‘Fully weaponised’ Log4Shell flaw ‘could be the biggest threat in the history of modern computing’ | Daily Mail Online

'Fully weaponised' Log4Shell flaw 'could be the biggest threat in the history of modern computing' | Daily Mail Online

A ‘fully weaponised’ software flaw that easily allows criminals to steal personal data, plant malicious software or hijack credit card details is the biggest threat in the history of modern computing, experts have warned. 

The glitch, first discovered by users of the wildly popular online game Minecraft, allows another user to seize control of a device and execute programmes without the owner’s consent. 

The flaw, which has tech experts scrambling for a quick fix, may be the worst computer vulnerability discovered in years. 

‘The internet´s on fire right now,’ said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. 

‘People are scrambling to patch,’ he said, ‘and all kinds of people scrambling to exploit it.’ 

He said Friday morning that in the 12 hours since the bug’s existence was disclosed that it had been ‘fully weaponized,’ meaning malefactors had developed and distributed tools to exploit it.

It was uncovered in a utility that’s ubiquitous in cloud servers and enterprise software used across industry and government. 

Until it is resolved, criminals, spies and programming novices alike are granted easy access to internal networks where they can steal valuable data, plant malware, erase crucial information and much more.

Unless a patch is found, criminals, spies and programming novices could gain easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more. [File photograph]

‘I´d be hard-pressed to think of a company that´s not at risk,’ said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors. 

Untold millions of servers have it installed, and experts said the fallout would not be known for several days. Amazon, Twitter and Apple’s iCloud are understood to be ‘vulnerable’ to the exploit.

Hackers are also understood to be able to use QR codes, whose use was widely popularised throughout the pandemic for NHS Test and Trace purposes, to run malicious code on servers. 

The scare prompted senior intelligence experts to react, including Robert Joyce, director of cybersecurity at the National Security Agency in America.

He explained: ‘The Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, including the NSA’s GHIDRA (a free open source reverse engineering tool)’. 

Amit Yoran, CEO of the cybersecurity firm Tenable, called it ‘the single biggest, most critical vulnerability of the last decade’ – and possibly the biggest in the history of modern computing.

The vulnerability, dubbed `Log4Shell,´ was rated 10 on a scale of one to 10 the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software.

Experts said the extreme ease with which the vulnerability lets an attacker access a web server – no password required – is what makes it so dangerous.

Marcus Hutchins, an internet security researcher, warned Log4Shell could make millions of apps vulnerable to hacking as its software is often used by developers.  

New Zealand’s computer emergency response team was among the first to report that the flaw was being ‘actively exploited in the wild’ just hours after it was publicly reported Thursday and a patch released.

The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on Nov. 24 by the Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix.

But patching systems around the world could be a complicated task. 

While most organizations and cloud providers such as Amazon should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.

Cybersecurity experts say users of the online game Minecraft have already exploited it to breach other users’ devices by pasting a short message into in a chat box

Yoran, of Tenable, said organizations need to presume they´ve been compromised and act quickly.

The first obvious signs of the flaw’s exploitation appeared in Minecraft, an online game hugely popular with kids and owned by Microsoft. 

Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box.

Microsoft said it had issued an urgent software patch for Minecraft users. ‘Customers who apply the fix are protected,’ it said.

Researchers reported finding evidence the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.

Cloudflare’s Sullivan said there we no indication his company’s servers had been compromised. Apple, Amazon and Twitter did not immediately respond to requests for comment.

This content was originally published here.

Laat een reactie achter

Het e-mailadres wordt niet gepubliceerd.