A major cybersecurity vulnerability is impacting nearly all of the internet, sending everything from financial institutions to government entities scrambling to patch their systems, before cybercriminals and nation states can launch cyberattacks.
Known as the Log4j vulnerability, the flaw impacts a piece of open-source logging software that allows developers to understand how their programs function. The idea is to help companies understand potential bugs or performance issues in their own software.
But Log4j, which is part of the software offered by the open source Apache Software Foundation, can be exploited to allow attackers to take over the computers and networks of any organization running the program.
Patches have already been released, but applying them is a different story. Organizations, whether government or private, are notoriously slow when it comes to updating their software.
“It's a very, very serious issue,” NYU Tandon School of Engineering associate professor Justin Cappos told Yahoo Finance. “Since it's part of the software supply chain, many different pieces of software can be affected.”
The fear is that the flaw could be used by attackers to take remote control of any unpatched system and use them as their own. That, experts say, could give cybercriminals the means to do everything from stealing user data to taking control of real-world infrastructure.
The danger of Log4j
The Log4j vulnerability is dangerous for two reasons: how widely used the software is, and how attackers can take advantage of the flaw.
“If you have the vulnerability, and I exploit it, that means I can run my code on your machine,” explained Herb Lin, senior research scholar at the Center for International Security and Cooperation at Stanford University. “So now it's like I'm on your machine, and now I can do anything that you can do.”
According to Lin, that can include doing things like stealing emails, destroying files, and installing ransomware. And the potential damage doesn’t stop there.
“I can now take control of the generator that your computer is connected to or the telephone switch or the chemical plant and so on and so forth,” Lin said. “So that's the issue. The vulnerability comes from the fact that this code has been a part of millions and millions and millions of installations around the world.”
Another major problem is the fact that you, as an individual, have no control over whether the internet companies you trust to protect your files will deploy the appropriate patches quickly.
“If there's a bug inside of Microsoft Word I might be able to go and say, ‘Oh, I don't use Microsoft Word. I don't need to worry about this,’ right? But here the problem is that you may not even be aware where the software is being used,” said Cappos.
Criminals and nation states are already trying to exploit the vulnerability
According to Microsoft’s threat intelligence team, the majority of the attacks related to the Log4j vulnerability have been related to scanning attempts. That means the attackers are trying to see whether potential victims are vulnerable to attack.
Think of it like a burglar trying the door locks on a row of cars parked on a dark street. The cybercriminals are essentially trying to see who has locked their doors and who hasn't.
Some hackers, meanwhile, are already using the flaw to launch attacks, including installing crypto miners on victims’ machines, stealing user credentials, and taking data from compromised systems.
Microsoft (MSFT) says groups in Turkey, China, Iran, and North Korea are also developing the means to take advantage of the Log4j flaw. And some Iranian and Chinese groups are already using the exploit to beef up their own existing cyber attack capabilities.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has already ordered federal civilian agencies to patch their systems and has advised that non-federal partners do so as well.
Patching the internet isn’t easy
Fixing a problem like the Log4j flaw requires that companies that use the software download the appropriate patch. But it will take time for companies to implement the latest software. That’s because major organizations have to also ensure that the patch doesn’t impact their own programs.
More cynically, there’s the fact that some companies simply don’t follow the best cybersecurity practices and so don’t patch their systems in a timely manner, if at all.
What can you do? Nothing, really. The Log4j flaw isn’t something that most individual users can address. It’s up to the companies that have their information to address the exploit on their own. And if they don’t, then your data could leak out there into the wild.
More from Dan
Got a tip? Email Daniel Howley at firstname.lastname@example.org over via encrypted mail at email@example.com, and follow him on Twitter at @DanielHowley.