Millions of devices around the world could be exposed to a newly revealed software vulnerability, a Biden administration cybersecurity official told executives from major US industries on Monday (13).
According to her, industries need to take steps to solve “one of the most serious failures” she has seen in her career.
As major tech companies struggle to contain the consequences, US officials held a phone call with industry executives, warning that hackers are actively exploiting the vulnerability in systems.
For now, cybersecurity analysts told CNN, the pressure is on tech companies to clean up software code and on big companies to find out if they are affected by the flaw.
But because the vulnerability is so pervasive and likely to be present in things like popular apps and websites, consumers can also feel the consequences if these services are actually hacked.
“This vulnerability is one of the most serious I’ve seen in my entire career, if not the most serious,” said Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), in a call shared with CNN.
Large finance firms and healthcare executives attended the briefing by telephone.
“We hope that the vulnerability will be extensively studied by specialized agents, and we have limited time to take the necessary steps to reduce the likelihood of harmful incidents,” said Easterly.
CNN contacted CISA for comment on the meeting. CyberScoop, a technology news site, first reported the content of the call.
This is the sternest warning from US officials about the software flaw since news broke last week that hackers were using it to try to break into organizations’ computer networks.
It is also a test of new channels that federal authorities have created to work with industry executives following widespread cyberattacks exploiting SolarWinds and Microsoft software that were revealed last year.
Experts told CNN it can take weeks to resolve the vulnerabilities. Furthermore, they point out that alleged Chinese hackers are already trying to exploit it.
The vulnerability is in the Java-based software known as “Log4j” that large organizations, including some of the world’s largest technology companies, use to log information in their applications.
Tech giants like Amazon Web Services and IBM have moved to fix the bug in their products.
The flaw offers a hacker a relatively easy way to access an organization’s computer server.
From there, an attacker can devise other ways to access systems on an organization’s network.
The Apache Software Foundation, which manages the Log4j software, has released a security fix for organizations to apply.
Race against time to fix the flaw
But attackers had more than a week’s advantage in exploiting the software flaw before it was publicly disclosed, according to cybersecurity firm Cloudflare.
Organizations are now in a race against time to find out if they have computers running vulnerable software that has been exposed to the Internet.
Government and industry cybersecurity executives are continually working on the issue.
“We will have to make sure that we have a sustained effort to understand the risk of this code across all major infrastructure in the United States,” Jay Gazlay, another CISA official, said by telephone.
Hackers linked to the Chinese government have already started using the vulnerability, according to Charles Carmakal, senior vice president and chief technology officer at cybersecurity firm Mandiant.
Mandiant declined to go into detail about which organizations hackers are targeting.
“In time, everyone can set the damn thing up,” Mandiant CEO Kevin Mandia told CNN, referring to the vulnerability.
“That is the problem. And there will probably be great hackers hiding among the not-so-good ones.”
“Noise” is a real problem. For cybersecurity professionals, Twitter has been a constant flurry of useful information and, in some cases, misinformation that has nothing to do with the vulnerability.
To solve the problem, CISA said it would create a public website with information about which software products were affected by the vulnerability and the techniques hackers were using to exploit it.
“This will be a multi-week process in which new actors are exploiting the vulnerability,” Eric Goldstein, CISA’s Executive Assistant Director of Cybersecurity, said by telephone.
The ubiquity of the software forced cybersecurity professionals across the country to spend the weekend checking whether their systems are vulnerable.
“For most of the information technology world, there was no weekend,” said Rick Holland, director of information security at cybersecurity firm Digital Shadows, to CNN. “It was just another long set of days.”
*With information from Geneva Sands, CNN
Reference: CNN Brasil