A newly discovered vulnerability in a widely used software library is wreaking havoc on the Internet, forcing cyber defenders to scramble as hackers rush to exploit the weakness. The vulnerability, known as Log4j, comes from a popular open-source product that helps software developers track changes to the applications they build. It is so popular and embedded in the programs of many companies that security executives expect widespread abuse.
“The Apache Log4j remote code execution vulnerability is the biggest, most significant vulnerability of the last decade,” said Amit Yoran, chief executive of network security firm Tenable and founding director of the US Computer Emergency Readiness Team. The US government on Friday sent a warning to the private sector about the Log4j vulnerability and the impending risk.
In a conference call on Monday, the leader of CISA said this is one of the worst vulnerabilities he has seen in many years. He urged companies to treat the flaw as a priority and to keep employees working on it during the holidays.
Much of the software affected by Log4j, which bears names such as Hadoop or Solr, may be unfamiliar to the public at large. But as with the SolarWinds software at the center of a massive Russian espionage campaign last year, the ubiquity of these workhorse programs makes them ideal jumping-off points for digital intruders.
Juan Andres Guerrero-Saade, lead threat researcher at cybersecurity firm SentinelOne, called it “one of those nightmare vulnerabilities that there’s no way to prepare for.” While a partial fix for the vulnerability was released by Log4j’s creator Apache on Friday, affected companies and cyber defenders will need time to detect the vulnerable software and apply the patch properly. Security experts said that Log4j is maintained by a few volunteers.
In practice, the defect allows an outsider to insert code into the library’s record-keeping (logging) process. That code then tells the server hosting the software to execute a command, giving the hacker control. The issue was first publicly disclosed by a security researcher working for Chinese technology company Alibaba Group Holding Ltd., Apache noted in its security advisory.
It is now clear that the initial exploit was spotted on December 2, days before a patch was rolled out. Attacks became more widespread after Minecraft players used the flaw to take control of servers and spread word of it in gaming chat.
No major disruptive cyber incidents resulting from the vulnerability have been publicly documented so far, but researchers see an alarming uptick in hacking groups trying to take advantage of the bug for espionage. “We also expect to see this vulnerability in everyone’s supply chain,” said Chris Evans, chief information security officer of HackerOne.
Experts tracking the developments said several botnets, or groups of computers controlled by criminals, were also exploiting the flaw to enlist more captive machines.
Now many experts fear that the bug could be used to deploy malware that either destroys data or encrypts it, such as the one used in May against US pipeline operator Colonial Pipeline. This led to gasoline shortages in some parts of the United States. Guerrero-Sade said his firm had already seen Chinese hacking groups moving to exploit the vulnerability.
US cyber security firms Mandiant and CrowdStrike also said they have found sophisticated hacking groups that are taking advantage of the bug to breach targets. Mandiant described those hackers as “actors of the Chinese government” in an email to Reuters.