Security Experts Warn of Serious Software Flaw Threatening Hundreds of Millions of Devices

Source: WSJ | Published on December 14, 2021


Over the weekend, businesses and governments around the world rushed to defend against cyberattacks aimed at exploiting a serious flaw in a widely used piece of Internet software that security experts warn could give hackers sweeping access to networks.

Because the code is so widely used on corporate networks, cybersecurity researchers believe the bug, hidden in an obscure piece of server software called Log4j, represents one of the most serious threats seen in recent years.

The Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security issued an urgent alert about the vulnerability and urged businesses to take action. “To be clear, this vulnerability poses a severe risk,” CISA Director Jen Easterly stated on Saturday. “We will only be able to reduce potential consequences through collaborative efforts between the government and the private sector.” Over the weekend, Germany’s cybersecurity organization issued a “red alert” about the bug. Australia dubbed the situation “critical.”

Security experts warned that assessing the extent of the damage could take weeks or more, and that hackers exploiting the vulnerability could access sensitive data on networks and install back doors that they could use to maintain access to servers even after the flawed software was patched.

“It’s one of the most significant vulnerabilities I’ve seen in a long time,” said Aaron Portnoy, principal scientist at Randori.

Many companies, according to security experts, have other processes in place that would prevent a malicious hacker from running software and breaking into these companies, potentially limiting the impact of the bug.

In a customer alert, Microsoft Corp. stated that “attackers are probing all endpoints for vulnerability.” Amazon.com Inc., Twitter Inc., and Cisco Systems Inc. are among the companies that have stated that they are investigating the scope of the problem. In a security alert, Amazon, the world’s largest cloud computing company, stated, “We are actively monitoring this issue and are working on addressing it.”

According to Ralph Goers, a volunteer with the project, the software flaw was reported late last month to the Log4j development team, a group of volunteer coders who distribute their software free of charge as part of the Apache Software Foundation. On December 9, the foundation, a non-profit organization that helps oversee the development of many open-source programs, notified its user community of the vulnerability.

“This is a critical issue,” Mr. Goers stated. “People need to upgrade in order to get the fix,” he explained. Log4j is used on servers to record user activities so that security or software development teams can review them later.

It’s unclear how many servers are affected by the bug because Log4j is distributed for free, but the logging software has been downloaded millions of times, according to Mr. Goers.

Software vendors that include Log4j in their products, such as International Business Machines Corp.’s Red Hat, Oracle Corp., and VMware Inc., have stated that patches are being distributed.

It’s not the first time open-source software has raised security concerns. In 2014, internet users all over the world were urged to reset their passwords after another vulnerability, known as Heartbleed, was discovered in OpenSSL, an obscure yet similarly ubiquitous piece of internet software built by volunteers.

According to researchers, hackers began widely exploiting the flaw early Friday, including gaining access to servers running Microsoft’s Minecraft gaming software. The researchers soon noticed widespread scanning and attempts to exploit the Log4j bug on the Internet. In a note published on Friday, Microsoft advised some Minecraft players to upgrade their software to fix the bug.

Check Point Software Technologies Ltd. said it saw more than 100,000 attempts to exploit the bug over a 24-hour period, about half of which it estimated were from malicious cyberattackers. According to Check Point, the rest were conducted by legitimate researchers, either governments scanning national infrastructure or security researchers.

Cas van Cooten, a Dutch researcher, claimed to have discovered the bug on Apple Inc.’s servers, potentially allowing him to run code within Apple’s network. Mr. van Cooten stated that he immediately notified Apple of the problem.

“It would have been a piece of cake for a malicious hacker to weaponize this,” he said. An Apple spokesman did not respond to requests for comment.

Carson Owlett, another researcher, stated that consultants from his security firm, Black Mirage LLC, were able to detect the bug on systems run by other companies, including Twitter and LinkedIn, both of which are owned by Microsoft.

“Our teams are looking into it, but we don’t have any details to share at this time,” a Twitter spokesperson said in an email Friday. According to a LinkedIn spokesperson, “while we’re responding to this, just as security teams at many companies are, we’re not experiencing any active issue.”

Because servers log all kinds of data, from email addresses to web navigation requests, these attempts could give attackers a foothold on a vulnerable server deep within corporate networks, according to Ryan McGeehan, an independent security consultant and former Facebook director of security. “A successful attack is similar to creating a wormhole,” he explained. “The assailant has no idea where they’ll end up.”
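As an added illustration of that foothold (example code written for this edition, not from the article or the Log4j project): Log4j expands `${name:value}` lookup expressions that appear in strings it logs, so a lookup expression arriving in a client-supplied HTTP field is a strong indicator of the scanning and exploitation attempts described above. The access-log lines, addresses and lookup names below are constructed for the example; the check URL-decodes each field so percent-encoded braces are not missed.

```python
import re
from urllib.parse import unquote
from typing import List

# Constructed sample lines in Apache/NGINX combined log format; not real traffic.
# Addresses come from the TEST-NET ranges reserved for documentation.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:08:15:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:08:15:07 +0000] "GET /login?user=${env:USER} HTTP/1.1" 200 301 "-" "curl/7.79.1"
198.51.100.7 - - [10/Dec/2021:08:16:30 +0000] "GET /api/v1/items HTTP/1.1" 200 2048 "-" "${sys:os.name}"
198.51.100.8 - - [10/Dec/2021:08:17:01 +0000] "GET /search?q=%24%7Bsys%3Ajava.version%7D HTTP/1.1" 200 77 "-" "python-requests/2.26"
198.51.100.9 - - [10/Dec/2021:08:17:40 +0000] "POST /checkout HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, timestamp, request line,
# status, size, referer, user agent. Quoted fields are client-controlled.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Log4j substitutes ${name:value} lookup expressions found in logged strings.
# No legitimate browser or API client sends one, so any match is worth triage.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")


def find_lookup_attempts(log_text: str) -> List[dict]:
    """Return one record per log line whose client-controlled fields
    (request line, referer, user agent) carry a Log4j lookup expression."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        for field in ("request", "referer", "agent"):
            decoded = unquote(m.group(field))  # reveal %24%7B... as ${...}
            found = LOOKUP_RE.search(decoded)
            if found:
                hits.append({"line": lineno, "ip": m.group("ip"),
                             "field": field, "expr": found.group(0)})
                break  # one record per line is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_lookup_attempts(SAMPLE_LOG):
        print(hit)
```

Run against real access logs, the same function gives a first cut of which source addresses and fields to investigate; it does not by itself say whether the server's logging library was vulnerable.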

Cisco is looking into more than 150 of its products for the Log4j bug. So far, it has discovered three vulnerable products and determined that 23 are not, according to a company spokesman on Saturday.
