Security professionals say this is one of the worst computer vulnerabilities they have ever seen. Firms including Microsoft say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it. The Department of Homeland Security has sounded a dire alarm, ordering federal agencies to urgently find and patch instances of the bug because it is so easily exploitable — and telling those with public-facing networks to put up firewalls if they can’t be sure.
Found in a widely used utility called Log4j, the flaw lets Internet-based attackers easily seize control of everything from industrial control systems to Web servers and consumer electronics. Simply identifying which systems use the utility is a challenge; it is often hidden under layers of other software.
The top US cybersecurity defense official, Jen Easterly, on Monday called the flaw “one of the most serious, if not the most serious,” of her entire career in a call with state and local officials and private-sector partners. Revealed publicly last Thursday, it is catnip for cybercriminals and digital spies because it allows easy, password-free access. The Cybersecurity and Infrastructure Security Agency, or CISA, which Easterly runs, put up a resource page on Tuesday that says the flaw exists in millions of devices. Other heavily computerized countries were taking it just as seriously, with Germany activating its national IT crisis centre.
Dragos, a top cybersecurity firm, said a wide range of critical industries, including electricity, water, food and beverage, manufacturing and transportation, were exposed. “I think we won’t see a single major software vendor in the world — at least on the industrial side — that doesn’t have a problem,” said Sergio Caltagirone, the company’s vice president of threat intelligence. Eric Goldstein, who heads CISA’s cybersecurity department, said no federal agency had been compromised, but these are early days.
“We have an extremely widespread, easy to exploit and potentially highly harmful vulnerability here that can certainly be used by adversaries to cause real harm,” he said.
A small piece of code, a world of trouble
The affected software, written in the Java programming language, logs user activity. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is highly popular with commercial software developers. According to security firm Bitdefender, it runs on multiple platforms — Windows, Linux, Apple’s macOS — in everything from web cams to car navigation systems and medical devices.
Goldstein told reporters in a call Tuesday evening that CISA will update a list of patched software as fixes become available. “We expect the healing to take some time,” he said.
The Apache Software Foundation said that Chinese tech giant Alibaba notified it of the flaw on November 24. It took two weeks to develop and release a fix. Beyond patching, computer security professionals face an even tougher challenge: trying to figure out whether the vulnerability was exploited, that is, whether a network or device was hacked. That means weeks of active monitoring. A frantic weekend of trying to identify — and slam shut — open doors before hackers could exploit them has now morphed into a marathon.
Calm before the storm
“Many people are already very stressed out and too tired to work during the weekend, when we are really going to have to deal with it for the foreseeable future, well into 2022,” said Joe Slowik of the network intelligence team at major security firm Gigamon. Cybersecurity firm Check Point said Tuesday that it had detected more than half a million attempts by known malicious actors to find the flaw on corporate networks around the world. It said the flaw had been exploited to install cryptocurrency-mining malware, which uses computing cycles to secretly mine digital money, in five countries.
So far, no successful ransomware infections taking advantage of the flaw have been detected, although Microsoft said in a blog post that criminals who break into networks and sell access to ransomware gangs had been observed exploiting the vulnerability on both Windows and Linux systems. It said criminals were also increasingly incorporating the vulnerability into the botnets that herd many zombie computers together for malicious use.
“I think it’s going to take two weeks to see the impact of what’s going to happen, because hackers get into organizations and will be figuring out what to do next,” said John Graham-Cumming, chief technical officer of Cloudflare, whose online infrastructure protects websites from online threats. We’re in the calm before the storm, said Sean Gallagher, senior researcher at cybersecurity firm Sophos.
“We expect adversaries to gain as much reach as they can now, with a view to monetizing and/or capitalizing on it later.” That will involve harvesting usernames and passwords.
Microsoft and cybersecurity firm Mandiant said state-backed Chinese and Iranian hackers were already taking advantage of the vulnerability for espionage. Microsoft said North Korean and Turkish state-backed hackers were also involved. John Hultquist, a top Mandiant analyst, would not name the targets, but said the Iranian actors are “particularly aggressive” and had participated in ransomware attacks against Israel, primarily for disruptive purposes.
Microsoft said that the same Chinese cyber group that exploited a flaw in its on-premises Exchange Server software in early 2021 was using Log4j to “enhance its specific targeting”.
Software: Insecure by Design?
Experts say the Log4j episode highlights a poorly addressed problem in software design: many programs used in critical tasks are not developed with enough security in mind. Gigamon’s Slowik said that open-source developers like the volunteers responsible for Log4j shouldn’t be blamed so much as the entire industry of programmers, who often blindly include snippets of such code without due diligence.
Popular and custom-built applications often lack a “software bill of materials” that lets users know what’s under the hood — a vital necessity at times like these. “This is clearly becoming more and more of a problem as software vendors overall are using openly available software,” Dragos’ Caltagirone said.
In industrial systems in particular, he said, analog systems in everything from water utilities to food production have been digitally upgraded over the past few decades for automated and remote management. “And one of the ways they did that, obviously, was through software and through the use of programs that used Log4j,” Caltagirone said.