
Companies scramble for contracts against hackers: NPR

A researcher recently found a vulnerability in a piece of software called Log4j, which is used in the Java programming language and essentially generates an activity log, and which could allow hackers to hijack a device.


Christopher Schirner / Flickr

Last weekend, employees of the popular world-building video game Minecraft posted an unusual blog post announcing that one version of the game had a digital vulnerability that hackers could exploit to take over the player’s computer. The game company released a patch and encouraged players who run their own servers to do the same.

But the cybersecurity community quickly realized that this vulnerability, embedded in an extremely popular and widely used software tool, has the potential to affect billions of devices.

Over the weekend, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released a statement about what’s known as the “Log4j”, or “Log4Shell”, vulnerability. The agency discussed efforts to help private sector partners troubleshoot and called on all companies to upgrade their software.

“To be clear, this vulnerability poses a serious risk,” CISA director Jen Easterly said in the statement. “We will only mitigate potential impacts through collaborative efforts between the government and the private sector. We call on all organizations to join us in this essential effort and act.”

Vulnerability found in a commonly used software

A researcher working for Chinese technology company Alibaba discovered the bug and privately reported it to the Apache Software Foundation, an all-volunteer corporation that develops and maintains open source software. It went viral when Minecraft revealed it and the researcher posted about it online.

When programmers write code, they often rely on some extremely popular and freely available software – like using building blocks – to perform common tasks. In this case, the vulnerable software is Log4j, which is used in the Java programming language and essentially generates activity logs on the device, replicating everything that happens as the program runs.

“You want to think of it like a modular component that’s used in a lot of different types of software. And its job is … basically just recording things that happened and writing them to another computer somewhere else,” said Andrew Morris, founder and CEO of the cyber intelligence company GreyNoise.

But the researcher has found that a hacker can send a message to this logger from anywhere in the world via the internet, issuing commands to it. That will allow the bad guy to have full access to the device.

Hackers can easily take control

Cybersecurity experts say the vulnerability is particularly dangerous because it affects so many programs – nearly anything written in Java, or based on software written in Java, from products made by Amazon to Apple. Security researchers have continued to run lists of potentially vulnerable companies and programs, including those that have released patches.

The vulnerability is also relatively easy to exploit. “It’s really not that complicated,” Morris said. And when cybersecurity researchers release a proof-of-concept, confirming that the vulnerability can be exploited, and explaining how, bad actors can use it as a blueprint. “It’s like you build a machine once and then everyone else can use the same machine to mine the device as you want,” Morris notes.

As a result, cybersecurity professionals have spent the past weekend working around the clock, and that will likely continue for days if not weeks.

“The internet is on fire,” said David “Moose” Wolpoff, chief technology officer of cybersecurity firm Randori, referring to severe tension in the cybersecurity community. “The reality is that everyone I know professionally who just worked a very long weekend will continue to work in the coming weeks in what is essentially a race against hackers.”

Criminals launched attacks using Log4j

Cybersecurity researchers are scanning the Internet the same way cybercriminals do – identifying which devices might be vulnerable in hopes of protecting them before hackers can infect entire networks or launch more destructive attacks.

Companies have seen hackers exploit this vulnerability, including crypto miners hijacking computing power to mine digital currencies, cybercriminals auctioning access to networks they have penetrated, and armies of zombie digital devices known as botnets targeting vulnerable machines to join their ranks.

According to Katie Nickels, director of threat intelligence at cybersecurity company Red Canary, even if hackers can break through the “open door” left by this vulnerability, companies can limit the damage by deploying multiple layers of security to prevent criminals from moving beyond the individual compromised devices into the rest of the network.

“Once an enemy gets into a machine, they want to do other things. … They want to mine cryptocurrencies, or they want to steal your information, or they want to switch to other networks if they’re in,” Nickels said. “And that’s why I think a lot of people lose sight of the importance of not just trying to spot an enemy as they’re entering or to prevent them from entering, but also having what we call ‘defense in depth’. Maybe I have a lock, but then I also have a security system.”

Experts say the current chaos will spark conversation about how to better prepare to defend against similar attacks in the future – beyond scrambling to patch a vulnerability.

For example, if companies don’t even know that they are depending on a vulnerable Java library, they won’t be able to fix the problem.

That’s why the White House is now requiring companies that sell software to the government to include what’s known as a Software Bill of Materials, which is like a “recipe” of code, Nickels said. Even so, she notes that some companies may also not be aware of all the layers of software that are built into the pre-existing software they use: “We rely on too many cloud services, too many software components. Who should we choose?”

Nickels says that finding the total number of companies that use software like Log4j, let alone many other common software tools, would be a huge undertaking.
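The “recipe of code” Nickels describes is only useful if someone actually reads it. The script below is an added example, not code from the NPR article or from any of the companies it quotes: it takes a Software Bill of Materials in the CycloneDX JSON layout, walks every component (including components bundled inside other components, the “layers of software built into the pre-existing software” she mentions) and reports where a library of interest appears and which copies sit below a minimum version the caller supplies. The SBOM content is constructed for the example, and the minimum version is a placeholder to be taken from the relevant advisory, not a value from this article.

```python
"""Answer "do we depend on this library, and where?" from an SBOM.

Added example (not from the NPR article). The SBOM below is a constructed
sample in the CycloneDX JSON shape; the minimum version passed to
flag_below() is a placeholder that a real run would take from the vendor's
advisory.
"""
import json
import re

# Constructed sample SBOM: four top-level components, one of which
# (an application) bundles its own nested copy of log4j-core.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.12.3"},
        {"group": "example", "name": "inventory-service", "version": "1.0.0",
         "components": [
             {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
         ]},
    ],
})


def parse_version(version):
    """Turn a dotted version string into a tuple of ints for comparison.
    A pre-release suffix after '-' (e.g. '-rc1') is ignored."""
    numbers = re.findall(r"\d+", version.split("-")[0])
    return tuple(int(n) for n in numbers)


def walk_components(components, path=()):
    """Yield (path, component) for every component, descending into nested
    'components' lists so that bundled dependencies are not missed."""
    for comp in components:
        here = path + (f"{comp.get('name', '?')}@{comp.get('version', '?')}",)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)


def find_library(sbom_json, name_pattern):
    """Return every component whose name matches name_pattern, with the
    chain of enclosing components so the owner can be located."""
    sbom = json.loads(sbom_json)
    regex = re.compile(name_pattern)
    hits = []
    for path, comp in walk_components(sbom.get("components", [])):
        if regex.search(comp.get("name", "")):
            hits.append({
                "name": comp["name"],
                "version": comp.get("version", ""),
                "path": " > ".join(path),
            })
    return hits


def flag_below(sbom_json, name_pattern, min_version):
    """Subset of find_library() whose version is older than min_version."""
    floor = parse_version(min_version)
    return [h for h in find_library(sbom_json, name_pattern)
            if parse_version(h["version"]) < floor]


if __name__ == "__main__":
    MIN_VERSION = "2.17.1"  # placeholder: take the real floor from the advisory
    for hit in find_library(SAMPLE_SBOM, r"^log4j-core$"):
        print("found:", hit["path"])
    for hit in flag_below(SAMPLE_SBOM, r"^log4j-core$", MIN_VERSION):
        print("below minimum:", hit["path"])
```

The path string is the part a responder actually needs: a top-level hit is something the team installed and can upgrade directly, while a hit nested under another product has to go back to that product’s vendor, which is the gap Nickels points at.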

But cybersecurity experts also stress the importance of open source software like Log4j, which is created, developed and maintained by volunteers who are not paid for the work.

“I can’t stress to you how dire and serious the situation is,” said Morris of GreyNoise, “as it relates to the amount of technical dependency that falls on open source, well-run software products by a handful of people. Sometimes a person in their spare time, when they are doing other work.

“It’s really important that we think about how we support the people who write the software that moves our world forward.”
