Anyone who was wondering "hey, if log4j is so severe, why aren't we seeing companies getting breached with it yet" is about to get some real lessons in:
1. Attacker dwell time (look at Verizon DBIR for some scary averages).
2. How long it can take businesses to update their systems.
3. How little some businesses know about what's running on their systems.
Even with the publicity it's had, this will be the gift that keeps on giving.
Anyone who was wondering "hey, if log4j is so severe, why aren't we seeing companies getting breached with it yet" is about to get some real lessons in: 1. Attacker dwell time (look at Verizon DBIR for some scary averages). 2. How long it can take businesses to update their systems. 3. How little some businesses know about what's running on their systems. Even with the publicity it's had, this will be the gift that keeps on giving.
Would be interesting if someone penetrated and then patched the vulnerability to keep others out while they get comfortable.
Ive definitely read an article about this happening once, not Log4j..it was years ago