Attackers in China Using Open-source Log4j Flaw (axios.com)
A group of Chinese attackers has been using the massive vulnerability in Log4j, a common piece of open-source code, to target a large academic institution, CrowdStrike says. From a report: Experts say hundreds of millions of systems are vulnerable and that attacks based on the flaw are continuing. CrowdStrike said its software observed an attack that exploited the Log4j flaw in software from VMware. The attack came from a China-based group dubbed Aquatic Panda that has been conducting intelligence gathering and industrial espionage, CrowdStrike said. Some security experts, including Cybersecurity and Infrastructure Security Agency (CISA) head Jen Easterly, have called the flaw among the worst they have ever seen.
Attackers _everywhere_ are using it (Score:2, Insightful)
If Chinese attackers started only now, they are late to the game. Seriously, what is it with the stupid headline?
Re: Attackers _everywhere_ are using it (Score:2)
Re: Attackers _everywhere_ are using it (Score:4, Insightful)
Re: Attackers _everywhere_ are using it (Score:1)
Indeed - also enable execInstalledOnly
Re: (Score:2)
Didn't the NSA sit on EternalBlue forever before it got leaked? Thank you so much for WannaCry, I guess.
Re: (Score:1)
Indeed. Too many people are incapable of fact-checking, so "manufacturing consent" works nicely. Numbers on this are apparently that only about 20% of all people can fact-check (if it is made easy for them by providing all the relevant facts and arguments, people that can do independent fact checking are maybe 10%), 65% believe what those around them believe and 15% cannot be reached in any way, they will just stick to their personal delusion no matter what.
You have to admit though that the US still sometim
Sniper Time! (Score:1)
If the gov't doesn't stop it, then it's time for snipers. Give everyone a fair warning, but if a warned group of hackers keeps it up, zammo!
Let's stop tolerating this shit!
Re: (Score:1)
Re: (Score:2)
And who exactly should be shot? Someone blamed China, should we shoot actual Panda bears? Only actual Panda bears that are in water when you shoot them?
Re: (Score:1)
The CIA probably knows who the individual culprits are.
Re: (Score:2)
There is one now! Honing a tool for the next attack! Shoot! Shoot! Shoot!
https://nationalzoo.si.edu/web... [si.edu]
Re: (Score:1)
Maybe USA spooks are working with China spooks to do it, and they have a good time and laugh at the leaders of both countries.
Re: (Score:3)
Someone's clue is missing in action and they have zero idea how sniping and anything else about war and OOTW work.
Stick to vidya games...
Re: (Score:2)
Well, I would be on board with doing that to the utterly stupid Java designers that are really responsible here. And the Managers that hired them. As a bonus, these cretins can actually be identified and they may be identified by the threat. The attackers that now walk through the wide open barn door, not so much.
Re: (Score:2)
It's not Java that's the issue, it's recursively applying format substitution in log4j. You're inevitably going to be logging user input at some point - you shouldn't be trusting strings substituted into log messages. You could write this kind of bug in any language.
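The bug class described in the comment above, as an added example that is not part of the original post and is not Log4j's code: a toy Python logger that resolves `${name}` lookups either over the finished message (the flawed order) or over the developer-written template only. All names, lookup keys and values are constructed for illustration.

```python
import re

# Constructed lookup table standing in for a logger's lookup sources
# (environment, system properties, ...). Names and values are made up.
LOOKUPS = {"app": "billing", "db_password": "s3cr3t-constructed"}

_LOOKUP = re.compile(r"\$\{([^${}]+)\}")


def resolve(text, max_depth=10):
    """Replace ${name} with LOOKUPS[name], repeating until nothing changes."""
    for _ in range(max_depth):
        expanded = _LOOKUP.sub(lambda m: LOOKUPS.get(m.group(1), m.group(0)), text)
        if expanded == text:
            break
        text = expanded
    return text


def fill(template, args):
    """Insert each argument, as a literal string, at the next {} placeholder."""
    parts = template.split("{}")
    out = parts[0]
    for i, part in enumerate(parts[1:]):
        out += (str(args[i]) if i < len(args) else "{}") + part
    return out


def log_vulnerable(template, *args):
    # Flawed order: arguments are merged first, then lookups are resolved over
    # the whole message, so caller-supplied data is interpreted as a lookup.
    return resolve(fill(template, args))


def log_hardened(template, *args):
    # Lookups are resolved only in the developer-written template; arguments
    # are inserted afterwards and never re-scanned.
    return fill(resolve(template), args)


if __name__ == "__main__":
    user_agent = "${db_password}"  # constructed untrusted input
    print(log_vulnerable("[${app}] login from agent {}", user_agent))
    print(log_hardened("[${app}] login from agent {}", user_agent))
```

The hardened variant writes the untrusted string to the log verbatim, which is the behaviour a reviewer should look for whenever a logging or templating layer expands expressions.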
Solarwinds (Score:4)
Funny how when Solarwinds caused about a billion devices including a huge number of hospitals and government institutions to be pwned overnight, the headlines weren't "Attackers worldwide using *closed-source* SAML flaw", were they?
Re: (Score:2)
I thought the SolarWinds hack was done by stealing credentials. That doesn't depend on a flaw, open or closed source.
Did Oracle use Log4j for internal Java JVM/JDK? (Score:1)
Patched since Dec 10 .. (Score:2)