Cloudflare (NET) stock price tumbles 6% on cyberthreat
Cloudflare’s stock price closed down 6.47% Friday after decentralised-finance firm BadgerDAO said a flaw in the company’s account-creation process led to the theft of $120m (£90.43) in cryptocurrencies.
Companies around the world scrambled Friday to fix an open-source software bug dubbed LogShell4. Despite the security troubles, the BadgerDAO token rose more than 14% at one point Friday afternoon on the West Coast.
Cloudflare (NET) secures online resources, including websites, and secures and ensures the reliability of your external-facing resources such as websites, application programming interfaces (APIs), and other software applications.
BadgerDAO cites phishing attack
In a blog post, BadgerDAO attributed the theft to a 2 December hack phishing attack that stemmed from a “maliciously injected snippet,” provided by Cloudflare Workers, a serverless application platform that runs on the company’s cloud-based network.
Cybersecurity experts attributed the cyberthreat to a software application known as Log4J. BadgerDAO noted that it was working with Cloudflare and Mandiant to prevent future problems.
BadgerDAO indicated that the theft of its assets was tied to a log glitch – but did not specifically cite Log4J. Cloudflare has denied that its systems were compromised Bloomberg reported.
What is your sentiment on NET?
Threat ‘extremely bad’
“This log4j (CVE-2021-44228) vulnerability is extremely bad,” tweeted Marcus Hutchins, a British cybersecurity expert credited with helping to stop the 2017 WannaCry ransomware attack that struck hundreds of thousands of computers around the world. “Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft (software platforms) have all been confirmed vulnerable.”
In Java script, logging is an API that provides the ability to trace out the errors of the applications, according to Javatpoint.com. When an application generates the logging call, the logger records the event in the log record. After that, it sends to the corresponding handlers or appenders.
Cloudflare updates WAF
Sam Rhea, Cloudflare’s product management director said, in a blog post, the company has updated its Web application firewall (WAF) to defend computer infrastructure against what was dubbed a zero-day attack because developers were unfamiliar with it.
Rhea said the logging package allows hackers to execute code on a remote service and also exploits servers that are allowed unfettered connectivity to the Internet.
“If the string has already been logged, the vulnerability compromises servers by tricking them into sending a request to a malicious LDAP server,” wrote Rhea. “The destination of the malicious server could be any arbitrary (website address). Attackers who control that (address) can then respond to the request with arbitrary code that the server can execute.”
Cloudflare co-founder, president and CEO Matthew Prince said on Twitter that Log4J was so bad that the company decided to roll out at least some form of protection for all customers by default, even those who do not have the company’s WAF.
Companies need to patch
“But, no matter what we are able to do, we will not be able to fully protect against all exploits of #Log4J because there are so many ways things can get logged. (It’s) critical to patch your Log4J systems,” he wrote.
“I'd be hard-pressed to think of a company that's not at risk,” Joe Sullivan, chief security officer for Cloudflare, told ABC News.
BadgerDAO has indicated that $9m in the stolen assets are recoverable.