
The security flaw that terrifies the Internet


BOSTON (AP) – Security professionals say this is one of the worst computer vulnerabilities they’ve ever seen. Companies, including Microsoft, claim that state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already taken hold of it.

The Department of Homeland Security has sounded the alarm, ordering federal agencies to urgently find and fix instances of the bug because it is so easily exploitable – and telling those with public-facing networks to put up firewalls if they cannot be sure. The affected software is a small piece of code that is often undocumented.

Housed in a widely used utility called Log4j, the flaw allows internet-based attackers to easily take control of everything from industrial control systems to web servers and consumer electronics. Simply identifying which systems are using the utility is a challenge; it is often hidden under layers of other software.

America’s top cybersecurity defense official, Jen Easterly, called the flaw “one of the most serious I have seen in my entire career, if not the most serious” in a call Monday with state and local officials and private sector partners. Publicly disclosed last Thursday, it is catnip for cybercriminals and digital spies because it allows easy entry without a password.


The Cybersecurity and Infrastructure Security Agency, or CISA, which Easterly heads, set up a resource page on Tuesday to address the flaw it says is present in hundreds of millions of devices. Other heavily computerized countries were taking it just as seriously, with Germany activating its national computer crisis center.

A wide range of critical industries, including power, water, food and beverage, manufacturing and transportation, were exposed, said Dragos, a large cybersecurity firm. “I think we won’t see a single major software company in the world – at least on the industrial side – having a problem with this,” said Sergio Caltagirone, vice president of corporate threat intelligence.

Eric Goldstein, who heads CISA’s cybersecurity division, said no federal agency was known to have been compromised. But it is still early days.

“What we have here is an extremely widespread, easy to exploit and potentially very damaging vulnerability that could certainly be used by adversaries to cause real damage,” he said.

A little piece of code, a world of trouble

The relevant software, written in the Java programming language, records user activity. Developed and maintained by a handful of volunteers under the auspices of the open source Apache Software Foundation, it is very popular with commercial software developers. It runs on many platforms – Windows, Linux, Apple’s macOS – powering everything from webcams to car navigation systems and medical devices, according to security firm Bitdefender.

Goldstein told reporters on a call Tuesday evening that CISA will update an inventory of patched software as patches become available. “We expect the repair to take some time,” he said.

The Apache Software Foundation said Chinese tech giant Alibaba notified it of the flaw on November 24. It took two weeks to develop and release a fix.

Beyond patches, IT security professionals face an even greater challenge: trying to detect if the vulnerability has been exploited, if a network or device has been hacked. This will mean weeks of active surveillance. A hectic weekend of trying to identify – and shut down – open doors before hackers exploit them now turns into a marathon.

Lull before the storm

“A lot of people are already stressed enough and tired enough from working on weekends – when we’re really going to be dealing with that for the foreseeable future, roughly until 2022,” said Joe Slowik, head of threat intelligence at network security company Gigamon.

Cybersecurity firm Check Point said on Tuesday it had detected more than half a million attempts by known malicious actors to probe for the flaw on corporate networks around the world. It said the flaw was exploited to install cryptocurrency mining malware – which surreptitiously uses computer cycles to mine digital money – in five countries.

So far, no successful ransomware infections exploiting the flaw have been detected, although Microsoft said in a blog post that criminals who break into networks and sell access to ransomware gangs had been seen exploiting the vulnerability on Windows and Linux systems. It said criminals are also quickly incorporating the vulnerability into botnets that enlist multiple zombie computers for theft.

“I think what’s going to happen is it will be two weeks before the effect of this kicks in, as hackers have entered organizations and will determine what to do next,” said John Graham-Cumming, CTO of Cloudflare, whose online infrastructure protects websites from online threats.

Senior researcher Sean Gallagher from cybersecurity firm Sophos said we were in a lull before the storm.

“We would expect opponents to probably grab as much access to anything they can get right now with the goal of monetizing and/or leveraging it later.” This would include extracting usernames and passwords.

Chinese and Iranian state-backed hackers were already exploiting the vulnerability for espionage purposes, Microsoft and cybersecurity firm Mandiant said. Microsoft said state-backed hackers in North Korea and Turkey were doing so as well. John Hultquist, one of Mandiant’s top analysts, did not name any targets, but said Iranian actors were “particularly aggressive” and had participated in ransomware attacks against Israel primarily for disruptive purposes.

Microsoft said the same Chinese cyber espionage group that exploited a flaw in its on-premises Exchange Server software in early 2021 was using Log4j to “expand its typical targeting.”

Insecure by design?

The Log4j episode exposes a poorly addressed problem in software design, experts say. Too many programs used in critical functions have not been developed with sufficient attention to security.

Open source developers like the volunteers responsible for Log4j shouldn’t be as much to blame as an entire industry of programmers who often blindly include snippets of this code without doing their due diligence, Gigamon’s Slowik said.

Popular and custom apps often lack a “software bill of materials” that lets users know what’s under the hood – a critical need at times like this.
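The article notes that Log4j is often hidden under layers of other software and that most applications ship without a bill of materials. The following is an added example, not code from the article or from any of the firms quoted, of how a defender can build that inventory anyway: it walks an application archive and recursively opens any jar, war or ear nested inside it, reporting each copy of log4j-core and the version recorded in its Maven metadata. The sample archive it scans is constructed in memory (an .ear holding a .war holding a log4j-core jar) so it runs offline; the version string in it is a made-up sample value.

```python
"""Nested-archive inventory scanner for log4j-core (added example)."""
import io
import os
import re
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata shipped inside log4j-core names the artifact and its version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_PKG = "org/apache/logging/log4j/core/"


def find_log4j(blob, path=""):
    """Return [(nested path, version)] for every log4j-core jar inside blob.

    Archives nested inside archives are opened recursively, so a jar buried
    in WEB-INF/lib of a war inside an ear is still found."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return hits  # not an archive at all
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        hits.append((path, m.group(1).strip() if m else "unknown"))
    elif any(n.startswith(CORE_PKG) for n in names):
        hits.append((path, "unknown"))  # repackaged copy without metadata
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            hits.extend(find_log4j(zf.read(name), f"{path}!/{name}"))
    return hits


def scan_tree(root):
    """Scan every archive under a directory on disk."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    hits.extend(find_log4j(fh.read(), full))
    return hits


def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_ear():
    """Constructed sample: app.ear -> web.war -> WEB-INF/lib/log4j-core jar."""
    log4j = _zip({POM_PROPS: "artifactId=log4j-core\nversion=2.14.1\n",
                  CORE_PKG + "Logger.class": b"\xca\xfe\xba\xbe"})
    war = _zip({"WEB-INF/lib/log4j-core-2.14.1.jar": log4j,
                "WEB-INF/lib/other-lib.jar": _zip({"x/Y.class": b""})})
    return _zip({"web.war": war, "README.txt": "constructed sample"})
```

Point `scan_tree` at a deployment directory to list every embedded log4j-core copy and its version for comparison against the vendor's patched release.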

“This is obviously becoming more of a problem, as software vendors as a whole use freely available software,” Dragos’ Caltagirone said.

In industrial systems in particular, he added, old analog systems in everything from water utilities to food production have been digitally upgraded over the past decades for automated and remote management. “And one of the ways they did that, obviously, was through software and through the use of programs that used Log4j,” Caltagirone said.