The Log4j software bug could put your favorite sites at risk: What you need to know
The discovery of a major security flaw in widely used logging software sent much of the tech industry scrambling over the weekend to put in place patches before the vulnerability could be exploited by cybercriminals.
If left unpatched, the bug in the Java-logging library Apache Log4j could be used by cyberattackers to take over computer servers, potentially putting favorite online services, as well as consumer devices, at risk of failure.
One of the first known attacks using the vulnerability involved the computer game Minecraft. Attackers were able to take over one of the world-building game’s servers before Microsoft, which owns Minecraft, patched the problem.
The bug is a so-called zero-day vulnerability. Security professionals hadn’t created a patch for it before it became known and potentially exploitable.
Experts warn that the vulnerability is being actively exploited. Cybersecurity firm Check Point said Monday it had detected over 800,000 attempted exploits of the bug in the first 72 hours after it became public.
“It is clearly one of the most serious vulnerabilities on the internet in recent years,” the company said in a report. “The potential for damage is incalculable.”
The news also prompted warnings from federal officials who urged those affected to immediately patch their systems or otherwise fix the flaws.
“To be clear, this vulnerability poses a severe risk,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in a statement. She noted the flaw presents an “urgent challenge” to security professionals given Apache Log4j’s wide usage.
Here’s what else you need to know about the Log4j vulnerability.
Who is affected?
The flaw is potentially disastrous because of the wide-spread use of the Log4j logging library in all kinds of enterprise and open-source software, said Jon Clay, vice president of threat intelligence at Trend Micro.
The logging library is popular, in part, because it’s free to use. That price tag comes with a trade-off: just a handful of people maintain it. Paid products, by contrast, usually have large software development and security teams behind them.
Meanwhile, it’s up to the affected companies to patch their software before something bad happens.
“That could take hours, days or even months depending on the organization,” Clay said.
By Monday, companies including IBM, Oracle, AWS and Microsoft had all issued advisories alerting their customers to the bug, outlining their progress on patches and urging them to install related security updates as soon as possible.
Consumers can’t do much more than update their devices, software and apps when prompted.
Why is this a big deal?
If exploited, the vulnerability could allow an attacker to take control of Java-based web servers and launch remote-code execution attacks, which could give them control of the computer servers. That could open up a host of security compromising possibilities.
Cybersecurity firm Sophos said that so far it’s found evidence of malicious crypto mining operations trying to use the vulnerability to their advantage. Swiss officials said there’s evidence the flaw is being used to deploy botnets often used in both DDoS attacks and cryptomining.
Cryptomining attacks, sometimes known as cryptojacking, allow hackers to take over a target computer with malware in order to mine for bitcoin or other cryptocurrencies. DDoS, or distributed denial of service, attacks involve taking control of a computer to flood a website with fake visits, overwhelming the site and knocking it offline.
What’s the fallout going to be?
It’s too soon to tell.
Check Point notes that the news comes just ahead of the height of the holiday season when IT desks are often running on skeleton crews and might not have the resources to respond to a serious cyberattack.
The US government has already warned companies to be on high alert for ransomware and cyberattacks over the holidays, noting that cybercriminals don’t take time off and often see the festive season as a desirable time to strike.
While Clay said some people are already starting to refer to Log4j as the “worst hack in history,” he thinks that will depend on how fast companies roll out patches and squash potential problems.
Given the cataclysmic effect the flaw is having on so many software products right now, he says companies might want to think twice about using free software in their products.
“There’s no question that we’re going to see more bugs like this in the future,” he said.