of meaning; certification of votes and whatnot; gunking the logs as a hack if you open an exploit
What is log4j in 3mins
npr.org/2021/12/14/106…
Read 4 tweets