The Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States) have updated their guidance on mitigating the risk that Log4j vulnerabilities pose.
Today is the deadline for US Federal civilian agencies to mitigate Log4j vulnerabilities in compliance with the Cybersecurity and Infrastructure Security Agency's (CISA) Emergency Directive (ED) 22-02. CISA "encourage[s] all organizations to take similar steps."
CISA has also published an open-source scanner designed to detect Log4j vulnerabilities. "This tool is intended to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities." The scanner was built from a variety of other open-source tools developed in response to the discovery and disclosure of Log4j issues. It's available on GitHub.
Engineers at Hangzhou-based online retailer Alibaba discovered Log4Shell and reported it to the Apache Software Foundation. But Chinese authorities have taken issue with the way Alibaba disclosed it, feeling that the Ministry of Industry and Information Technology (MIIT) should have been the first to be notified. Reuters reports that the MIIT has suspended data-sharing with Alibaba Cloud for at least six months, with a resumption of that relationship contingent upon Alibaba's undertaking to do better in the future.
The Conti ransomware gang is actively exploiting Log4Shell. VentureBeat quotes AdvIntel to the effect that signs point to a useful diversification (useful from Conti's point of view) in the gang's arsenal. TechRepublic reminds its readers that Conti's style is the double-extortion attack: steal the data, render them inaccessible, and then threaten both to withhold decryption and to release stolen files unless the victims pay up.