During a company presentation (July 2023), the #sales person boasted about their ability to find #log4shell weaknesses.
A prime opportunity to point you to this educational #dance track about the #vulnerability: https://youtu.be/HNS2ONvA-Vk

How can it be outdated when sales is still going on about it? 😜

Clients asking us if we are affected by the #MOVEit vulnerabilities. Never heard of it, never used it. But if customers start to ask their suppliers that's an indication of panic. Last time this happened with #log4j #log4shell.

RT @fossasiasg
Join us for an insightful discussion on how to address systemic issues in the #softwaresupplychain & lessons learned from #Log4Shell with #cybersecurity expert @juliangordonhk8 from @Hyperledger @theopenssf at #FOSSASIA Summit 2023 #Singapore 13-15 April https://eventyay.com/e/7cfe0771/session/8249

RT @fossasiasg
Join us for an insightful discussion on how to address systemic issues in the #softwaresupplychain & lessons learned from #Log4Shell with #cybersecurity expert @juliangordonhk8 from @Hyperledger @theopenssf at #FOSSASIA Summit 2023 #Singapore 13-15 April https://eventyay.com/e/7cfe0771/session/8249

#Log4Shell: #OpenSource als Gefahr für die Software-Lieferkette | heise online https://www.heise.de/meinung/Log4Shell-Open-Source-als-Gefahr-fuer-die-Software-Lieferkette-7606506.html #Log4j

You're running untrusted code! https://blog.frankel.ch/running-untrusted-code/

#security #securitymanager #JVM #log4shell #fromthearchives

RT @HaboubiAnis
Etape 1) Alvaro Muñoz @pwntester presente en 2016 la vulnérabilité

Etape 2) Exploitation de la vulnérabilité #log4jRCE / #Log4Shell de 2021.

Etape 3) Tout le système est vérolé #cyberpandemie #breakingtheshell

Presentation: https://blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf

We've just updated the agenda for #SharkFest'23 ASIA with a new class from Sake Blok! His session is titled: "#LOG4SHELL: Getting to know your adversaries"

Sign up today and save on registration: https://sharkfest.wireshark.org

#Wireshark

Join Jamie Coleman in-person at #GIDS #DeveloperSummit #Bengaluru April 25-28 to cover the previously unknown history of #Maven Central and how it works under the covers. Look under the hood to see how the Central team addresses critical security risks like dependency confusion and security events like #Log4Shell: https://developersummit.com/session/the-secret-life-of-maven-central

Ein Jahr nach #Log4Shell - Ein Jahr nach der Entdeckung von Log4Shell hinterlässt die Schwachstelle noch immer ihre Spuren.

https://www.kaspersky.de/blog/log4shell-still-active-2022/29588/

-> Nicht Neues, aber dennoch eine schöne Zustandsbeschreibung. Die Warnung ist aus meiner Sicht mehr als gerechtfertigt, denn sie "hinterlässt nicht nur ihre Spuren", sondern ist nach wie vor extrem gefährlich!

#ISMSBlog

@sophos "[...] only those who fetched the so-called “nightly”, or experimental, version of the software were at risk.
[...] from PyTorch’s report, it seems that the Triton malware executable file specifically targeted 64-bit Linux environments. [...]"

The stolen data is sent as DNS lookup requests to a domain owned by attackers, same as #Log4Shell.

Good news is that #PyTorch already remedied the issues, according to the article and most users should've not been hit by it.

It does seem like this type of attack could become more common. I feel like I've just read a couple of weeks ago about this exact threat, of malicious packages being uploaded to pip.

#ThreatIntel #InfoSec #ThreatHunting #CyberSecurity

@sophos "[...] only those who fetched the so-called “nightly”, or experimental, version of the software were at risk.
[...] from PyTorch’s report, it seems that the Triton malware executable file specifically targeted 64-bit Linux environments. [...]"

The stolen data is sent as DNS lookup requests to a domain owned by attackers, same as #Log4Shell.

Good news is that #PyTorch already remedied the issues, according to the article and most users should've not been hit by it.

I just remembered I wrote a #Log4Shell parody poem based on The Night Before Christmas for #OSSPodcast last year. It was certainly a wild time a year ago. Thank goodness this year is way more boring

https://opensourcesecurity.io/2021/12/26/episode-303-log4j-christmas-spectacular/

Just in time for the holidays, we've uploaded another video from #SharkFest'22 US by Sake Blok! He walks us through his experience getting infected with #LOG4SHELL and how he used Wireshark to investigate.

https://youtu.be/25h6it4I254

#Wireshark #LOG4J #PacketAnalysis

Was ist #Log4Shell und warum ist sie auch nach einem Jahr noch gefährlich?
https://www.kaspersky.de/blog/log4shell-still-active-2022/29588/
#ISMSBlog

#log4javersary #log4j #log4shell

@cnotin we were (are) tracking multiple #log4j vulnerabilities that were remote code exploitable and some of them weren't part of #log4shell.
Also, do you say "LOG FOUR JAY" or "LOG FORGE".
I've heard it both ways.

I'm seeing many articles about the #Log4Shell anniversary which incorrectly talk about the "Log4j" vulnerability.
We've failed at branding this vulnerability properly... so know people confuse it with the library's name.
Are there perhaps people who entirely banned Log4j due to this confusion?

wrote a little bit about the #log4j vulnerability and how things look one year later. 🫣

tl;dr: things aren't *bad*, but why aren't they better? a lot of things got patched and upgraded over 2022, but there are still a non-trivial number of potentially vulnerable devices out there.

#cve #vulnerability #log4shell #infosec #internet #censys

https://censys.io/tis-the-season-%F0%9F%AB%A3-a-look-back-at-the-critical-log4j-vulnerability/

wrote a little bit about the #log4j vulnerability and how things look one year later. 🫣

tl;dr: things aren't *bad*, but why aren't they better? a lot of things got patched and upgraded over 2022, but there are still a non-trivial number of potentially vulnerable devices out there.

#cve #vulnerability #log4shell #infosec #internet #censys

https://censys.io/tis-the-season-%F0%9F%AB%A3-a-look-back-at-the-critical-log4j-vulnerability/