The Chinese government has recently confronted Alibaba Cloud Computing service for not timely reporting its findings of the critical Log4j vulnerability. This time, the tech giant vowed to comply and improve its risk management after this action.
Alibaba Cloud Did Not Report Log4 Bug
Stock activity of the Alibaba Group Holding Ltd (BABA-SW) (top C) is displayed above security guards as they stand outside the Exchange Square towers in Hong Kong on November 4, 2020, after a last minute decision to suspend the record-breaking IPO of fintech giant Ant Group the night before.
According to a report from SCMP on Thursday, Dec. 23, the e-commerce titan stated that its engineer had asked Apache Software Foundation for help regarding the logging Log4j software.
Initially, the retail giant could not disclose important details to the Chinese ministry in time. In addition, it did not anticipate the severity of the risks that the security flaw carries.
In response to this action, the Ministry of Industry and Information Technology (MIIT) decided to suspend the work with the tech firm. Alibaba failed to report the emergence of the controversial Log4j vulnerability to the authorities, leading to its six-month suspension.
Depending on Alibaba's take on the issue, the MIIT will weigh the available options if it would push through its collaboration with the company.
Related Article: Log4j Scanner by CISA Has Been Released to Look for Security Vulnerabilities, Flaws from Apps
Chinese Firms Need to Report Vulnerabilities to MIIT
In the same report from SCMP, the new regulation for 2021 involves the mandatory reporting of Chinese companies regarding vulnerabilities. Based on the policy, they should report the bugs that are spotted in software.
The Chinese ministry initiated this platform to mitigate the development of cybersecurity threats in the systems. In December 2019, MIIT formed this project to help the companies manage risks.
If a company fails to report a vulnerability to the agency, its business would be hugely impacted. Thus, there would be some losses on its part. However, for Alibaba, it would be difficult to determine the extent of the damage.
So far, the Log4j bug is one of the most "catastrophic" vulnerabilities that hit the systems in 2021. Despite being created in a Java platform, it could easily invade systems from prominent firms such as Google and Amazon.
Alibaba Cloud engineer Chen Zhoujun spotted this flaw and immediately sought help from Apache through email on Nov. 24. It disclosed the flaw on Dec. 9.
The Log4shell exploit has exposed "Minecraft Java Edition" to remote code execution. By simply logging in through the software, the players could receive malicious code in chats.
Second Ransomware Family Exploits Log4j
Venture Beat reported that the Apache Log4j had been exploited by a second ransomware family in the US and Europe.
At that time, the experts discovered that the TellYouThePass ransomware had attempted its delivery to systems outside China.
Per Sophos Labs senior threat researcher Sean Gallagher, the most common targets of this attack include the Google and Amazon cloud services.
Another researcher from Sophos, Andrew Brandt, wrote in an email that the TellYouThePass family could be run on Windows and Linux. He added that it was linked to high-profile vulnerabilities such as EternalBlue.
Read Also: Log4j Attack On Belgian Government CONFIRMED By Country's Defense Ministry
This article is owned by Tech Times
Written by Joseph Henry
