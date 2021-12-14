



WASHINGTON, December 13 (Reuters) - Cyber defenders are scrambling as a new vulnerability in a widely used software library causes turmoil on the Internet, with hackers rushing to exploit the weakness.

Known as Log4j, the vulnerability lies in a popular open-source product that helps software developers track changes in the applications they build. It is so popular that it is built into the programs of many companies, so security executives anticipate widespread exploitation.

“The Apache Log4j remote code execution vulnerability is the largest and most serious vulnerability in the last decade,” said Amit Yoran, CEO of network security company Tenable and founder of the US Computer Emergency Response Team.

On Friday, the US government warned the private sector about the Log4j vulnerability and the imminent risks it poses.

On a conference call on Monday, leaders of the US Cybersecurity and Infrastructure Security Agency (CISA) said this was one of the worst vulnerabilities seen in years. They urged businesses to keep staff working throughout the holidays to combat attackers who are finding new ways to exploit the flaw.

Much of the software affected by Log4j carries names like Hadoop or Solr that may not be familiar to the general public. But as with the SolarWinds program, which was at the center of a large-scale Russian espionage campaign last year, the ubiquity of these backbone programs makes them an ideal starting point for digital intruders.

Juan Andres Guerrero-Saade, a leading threat researcher at cybersecurity firm SentinelOne, calls it “one of the nightmare vulnerabilities with few ways to prepare.”

Apache released a partial fix for the vulnerability on Friday, but the Log4j maintainers, affected companies, and cyber defenders need time to find the vulnerable software and apply the patch properly. According to security experts, Log4j itself is maintained by a handful of volunteers.

In practice, the flaw lets an outsider insert active code into the logging process. That code then instructs the server hosting the software to execute commands that hand control to the attacker.

The issue was first disclosed by a security researcher working at Alibaba Group Holding Limited (9988.HK), a Chinese technology company, Apache said in a security advisory.

It is now clear that the first exploitation was detected on December 2, several days before the patch was released. Exploitation spread further as Minecraft players used the flaw to take control of servers and spread the word in in-game chat.

So far, no major destructive cyber incidents have been publicly documented as a result of the vulnerability, but researchers have seen a surprising rise in hacking groups trying to exploit the bug for espionage.

Chris Evans, Chief Information Security Officer at HackerOne, said:

Multiple botnets, or networks of computers controlled by criminals, were also trying to exploit the flaw to add more captive machines, according to experts tracking developments.

Many experts now fear the bug could be used to deploy malware that corrupts or encrypts data, like the malware used against US pipeline operator Colonial Pipeline (COLPI.UL) in May.

Guerrero-Saade said his company had already seen a Chinese hacking group working to exploit the vulnerability.

US cybersecurity firms Mandiant and CrowdStrike also said they had seen an advanced hacking group using the bug to break into targets. In an email to Reuters, Mandiant described these hackers as “actors of the Chinese government.”

Reporting by Christopher Bing and Raphael Satter in Washington and Joseph Menn in San Francisco; editing by Matthew Lewis and Stephen Coates


