Date: 2021-12-14



Experts warn that bugs in the Log4j software may cause problems in the future.


After the discovery of a significant security flaw in widely used logging software, much of the tech industry scrambled over the weekend to patch it before cybercriminals could exploit the vulnerability.

If left unpatched, a bug in the Java logging library Apache Log4j could be used by attackers to hijack computer servers, putting popular online services and consumer devices at risk.

One of the first known attacks to exploit this vulnerability involved the computer game Minecraft. Attackers were able to hijack one of the game’s servers before Microsoft, the owner of Minecraft, patched the issue.

This bug is a so-called zero-day vulnerability: no patch existed before the flaw became publicly known and could be abused.

Experts warn that the vulnerability is being actively exploited. Cybersecurity firm Check Point said Monday that it had detected more than 800,000 exploit attempts in the first 72 hours after the bug was disclosed.

“This is clearly one of the most serious vulnerabilities on the Internet in recent years,” the company said in a report. “The possibility of damage is immeasurable.”

Federal officials also urged affected organizations to patch their systems immediately or otherwise mitigate the flaw.

“Obviously, this vulnerability poses a serious risk,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, in a statement. She said the flaw is an “urgent issue” for security professionals, given the widespread use of Apache Log4j.

Here’s what else you need to know about the Log4j vulnerability:

Who will be affected?

Jon Clay, vice president of threat intelligence at Trend Micro, said the flaw could be catastrophic because the Log4j logging library is used in all kinds of enterprise and open source software.

Logging libraries like this one are popular partly because they are free to use, but that price tag comes with a trade-off: only a handful of people maintain it, whereas paid products usually have large software development and security teams behind them.

It is also up to each affected company to patch its own software before something bad happens.

“Depending on the organization, it can take hours, days, or even months,” Clay said.

By Monday, companies including IBM, Oracle, AWS, and Microsoft had all issued advisories warning customers of the bug, outlining patch progress, and encouraging them to install the relevant security updates as soon as possible.

For consumers, there is little to do beyond updating their devices, software, and apps when prompted.

Why is this a big deal?

Exploiting this vulnerability could allow an attacker to take control of a Java-based web server through remote code execution, which opens up a wide range of further security risks.

Cybersecurity firm Sophos says it has so far found evidence that malicious cryptocurrency mining operations are trying to take advantage of the vulnerability. Swiss officials said there is evidence that the flaw is being used to deploy botnets, which are commonly used for both DDoS attacks and crypto mining.

In crypto mining attacks, also known as cryptojacking, hackers use malware to hijack victims’ computers and make them mine Bitcoin and other cryptocurrencies. In a DDoS (distributed denial of service) attack, hijacked computers are used to flood a website with fake traffic, overwhelming it and taking it offline.

What about fallout?

It’s too early to say.

Check Point notes that the news comes in the middle of the holiday season, when IT desks are often running with minimal staff and may not have the resources to respond to serious cyberattacks.

The U.S. government has already warned companies to be wary of ransomware and other cyberattacks during the holidays, noting that cybercriminals do not take holidays off and see the festive season as an attractive time to strike.

Some have already called Log4j “the worst hack in history,” Clay said, but he believes the outcome depends on how quickly companies deploy patches to head off potential problems.

Given the cataclysmic impact that a flaw in software used by so many products can have, he says, companies may want to think twice about using free software in their products.

“There is no doubt that there will be more such bugs in the future,” he said.

