The Internet freaks out over a uniquely serious security flaw

According to cyber security experts, it is one of the worst computer flaws they have ever encountered. According to Microsoft, state-backed Chinese and Iranian hackers, as well as rogue bitcoin miners, have already seized on it.

The US Department of Homeland Security has issued a serious warning, directing other government agencies to locate and fix instances of the bug as soon as possible, since it is so easily exploitable — and advising those with public-facing networks to install firewalls if they are unsure. The impacted software, a small piece of code, is frequently undocumented.

The weakness, which is included in a widely used application called Log4j, allows internet-based attackers to quickly take control of everything from industrial control systems to web servers and consumer gadgets. It can be difficult to determine which computers utilise the application since it is sometimes concealed under layers of other software.

Jen Easterly, the top U.S. cybersecurity defence officer, called the issue “one of the most serious I’ve encountered in my whole career, if not the most serious,” during a teleconference with state and local governments and private-sector partners on Monday. It was made public last Thursday, and it is a dream come true for fraudsters and digital spies since it provides quick, password-free entry.

Easterly’s Cybersecurity and Infrastructure Security Agency, or CISA, has set up a web page to address the issue, which it says is present in hundreds of millions of devices. Other extensively computerised nations took it just as seriously, with Germany establishing a national IT crisis centre.

According to Dragos, a leading cybersecurity organisation, a wide range of key businesses, including electric power, water, food and beverage, manufacturing, and transportation, were compromised. “I don’t believe we’ll see a single significant software provider in the world – at least on the industrial side – not have an issue with this,” Sergio Caltagirone, the company’s vice president of threat intelligence, said.

According to Eric Goldstein, head of CISA’s cybersecurity branch, no government entities have been infiltrated. But this is still early in the game.

“What we have here is an extraordinarily pervasive, easily exploitable, and possibly highly devastating vulnerability that attackers could surely employ to inflict actual harm,” he explained.

Security topic Log4j (CVE-2021-44228, CVSS score 10 of 10): how to check your HANA XSA systems, implement the mitigation, and verify that the settings are correct.
(Source: https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/)

A SMALL PIECE OF CODE, A WORLD OF TROUBLE

User activity is logged by the impacted software, which is written in the Java programming language. It is widely used by commercial software developers and was created and is maintained by a small group of volunteers under the aegis of the open-source Apache Software Foundation. According to security firm Bitdefender, it works across several platforms — Windows, Linux, and Apple’s macOS — and is found in everything from cameras to car navigation systems and medical devices.

Goldstein told reporters that CISA would keep an inventory of patched software up to date when new updates become available. “We anticipate that remediation will take time,” he added.

The Apache Software Foundation stated that the Chinese internet behemoth Alibaba warned them of the problem on November 24. A fix took two weeks to create and distribute.

Beyond patching, computer security experts have an even more difficult challenge: determining if the vulnerability was exploited – whether a network or device was compromised. This will need weeks of diligent observation. A frenzied weekend of identifying — and slamming shut — open doors before hackers exploited them has now turned into a marathon.

LULL BEFORE THE STORM

“A lot of folks are already fairly worn out and fatigued from working all weekend — when we’re actually going to be dealing with this for the foreseeable future, quite far into 2022,” said Joe Slowik, threat intelligence head at network security firm Gigamon.

Check Point, a cybersecurity firm, said that it has discovered more than 500,000 attempts by known hostile actors to locate the flaw on business networks around the world. According to its report, the hole was used to install cryptocurrency mining malware — which secretly uses processing cycles to generate digital money — in five nations.

Although no successful ransomware attacks have been found as of yet, Microsoft stated in a blog post that hackers who break into networks and sell access to ransomware gangs had been detected exploiting the vulnerability in both Windows and Linux systems. According to the post, hackers were quickly folding the vulnerability into botnets, networks of hijacked “zombie” machines used for malicious purposes.

“I believe it will take two weeks before the consequence of this is visible since hackers have gained access to companies and are determining what to do next,” said John Graham-Cumming, chief technology officer of Cloudflare, whose internet infrastructure defends websites from malicious attacks.

According to Sean Gallagher, senior researcher at cybersecurity firm Sophos, we’re in the calm before the storm.

“We anticipate opponents acquiring as much access to anything they can get right now in order to monetize and/or capitalise on it later.” This would include obtaining usernames and passwords.

State-backed Chinese and Iranian hackers were already using the weakness for espionage, according to Microsoft and the cybersecurity firm Mandiant. North Korean and Turkish state-sponsored hackers, according to Microsoft, were also involved. According to John Hultquist, a senior Mandiant analyst, the Iranian attackers are “especially active” and have participated in ransomware operations against Israel solely for disruptive purposes.

The same Chinese cyber-spy organisation that exploited a hole in Microsoft’s on-premises Exchange Server software in early 2021 was using Log4j to “expand their normal targeting,” according to Microsoft.

SOFTWARE: INSECURE BY DESIGN?

According to experts, the Log4j incident reveals a poorly handled flaw in software architecture. Too many applications utilised in vital operations were not designed with security in mind.

According to Slowik of Gigamon, open-source developers such as the volunteers responsible for Log4j should not be condemned so much as an entire industry of programmers who frequently add portions of such code without appropriate scrutiny.

Popular and custom-made programmes frequently lack a “Software Bill of Materials” that informs users about what is going on under the hood – a critical requirement in times like this.

“This is certainly becoming more and more of a concern as software providers in general use publicly available software,” said Caltagirone of Dragos.

Previously analogue systems in everything from water utilities to food production, he continued, have been modernised digitally for automated and remote administration in the last several decades. “And, obviously, one of the ways they achieved it was through software and the usage of programmes that used Log4j,” Caltagirone explained.