Log4j’s security flaw can affect the entire Internet: what you need to know

A major flaw in widely used software has cybersecurity experts sounding alarms and big companies racing to fix the problem.

The vulnerability, reported last week, is in Java-based software known as “Log4j,” which large organizations use to configure their applications — and poses potential risks for much of the Internet.

The cloud computing service from Apple, security company Cloudflare and one of the world’s most popular video games, Minecraft, are among the many services that run Log4j, according to security researchers.

Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security, called it “one of the most serious failures” ever seen in her career.

In a release on Saturday (11), Easterly said that “a growing set” of hackers is actively trying to exploit this vulnerability.

As of Tuesday (14), more than 100 hacking attempts were occurring per minute, according to this week’s data from cybersecurity firm Check Point.

“It will take years to resolve this, while attackers will be trying to exploit it daily,” said David Kennedy, CEO of cybersecurity firm TrustedSec.

“This is a time bomb for companies.”

What is Log4j and why does it matter?

Log4j is one of the most popular logging libraries used online, according to cybersecurity experts.

Log4j gives software developers a way to create an activity log to be used for a variety of purposes, such as troubleshooting, auditing, and tracking data.

Being open source and free, the library essentially reaches all parts of the Internet.

“It’s omnipresent. Even if you’re a developer who doesn’t use Log4j directly, you might still be running vulnerable code because one of the open source libraries you use depends on Log4j,” Chris Eng, research director at cybersecurity firm Veracode, told CNN Business.

“That’s the nature of software: it goes down completely.”

Companies such as Apple, IBM, Oracle, Cisco, Google and Amazon all run the software.

It can be present in popular apps and websites, and hundreds of millions of devices around the world that access these services could be exposed to the vulnerability.

Are hackers exploiting this?

Attackers appear to have had more than a week’s head start in exploiting the software flaw before the information was released publicly, according to cybersecurity company Cloudflare.

Now, with such a high number of hacking attempts taking place every day, some worry that the worst is yet to come.

“Sophisticated and savvy threat agents [hackers] will figure out a way to really use the vulnerability as a weapon for the biggest gain,” said Mark Ostrowski, chief engineering officer at Check Point, on Tuesday.

On Tuesday (14), Microsoft said in an update to a blog post that hackers from China, Iran, North Korea and Turkey tried to exploit the Log4j flaw.

Why is this security hole so bad?

Experts are concerned about the vulnerability because hackers can gain easy access to a company’s computer server, allowing entry to other parts of the network.

It’s also very difficult to find the vulnerability or see if a system has already been compromised, according to Kennedy.

Additionally, a second vulnerability in the Log4j system was found on Tuesday.

The Apache Software Foundation, a non-profit organization that developed Log4j and other open source software, has released a security fix for organizations to apply.

How are companies trying to solve the problem?

Last week Minecraft published a blog post announcing that a vulnerability had been discovered in one version of the game — and quickly issued a fix. Other companies have taken similar steps.

IBM, Oracle, AWS and Cloudflare have issued notices to customers, with some pushing security updates or outlining their plans for potential patches.

“This is such a serious bug, but it’s not like you can push a button to fix it like you normally do. It will take a lot of time and effort,” Kennedy said.

For transparency and to help reduce misinformation, CISA said it would create a public website with updates on which software products were affected by the flaw and how hackers exploited them.

What can you do to protect yourself?

The pressure is mainly on companies to act.

For now, people should be sure to update devices, software and applications when companies give notice in the coming days and weeks.

What’s next?

The United States government issued an alert about ransomware and cyber attacks to keep affected companies on high alert during the holiday.

There is concern that a growing number of malicious actors will make use of the vulnerability in new ways, and while large technology companies may have security teams to deal with these potential threats, many other organizations do not.

“What worries me most are schools, hospitals, places where there is a single information technology (IT) professional who takes care of security and who doesn’t have the time, budget or security tools,” said Katie Nickels, director of cybersecurity intelligence at Red Canary.

“These are the organizations I’m most concerned about — small organizations with small security budgets.”

Sean Lyngaas contributed to this report.

Reference: CNN Brasil