On Friday, the Cybersecurity and Infrastructure Security Agency issued an emergency directive directing federal civilian executive branch agencies to repair a critical security weakness in widely used logging software that cybercriminals might exploit.
The order directs agencies to determine whether any software that receives “data input from the internet” is vulnerable to the Log4j flaw, which was disclosed just over a week ago. The agencies must patch or remove the affected software by 5 p.m. ET on December 23 and report their actions by December 28.
A flaw in the Java logging library Apache Log4j puts vast swaths of the internet in danger. Cyberattackers could exploit a vulnerability in commonly used software to seize control of computer servers, placing everything from consumer electronics to government and business systems in jeopardy.
The computer game Minecraft was used in one of the first known exploits of the flaw. Before Microsoft, which owns Minecraft, addressed the flaw, attackers were able to seize control of one of the game’s servers. The flaw is referred to as a “zero-day” vulnerability: it became known and exploitable before security experts had devised a patch for it.
Experts warn that the flaw is actively being exploited. Check Point said on Wednesday that in the days since the flaw was made public, it had detected more than 1.8 million attempts to exploit it, with over 46% of those originating from known criminal organizations.
In a report, the company stated, “It is certainly one of the most dangerous vulnerabilities on the internet in recent years,” adding that “the potential for harm is unquantifiable.”
Federal officials issued warnings in response to the disclosure, urging individuals affected to patch their systems or otherwise address the faults as soon as possible. In addition, CISA announced on Tuesday that the vulnerability would be added to the list of those that government agencies must address.
In a statement, CISA Director Jen Easterly said, “To be clear, this vulnerability poses a grave danger.” Moreover, given Apache Log4j’s widespread use, she said the bug poses an “urgent challenge” to security professionals.
Here’s everything else you need to know about the Log4j flaw.
Who is impacted by this?
Because the Log4j logging library is so widely used in commercial and open-source applications, the weakness could be fatal, according to Jon Clay, Trend Micro’s vice president of threat intelligence.
The logging library is free to use, which contributes to its popularity. But that price comes with a catch: only a handful of people are in a position to maintain it. Paid products, on the other hand, are frequently backed by large software development and security teams.
Meanwhile, it’s up to the impacted businesses to update their software before something disastrous occurs.
“Depending on the organization, that may take hours, days, or even months,” Clay added.
IBM, Oracle, AWS, and Microsoft had all released advisories by Monday, notifying their customers of the bug, detailing their patch efforts, and pushing them to apply necessary security updates as soon as possible.
According to Nadir Izrael, chief technology officer and co-founder of the IoT security firm Armis, any consumer device that employs a web server might be running Apache. Apache is also frequently used in devices such as smart TVs, DVR systems, and security cameras, he said.
“Imagine how many of these devices are sitting in loading docks or warehouses, unable to receive security updates because they aren’t linked to the internet,” Izrael said. “They’re vulnerable to attack the moment they’re unboxed and connected.”
Consumers can only update their devices, software, and apps when prompted. However, as Izrael points out, a vast number of older internet-connected gadgets are no longer receiving updates, leaving them vulnerable.
What’s the big deal about this?
The vulnerability, if exploited, could allow an attacker to take over Java-based web servers and perform remote code execution attacks, giving them complete control of those servers. This could lead to a slew of security-threatening scenarios.
Microsoft announced on Tuesday that it had discovered evidence of the issue being used by organizations in China, Iran, North Korea, and Turkey. A ransomware group based in Iran and other entities notorious for selling access to networks for ransomware attacks are among them. According to Microsoft, these efforts could lead to an upsurge in ransomware assaults in the future.
Bitdefender also reported that it had spotted attacks on Windows computers using the Khonsari ransomware family.
According to CISA Executive Assistant Director Eric Goldstein, much of the activity CISA has discovered so far has been “low level” and concentrated on activities such as crypto-mining. He added that no federal agency has been harmed as a result of the flaw and that the government has not yet been able to attribute any of the activity to a specific group.
Sophos discovered evidence of the issue being exploited for crypto mining activities. At the same time, Swiss officials said the flaw is being used to deploy botnets, which are commonly employed in both DDoS attacks and crypto mining.
Crypto-mining attacks, also known as cryptojacking, allow hackers to take control of a target computer and use it to mine bitcoin or other cryptocurrencies. DDoS (distributed denial of service) attacks involve taking control of computers to flood a website with bogus traffic, overloading it and knocking it offline.
Izrael is especially concerned about the impact on organizations with staff who work from home. According to him, the distinction between work and personal devices is frequently blurred, putting company data at risk if a worker’s device is compromised.
What will be the consequences?
It’s too early to say.
According to Check Point, the announcement comes just before the holiday season, when IT departments are generally staffed with skeleton teams and may not have the resources to respond to a significant threat.
The US government has previously urged businesses to be on the lookout for ransomware and cyberattacks over the holidays, stressing that cybercriminals don’t take vacations and typically view the Christmas season as a prime opportunity to strike.
While some are already referring to Log4j as the “worst hack in history,” Clay believes the outcome will depend on how quickly organizations apply updates and address any problems.
Given the bug’s devastating impact on so many software products, he advises enterprises to reconsider how they adopt free software in their products.
“There’s little doubt we’ll see more issues like this in the future,” he predicted.