Security professionals say it is one of the worst computer vulnerabilities they have ever seen as agencies in the United States and Australia sound the alarm on Log4j software, which has a key weakness that is startling experts.
Publicly disclosed last Thursday, the weakness is catnip for cyber criminals and digital spies because the software is widely used and the flaw allows easy, password-free entry to some systems.
However, as concerns mount that the loophole has been exploited by some state-sponsored hackers, along with rogue cryptocurrency miners, experts have said the problem’s full extent will not be known for weeks.
Here is what you need to know about the Log4j security fault, which has also been dubbed Log4shell.
What is Log4j? Is it a problem?
The issue lies in a commonly used utility that has been incorporated into countless pieces of software because it is open source, meaning anyone can use it.
That utility is called Log4j and it is ubiquitous as a tool to log activity on computers.
Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers.
It runs across many platforms, powering everything from webcams to car navigation systems and medical devices, according to the security firm Bitdefender.
The flaw in Log4j lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics.
Unless it is fixed, it gives a potential opening to internal networks where cyber criminals can loot valuable data, plant malware, erase crucial information and more.
The Apache Software Foundation said the Chinese tech giant Alibaba notified it of the flaw on November 24.
It took two weeks to develop and release a fix.
The first obvious signs of the flaw’s exploitation appeared in the Microsoft online game Minecraft.
Minecraft users were able to use it to execute programs on the computers of other users by pasting a short message in a chat box.
Microsoft said a fix has already been released for the game.
What is the risk?
The cybersecurity world is taking this very seriously and the Apache foundation rated the risk at 10 out of 10.
Here in Australia, the Australian Cyber Security Centre has issued a critical alert for the vulnerability, urging organisations to apply the latest patches to address the weakness.
The US Department of Homeland Security has ordered federal agencies to urgently eliminate the bug because it is so easily exploitable — and telling those with public-facing networks to put up firewalls if they cannot be sure.
In the US, the top cybersecurity defence official, Jen Easterly, deemed the flaw “one of the most serious I’ve seen in my entire career, if not the most serious” in a call on Monday with state and local officials as well as partners in the private sector.
A wide swath of critical industries, including electric power, water, food and beverage, manufacturing and transportation, were exposed, according to cybersecurity firm Dragos.
“I think we won’t see a single major software vendor in the world — at least on the industrial side — not have a problem with this,” Sergio Caltagirone, the company’s vice president of threat intelligence, said.
Eric Goldstein from the US Cybersecurity and Infrastructure Security Agency said the US federal government was leading a global response.
He said no federal agencies were known to have been compromised, but the threat still remained.
“What we have here is an extremely widespread, easy-to-exploit and potentially highly damaging vulnerability that certainly could be utilised by adversaries to cause real harm,” Mr Goldstein said.
When will we know how bad this is?
Maybe not for a while.
Log4j is often embedded in third-party programs that need to be updated by their owners.
“We expect remediation will take some time,” Mr Goldstein said.
John Graham-Cumming, chief technical officer of Cloudflare, whose online infrastructure protects websites from online threats, said the problem was still revealing itself.
“I think what’s going to happen is it’s going to take two weeks before the effect of this is seen because hackers got into organisations and will be figuring out what to do next,” Mr Graham-Cumming said.
Sean Gallagher from the cybersecurity firm Sophos agreed, saying the world was in a lull before the storm.
“We expect adversaries are likely grabbing as much access to whatever they can get right now with the view to monetise and/or capitalise on it later on,” he said.
That would include extracting usernames and passwords.
State-backed Chinese and Iranian hackers have already exploited the flaw, presumably for cyberespionage, and other state actors were expected to do so as well, according to John Hultquist, a top threat analyst at the cybersecurity firm Mandiant.
He did not name the target of the Chinese hackers nor its geographical location.
Mr Hultquist said the Iranian actors were “particularly aggressive” and had taken part in ransomware attacks primarily for disruptive ends.
Do we know who’s been hacked?
Beyond patching to fix the flaw, computer security professionals have an even more daunting challenge trying to detect whether the vulnerability was exploited and whether a network or device was hacked.
That will mean weeks of active monitoring.
A frantic weekend of trying to identify — and slam shut — open doors before hackers exploited them now shifts to a marathon.
The cybersecurity firm Check Point said on Tuesday it detected more than half a million attempts by known malicious actors to identify the flaw on corporate networks across the globe.
It said the flaw was exploited to plant cryptocurrency mining malware — which uses the target’s computer power to mine cryptocurrency for the hacker — in five countries.
So far, no successful ransomware infections leveraging the flaw have been detected, but experts say that is probably just a matter of time.
Why did this happen?
The Log4j episode exposes a poorly addressed issue in software design, according to experts who argue too many programs used in critical functions have not been developed with enough security.
Open-source developers — like the volunteers responsible for Log4j — should not be blamed so much as an entire industry of programmers who often blindly include snippets of such code without doing due diligence, according to Joe Slowik of network security firm Gigamon.
Popular and custom-made applications often lack a “Software Bill of Materials” that lets users know what’s under the hood, a crucial need at times like this.
“This is becoming obviously more and more of a problem as software vendors overall are utilising openly available software,” Mr Caltagirone said.
In industrial systems, particularly, he added, formerly analog systems in everything from water utilities to food production have in the past few decades been upgraded digitally for automated and remote management.
“And one of the ways they did that, obviously, was through software and through the use of programs which utilised Log4j,” Mr Caltagirone said.