A critical flaw discovered in software used in millions of devices across the world has cybersecurity experts worried.
The vulnerability, which was reported late last week, is in Java-based software known as “Log4j” that many software developers use to configure their applications. Its widespread use makes it a widespread problem.
UNSW Sydney Professor Salil Kanhere explained that “almost every bit of software we use will keep records of errors and other important events” – known as logs.
“Rather than creating their own logging system, many software developers use the open-source Log4j, making it one of the most common logging frameworks in the world,” he told 7NEWS.com.au.
“Attackers can trick Log4j into running malicious code by forcing it to store a log entry that includes a particular string of text.”
Many forms of enterprise and open-source software, including cloud platforms, popular apps and websites and email services, use Log4j – even Apple’s cloud computing service and one of the world’s most popular video games, Minecraft.
The hundreds of millions of devices around the world that access any one of these services could then be at risk from attempts to exploit the vulnerability.
The issue that enables the attack has been in the code for some time but was only recognised late last month by a security researcher at Chinese computing firm Alibaba Cloud.
While it’s hard to say exactly how many Australians may be impacted, Professor Kanhere said in theory any device that’s exposed to the internet is at risk if it is running Apache Log4j.
He said – with all this in mind – the vulnerability is “very concerning”.
“Major technology players, including Amazon Web Services, Microsoft, Cisco, Google, Twitter, Apple and IBM have all found that at least some of their services were vulnerable and have been rushing to issue fixes and advise customers about how best to proceed.
“The exact extent of the exposure is still unravelling. Smaller developers and organisations who may lack resources and awareness will be slower to react and fix their products and services.”
Are hackers exploiting it?
Earlier this week, Jen Easterly, head of the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), said “a growing set” of hackers were actively attempting to exploit the vulnerability.
Data released this week by cybersecurity firm Check Point showed more than 100 hacking attempts per minute.
Professor Kanhere said the range of impacts had already been broad due to the nature of the vulnerability.
“An attacker only needs to get the system to log a strategically crafted string of code,” he said, “from there they can load arbitrary code on the targeted server and install malware or launch other attacks.”
“So far, attackers have exploited the flaw to install crypto-miners on vulnerable systems, steal system credentials, burrow deeper within compromised networks, and steal data.”
Apache Software Foundation, a US nonprofit organisation that developed Log4j and other open-source software, has since released a security fix for organisations to apply.
However, with such a high number of hacking attempts happening each day, some worry the worst is yet to come.
CEO of cybersecurity firm TrustedSec David Kennedy said it will “take years to address this while attackers will be looking… on a daily basis (to exploit it)”.
“This is a ticking time bomb for companies.”
So, what can you do to protect yourself?
The pressure is largely on companies to act.
However, Professor Kanhere said users should identify whether their internet-facing devices, software or apps are running Log4j and upgrade them to the latest version of the library which includes the latest security patches.
“Also, update any enterprise software for which updates are made available by the vendors,” he added.
“It is also recommended to set up additional security measures for devices running Log4j to monitor for further attacks and intrusions.”
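The first step in that advice, working out whether the software you run actually ships Log4j and which version, is the one most people find hardest to do by hand. The script below is an added illustration of that inventory step; it is not code from the article, from Professor Kanhere, or from the Apache project. It assumes the application stores Log4j as ordinary `log4j-core-<version>.jar` files on disk, reads each jar’s own manifest for its version (falling back to the filename), and compares it against a minimum version the caller supplies. The article names no fixed version, so the floor and the two sample jars the demo constructs (2.1.0, 2.99.0, floor 2.50.0) are placeholders; take the real floor from Apache’s advisory.

```python
"""Inventory log4j-core jars under a directory and flag those below a minimum version.

Added illustration for the advice above; not code from the article, from Professor
Kanhere, or from the Apache project. Assumes Log4j ships as plain
log4j-core-<version>.jar files and that the caller supplies the version they treat
as fixed (the article names none; take it from Apache's advisory).
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Filename fallback used when a jar's manifest does not state its version.
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*).*\.jar$")
# Leading dotted integers of a version string; qualifiers such as "-SNAPSHOT" are dropped.
VERSION_PREFIX = re.compile(r"(\d+(?:\.\d+)*)")


@dataclass
class Log4jJar:
    path: str
    version: Tuple[int, ...]
    outdated: bool  # True when version is below the caller's minimum


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    m = VERSION_PREFIX.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_from_manifest(jar_path: str) -> Optional[str]:
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if unavailable."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def find_log4j_jars(root: str, minimum: str) -> List[Log4jJar]:
    """Walk `root`, collect log4j-core jars, and mark each one older than `minimum`."""
    floor = parse_version(minimum)
    found: List[Log4jJar] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.startswith("log4j-core-") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            text = version_from_manifest(path)  # prefer what the jar says about itself
            if text is None:
                m = JAR_NAME.match(name)
                if not m:
                    continue
                text = m.group(1)
            version = parse_version(text)
            found.append(Log4jJar(path, version, outdated=version < floor))
    return sorted(found, key=lambda jar: jar.version)


def write_sample_jar(path: str, manifest_version: Optional[str]) -> None:
    """Write a constructed stand-in jar: a manifest only, no classes."""
    lines = ["Manifest-Version: 1.0"]
    if manifest_version is not None:
        lines.append(f"Implementation-Version: {manifest_version}")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\n".join(lines) + "\n")


def run_demo() -> List[Log4jJar]:
    """Build a constructed directory tree with two sample jars and scan it.

    The sample versions 2.1.0 and 2.99.0 and the floor 2.50.0 are placeholders,
    not real Log4j releases; replace the floor with the fixed version from Apache.
    """
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    old_lib = os.path.join(root, "app", "WEB-INF", "lib")
    new_lib = os.path.join(root, "tools", "lib")
    os.makedirs(old_lib)
    os.makedirs(new_lib)
    write_sample_jar(os.path.join(old_lib, "log4j-core-2.1.0.jar"), "2.1.0")
    # This jar omits Implementation-Version, which exercises the filename fallback.
    write_sample_jar(os.path.join(new_lib, "log4j-core-2.99.0.jar"), None)
    return find_log4j_jars(root, minimum="2.50.0")


if __name__ == "__main__":
    for jar in run_demo():
        status = "OUTDATED" if jar.outdated else "ok"
        print(f"{status:8} {'.'.join(map(str, jar.version)):8} {jar.path}")
```

Run it against a deployment directory by replacing `run_demo()` with `find_log4j_jars("/path/to/app", minimum="<fixed version from Apache>")`. Two caveats matter in practice: the scan only sees jars that sit on disk under their usual name, so copies bundled inside a WAR, EAR or “fat” jar, or renamed by a vendor, need that archive unpacked first; and a version below the floor says the library is present and unpatched, not that any particular application is reachable, which is why the advice above also covers applying vendor updates and adding monitoring.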
Professor Kanhere said while patches can be created very quickly, which has occurred here, “it takes time for everyone to apply them”.
“Software systems and web services are so complex, and so layered with dozens of stacked levels of abstraction, code running on code on code, that it could take months for all these services to update.”