Tinker
@TinkerSec
A lot of folks think that this "patching" is "4D Chess" but it's really a basic behavior in a turf war.
The "turf" is your systems.
And you are not part of this "war".
I'll run through how it works and why unauthorized hackers do this as a standard TTP...
If you run a scan on your environment to see if you're patched for #log4j...
...and find that you are already patched.
Make sure you were the one that patched it.
Say I'm a mid-level, decently skilled hacker.
I'm not a script kiddie. I have some experience. But, I'm not part of some nation state group or anything like that.
I just have a small botnet that I need to grow.
I see a major vuln w/a simple exploit like this #Log4J!
Awesome!
So I scan for vulnerable systems, find one, and hack into it.
But I find someone else is here!
This is normal. #Log4J is a hot topic right now. Everyone and their cat is hacking the internet.
What to do? I don't want this other hacker here.
I want this system to myself.
So I lay down a backdoor. Maybe a simple user account with root privileges accessible via SSH or maybe a backdoor implant that I have ready-built.
I kick out the other hacker. Maybe by killing his connection process or system firewalling his IP.
Then...
Then... to make sure that hacker doesn't come back and to make sure that no other groups come in behind me by using the same #Log4J vulnerability that I used...
I patch the system.
I'm not patching the system to hide from sysadmins or to remove the system from some corporate patch management program.
I'm just covering my ass.
I'm just protecting my newfound asset from other hackers.
This is my botnet now, so I need to maintain information security.
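The practical takeaway of the thread is the check in the middle of it: a scan that says "already patched" is only good news if your own change process did the patching. The following Python is an added example (not from the thread or its author) of that reconciliation. It assumes a scanner has already produced a list of log4j-core jars with the time each landed on disk, and that patch management can export change records per host; both inputs here are constructed sample data. The 2.17.0 cutoff and the 24-hour matching window are assumptions for the example, not facts from the thread.

```python
"""
Reconcile "already patched" Log4j scan findings against your own change records.

Status per host:
  vulnerable          - jar is below the fixed version
  patched-by-us       - fixed jar, and a matching change record explains it
  patched-by-unknown  - fixed jar, but nobody in your org recorded patching it
  unknown             - could not read a version from the jar name
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed cutoff for this example: 2.17.0 and later on the 2.x line counts as fixed.
FIXED_2X = (2, 17, 0)
# Assumed tolerance: the jar should appear on disk within this window after the change.
MATCH_WINDOW = timedelta(hours=24)

JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


@dataclass
class Finding:
    host: str
    jar_path: str
    jar_mtime: str      # ISO-8601 time the jar was written to disk


@dataclass
class ChangeRecord:
    host: str
    applied_at: str     # ISO-8601 time your patch job ran
    ticket: str


def parse_version(path):
    """Extract (major, minor, patch) from a log4j-core jar file name, or None."""
    m = JAR_RE.search(path)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(finding, records):
    version = parse_version(finding.jar_path)
    if version is None:
        return "unknown"
    if version < FIXED_2X:
        return "vulnerable"
    mtime = datetime.fromisoformat(finding.jar_mtime)
    for rec in records:
        if rec.host != finding.host:
            continue
        applied = datetime.fromisoformat(rec.applied_at)
        # The jar must have landed after the change started and within the window.
        if applied <= mtime <= applied + MATCH_WINDOW:
            return "patched-by-us"
    # Fixed version on disk, but no change of ours explains it: treat the host
    # as possibly compromised and hand it to incident response, not to patching.
    return "patched-by-unknown"


def triage(findings, records):
    """Map each host to its status so the unexplained patches stand out."""
    return {f.host: classify(f, records) for f in findings}


# Constructed sample data for the example.
SAMPLE_FINDINGS = [
    Finding("web-01", "/opt/app/lib/log4j-core-2.14.1.jar", "2021-06-02T10:00:00"),
    Finding("web-02", "/opt/app/lib/log4j-core-2.17.0.jar", "2021-12-20T09:30:00"),
    Finding("web-03", "/opt/app/lib/log4j-core-2.17.0.jar", "2021-12-12T03:14:00"),
    Finding("web-04", "/opt/app/lib/log4j-core.jar",        "2021-12-12T03:14:00"),
]
SAMPLE_RECORDS = [
    ChangeRecord("web-02", "2021-12-20T09:00:00", "CHG-0042"),  # constructed ticket id
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_FINDINGS, SAMPLE_RECORDS).items()):
        print(f"{host}: {status}")
```

In the sample data web-03 is on a fixed version with no change record behind it, which is exactly the case the thread warns about: the patch is real, but it was not yours. Hosts in that bucket belong in the incident-response queue (look for added accounts, SSH keys and persistence) rather than being closed as remediated.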
Tinker @TinkerSec · 13h
Alright, I'm officially over #Log4J.
Not saying anything in my org is patched.
Just saying I'm done worrying about it & am moving on w/my life.
Y'all need to stop living in fear.
Just accept that exploits happen & if it's your company's time to be breached, it's their time.