Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
China Security

Attackers in China Using Open-source Log4j Flaw (axios.com) 24

A group of Chinese attackers has been using the massive vulnerability in Log4j, common piece of open-source code, to target a large academic institution, Crowdstrike says. From a report: Experts say hundreds of millions of systems are vulnerable and that attacks based on the flaw are continuing. CrowdStrike said its software observed an attack that exploited the Log4j flaw in software from VMware. The attack came from a China-based group dubbed Aquatic Panda that has been conducting intelligence gathering and industrial espionage, CrowdStrike said. Some security experts, including Cybersecurity and Infrastructure Security Agency (CISA) head Jen Easterly, have called the flaw among the worst they have ever seen.
This discussion has been archived. No new comments can be posted.

Attackers in China Using Open-source Log4j Flaw

Comments Filter:
  • If Chinese attackers started only now, they are late to the game. Seriously, what is it with the stupid headline?

  • If the gov't doesn't stop it, then it's time for snipers. Give everyone a fair warning, but if a warned group of hackers keeps it up, zammo!

    Let's stop tolerating this shit!

    • Russia has shown that polonium works.
    • And who exactly should be shot? Someone blamed China, should we shoot actual Panda bears? Only actual Panda bears that are in water when you shoot them?

    • Someone's clue is missing in action and they have zero idea how sniping and anything else about war and OOTW work.

      Stick to vidya games...

    • by gweihir ( 88907 )

      Well, I would on board with doing that to to the utterly stupid Java designers that are really responsible here. And the Managers that hired them. As a bonus, these cretins can actually be identified and they may be identified by the threat. The attackers that now walk through the wide open barn door, not so much.

      • by _merlin ( 160982 )

        It's not Java that's the issue, it's recursively applying format substitution in log4j. You're inevitably going to be logging user input at some point - you shouldn't be trusting strings substituted into log messages. You could write this kind of bug in any language.

  • by arQon ( 447508 ) on Wednesday December 29, 2021 @06:13PM (#62126459)

    Funny how when Solarwinds caused about a billion devices including a huge number of hospitals and government institutions to be pwned overnight, the headlines weren't "Attackers worldwide using *closed-source* SAML flaw", were they?

    • by _merlin ( 160982 )

      I thought the SolarWinds hack was done by stealing credentials. That's doesn't depend on a flaw, open or closed source.

  • Did Oracle use Log4j for internal Java JVM/JDK and therefore could the whole Java ecosystem be compromised? Asked from Oracle without an answer.
  • Dec 10 [theregister.com]: "The Apache Foundation published a patch for the critical-rated vuln earlier today"

It's been a business doing pleasure with you.

Working...