Security

New Log4J Flaw Caps Year of Relentless Cybersecurity Crises (wsj.com) 77

'Exhausted' network defenders say technological dependency creates new vulnerabilities. From a report: Cyberattacks on major technology providers and the interconnected world of software and hardware that power the global economy continued at a relentless pace in 2021, according to U.S. officials and security experts. Instead of one company being victimized at a time like in a traditional data breach, thousands were often exposed simultaneously. Businesses, hospitals and schools also worked to defend themselves against an onslaught of ransomware attacks, which increasingly reap $10 million or more in extortion payments. The annus horribilis culminated this month with discovery of a flaw in an obscure but widely used internet code known as Log4j, which one senior Biden administration official said was the worst she had seen in her career. The latest vulnerability comes as U.S. officials warn corporate leaders of a potential surge of cyberattacks while businesses slow their operations during the holiday season.

The string of incidents highlights how decades of digital transformation have linked business and government computer systems in opaque and sometimes surprising ways that will create new vulnerabilities. Major disruptions are certain to continue, cybersecurity officials said. "Network defenders are exhausted," said Joe Slowik, threat-intelligence lead at the security firm Gigamon. New attention and investment in cybersecurity hasn't improved the status quo, he said. "Money is flowing into the field, but largely on technical solutions while the core need -- more capable people -- remains hard to address."

IT

Seconds Before a 6.2 Earthquake Rattled California, Phones Got a Vital Warning (theguardian.com) 32

In the moments before a 6.2-magnitude earthquake struck the northern California coast on Monday, roughly half a million phones began to buzz. From a report: An early-alert system managed by the US Geological Survey sent warnings out before the ground started to shake, giving residents in the sparsely populated area vital time to take cover. The earthquake brought significant shaking but minimal damage in Humboldt county, about 210 miles north-west of San Francisco, and officials said it was an excellent test of the alert system. It was the largest magnitude quake that's occurred since the system, known as ShakeAlert, was officially rolled out across the west coast. "We got some reports from folks that they got up to 10 seconds' warning before they felt shaking. That's pretty darn good," said Robert de Groot, a ShakeAlert coordinator with the USGS.

ShakeAlert issues warnings through a series of agencies and apps including the MyShakeApp, public wireless emergency alert systems, and the Android operating system, powered by Google. A data package is created from information provided by USGS sensors and -- within seconds -- shows up on phones. Some apps that provide alerts are available to download but even some who didn't have an app on their phone were notified. Affected individuals are instructed to drop, cover, and hold on. Having extra seconds to do so can save lives. This event provided an opportunity for the scientists and system operators to test and improve ShakeAlert so it will be even better when the next big earthquake strikes. "We can run as many simulations and tests as possible but we are really going to learn the most from real earthquakes," de Groot said. "It's giving us the chance to use the system and learn how to do a better job of alerting people."

Bug

Fisher-Price's Chatter Phone Has a Simple But Problematic Bluetooth Bug (techcrunch.com) 27

An anonymous reader quotes a report from TechCrunch: As nostalgia goes, the Fisher-Price Chatter phone doesn't disappoint. The classic retro kids toy was given a modern revamp for the holiday season with the new release for adults which, unlike the original toy designed for kids, can make and receive calls over Bluetooth using a nearby smartphone. The Chatter -- despite a working rotary dial and its trademark wobbly eyes that bob up and down when the wheels turn -- is less a phone and more like a novelty Bluetooth speaker with a microphone, which activates when the handset is lifted. The Chatter didn't spend long on sale; the phone sold out quickly as the waitlists piled up. But security researchers in the U.K. immediately spotted a potential problem. With just the online instruction manual to go on, the researchers feared that a design flaw could allow someone to use the Chatter to eavesdrop.

Ken Munro, founder of the cybersecurity company Pen Test Partners, told TechCrunch that chief among the concerns are that the Chatter does not have a secure pairing process to stop unauthorized phones in Bluetooth range from connecting to it. Munro outlined a series of tests that would confirm or allay his concerns. [...] The Chatter doesn't have an app, and Mattel said the Chatter phone was released as "a limited promotional item and a playful spin on a classic toy for adults." But Munro said he's concerned the Chatter's lack of secure pairing could be exploited by a nearby neighbor or a determined attacker, or that the Chatter could be handed down to kids, who could then unknowingly trigger the bug. "It doesn't need kids to interact with it in order for it to become an audio bug. Just leaving the handset off is enough," said Munro.

Security

Second Ransomware Family Exploiting Log4j Spotted In US, Europe (venturebeat.com) 16

Researchers say a second family of ransomware has been growing in usage for attack attempts that exploit the critical vulnerability in Apache Log4j, including in the U.S. and Europe. VentureBeat reports: A number of researchers, including at cybersecurity giant Sophos, have now said they've observed the attempted deployment of a ransomware family known as TellYouThePass. Researchers have described TellYouThePass as an older and largely inactive ransomware family -- which has been revived following the discovery of the vulnerability in the widely used Log4j logging software. TellYouThePass is the second family of ransomware that's been observed to exploit the vulnerability in Log4j, known as Log4Shell, joining the Khonsari ransomware, according to researchers.

While previous reports indicated that TellYouThePass was mainly being directed against targets in China, researchers at Sophos told VentureBeat that they've observed the attempted delivery of TellYouThePass ransomware both inside and outside of China -- including in the U.S. and Europe. "Systems in China were targeted, as well as some hosted in Amazon and Google cloud services in the U.S. and at several sites in Europe," said Sean Gallagher, a senior threat researcher at Sophos Labs, in an email to VentureBeat on Tuesday. Sophos detected attempts to deliver TellYouThePass payloads by utilizing the Log4j vulnerability on December 17 and December 18, Gallagher said. TellYouThePass has versions that run on either Linux or Windows, "and has a history of exploiting high-profile vulnerabilities like EternalBlue," said Andrew Brandt, a threat researcher at Sophos, in an email. The Linux version is capable of stealing Secure Socket Shell (SSH) keys and can perform lateral movement, Brandt said. Sophos initially disclosed its detection of TellYouThePass ransomware in a December 20 blog post.

The first report of TellYouThePass ransomware exploiting the Log4j vulnerability appears to have come from the head of Chinese cybersecurity group KnownSec 404 Team on December 12. The attempted deployment of TellYouThePass in conjunction with Log4Shell was subsequently confirmed by additional researchers, according to researcher community Curated Intelligence. In a blog post Tuesday, Curated Intelligence said its members can now confirm that TellYouThePass has been seen exploiting the vulnerability "in the wild to target both Windows and Linux systems." TellYouThePass had most recently been observed in July 2020, Curated Intelligence said. It joins Khonsari, a new family of ransomware identified in connection with exploits of the Log4j vulnerability.

China

China Regulators Suspend Alibaba Cloud Partnership Over Log4Shell Reporting (reuters.com) 29

AltMachine writes: "Chinese regulators on Wednesday suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, over accusations it failed to promptly report and address [the Log4Shell vulnerability]," reports Reuters, citing state-backed media reports. Alibaba Cloud recently discovered a major remote code execution vulnerability in the Apache Log4j2 component, notifying the U.S.-based Apache Software Foundation, but did not immediately report it to the Ministry of Industry and Information Technology (MIIT), China's telecommunications regulator.

MIIT said it then received a report from a third party about the issue (days after), rather than from Alibaba Cloud. "In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms, to be reassessed in six months and revived depending on the company's internal reforms," reports Reuters. According to Chinese laws, companies must report new vulnerabilities within 48 hours.

Bug

Microsoft Notifies Customers of Azure Bug That Exposed Their Source Code (therecord.media) 9

Earlier this month, Microsoft notified a select group of Azure customers impacted by a recently discovered bug that had exposed the source code of their Azure web apps since at least September 2017. The vulnerability was discovered by cloud security firm Wiz and reported to Microsoft in September. The issue was fixed in November, and Microsoft has spent the last few weeks investigating how many customers were impacted. The Record reports: The issue, nicknamed NotLegit, resides in Azure App Service, a feature of the Azure cloud that allows customers to deploy websites and web apps from a source code repository. Wiz researchers said that in situations where Azure customers selected the "Local Git" option to deploy their websites from a Git repository hosted on the same Azure server, the source code was also exposed online.

All PHP, Node, Ruby, and Python applications deployed via this method were impacted, Microsoft said in a blog post today. Only apps deployed on Linux-based Azure servers were impacted, but not those hosted on Windows Server systems. Apps deployed as far back as 2013 were impacted, although the exposure began in September 2017, when the vulnerability was introduced in Azure's systems, the Wiz team said in a report today. [...] The most dangerous exposure scenarios are situations where the exposed source code contained a .git configuration file that, itself, contained passwords and access tokens for other customer systems, such as databases and APIs.
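What a practitioner checking their own sites for this class of exposure would script is a probe for a readable `.git/HEAD` followed by triage of what `.git/config` contains, since a deploy token sitting in a remote URL or an `extraheader` line is the worst case the story describes. The example below is added here for illustration and is not Wiz's or Microsoft's code; the site names, file bodies and the token in them are constructed, and the HTTP fetcher is injected so the logic runs offline (swap in a real HTTP client for a live scan).

```python
"""Probe for an exposed .git directory and triage credentials in .git/config.
Added illustration for the NotLegit story; not Wiz's or Microsoft's code.
The fetcher is injectable so the check runs offline against constructed data."""
import re
from typing import Callable, Dict, List, Optional

Fetcher = Callable[[str], Optional[str]]   # url -> response body, or None if not 200

# A genuine HEAD file is either a symbolic ref or a bare 40-hex commit id.
GIT_HEAD_RE = re.compile(r"^ref: refs/\S+$|^[0-9a-f]{40}$")

# Credentials embedded in a remote URL: scheme://user:secret@host/...
URL_CRED_RE = re.compile(r"^\s*url\s*=\s*\S+://([^:/@\s]+):([^@\s]+)@", re.M)
# git's http.extraheader is another common place for an Authorization value.
EXTRAHEADER_RE = re.compile(r"^\s*extraheader\s*=\s*(Authorization:.*)$", re.M | re.I)


def git_exposed(base_url: str, fetch: Fetcher) -> bool:
    """True if <base_url>/.git/HEAD is readable and looks like a real HEAD file
    (an HTML error page served with status 200 is not counted as exposure)."""
    body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    return body is not None and GIT_HEAD_RE.match(body.strip()) is not None


def config_secrets(config_text: str) -> List[Dict[str, str]]:
    """Return the credentials found in the body of a .git/config file."""
    found = []
    for m in URL_CRED_RE.finditer(config_text):
        found.append({"kind": "url-credential", "user": m.group(1), "secret": m.group(2)})
    for m in EXTRAHEADER_RE.finditer(config_text):
        found.append({"kind": "extraheader", "user": "", "secret": m.group(1)})
    return found


def assess(base_url: str, fetch: Fetcher) -> Dict[str, object]:
    """Exposure check plus credential triage for one site."""
    result: Dict[str, object] = {"url": base_url, "git_exposed": False, "secrets": []}
    if not git_exposed(base_url, fetch):
        return result
    result["git_exposed"] = True
    cfg = fetch(base_url.rstrip("/") + "/.git/config")
    if cfg:
        result["secrets"] = config_secrets(cfg)
    return result


# --- constructed sample data: hostnames, bodies and token are all made up ---
SAMPLE_SITES = {
    "https://app-one.example/.git/HEAD": "ref: refs/heads/master\n",
    "https://app-one.example/.git/config": (
        "[core]\n\trepositoryformatversion = 0\n"
        "[remote \"origin\"]\n"
        "\turl = https://deploy:EXAMPLE-DEPLOY-TOKEN@git.example/org/app.git\n"
        "[http]\n\textraheader = Authorization: Basic ZGVwbG95OnNlY3JldA==\n"
    ),
    # a site whose "HEAD" is really an HTML 404 page served with status 200
    "https://app-two.example/.git/HEAD": "<html><body>Not found</body></html>",
}


def sample_fetch(url: str) -> Optional[str]:
    """Stand-in for an HTTP GET; returns the constructed body or None."""
    return SAMPLE_SITES.get(url)


if __name__ == "__main__":
    for site in ("https://app-one.example", "https://app-two.example"):
        print(assess(site, sample_fetch))
```

Run it against your own App Service hostnames with a fetcher that returns the body only on HTTP 200; anything reported as `git_exposed` deserves rotation of every secret found in `config_secrets`, because the repository history is also readable once `.git/` is served.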

Security

A Growing Army of Hackers Helps Keep Kim Jong Un in Power (bloomberg.com) 52

Kim Jong Un marked a decade as supreme leader of North Korea in December. Whether he can hold on to power for another 10 years may depend on state hackers, whose cybercrimes finance his nuclear arms program and prop up the economy. From a report: According to the U.S. Cybersecurity & Infrastructure Security Agency, North Korea's state-backed "malicious cyberactivities" target banks around the world, steal defense secrets, extort money through ransomware, hijack digitally mined currency, and launder ill-gotten gains through cryptocurrency exchanges. Kim's regime has already taken in as much as $2.3 billion through cybercrimes and is geared to rake in even more, U.S. and United Nations investigators have said. The cybercrimes have provided a lifeline for the struggling North Korean economy, which has been hobbled by sanctions. Kim has shown little interest in returning to negotiations that could lead to a lifting of sanctions if North Korea winds down its nuclear arms program.

Money from cybercrimes represents about 8% of North Korea's estimated economy in 2020, which is smaller than when Kim took power, according to the Bank of Korea in Seoul. (The bank for years has provided the best available accounting on the economic activity of the secretive state.) Kim's decision to shut borders because of Covid-19 suspended the little legal trade North Korea had and helped send the economy into its biggest contraction in more than two decades. Kim's regime has two means of evading global sanctions, which were imposed to punish it for nuclear and ballistic missile tests. One is the ship-to-ship transfer of commodities such as coal: A North Korean vessel will shift its cargo to another vessel, or the other way around, and both vessels typically try to cloak their identity. The other is the cyberarmy. Its documented cybercrimes include attempts to steal $2 billion from the Swift (Society for Worldwide Interbank Financial Telecommunication) system of financial transactions. North Korea has also illegally accessed military technology that could be used for financial gain, according to a UN Security Council panel charged with investigating sanctions-dodging by the government.

Cloud

Amazon's AWS Logs Its Third Outage this Month, Affecting Slack, Epic Games Store, Asana and More (theverge.com) 66

Amazon's crucial web services business AWS is experiencing problems today, with issues affecting services like Slack, Imgur, and the Epic Games store for some users. From a report: It's not looking good if you're working from home, with some Slack users unable to view or upload images, and work management tool Asana also hit by the outages. In an incident update, Slack said its services are "experiencing issues with file uploads, message editing, and other services." Asana says the problems constitute a "major outage," with "many of our users unable to access Asana." Epic Games Store said "Internet services outages" are "affecting logins, library, purchases, etc." It's the third time in as many weeks that problems with AWS have had a significant effect on online services.

Security

Belgian Defense Ministry Confirms Cyberattack Through Log4j Exploitation (zdnet.com) 10

An anonymous reader quotes a report from ZDNet: The Belgian Ministry of Defense has confirmed a cyberattack on its networks that involved the Log4j vulnerability. In a statement, the Defense Ministry said it discovered an attack on its computer network with internet access on Thursday. They did not say if it was a ransomware attack but explained that "quarantine measures" were quickly put in place to "contain the infected elements." "Priority was given to the operability of the network. Monitoring will continue. Throughout the weekend, our teams were mobilized to contain the problem, continue our operations and alert our partners," the Defense Ministry said. "This attack follows the exploitation of the Log4j vulnerability, which was made public last week and for which IT specialists around the world are jumping into the breach. The Ministry of Defense will not provide any further information at this stage."

Multiple reports from companies like Google and Microsoft have indicated that government hacking groups around the world are leveraging the Log4j vulnerability in attacks. [...] Centre for Cybersecurity Belgium spokesperson Katrien Eggers told ZDNet that they too sent out a warning to Belgian companies about the Apache Log4j software issue, writing that any organization that had not already taken action should "expect major problems in the coming days and weeks." "Because this software is so widely distributed, it is difficult to estimate how the discovered vulnerability will be exploited and on what scale," the Centre for Cybersecurity Belgium said, adding that any affected organizations should contact them. "It goes without saying that this is a dangerous situation."

Bug

Amazon Issues False Copyright Strike Against New World YouTuber for Reporting Bug (neowin.net) 70

segaboy81 writes: Amazon Games is new to the AAA games space, finding tremendous success with their title New World. Since its release in September, YouTubers like Sethphir and Video Game Databank have begun to carve out their own niche in the New World community, seeing their subscriber base soar into the tens of thousands. However, YouTubers may begin to suffer under the watchful eye of New World's leadership. Recently, YouTuber Video Game Databank discovered a serious bug in version 1.2 regarding aptitude levels in a single crafting attempt which purportedly resulted in his loss of 40,000 coins. Dutifully, he reported the bug to Amazon customer support. When they didn't understand his complaint, he shared a video showing the bug in action. He goes on to call this a "fatal mistake" as just two hours later the video is removed from YouTube after a manual copyright claim was invoked by Amazon. While it could be a coincidence, it certainly seems like a hostile action on behalf of the games studio as it was not an automated, AI-triggered task. Someone at the studio manually filed the claim.

Security

UK National Crime Agency Finds 225 Million Previously Unexposed Passwords (theregister.com) 11

The United Kingdom's National Crime Agency and National Cyber Crime Unit have uncovered a colossal trove of stolen passwords. From a report: We know this because Troy Hunt, of Have I Been Pwned (HIBP) fame, yesterday announced the agency has handed them over to his service, which lets anyone conduct a secure search of stolen passwords to check if their credentials have been exposed. The NCA shared 585,570,857 passwords with HIBP, and Hunt said 225,665,425 were passwords that he hasn't seen before in the 613 million credentials HIBP already stored before the NCA handed over this new batch.

Education

Study Finds 'Serious Security Risks' In K-12 School Apps (therecord.media) 16

An anonymous reader quotes a report from The Record: Many apps used by schools contain features that can lead to the "unregulated and out of control" sharing of student data to advertising companies and other security issues, according to a report published Monday by the nonprofit Me2B Alliance. The report follows up on research published by the group in May, which audited 73 apps used by 38 schools to find that 60% of them were sending student data to a variety of third parties. Roughly half of them were sending student data to Google, while 14% were sending data to Facebook.

In the update, Me2B specifically looked at the use of a common feature called "WebView," which allows developers to integrate web pages into apps. Although the feature allows schools to include dynamic details -- like calendars and results of sporting events -- in apps without having to update the app itself, it can lead to the siphoning of student data and, in particularly bad cases, students and parents being targeted by scams. For example, on several occasions the researchers observed the hijacking of web pages linked to by school apps, leading users to malicious sites. An app used by Maryland's largest school district accidentally directed users to a compromised site that once was used for the district's sports teams. The Quinlan, Texas school district had a sports domain integrated into its app that was purchased by an unknown actor for $30 before anyone took action -- a security threat that's sometimes called a "dangling domain."
Some of the recommendations to mitigate security risks include "training for app administrators, creating processes at schools for keeping track of expiring URLs, requiring schools to report lost or dangling domains within a specific time, and launching a 'privacy bounty program' at the US Department of Education to audit school apps," reports The Record. "But perhaps the fastest way to reduce these risks is to alter the way the apps work."
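The "keep track of expiring URLs" recommendation needs more than a "does it still resolve" check, because a lapsed sports domain that someone else has re-registered (the Quinlan case above) resolves perfectly well, just not to the school. The example below is added here and is not Me2B's or any vendor's code: it takes an app's link list, the district's own registrar inventory and a DNS resolver, and labels each hostname as healthy, expiring, dangling or resolving to infrastructure that is not the district's. The URLs, expiry dates and addresses are constructed (documentation IP ranges), and the resolver is injected so the audit runs offline; `live_resolver` shows the real lookup.

```python
"""Audit the hostnames an app links to for dangling or expiring domains.
Added illustration for the Me2B school-app report; not Me2B's code.
DNS is injectable so the audit runs offline against constructed data."""
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Optional[str]]      # hostname -> IP, or None if it does not resolve
Owned = Dict[str, Tuple[date, Set[str]]]        # hostname -> (registration expiry, expected IPs)


def hostnames(urls: List[str]) -> List[str]:
    """Distinct hostnames from a list of URLs, in first-seen order."""
    seen: Set[str] = set()
    out: List[str] = []
    for u in urls:
        host = (urlsplit(u).hostname or "").lower()
        if host and host not in seen:
            seen.add(host)
            out.append(host)
    return out


def classify(host: str, resolve: Resolver, owned: Owned, today: date, warn_days: int = 60) -> str:
    """Label one hostname.  Order matters: a domain that resolves to an address
    we do not control is flagged before any expiry arithmetic, because that is
    the "someone bought it for $30" case."""
    ip = resolve(host)
    if host not in owned:
        return "third-party-dangling" if ip is None else "third-party"
    expiry, expected_ips = owned[host]
    if ip is None:
        return "dangling"
    if ip not in expected_ips:
        return "not-ours"
    if expiry < today:
        return "expired"
    if expiry - today <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def audit(urls: List[str], resolve: Resolver, owned: Owned, today: date, warn_days: int = 60) -> Dict[str, str]:
    return {h: classify(h, resolve, owned, today, warn_days) for h in hostnames(urls)}


def live_resolver(host: str) -> Optional[str]:
    """Real DNS lookup for production use (not exercised by the sample run)."""
    import socket
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


# --- constructed inventory: names, dates and addresses are made up ----------
SAMPLE_URLS = [
    "https://calendar.district.example/month",
    "https://sports.district.example/scores",
    "https://oldsports.district.example/",
    "https://alumni.district.example/",
    "https://cdn.vendor.example/embed.js",
]
SAMPLE_OWNED: Owned = {
    "calendar.district.example": (date(2023, 9, 1), {"203.0.113.10"}),
    "sports.district.example": (date(2022, 1, 15), {"203.0.113.10"}),
    "oldsports.district.example": (date(2021, 6, 1), {"203.0.113.10"}),
    "alumni.district.example": (date(2022, 8, 1), {"203.0.113.10"}),
}
SAMPLE_DNS = {
    "calendar.district.example": "203.0.113.10",
    "sports.district.example": "203.0.113.10",
    "oldsports.district.example": "198.51.100.7",   # lapsed and re-registered by a stranger
    "cdn.vendor.example": "198.51.100.20",
}
TODAY = date(2021, 12, 22)


def sample_resolver(host: str) -> Optional[str]:
    return SAMPLE_DNS.get(host)


if __name__ == "__main__":
    for host, label in audit(SAMPLE_URLS, sample_resolver, SAMPLE_OWNED, TODAY).items():
        print(f"{label:<12} {host}")
```

The `owned` inventory is the part schools usually lack; without a list of which domains the district registered, when they expire and where they are supposed to point, "not-ours" cannot be distinguished from a legitimate vendor host, which is exactly the gap the report's "keeping track of expiring URLs" recommendation is about.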

"Apple and Google can change rules for in-app WebView links to ensure app developers can't overrule a local device browser preference," said Zach Edwards, who is in charge of data integrity testing for the Me2B Alliance.
Businesses

You Can't Lure Employees Back To the Office (zdnet.com) 242

An anonymous reader quotes a report from ZDNet, written by Steven J. Vaughan-Nichols: Months have gone by, and the great resignation keeps rolling along. Some people thought that people would come flocking back to the office once generous unemployment benefits ended. Nope. Wrong. Months after Republican states cut the $300-a-week Federal benefit and other benefits expired, there has been no rush to return to the workforce. There are many reasons for this. People don't want to catch COVID-19; people are sick of bad jobs; early retirement; and the one I care about today, bosses still think they can force skilled workers to return to offices. I've said it before; I'll say it again. That's not going to happen. People with talent and high-value skills, like most technology workers, aren't returning to traditional offices. You don't have to believe me, though. Look at the numbers being reported.

A Hackajob survey of 2,000 UK tech workers and employers found not quite three-quarters (72%) of tech workers said having the ability to do remote work was very important to them. Oh, and by the way, just over one in five were looking for new jobs with remote work. A more recent Microsoft survey found UK techies felt even stronger about the issue. In this survey, they found over half of the employees would consider quitting if you tried to force them back into the office. It's not just the UK. The Future Forum Pulse survey found IT workers in the US, UK, Australia, France, Germany, and Japan all had one thing in common: Most want to work at least part of the time remotely. To be precise, 75% want flexibility in where they work, while 93% want flexibility in when they work. Why? The top reason: "Better work-life balance."

The problem? Many executives and owners haven't gotten the clue yet. 44% said they wanted to work from the office daily. Employees? 17%. Three-quarters of bosses said they at least wanted to work from the office 3-5 days a week, versus 34% of employees. Can we say disconnect? I can. And, here's the point. Today, for the first time in my lifetime, workers, not employers, are in the driver's seat. [...] But, that doesn't mean that you must give up the traditional office entirely. You don't. In the Dice State of Remote Work report, there's a remote work spectrum. Sure, some workers never want to cross the office transom again, but others like a flexible work schedule where they can work outside of the office a set number of days per week or month. By Dice's count, only one in five workers are bound and determined to never come into the office again. 75% would be fine with flex work. But, pay attention folks, only 3% want to go back to the old-school 9 to 5, every weekday at the office. I repeat a mere 3% want to return to the office as most of you knew it in the 2010s. Indeed, 7% of respondents said they would even take a 5% salary cut to work remotely.

Security

The NCA Shares 585 Million Passwords With 'Have I Been Pwned' (therecord.media) 20

The UK National Crime Agency has shared a collection of more than 585 million compromised passwords it found during an investigation with Have I Been Pwned, a website that indexes data from security breaches. The Record reports: The NCA now becomes the second law enforcement agency to officially supply HIBP with hacked passwords after the US Federal Bureau of Investigation began a similar collaboration with the service back in May. In a blog post today, HIBP creator Troy Hunt said that 225 million of the compromised passwords found by the NCA were new and unique.

These passwords have been added to a section of the HIBP website called Pwned Passwords. This section allows companies and system administrators to check and see if their current passwords have been compromised in hacks and if they are likely to be part of public lists used by threat actors in brute-force and password-spraying attacks. Currently, the HIBP Pwned Passwords collection includes 5.5 billion entries, of which 847 million are unique. All these passwords are also available as a free download, so companies can check their passwords against the data set locally without connecting to Hunt's service.

In a statement shared by Hunt, the NCA said it found the compromised passwords, paired with email accounts, in an account at a UK cloud storage facility. The NCA said they weren't able to determine or attribute the compromised email and password combos to any specific platform or company.
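The Pwned Passwords check works without sending the password, or even its full hash, to anyone: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and matches the remaining 35 characters locally against the `SUFFIX:COUNT` lines the service returns for that prefix. The example below is added here to illustrate both the Register and the Record stories above and is not Troy Hunt's code; the range responses are constructed (the SHA-1 of "password" and of "abc" are the only real values, the counts and other suffixes are made up), and the lookup is injected so it runs offline.

```python
"""Check passwords against HIBP Pwned Passwords with the k-anonymity range
protocol.  Added illustration, not HIBP's code.  The range lookup is
injectable; here it is backed by constructed responses so it runs offline.
Published protocol: send the first 5 hex chars of the uppercase SHA-1 to
/range/<prefix>; the server answers with 'SUFFIX:COUNT' lines."""
import hashlib
from typing import Callable, Dict, Tuple

RangeLookup = Callable[[str], str]   # 5-char prefix -> raw response body ("" if none)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerate CRLF, blank lines and lowercase hex."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count or 0)
    return out


def pwned_count(password: str, lookup: RangeLookup) -> int:
    """Times the password appears in the corpus; 0 means not seen.
    The service can pad responses with zero-count entries, so a count of 0
    is treated exactly like an absent suffix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


# --- constructed responses ---------------------------------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 (real value);
# SHA-1("abc")      = A9993E364706816ABA3E25717850C26C9CD0D89D (real value).
# Every count and every other suffix below is made up to mimic the shape.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        + "0" * 34 + "1:12\r\n"
        + "F" * 35 + ":0\r\n"            # zero-count padding entry
    ),
    "A9993": "0" * 35 + ":5\n",           # prefix known, but not abc's suffix
}


def sample_lookup(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "abc"):
        print(pw, "->", pwned_count(pw, sample_lookup))
```

For live use, the lookup is an HTTP GET of `https://api.pwnedpasswords.com/range/<prefix>` returning the body as text; for the downloaded data set, replace it with a binary search over the hash-ordered file and skip the network entirely. Either way the password never leaves the caller, which is what makes it acceptable to run this against real credentials at login or password-change time.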

Google

More Than 35,000 Java Packages Impacted by Log4j Vulnerabilities, Google Says (therecord.media) 39

Google's open-source team said they scanned Maven Central, today's largest Java package repository, and found that 35,863 Java packages use vulnerable versions of the Apache Log4j library. From a report: This includes Java packages that use Log4j versions vulnerable to the original Log4Shell exploit (CVE-2021-44228) and a second remote code execution bug discovered in the Log4Shell patch (CVE-2021-45046). James Wetter and Nicky Ringland, members of the Google Open Source Insights Team, said in a report today that when a major Java security flaw is found, it typically affects only about 2% of the Maven Central index. However, the 35,000 Java packages vulnerable to Log4Shell account for roughly 8% of the Maven Central total of ~440,000, a percentage the two described using just one word -- "enormous." But since the vulnerability was disclosed last week, Wetter and Ringland said the community has responded positively and has already fixed 4,620 of the 35,863 packages they initially found vulnerable. This number accounts for 13% of all the vulnerable packages.

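For a single project the same question, "do we resolve an affected log4j-core", can be answered from the output of `mvn dependency:list`. The example below is added here and is not Google's Open Source Insights code; the dependency listing is constructed, and the affected ranges are taken from the Apache advisory for the two CVEs named above (fixed in 2.15.0 and 2.16.0 respectively, with 2.12.2 and 2.3.1 as the Java 7 and Java 6 backports). Re-check those ranges against the current Apache security page, since Log4j kept shipping fixes after this story, and remember that a shaded or relocated copy inside a fat jar will not appear in this listing at all.

```python
"""Flag log4j-core versions affected by CVE-2021-44228 / CVE-2021-45046 in
`mvn dependency:list` output (groupId:artifactId:type:version:scope lines).
Added illustration; not Google's code.  Ranges follow the Apache advisory
as of the fixes named in the story; verify against the current advisory."""
import re
from typing import Dict, List, Tuple

# Simplified Maven ordering: alpha < beta < milestone < rc < final release.
_QUAL_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "": 4}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?")

Version = Tuple[Tuple[int, ...], int, int]   # (numeric parts, qualifier rank, qualifier number)


def parse_version(v: str) -> Version:
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unparsable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))          # so that 2.0 == 2.0.0
    qual = (m.group(2) or "").lower()
    return nums, _QUAL_RANK.get(qual, 4), int(m.group(3) or 0)


LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")
FIRST_AFFECTED = parse_version("2.0-beta9")     # JNDI lookup arrived in this release
FIXED_44228 = parse_version("2.15.0")
FIXED_45046 = parse_version("2.16.0")
# Maintenance branches that received both fixes without moving to 2.16.
BACKPORT_FIX = {(2, 3): parse_version("2.3.1"), (2, 12): parse_version("2.12.2")}


def split_coordinate(coord: str) -> Tuple[str, str, str]:
    """Accept g:a:v, g:a:type:v and g:a:type:v:scope."""
    parts = coord.strip().split(":")
    if len(parts) < 3:
        raise ValueError(f"bad coordinate: {coord!r}")
    version = parts[2] if len(parts) == 3 else parts[3]
    return parts[0], parts[1], version


def cves_for(coord: str) -> List[str]:
    """CVEs that apply to one resolved coordinate (empty if none)."""
    group, artifact, version = split_coordinate(coord)
    if (group, artifact) != LOG4J_CORE:
        return []
    pv = parse_version(version)
    if pv < FIRST_AFFECTED:
        return []
    branch_fix = BACKPORT_FIX.get(pv[0][:2])
    if branch_fix is not None and pv >= branch_fix:
        return []
    hits = []
    if pv < FIXED_44228:
        hits.append("CVE-2021-44228")
    if pv < FIXED_45046:
        hits.append("CVE-2021-45046")
    return hits


def scan(dependency_list: str) -> Dict[str, List[str]]:
    """Map each vulnerable coordinate in a dependency:list dump to its CVEs."""
    findings: Dict[str, List[str]] = {}
    for line in dependency_list.splitlines():
        line = line.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):].strip()
        if line.count(":") < 2:
            continue                      # headers, blank lines, plugin banners
        cves = cves_for(line)
        if cves:
            findings[line] = cves
    return findings


# constructed `mvn dependency:list` output (not from a real build)
SAMPLE_LIST = """\
[INFO] --- maven-dependency-plugin:3.1.2:list (default-cli) @ app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.12.5:compile
"""

if __name__ == "__main__":
    for coord, cves in scan(SAMPLE_LIST).items():
        print(coord, "->", ", ".join(cves))
```

Feed it `mvn dependency:list -DoutputFile=...` from every module (the default scope set includes test dependencies, which still matter for build agents), and treat an empty result as "nothing declared", not "nothing present": Google's count is by declared dependency for the same reason.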
Privacy

Security Flaws Found in a Popular Guest Wi-Fi System Used in Hundreds of Hotels (techcrunch.com) 25

A security researcher says an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk. From a report: Etizaz Mohsin told TechCrunch that the Airangel HSMX Gateway contains hardcoded passwords that are "extremely easy to guess." With those passwords, which we are not publishing, an attacker could remotely gain access to the gateway's settings and databases, which store records about the guests using the Wi-Fi. With that access, an attacker could access and exfiltrate guest records, or reconfigure the gateway's networking settings to unwittingly redirect guests to malicious webpages, he said. Back in 2018, Mohsin discovered one of these gateways on the network of a hotel where he was staying. He found that the gateway was synchronizing files from another server across the internet, which Mohsin said contained hundreds of gateway backup files from some of the most prestigious and expensive hotels in the world. The server also stored "millions" of guest names, email addresses and arrival and departure dates, he said. Mohsin reported the bug and the server was secured, but that sparked a thought: Could this one gateway have other vulnerabilities that could put hundreds of other hotels at risk? In the end, the security researcher found five vulnerabilities that he said could compromise the gateway -- including guests' information.

Security

Ransomware Attack on Major Payroll System Kronos May Take 'Weeks' to Repair (kronos.com) 76

Earlier this week long-time Slashdot reader DJAdapt wrote: According to a post on the Kronos Community Page, a cyber security incident due to a ransomware attack is affecting UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling. Although they are currently working with cyber security experts on the issue, they say that it may take several weeks to restore full system availability.
CNN reported: Ultimate Kronos Group, one of the largest human resources companies, disclosed a crippling ransomware attack on Monday [December 13th], impacting payroll systems for a number of workers. After noticing "unusual activity" on Saturday [December 11th], Kronos noted that its systems were down and could remain that way for several weeks.

Kronos has a long list of notable customers across the public and private sector, including the city of Cleveland, New York's Metropolitan Transportation Authority (MTA), Tesla and MGM Resorts International. It also works with many hospitals across the country. Some employers find themselves having to make contingency plans in order to pay workers, such as shifting to paper checks. And some impacted employees have been unable to access payroll systems...

In addition to the potential payroll issues, there's also data privacy concerns. The city of Cleveland said in a statement Monday that Kronos alerted it that sensitive information may have been compromised in the attack. Employee names, addresses and the last four digits of social security numbers may have been stolen by the hackers inside Kronos's network.

Other Kronos customers include Whole Foods, GameStop and Honda, as well as state and local government agencies like the state of West Virginia, reports NBC News: John Riggi, the senior advisor for cybersecurity at the American Hospital Association, an industry group, said that he had spoken with multiple hospitals that have had to create contingency plans for getting employees paid, managing their schedules and tracking their hours. "Quite frankly, this could not have happened at a worse time. We've had a surge in Covid patients, flu patients," Riggi said. "It's a distraction to hospital administrators at a time when they don't need any additional burden or diversion of resources."
"Though it has not been confirmed, there is speculation that the notorious Log4Shell vulnerability was involved," writes CPO magazine, "given that the Kronos cloud services are known to be built on Java to a great degree...."

"Microsoft's security team has reported that ransomware attacks are already unfolding after these breaches in at least several cases."
Open Source

Who's Paying to Fix Open Source Software? (dev.to) 142

The Log4Shell exploit "exposes how a vulnerability in a seemingly simple bit of infrastructure code can threaten the security of banks, tech companies, governments, and pretty much any other kind of organization," writes VentureBeat. But the incident also raises some questions: Should large deep-pocketed companies besides Google, which always seems to be heavily involved in such matters, be doing more to support the cause with people and resources?
Long-time Slashdot reader frank_adrian314159 shares a related article from a programming author on Dev.To, who'd read hot takes like "Open source needs to grow the hell up" and "'Open source' is broken". [T]he log4j developers had this massive security issue dumped in their laps, with the expectation that they were supposed to fix it. How did that happen? How did a group of smart, hard-working people get roped into a thankless, high-pressure situation with absolutely no upside for themselves...?

It is this communal mythology I want to talk about, this great open source brainwashing that makes maintainers feel like they need to go above and beyond publishing source code under an open source license — that they need to manage and grow a community, accept contributions, fix issues, follow vulnerability disclosure best practices, and many other things...

In reality what is happening, is that open source maintainers are effectively unpaid outsourcing teams for giant corporations.

The log4j exploit was first reported by an engineer at Alibaba — a corporation with a market capitalization of $348 billion — so the article wonders what would happen if log4j's team had sent back a bill for the time they'd spend fixing the bug.

Some additional opinions (via the "This Week in Programming" column):
  • PuTTY maintainer Andrew Ducker: "The internet (and many large companies) are dependent on software maintained by people in their spare time, for free. This may not be sustainable."
  • Filippo Valsorda, a Go team member at Google: "The role of Open Source maintainer has failed to mature from a hobby into a proper profession... The status quo is unsustainable.... GitHub Sponsors and Patreon are a nice way to show gratitude, but they are an extremely unserious compensation structure."

Valsorda hopes to eventually see "a whole career path with an onramp for junior maintainers, including training, like a real profession."


Java

Security Firm Blumira Discovers Major New Log4j Attack Vector (zdnet.com) 91

Previously, one assumption about the 10 out of 10 Log4j security vulnerability was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new, exciting Log4j attack vector. ZDNet reports: According to Blumira, this newly-discovered JavaScript WebSocket attack vector can be exploited through the path of a listening server on their machine or local network. An attacker can simply navigate to a website and trigger the vulnerability. Adding insult to injury, WebSocket connections within the host can be difficult to gain deep visibility into. That means it's even harder to detect this vulnerability and attacks using it. This vector significantly expands the attack surface. How much so? It can be used on services running as localhost, which are not exposed to a network. This is what we like to call a "Shoot me now" kind of problem. Oh, and did I mention? The client itself has no direct control over WebSocket connections. They can silently start when a webpage loads. Don't you love the word "silently" in this context? I know I do.

In their proof-of-concept attack, Blumira found that, by using one of the many Java Naming and Directory Interface (JNDI) exploits, they could trigger via a file path URL using a WebSocket connection to machines with an installed vulnerable Log4j2 library. All that was needed to trigger success was a path request that was started on the web page load. Simple, but deadly. Making matters worse, it doesn't need to be localhost. WebSockets allow for connections to any IP. Let me repeat, "Any IP" and that includes private IP space.

Next, as the page loads, it will initiate a local WebSocket connection, hit the vulnerable listening server, and connect out over the identified type of connection based on the JNDI connection string. The researchers saw the most success utilizing Java Remote Method Invocation (RMI), default port 1099, although we are often seeing custom ports used. Simply port scanning, a technique already in the WebSocket hacker handbook, was the easiest path to a successful attack. Making detecting such attacks even harder, the company found "specific patterns should not be expected as it is easy to trigger traffic passively in the background." Then, once an open port to a local service or a service accessible to the host is found, it can drop the JNDI exploit string in path or parameters. "When this happens, the vulnerable host calls out to the exploit server, loads the attacker's class, and executes it with java.exe as the parent process." Then the attacker can run whatever he wants.

Blumira suggests users "update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further," reports ZDNet.

"You should also look closely at your network firewall and egress filtering. [...] In particular, make sure that only certain machines can send out traffic over 53, 389, 636, and 1099 ports. All other ports should be blocked." The report continues: "Finally, since weaponized Log4j applications often attempt to call back home to their masters over random high ports, you should block their access to such ports."
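The egress-filtering advice above, turned into a checker that a defender can run over outbound-connection records. This is an added example, not Blumira's or ZDNet's code: it applies the two rules the report states (only designated hosts may send traffic out of the network on ports 53, 389, 636 and 1099; outbound connections to random high ports are blocked) to netflow-style lines. The host roles, allowlists, addresses and log records are all constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for external addresses.

```python
"""Egress-policy checker for the Log4j call-back ports named in the report.

Added example (not Blumira's or ZDNet's code). Each record has the form
'<timestamp> <src> <dst> <dport> <proto>'. Only flows that leave the
internal network are judged, so the normal internal DNS/LDAP traffic of
the same hosts is not reported.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports from the guidance: DNS, LDAP, LDAPS and Java RMI (default 1099).
JNDI_CALLBACK_PORTS = {53: "dns", 389: "ldap", 636: "ldaps", 1099: "rmi"}

# Constructed allowlist: the only internal hosts permitted to send those
# protocols out of the network. No host needs RMI to the outside world.
EGRESS_ALLOWLIST = {
    53: {"10.0.0.53"},                 # the site's recursive resolver
    389: {"10.0.0.10", "10.0.0.11"},   # directory servers
    636: {"10.0.0.10", "10.0.0.11"},
    1099: set(),
}

# Constructed: external high-port services the business actually uses.
APPROVED_HIGH_PORT_DESTS = {("198.51.100.30", 8443)}
HIGH_PORT_MIN = 1024

INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one record: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def is_internal(ip: str) -> bool:
    """True for loopback and RFC 1918 destinations (constructed site layout)."""
    addr = ip_address(ip)
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> list[str]:
    """Return the policy violations for one flow; an empty list means allowed."""
    if is_internal(flow.dst):
        return []
    findings = []
    if flow.dport in JNDI_CALLBACK_PORTS:
        # Rule 1: only allowlisted machines may send 53/389/636/1099 out.
        if flow.src not in EGRESS_ALLOWLIST[flow.dport]:
            findings.append(
                f"{flow.src} sent {JNDI_CALLBACK_PORTS[flow.dport]} (port "
                f"{flow.dport}) to {flow.dst} but is not on the egress allowlist")
    elif flow.dport >= HIGH_PORT_MIN:
        # Rule 2: random high ports are the usual call-back channel; block
        # them unless the destination service is explicitly approved.
        if (flow.dst, flow.dport) not in APPROVED_HIGH_PORT_DESTS:
            findings.append(
                f"{flow.src} connected to high port {flow.dport} on {flow.dst}: "
                f"possible call-back to an exploit server")
    return findings


def scan(lines) -> list[tuple[Flow, str]]:
    """Run every record through the policy and collect (flow, reason) hits."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        for reason in evaluate(flow):
            hits.append((flow, reason))
    return hits


# Constructed sample records (timestamps and addresses are invented).
SAMPLE_LOG = """
2021-12-20T10:01:02Z 10.0.0.53 198.51.100.1 53 udp
2021-12-20T10:01:05Z 10.0.0.77 203.0.113.5 389 tcp
2021-12-20T10:01:06Z 10.0.0.77 203.0.113.5 1099 tcp
2021-12-20T10:01:09Z 10.0.0.10 203.0.113.9 636 tcp
2021-12-20T10:01:12Z 10.0.0.77 198.51.100.8 443 tcp
2021-12-20T10:01:15Z 10.0.0.40 10.0.0.20 8443 tcp
2021-12-20T10:01:18Z 10.0.0.40 198.51.100.30 8443 tcp
2021-12-20T10:01:25Z 10.0.0.40 203.0.113.7 45671 tcp
""".strip().splitlines()


if __name__ == "__main__":
    for flow, reason in scan(SAMPLE_LOG):
        print(f"{flow.ts} BLOCK {reason}")
```

On the sample records the resolver's DNS query, the directory server's LDAPS connection, the ordinary HTTPS session and the approved high-port service all pass, while the workstation 10.0.0.77 is reported twice (LDAP and RMI to an outside host) and 10.0.0.40 once for the connection to an unapproved high port. The same policy is what the firewall rules should express; running it over historical flow records first shows which legitimate hosts still need to be added to the allowlist before the rules are enforced.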
IT

This USB 'Kill Cord' Can Instantly Wipe Your Laptop if Snatched or Stolen (techcrunch.com) 67

An anonymous reader shares a report: Journalists, activists, and human rights defenders face a constant battle to keep files safe from a growing set of digital threats and surveillance. But physical attacks can be challenging to defend against, whether an opportunist snatch-and-grab thief or an oppressive government kicking down someone's door. This week, a project called BusKill launched a custom USB magnetic breakaway cable that acts as a "dead man's switch," locking a computer if someone physically snatches it and severs the magnetic connectors. BusKill has been in the works for more than two years as a do-it-yourself project. Anyone with the hardware could compile the source code, but it only worked on Linux and components quickly sold out. After a crowdsourcing effort, the cable is now available to buy starting at $59 and has an accompanying app that works on macOS, Windows, and Linux, allowing the person using the cable to easily arm and disarm the cable with a touch of a button.
