ICT Security-Sécurité PC et Internet
87.1K views | +1 today
Follow
ICT Security-Sécurité PC et Internet
Education Technology
ICT Security + Privacy + Piracy + Data Protection - Censorship - Des cours et infos gratuites sur la"Sécurité PC et Internet" pour usage non-commercial... (FR, EN+DE)...
Curated by Gust MEES
Your new post is loading...
Your new post is loading...
Scooped by Gust MEES
Scoop.it!

Log4j vulnerability: Infosec industry goes to red alert • The Register

From www.theregister.com - December 13, 2021 6:14 PM

Miscreants are wasting no time in using the widespread Log4j vulnerability to compromise systems, with waves and waves of live exploit attempts focused mainly – for now – on turning infected devices into cryptocurrency-mining botnet drones.

Israel's Check Point said this morning it was seeing around 100 exploit attempts every minute, going into further detail in a blog post.

Apache Log4j is a logging utility written in Java that is used all over the world in many software packages and online systems. Last week it emerged that Alibaba security engineer Chen Zhaojun had found and privately disclosed on November 24 details of a trivial-to-exploit remote code execution hole (CVE-2021-44228) in Log4j 2.x, specifically versions 2.14.1 and earlier.

Exploitation is possible by feeding a specially crafted snippet of text, such as a message or username, to an application that logs this information using Log4j 2.

 

Learn more / En savoir plus / Mehr erfahren: 

 

https://www.scoop.it/topic/securite-pc-et-internet

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Log4j

 

Gust MEES's insight:

Miscreants are wasting no time in using the widespread Log4j vulnerability to compromise systems, with waves and waves of live exploit attempts focused mainly – for now – on turning infected devices into cryptocurrency-mining botnet drones.

Israel's Check Point said this morning it was seeing around 100 exploit attempts every minute, going into further detail in a blog post.

Apache Log4j is a logging utility written in Java that is used all over the world in many software packages and online systems. Last week it emerged that Alibaba security engineer Chen Zhaojun had found and privately disclosed on November 24 details of a trivial-to-exploit remote code execution hole (CVE-2021-44228) in Log4j 2.x, specifically versions 2.14.1 and earlier.

Exploitation is possible by feeding a specially crafted snippet of text, such as a message or username, to an application that logs this information using Log4j 2.

 

Learn more / En savoir plus / Mehr erfahren: 

 

https://www.scoop.it/topic/securite-pc-et-internet

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Log4j

 

more...
No comment yet.
Sign up to comment
Scooped by Gust MEES
Scoop.it!

Log4j update: Experts say log4shell exploits will persist for 'months if not years' | #CyberSecurity

Log4j update: Experts say log4shell exploits will persist for 'months if not years' | #CyberSecurity | ICT Security-Sécurité PC et Internet | Scoop.it
From www.zdnet.com - December 13, 2021 6:09 PM

Cybersecurity experts believe CVE-2021-44228, a remote code execution flaw in Log4j, will take months, if not years, to address due its ubiquity and ease of exploitation.

Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, said Log4Shell "now firmly belongs in the same conversation as Shellshock, Heartbleed, and EternalBlue." 

"Attackers began by almost immediately leveraging the bug for illegal crypto mining, or using legitimate computing resources on the Internet to generate cryptocurrency for financial profit... Further exploitation appears to have pivoted towards theft of private information," Povolny told ZDNet.

"We fully expect to see an evolution of attacks."

 

Learn more / En savoir plus / Mehr erfahren: 

 

https://www.scoop.it/topic/securite-pc-et-internet

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Log4j

 

 

 

Gust MEES's insight:

Cybersecurity experts believe CVE-2021-44228, a remote code execution flaw in Log4j, will take months, if not years, to address due its ubiquity and ease of exploitation.

Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, said Log4Shell "now firmly belongs in the same conversation as Shellshock, Heartbleed, and EternalBlue." 

"Attackers began by almost immediately leveraging the bug for illegal crypto mining, or using legitimate computing resources on the Internet to generate cryptocurrency for financial profit... Further exploitation appears to have pivoted towards theft of private information," Povolny told ZDNet.

"We fully expect to see an evolution of attacks."

 

Learn more / En savoir plus / Mehr erfahren: 

 

https://www.scoop.it/topic/securite-pc-et-internet

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Log4j

 

 

 

more...
No comment yet.
Sign up to comment
About Follow us Resources Terms Mobile Features
Facebook
X
LinkedIn