X

我们使用cookie,以确保适合你的经验

我们用饼干和其他跟踪技术来提高你的浏览体验在我们的网站上,显示个性化内容和有针对性的广告,分析网站流量,并理解我们的观众来自哪里。你也可以阅读我们的隐私政策,我们使用cookie来确保你在我们的网站上的最好的体验。

选择我接受,或继续在网站上,你同意我们使用饼干条款和条件

得到应用
\"\"
<\/span><\/figcaption><\/figure>By Christopher Bing, Raphael Satter and Joseph Menn
<\/strong>
WASHINGTON: A newly discovered vulnerability in a widely used software library is causing mayhem on the internet<\/a>, forcing cyber defenders to scramble as hackers rush to exploit the weakness.

The vulnerability, known as Log4j<\/a>, comes from a popular open source product that helps software developers track changes in applications that they build. It is so popular and embedded across many companies' programs that security executives expect widespread abuse.

\"The Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade,\" said Amit Yoran, chief executive of Tenable, a network security firm, and the founding director of the U.S. Computer Emergency Readiness Team.

The U.S. government sent a warning to the private sector about the Log4j vulnerability<\/a> and the looming risk it poses on Friday.

In a conference call on Monday, the leader of CISA said it was one of the worst vulnerabilities seen in many years. She urged companies to have staff working through the holidays to battle those using new methods to exploit the flaw.

Much of the software affected by Log4j, which bears names like Hadoop or Solr, may be unfamiliar to the public at large. But as with the SolarWinds program at the center of a massive Russian espionage operation last year, the ubiquity of these workhorse programs makes them ideal jumping-off points for digital intruders.

Juan Andres Guerrero-Saade, principal threat researcher with cybersecurity firm SentinelOne, called it \"one of those nightmare vulnerabilities that there's pretty much no way to prepare for.\"

While a partial fix for the vulnerability was released on Friday by Apache, the maker of Log4j, affected companies and cyber defenders will need time to locate the vulnerable software and properly implement patches. Log4j itself is maintained by a few volunteers, security experts said.

In practice, the flaw allows an outsider to enter active code into the record-keeping process. That code then tells the server hosting the software to execute a command giving the hacker control.

The issue was first publicly disclosed by a security researcher working for Chinese technology company Alibaba Group Holding Ltd, Apache noted in its security advisory.

It is now apparent that initial exploitation was spotted Dec. 2, before a patch rolled out a few days later. The attacks became much more widespread as people playing Minecraft used it to take control of servers and spread the word in gaming chats.

So far no major disruptive cyber incidents have been publicly documented as a result of the vulnerability, but researchers are seeing an alarming uptick in hacking groups trying to take advantage of the bug for espionage.

\"We also expect to see this vulnerability in everyone's supply chain,\" said Chris Evans, chief information security officer at HackerOne.

Multiple botnets, or groups of computers controlled by criminals, were also exploiting the flaw in a bid to add more captive machines, experts tracking the developments said.

What many experts now fear is that the bug could be used to deploy malware that either destroys data or encrypts it, like what was used against U.S. pipeline operator Colonial Pipeline in May which led to shortages of gasoline in some parts of the United States.

Guerrero-Saade said his firm had already seen Chinese hacking groups moving to take advantage of the vulnerability.

U.S. cybersecurity firms Mandiant and Crowdstrike also said they found sophisticated hacking groups leveraging the bug to breach targets. Mandiant described those hackers as \"Chinese government actors\" in an email to Reuters.
<\/body>","next_sibling":[{"msid":88267539,"title":"UK lawmakers call for tougher crackdown on online scammers, cyberflashing","entity_type":"ARTICLE","link":"\/news\/uk-lawmakers-call-for-tougher-crackdown-on-online-scammers-cyberflashing\/88267539","category_name":null,"category_name_seo":"telecomnews"}],"related_content":[],"msid":88267565,"entity_type":"ARTICLE","title":"Widely used software with key vulnerability sends cyber defenders scrambling","synopsis":"The vulnerability, known as Log4j, comes from a popular open source product that helps software developers track changes in applications that they build. It is so popular and embedded across many companies' programs that security executives expect widespread abuse.","titleseo":"telecomnews\/widely-used-software-with-key-vulnerability-sends-cyber-defenders-scrambling","status":"ACTIVE","authors":[],"analytics":{"comments":0,"views":345,"shares":0,"engagementtimems":1205000},"Alttitle":{"minfo":""},"artag":"Reuters","artdate":"2021-12-14 07:51:19","lastupd":"2021-12-14 07:53:40","breadcrumbTags":["Log4j","Internet","Log4j vulnerability","cyber security","cyber security news","International","cyber attack","about log4j"],"secinfo":{"seolocation":"telecomnews\/widely-used-software-with-key-vulnerability-sends-cyber-defenders-scrambling"}}" data-authors="[" "]" data-category-name="" data-category_id="" data-date="2021-12-14" data-index="article_1">

广泛使用的软件与关键漏洞发送网络防御匆忙

脆弱性,称为Log4j,来自一个流行的开源产品,可以帮助软件开发人员跟踪的变化他们构建的应用程序。它是如此受欢迎,嵌入在许多公司的项目安全管理人员面临普遍的滥用。

  • 更新2021年12月14日07:53点坚持
阅读: 100年行业专业人士
读者的形象读到100年行业专业人士
克里斯托弗Bing,拉斐尔坐和约瑟夫·梅恩的
华盛顿:一个新发现的漏洞在图书馆广泛应用软件上造成混乱互联网混乱,迫使网络防御黑客急于利用的弱点。

漏洞,被称为Log4j来自一个流行的开源产品,可以帮助软件开发人员跟踪的变化他们构建的应用程序。它是如此受欢迎,嵌入在许多公司的项目安全管理人员面临普遍的滥用。

“Apache Log4j远程代码执行漏洞是最大、最关键的漏洞的最后十年,”伦说,首席执行官站得住脚的,网络安全公司,创始主任美国计算机紧急响应小组。

广告
美国政府向私人部门的警告Log4j脆弱性和即将到来的周五带来风险。

在周一的电话会议上,中国钢铁工业协会的领导人说,这是最糟糕的一个漏洞出现在许多年。她敦促公司工作人员通过假期来对抗那些使用新的方法来利用这一缺陷。

大部分的软件受Log4j,熊的名字像Hadoop或Solr,公众可能是陌生的。但与SolarWinds程序的中心去年大规模的俄罗斯间谍行动,无处不在的这些主力项目使他们的理想起点数码入侵者。

首席研究员威胁网络安全公司胡安Andres Guerrero-Saade SentinelOne,称之为“其中的一个噩梦的漏洞几乎没有准备。”

而上周五公布的部分漏洞修复是Apache Log4j的制造商,影响公司和网络防御将需要时间来定位脆弱的软件和正确实现补丁。Log4j本身是由几个志愿者,维护安全专家说。

在实践中,缺陷允许局外人活动代码输入到记录过程。这段代码然后告诉服务器托管的软件来执行一个命令给黑客控制。

广告
问题是首次公开披露安全研究员为中国技术公司阿里巴巴集团(Alibaba Group Holding Ltd .)工作,Apache指出的安全顾问。

现在明显的是,最初的开发是12月2日发现补丁推出前几天后。攻击变得更加普遍,人们玩"我用它来控制服务器和传播这个词在游戏聊天。

到目前为止没有公开重大破坏性网络事件记录的漏洞,但是研究人员看到惊人的上升在黑客组织试图利用错误的间谍活动。

“我们也希望看到这个漏洞在每个人的供应链,”克里斯·埃文斯说,在HackerOne首席信息安全官。

多个僵尸网络,或组的电脑控制的罪犯,也利用缺陷,以增加更多的人工机器,跟踪发展专家们说。

现在许多专家担心的是,错误可以被用来部署恶意软件破坏数据或加密,像被用来对付美国殖民管道管道运营商可能导致汽油的短缺在美国的一些地区。

Guerrero-Saade说,他的公司已经看到中国黑客组织转移到利用的漏洞。

美国网络安全公司Mandiant和Crowdstrike还表示,他们发现复杂的黑客组织利用漏洞突破目标。中国政府Mandiant公司将这些黑客们描述为“演员”在给路透的邮件。
  • 发布于2021年12月14日07:51点坚持
是第一个发表评论。
现在评论

评论

现在评论 阅读评论(1)

加入2 m +行业专业人士的社区

订阅我们的通讯最新见解与分析。乐动扑克

下载ETTelec乐动娱乐招聘om应用

  • 得到实时更新
  • 保存您最喜爱的文章
扫描下载应用程序
  • 乐动扑克
  • 广泛使用的软件与关键漏洞发送网络防御匆忙
\"\"
<\/span><\/figcaption><\/figure>By Christopher Bing, Raphael Satter and Joseph Menn
<\/strong>
WASHINGTON: A newly discovered vulnerability in a widely used software library is causing mayhem on the internet<\/a>, forcing cyber defenders to scramble as hackers rush to exploit the weakness.

The vulnerability, known as Log4j<\/a>, comes from a popular open source product that helps software developers track changes in applications that they build. It is so popular and embedded across many companies' programs that security executives expect widespread abuse.

\"The Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade,\" said Amit Yoran, chief executive of Tenable, a network security firm, and the founding director of the U.S. Computer Emergency Readiness Team.

The U.S. government sent a warning to the private sector about the Log4j vulnerability<\/a> and the looming risk it poses on Friday.

In a conference call on Monday, the leader of CISA said it was one of the worst vulnerabilities seen in many years. She urged companies to have staff working through the holidays to battle those using new methods to exploit the flaw.

Much of the software affected by Log4j, which bears names like Hadoop or Solr, may be unfamiliar to the public at large. But as with the SolarWinds program at the center of a massive Russian espionage operation last year, the ubiquity of these workhorse programs makes them ideal jumping-off points for digital intruders.

Juan Andres Guerrero-Saade, principal threat researcher with cybersecurity firm SentinelOne, called it \"one of those nightmare vulnerabilities that there's pretty much no way to prepare for.\"

While a partial fix for the vulnerability was released on Friday by Apache, the maker of Log4j, affected companies and cyber defenders will need time to locate the vulnerable software and properly implement patches. Log4j itself is maintained by a few volunteers, security experts said.

In practice, the flaw allows an outsider to enter active code into the record-keeping process. That code then tells the server hosting the software to execute a command giving the hacker control.

The issue was first publicly disclosed by a security researcher working for Chinese technology company Alibaba Group Holding Ltd, Apache noted in its security advisory.

It is now apparent that initial exploitation was spotted Dec. 2, before a patch rolled out a few days later. The attacks became much more widespread as people playing Minecraft used it to take control of servers and spread the word in gaming chats.

So far no major disruptive cyber incidents have been publicly documented as a result of the vulnerability, but researchers are seeing an alarming uptick in hacking groups trying to take advantage of the bug for espionage.

\"We also expect to see this vulnerability in everyone's supply chain,\" said Chris Evans, chief information security officer at HackerOne.

Multiple botnets, or groups of computers controlled by criminals, were also exploiting the flaw in a bid to add more captive machines, experts tracking the developments said.

What many experts now fear is that the bug could be used to deploy malware that either destroys data or encrypts it, like what was used against U.S. pipeline operator Colonial Pipeline in May which led to shortages of gasoline in some parts of the United States.

Guerrero-Saade said his firm had already seen Chinese hacking groups moving to take advantage of the vulnerability.

U.S. cybersecurity firms Mandiant and Crowdstrike also said they found sophisticated hacking groups leveraging the bug to breach targets. Mandiant described those hackers as \"Chinese government actors\" in an email to Reuters.
<\/body>","next_sibling":[{"msid":88267539,"title":"UK lawmakers call for tougher crackdown on online scammers, cyberflashing","entity_type":"ARTICLE","link":"\/news\/uk-lawmakers-call-for-tougher-crackdown-on-online-scammers-cyberflashing\/88267539","category_name":null,"category_name_seo":"telecomnews"}],"related_content":[],"msid":88267565,"entity_type":"ARTICLE","title":"Widely used software with key vulnerability sends cyber defenders scrambling","synopsis":"The vulnerability, known as Log4j, comes from a popular open source product that helps software developers track changes in applications that they build. It is so popular and embedded across many companies' programs that security executives expect widespread abuse.","titleseo":"telecomnews\/widely-used-software-with-key-vulnerability-sends-cyber-defenders-scrambling","status":"ACTIVE","authors":[],"analytics":{"comments":0,"views":345,"shares":0,"engagementtimems":1205000},"Alttitle":{"minfo":""},"artag":"Reuters","artdate":"2021-12-14 07:51:19","lastupd":"2021-12-14 07:53:40","breadcrumbTags":["Log4j","Internet","Log4j vulnerability","cyber security","cyber security news","International","cyber attack","about log4j"],"secinfo":{"seolocation":"telecomnews\/widely-used-software-with-key-vulnerability-sends-cyber-defenders-scrambling"}}" data-news_link="//www.iser-br.com/news/widely-used-software-with-key-vulnerability-sends-cyber-defenders-scrambling/88267565">