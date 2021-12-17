
Federal agencies ordered to immediately patch systems against Apache vulnerability

By Maggie Miller
The Hill
 6 days ago
Federal agencies on Friday were ordered to immediately investigate and patch systems to prevent exploitation of a massive vulnerability in Apache logging library log4j that has been increasingly used by nations and cybercriminals to target organizations around the world.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive giving agencies until Dec. 23 to identify which software is impacted by log4j and then either deploy patches against these vulnerabilities or remove the impacted software from the network. The agencies must report all impacted software and actions taken to CISA by Dec. 28.

Following these actions, CISA will provide a report in February to the secretary of Homeland Security and to the Office of Management and Budget, and will keep working with partners to help remediate the vulnerability.

“CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the directive reads. “This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”

The vulnerability, first uncovered a week ago, has sent cybersecurity professionals scrambling to address the issue, which has been particularly difficult given that log4j is a fundamental ingredient of much of the software used by major companies.

Nation states have quickly moved to try to take advantage of the situation, with Microsoft and Mandiant reporting earlier this week that Chinese and Iranian hackers had been attempting to exploit the log4j vulnerability.

Exploitation has reached massive levels worldwide, with a spokesperson for Check Point Software telling The Hill Friday that the company had seen 3.8 million attempts to use the vulnerability, more than 100 attempts per moment globally, and that around half of all corporate networks worldwide had been targeted.

“The log4j vulnerabilities pose an unacceptable risk to federal network security,” CISA Director Jen Easterly said in a statement Friday. “CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk.”

Such agencies are certainly at risk, with Anne Neuberger, the deputy national security advisor for Cyber and Emerging Technology, telling Bloomberg Television Thursday that some agencies had been impacted.

Easterly stressed Friday that while the directive only applies to federal agencies, all companies should take similar measures to protect themselves.

“CISA also strongly urges every organization large and small to follow the federal government’s lead and take similar steps to assess their network security and adapt the mitigation measures outlined in our Emergency Directive,” Easterly said. “If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats.”

Edward Hanson
6d ago

Ah, yes .... the digital environment will certainly be the downfall of civilization. That is, unless Biden gets re-elected by some cruel twist of fate. THAT would certainly end our civilization way before digital vulnerability could.

MR GOOD BARE
6d ago

It is a SO software that is added to your phone by hackers.. See our justice system around the US 🇺🇸🇺🇸🇺🇸 have a thing called a sting ray. They can take control of anyone's phone with it a you better believe this one.. They know everything about just about everyone who has a phone..

MR GOOD BARE
6d ago

I know and have seen this one's name, it is a phone software that they are looking for.. People have been using this one to hack people's phones with using homemade SPAM HACKERS COMPUTERS.


