
December 17, 2021

Cybeats Addresses Widespread ‘Log4j’ Vulnerability

TORONTO, December 17, 2021 – Scryb Inc. (“Scryb” or the “Company”) (CSE: SCYB, OTCQB: SCYRF RYMDF, Frankfurt: EIY2) provides commentary on the widespread log4j [1] vulnerability discovered on December 9th, potentially allowing unauthorized remote access. The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability, and noted that it is reportedly being actively exploited. [2]

Log4j is a Java library for activity logging. Software producers and consumers are currently spending significant resources to identify where this library exists in software or deployed systems. Some enterprises with advanced software inventory systems are reporting success mitigating this vulnerability, whereas several organizations are set to spend extensive resources over the coming months to fully address this issue. With a managed Software Bill of Materials (SBOM), the products that carry the vulnerability would be far easier to identify and mitigate. Well-managed CI/CD pipelines that include attestations such as SBOM are currently providing value and certainty to recovery plans.

"This is the type of vulnerability that was leveraged in the Equifax breach in 2017, and it will take a while until it stabilises and all the impacted software is patched," said Dmitry Raidman, co-founder and CTO at Cybeats. "Any Java code-based products are potentially affected; it might take months until the patches are delivered to active environments, and some companies that are vulnerable to this exploit at the moment are unaware." To manage this type of risk better in the future, companies may look at SBOM and VEX CSAF as means of obtaining transparency and knowing their software better.

This vulnerability serves as an important indicator of changes underway in supply chain infrastructure. The transparency implicit in software inventory systems, and specifically in SBOM, is necessary to ensure stability in software supply chains long-term. Multiple Cybeats executives and advisors, including CTO and co-founder Dmitry Raidman, were participants in the U.S. Department of Commerce SBOM working groups which resulted in the SBOM standard adopted by the U.S. federal government. The Company has developed the SBOM Studio™ product to accomplish in seconds what takes weeks. SBOM Studio™ provides management of SBOMs from design to operation, including orchestration with access management for sharing, AI/ML vulnerability and risk analysis, and security posture ranking for supply chain organizations and software components.

[1] https://en.wikipedia.org/wiki/Log4j

[2] https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce

“Forward-looking enterprises may take this as an opportunity to adopt processes represented by Software Bill of Materials to mitigate future costly incidents like log4j and gain the other economic benefits and a better software asset inventory control”, said Chris Blask, VP Strategy.

Subsequent Developments

Subsequent to the log4j revelations on December 9, a second Log4j vulnerability has been unveiled that has already been weaponized, along with a new patch version, 2.16.0. [3]

CNBC recently interviewed CISA Director Jen Easterly, who said log4j is “the most serious vulnerability she’s seen in her decade-long career”. [4] The log4j vulnerability has been conveyed using the analogy: how many rooms in all Quebec government buildings use 60-watt light bulbs? The answer is likely to physically walk to each room and see if each bulb is 60-watt. [5]

Detecting the vulnerability in a website is a short process, but without an up-to-date inventory list, verifying whether all of the components are affected could take several months. Some regions such as Quebec have reacted by shutting down nearly 4,000 websites as a preventative measure, until the gravity of the situation is assessed. [6]

Log4j is used in thousands of applications, and Authomize has graciously compiled a robust and lengthy list of entities affected by this vulnerability, which includes the likes of Amazon, Apache and Microsoft. [7]

About Cybeats

Cybeats is holistic software supply chain security that builds certainty through visibility, comprehensive protection and proactive response, from launch to legacy. Cybeats. Software made certain.

Website: https://cybeats.com

About Scryb

Scryb is a platform that powers businesses and technologies with applied intelligence, real-time analytics, and actionable insights. The platform boasts proven adaptability across diverse markets, from digital health and diagnostics to cybersecurity and manufacturing. The cloud-based platform is composed of crucial elements including sensor technology, IoT, predictive analytics, and computer vision.

[3] https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html?m=1

[4] https://www.cnbc.com/video/2021/12/16/log4j-vulnerability-the-most-serious-ive-seen-in-my-decades-long-career-says-cisa-director.html

[5] https://www.cbc.ca/news/canada/montreal/quebec-cybersecurity-threat-government-website-1.6283133

[6] https://montreal.ctvnews.ca/quebec-shuts-down-3-992-websites-as-preventative-measure-after-security-flaw-discovered-1.5704258

[7] https://github.com/authomize/log4j-log4shell-affected/blob/main/affected_components.md

For more information, or to ‘Sub Scryb’ to the Company’s mail list, visit: https://www.scryb.ai

Contact:

W. Clark Kent, President

Office. 647-872-9982

TF. 1-844-247-6633

Email: info@scryb.ai

Forward-looking Information Cautionary Statement

Except for statements of historic fact, this news release contains certain "forward-looking information" within the meaning of applicable securities law. Forward-looking information is frequently characterised by words such as "plan," "expect," "project," "intend," "believe," "anticipate," "estimate," and other similar words, or statements that certain events or conditions "may" or "will" occur. Forward-looking statements are based on the opinions and estimates at the time the statements are made and are subject to a variety of risks, uncertainties, and other factors that could cause actual events or results to differ materially from those anticipated in the forward-looking statements, including but not limited to delays or uncertainties with regulatory approvals, including that of the CSE. There are uncertainties inherent in forward-looking information, including factors beyond the company’s control. There are no assurances that the commercialization plans for the technology described in this news release will come into effect on the terms or timeframe described herein. The company undertakes no obligation to update forward-looking information if circumstances or management's estimates or opinions should change, except as required by law. The reader is cautioned not to place undue reliance on forward-looking statements. Additional information identifying risks and uncertainties that could affect financial results is contained in the company’s filings with Canadian securities regulators, which filings are available at www.sedar.com.
