Security News

Week in review: Log4Shell updates, Kronos ransomware attack, unused identities threat
2021-12-19 09:00

The Log4j JNDI attack and how to prevent it: The disclosure of the critical Log4Shell vulnerability and the release of first one and then additional PoC exploits has been an unwelcome surprise for the entire information security community, but most of all those who are tasked with keeping enterprise systems and networks secure.

Ransomware hits HR solutions provider Kronos, locking customers out of vital services: The end of the year chaos caused by the revelation of the Log4Shell vulnerability has, for some organizations, been augmented by a ransomware attack on Ultimate Kronos Group, one of the biggest HR and workforce management solutions providers in the US.

Microsoft patches spoofing vulnerability exploited by Emotet: Microsoft has delivered fixes for 67 vulnerabilities, including a spoofing vulnerability actively exploited to deliver Emotet/Trickbot/Bazaloader malware family.

Brand-New Log4Shell Attack Vector Threatens Local Hosts
2021-12-17 17:43

Defenders will once again be busy beavers this weekend: There's an alternative attack vector for the ubiquitous Log4j vulnerability, which relies on a basic JavaScript WebSocket connection to trigger remote code-execution on servers locally, via drive-by compromise. "This newly discovered attack vector means that anyone with a vulnerable Log4j version can be exploited through the path of a listening server on their machine, or local network through browsing to a website, and triggering the vulnerability," researchers said in a Friday note to Threatpost.

S3 Ep63: Log4Shell (what else?) and Apple kernel bugs [Podcast+Transcript]
2021-12-16 17:41

Latest episode - listen now! (Yes, there are plenty of critical things to go along with Log4Shell.)

SAP Kicks Log4Shell Vulnerability Out of 20 Apps
2021-12-15 19:31

SAP has identified 32 apps that are affected by CVE-2021-44228 - the critical vulnerability in the Apache Log4j Java-based logging library that's been under active attack since last week. Thomas Fritsch, an SAP security researcher at enterprise security firm Onapsis, said in his SAP Patch Tuesday writeup that the number of HotNews Notes may seem high, but one of them - #3089831, tagged with a CVSS score of 9.9 - was initially released on SAP's September 2021 Patch Tuesday.

Apache’s Fix for Log4Shell Can Lead to DoS Attacks
2021-12-15 14:04

Last Thursday security researchers began warning that a vulnerability tracked as CVE-2021-44228 in Apache Log4j was under active attack and had the potential, according to many reports, to break the internet. To its credit, Apache hastily released a patch to fix Log4Shell with Log4j version 2.15.0 last Friday.

Log4Shell: A new fix, details of active attacks, and risk mitigation recommendations
2021-12-15 11:32

Due to the extraordinarily widespread use of the open-source Apache Log4j library, the saga of the Log4Shell vulnerability is nowhere near finished. The recent discovery of a second Log4j vulnerability has shown that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

New ransomware now being deployed in Log4Shell attacks
2021-12-14 22:02

The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers. Yesterday, BitDefender reported that they found the first ransomware family being installed directly via Log4Shell exploits.

Apple security updates are out – and not a Log4Shell mention in sight
2021-12-14 19:55

Amongst all the brouhaha about Log4Shell, it's easy to forget all the other updates that surround us. It's also time to check your Apple devices, because Apple just pushed out a slew of its they-arrive-when-they're-ready-and-don't-expect-any-warning security patches.

What the Log4Shell Bug Means for SMBs: Experts Weigh In
2021-12-14 17:54

From there, an attacker can carry out any number of further attacks. What Bad Log4Shell Outcomes Are Possible for SMBs? Ofer Maor, Mitiga CTO: One of the concerns is that a lot of these attacks now will focus on getting initial access only and establishing persistence.

CISA orders federal agencies to patch Log4Shell by December 24th
2021-12-14 14:46

The Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch systems against the critical Log4Shell vulnerability and released mitigation guidance in response to active exploitation. CISA has now created a dedicated page with technical details about the Apache Log4j logging library flaw and patching information for vendors and impacted organizations.