A critical flaw in widely used software has sounded alarms among cybersecurity experts and large companies rushing to fix the problem.
The vulnerability, which was reported late last week, is in Java-based software known as “Log4j” that large organizations use to configure their applications, and poses a potential risk to much of the Internet.
Apple’s cloud computing service, security company Cloudflare, and one of the world’s most popular video games, Minecraft, are among the many services that run Log4j, according to security researchers.
Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), called it “one of the most serious failures” she has seen in her career. In a statement Saturday, Easterly said that “a growing set” of cybercriminals are actively trying to exploit the vulnerability.
As of Tuesday, there were more than 100 hacking attempts per minute, according to data this week from cybersecurity company Check Point.
“It will take years to fix this while the attackers will be looking … [to exploit it] daily,” said David Kennedy, CEO of cybersecurity firm TrustedSec. “This is a time bomb for businesses.”
This is what you should know:
What is Log4j and why is it important?
Log4j is one of the most popular logging libraries used online, according to cybersecurity experts. Log4j offers software developers a way to create an activity log that is used for various purposes, such as troubleshooting, auditing, and data tracking. Because it is open source and free, the library is present in all parts of the Internet.
“It’s ubiquitous. Even if you’re a developer who doesn’t use Log4j directly, you may be running the vulnerable code because one of the open source libraries you use depends on Log4j,” said Chris Eng, head of research at the cybersecurity firm Veracode, to Citizen Free Press Business. “This is the nature of software: it is a vicious cycle.”
Companies like Apple, IBM, Oracle, Cisco, Google, and Amazon all run the software. It could be featured on popular websites and applications, and hundreds of millions of devices around the world accessing these services could be exposed to the vulnerability.
Are hackers exploiting it?
According to cybersecurity company Cloudflare, the attackers appear to have had more than a week’s head start to exploit the software flaw before it was made public. Now, with such a high number of attempts to exploit it every day, some fear the worst is yet to come.
“The most sophisticated and high-level cybercriminals will find a way to weaponize the vulnerability for maximum profit,” Mark Ostrowski, Check Point’s chief engineering officer, said Tuesday.
Late on Tuesday, Microsoft claimed in a blog update that cybercriminals backed by China, Iran, North Korea and Turkey have tried to exploit the Log4j flaw.
Why is this security flaw so serious?
Experts are especially concerned about this vulnerability because hackers can easily access a company’s server, allowing them to break into other parts of the network. It is also very difficult to find the vulnerability or see if a system has already been compromised, according to Kennedy.
In addition, late on Tuesday a second vulnerability was discovered in the Log4j system. The Apache Software Foundation, a nonprofit organization that developed Log4j and other open source software, released a security fix so that organizations using the code can update.
How are companies trying to solve the problem?
Last week, Minecraft published a blog post announcing that a vulnerability had been discovered in a version of its game, and quickly released a fix. Other companies have taken similar steps.
IBM, Oracle, AWS, and Cloudflare have issued notices to their customers, with some of them releasing security updates or outlining their plans for possible patches.
“This is a very serious flaw, but you can’t push a button to patch it like a traditional major vulnerability. It’s going to take a lot of time and effort,” Kennedy said.
For the sake of transparency and to help reduce misinformation, CISA said it would create a public website with updates on software products affected by the vulnerability and how hackers exploited them.
How to protect yourself?
The pressure is largely on companies to act. For now, users should make sure to update their devices, programs, and apps when companies advise them to in the coming days and weeks.
What comes next?
The United States government issued a warning to affected companies to be on high alert during the holiday season for ransomware and cyberattacks.
There are concerns that an increasing number of actors are making use of the vulnerability in new ways, and while large tech companies may have the security teams in place to deal with these potential threats, many other organizations do not.
“What worries me the most are school districts, hospitals, places where there is a single IT person who is in charge of security and who has no time or budget or security tools,” said Katie Nickels, director of intelligence at the cybersecurity company Red Canary. “Those are the organizations that concern me the most: small organizations with small security budgets.”