Late last week, staff at Minecraft, a popular world-building video game, published a rare blog post announcing that a version of the game has a digital flaw that hackers can exploit to hijack a player’s computer. The game company has released a patch and encouraged players running their own servers to patch as well.

However, the cybersecurity community quickly realized that the vulnerability, built into a very popular software tool, could affect billions of devices.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a statement over the weekend regarding what became known as the “Log4j” vulnerability, or “Log4Shell.” The agency discussed efforts to help private sector partners solve their problems and encouraged all companies to upgrade their software.

“Obviously, this vulnerability poses a serious risk,” CISA director Jen Easterly said in a statement. “We minimize the potential impact only through collaborative efforts between the government and the private sector. We ensure that all organizations participate in this important effort and take action. I strongly demand.”

The flaw was found in a piece of commonly used software

A researcher working at the Chinese technology company Alibaba discovered the bug and personally notified the Apache Software Foundation, an all-volunteer company developing and maintaining open source software. It became public when Minecraft made the disclosure and researchers posted about it online.

When programmers write code, they often rely on common, freely available software as building blocks to perform common tasks. In this case, the vulnerable software is called Log4j. It is used with the Java programming language and basically logs activity on a device, recording what happens while a program is running.

“I would like to think of it as a modular component used in many different types of software. Its job is … basically to record what happened and write it to another computer in another location. That’s it,” said Andrew Morris, founder and CEO of cyber intelligence company GreyNoise.

However, researchers have discovered that hackers can send messages and commands to this logger from anywhere in the world over the Internet. This gives a malicious attacker full access to hijack the device.

Hackers can easily take control

According to cybersecurity experts, the vulnerability affects almost any program written in Java or dependent on software written in Java, from Amazon products to Apple products, which makes it especially dangerous. Security researchers continue to maintain a running list of potentially vulnerable companies and programs, including those that have released patches.

This flaw is relatively easy to exploit. “It’s not that complicated,” Morris said. Once cybersecurity researchers release a proof of concept, confirming that the vulnerability can be exploited and explaining how, a malicious person can use it like a blueprint. “Once you build a machine, it’s like anyone else can use the same machine and abuse the device as needed,” Morris said.

As a result, cybersecurity professionals worked 24 hours a day last weekend, and the effort could last for days, if not weeks.

“The Internet is on fire,” said David “Moose” Wolpoff, chief technology officer of cybersecurity firm Randori, referring to the serious stress within the cybersecurity community. “In reality, anyone who knows I’ve worked professionally on a very long weekend is essentially a race against hackers and will continue to work for the next few weeks.”

Criminals have already launched attacks using Log4j

Cybersecurity researchers are scanning the internet to identify devices that may be vulnerable, in the same way cybercriminals do, in the hope of defending those devices before hackers infect entire networks or launch more devastating attacks.

Companies have already seen hackers exploit this flaw. For example, cryptocurrency miners hijack computing power to mine digital currencies, cybercriminals auction access to invaded networks, and armies of zombie digital devices, called botnets, target vulnerable machines to add them to their ranks.

According to Katie Nickels, director of threat intelligence at the cybersecurity firm Red Canary, even if a hacker breaks through the “open door” left by this vulnerability, companies can limit the damage by introducing multiple layers of security that prevent criminals from moving into the network beyond the individual compromised device.

“If an enemy gets into some machine, I want to do something else … they look for cryptocurrencies, steal your information, or move to other networks if you’re on a large network. We will be able to receive confidential files as a ransom.” “Therefore, many people have lost sight of the importance of using what is called “defense in depth” in security, as well as trying to detect them when they invade or stop them. I think that there. Maybe I have a lock, but then I also have a security system.”

Experts say the current turmoil should provoke conversations about how to go beyond scrambling to fill holes and better prepare to defend against similar attacks in the future.

For example, if your company doesn’t even know that it depends on vulnerable Java libraries, you can’t solve the problem.

That’s why the White House is now requiring companies that sell software to the government to include a so-called software bill of materials, a kind of “recipe” for the code, Nickels said. Still, some companies said they may not know all the layers of software that are embedded in the off-the-shelf software they use. “We rely on so many cloud services, so many different software components. Do you have a question?”

According to Nickels, keeping track of the total number of companies using software like Log4j can be a daunting task, not to mention many other popular software tools.
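The layering problem described above can be shown with a small inventory scan. The following is an added example, not part of the original article: it walks archives nested inside other archives and reports every bundled copy of log4j-core by reading the Maven metadata the library's JAR carries. The archive names and the version string in the sample are constructed placeholders.

```python
import io
import zipfile

# Maven metadata entry that a log4j-core JAR carries inside itself.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 8  # stop descending into pathologically nested archives

def _version(raw):
    """Pull the version= line out of a pom.properties file."""
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"

def find_log4j(data, label, depth=0):
    """Return [(nesting path, version)] for each log4j-core copy in an archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an archive, nothing to inventory
    hits = []
    with zf:
        for name in zf.namelist():
            if name == POM:
                hits.append((label, _version(zf.read(name))))
            elif name.lower().endswith(ARCHIVES) and depth < MAX_DEPTH:
                hits += find_log4j(zf.read(name), f"{label}!/{name}", depth + 1)
    return hits

def _zip(entries):
    """Build an in-memory archive from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample():
    """Constructed sample: a vendor product with log4j-core two layers down."""
    props = ("groupId=org.apache.logging.log4j\n"
             "artifactId=log4j-core\n"
             "version=0.0.0-sample\n")  # placeholder, not a real release
    plugin = _zip({"lib/log4j-core.jar": _zip({POM: props}), "plugin.txt": "x"})
    return _zip({"WEB-INF/lib/vendor-plugin.jar": plugin, "index.html": "<html/>"})

if __name__ == "__main__":
    for path, version in find_log4j(build_sample(), "vendor-app.war"):
        print(f"{path}: log4j-core {version}")
```

Copies that have been repackaged without their Maven metadata will not be found this way, so a clean result is a starting point for an inventory, not proof of absence.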

However, cybersecurity experts have also emphasized the importance of open source software such as Log4j. Log4j is created, developed and maintained by volunteers who aren’t paid for the work.

“We can’t emphasize how dire and serious the situation is because it’s related to the amount of technical dependencies that depend on open source software products run by a small number of people,” GreyNoise’s Morris said. “When I’m doing other work, sometimes one person is doing other things in his spare time.

“It’s very important to think about how to support people who create software that keeps our world moving forward.”

