FTC warns of potential penalties for firms that fail to fix Log4j software flaws

The Federal Trade Commission Tuesday warned companies that if they fail to take action to remedy a major recent software vulnerability in open-source software tool Log4j, there could be legal repercussions. “When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms,” the agency warned. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.” Log4j is ubiquitous in software used throughout the technology industry, and is found in products built by companies including Amazon, Google and Microsoft. The widespread use of such technology has made it difficult to identify potential victims. At the same time, the popularity has made it an easy target for a range of cybercriminals to exploit. The warning shot from the top consumer protection agency comes […]

The post FTC warns of potential penalties for firms that fail to fix Log4j software flaws appeared first on CyberScoop.

Chinese hackers use Log4j exploit to go after academic institution

A Chinese hacking group known for industrial espionage and intelligence collection used a vulnerability in Log4j to go after a large academic institution, researchers at CrowdStrike revealed Wednesday. Threat analysts observed the group attempting to install malware after gaining access using a modified version of a Log4j exploit for VMware Horizon, a virtual workspace technology. CrowdStrike also observed the Chinese hackers trying to harvest credentials for further exploitation. CrowdStrike analysts believe that the group behind the attack, which it is calling “Aquatic Panda,” has likely been active since at least May 2020. Its operations have primarily focused on targets in the telecommunications, technology and government sectors. “Because OverWatch disrupted the attack before AQUATIC PANDA could take action on their objectives, their exact intent is unknown,” Param Singh, vice president of CrowdStrike OverWatch, wrote to CyberScoop in an email. “This adversary, however, is known to use tools to maintain persistence in environments […]

The post Chinese hackers use Log4j exploit to go after academic institution appeared first on CyberScoop.

4 practical strategies for Log4j discovery

For security teams scrambling to secure their organizations against Log4j exploitation, one of the first and most challenging tasks is understanding where Log4j exists within their environment. Without this understanding, any remediation efforts will b…

Log4Shell is a dumpster fire that should have been avoided

On Thursday, December 9, 2021, my young, Minecraft-addicted kids were still completely oblivious of the Log4j vulnerabilities in their favorite game. Then again, so was every cybersecurity professional in the world. That all changed when the Apache Log…

Microsoft Sentinel Launches New Log4j Vulnerability Solution In Public Preview

Microsoft has announced some important updates for Microsoft Sentinel, its scalable cloud-native SIEM tool that provides AI-powered security analytics in enterprise environments. The Redmond giant has launched a new solution in public preview that should help IT Admins to detect Apache Log4j vulnerabilities. Last week, Microsoft acknowledged the emergence of an Apache Log4j vulnerability (CVE-2021-44228) […]

CISA, Five Eyes issue guidance meant to slow Log4Shell attacks

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released Wednesday an advisory offering vendors and affected organizations a detailed guide on how to deal with potential risks to IT and cloud services posed by an exploit in Apache Log4j’s software library. “This joint CSA expands on the previously published guidance by detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities,” the advisory states. The warning was issued alongside the FBI and National Security Agency and the security agencies of Five Eyes intelligence partners Australia, Canada, New Zealand and the United Kingdom. “Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks,” CISA Director Jen Easterly said in a statement. The alert follows previous guidance […]

The post CISA, Five Eyes issue guidance meant to slow Log4Shell attacks appeared first on CyberScoop.

Open-source software holds the key to solving Log4Shell-like problems

Earlier this month, the existence of a critical vulnerability in Apache Log4j 2 was revealed and a PoC for it published. Dubbed Log4Shell, it’s an issue in a logging library for Java applications that is widely used across popular open-source projects …

The Log4j flaw is the latest reminder that quick security fixes are easier said than done

Cybersecurity professionals have spent weeks scrambling to address a bug in a widely used software library that could enable hackers to steal data, launch ransomware attacks or otherwise knock systems offline. The bug, known as Log4Shell, exists in Log4j, an open-source software tool that is used widely in the technology industry. The flaw could allow for attackers, in some cases, to take over vulnerable systems by duping a target into logging code capable of downloading malware hosted elsewhere. Given the ubiquity of the software and the sheer number of vulnerable systems, U.S. cybersecurity officials gave federal agencies until Dec. 23 to evaluate their exposure and take remediation steps, urging private sector entities to do the same. Jen Easterly, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, had previously called the bug perhaps “the most serious” she’d seen in her career. The CISA directive cited “active […]

The post The Log4j flaw is the latest reminder that quick security fixes are easier said than done appeared first on CyberScoop.
