A critical vulnerability in a widely used software tool – increasingly exploited in the online game Minecraft – is rapidly emerging as a major threat to organizations around the world.
“The Internet is on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm crowdstrike, “People are scrambling to patch,” he said, “and all kinds of people are scrambling to take advantage of it.” He said Friday morning that it was “fully weaponized” in the 12 hours after the bug’s existence was revealed, meaning that perpetrators had developed and distributed tools to exploit it.
This flaw may be the worst computer vulnerability discovered in years. It was an open-source logging tool that is ubiquitous in cloud servers and enterprise software used in industry and government. Unless it’s fixed, it gives criminals, spies and programming novices alike easy access to internal networks where they can rob valuable data, install malware, erase important information, and more. can.
“I would find it hard to think of a company that isn’t at risk,” Chief Security Officer Joe Sullivan said. cloudflare, whose online infrastructure protects websites from malicious actors. Untold millions of servers have installed it, and experts said the outcome would not be known for several days.
Amit Yoran, CEO of cybersecurity firm Tenable, called it “the biggest, most significant vulnerability of the last decade” – and possibly the biggest in the history of modern computing.
The vulnerability, called ‘Log4Shell’, was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software. Anyone with an exploit can gain full access to an unpatched computer using the software,
Experts said the vulnerability with the extreme ease that lets an attacker access a Web server — no password required — is what makes it so dangerous.
New Zealand’s computer emergency response team was among the first to report that the flaw was being “actively exploited in the wild” on Thursday, just hours after it was publicly reported and a patch was released.
The vulnerability, located in the open-source Apache software used to run websites and other web services, was reported to the foundation by the Chinese tech giant on November 24. Alibaba, it said. It took two weeks to develop and release a fix.
But patching systems around the world can be a complicated task. While most organizations and cloud providers like heroine To be able to update your web server easily, the same Apache software is also often embedded in third party programs, which can often only be updated by their owners.
Tenable’s Yoran said organizations need to recognize they have been compromised and act quickly.
The first obvious signs of exploitation of the defect appeared Minecraft, an online game that is extremely popular among kids and is owned by Microsoft, Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on other users’ computers by pasting a short message into the chat box.
Microsoft said it has released a software update for Minecraft users. “The fixes that customers apply are safe,” it said.
Cloudflare’s Sullivan said that we have no indication that his company’s servers were compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.