Tsananin rashin lahani a cikin Log4j wani abu ne illa ka'ida. Masu laifin Cyber scan tashoshin jiragen ruwa na duniya don nemo hanyoyin amfani da su. Masu binciken tsaro sun lura da daruruwan dubban hare-hare.
A cikin ƴan kwanakin da suka gabata, Check Point Software ya gane ƙoƙarin 470,000 scan cibiyoyin sadarwa na duniya. The scans ana yin su, a tsakanin sauran abubuwa, don nemo sabar da ke ba da izinin buƙatun HTTP na waje. Irin waɗannan sabar suna da wuyar yin amfani da mummunan rauni a cikin ɗakin karatu na Java Log4j. Idan uwar garken ya ba da damar buƙatun HTTP, mai hari na iya yin ping uwar garken tare da layi ɗaya yana nuni zuwa uwar garken nesa tare da umarnin Java don aiwatar da malware. Idan an haɗa uwar garken pinged zuwa aikace-aikacen Java mai sarrafa Log4j, aikace-aikacen Java yana aiwatar da layi azaman umarni don aiwatar da malware. A kasan layin, uwar garken wanda aka azabtar yana aiwatar da abin da maharin ya umarta. Kungiyar tsaro ta Sophos ta ce ta gano dubban daruruwan hare-hare.
Fuskokin da suka saba
Tun da farko mun rubuta labarin mai haske game da aikin fasaha da aka ambata a sama na rashin ƙarfi a Log4j. Babban sharadi don cin zarafi shine ikon isa aikace-aikacen Java wanda ya haɗa Log4j. A wasu lokuta wannan wasan yara ne. Misali, Apple yayi amfani da iCloud Log4j don yin rikodin sunayen iPhones. Ta canza sunan samfurin iPhone a cikin iOS zuwa umarni don Java, ya zama mai yiwuwa a fasa sabobin Apple.
A wasu lokuta, aikace-aikacen ba su da sauƙin tasiri. Babbar barazana ta fito ne daga maharan tare da kwarewa, ilimi da dabarun da ake da su. Masu bincike na tsaro daga Netlab360 sun kafa tsarin yaudara guda biyu (magungunan zuma, ed.) don gayyatar hare-hare akan aikace-aikacen Java tare da Log4j. Don haka masu binciken sun jawo sabbin bambance-bambancen nau'ikan malware guda tara, gami da MIRAI da Muhstik. An tsara nau'ikan malware don cin zarafin Log4j. Manufar harin gama gari shine ƙarfafa botnets don ma'adinan crypto da hare-haren DDoS. Check Point Software ya gudanar da irin wannan binciken akan ma'auni mafi girma. A cikin 'yan kwanakin da suka gabata, kungiyar tsaro ta yi rajistar hare-hare 846,000.
Tsaro
A bayyane yake cewa masu aikata laifukan yanar gizo suna neman kuma suna amfani da nau'ikan Log4j masu rauni. Mafi kyawun tsaro shine kuma ya rage don ƙididdige duk aikace-aikacen Log4j a cikin yanayi. Idan mai siyar da aikace-aikacen da aka yi amfani da Log4j ya fito da sabuntawar sigar, ana ba da shawarar faci. Idan ba haka ba, kashewa shine zaɓi mafi aminci. NCSC tana adana bayyani na raunin software wanda aka sarrafa Log4j a ciki.
A halin yanzu wani abu ne amma mai ba da shawara don haɓaka matakan software na ku ko daidaita aikin Log4j. Rashin lahani yana da bambance-bambance. Microsoft, da sauransu, sun gano bambance-bambancen ka'idojin da aka yi amfani da su don koyar da aikace-aikacen Java don gudanar da malware. Check Point yayi magana akan maye gurbi sama da 60.