The Minecraft staff published an unusual blog post last week revealing that a flaw in the game could be exploited by hackers to gain control of players’ computers. The company issued a patch and encouraged users to apply it on their own servers.
The cybersecurity community soon realized that this vulnerability was embedded in a popular and widely used software tool. It could impact billions of devices.
The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, released a statement over the weekend about what is now known as “Log4j” or “Log4Shell.” The agency discussed the possibility of working with private sector partners to fix the problem, and encouraged all companies to update their software.
Jen Easterly, CISA Director, said in the statement: “To be clear, this vulnerability poses a serious risk. We will minimize any potential impacts by working together with the private sector and government. All organizations are encouraged to join us in this important effort and to take action.”
This flaw was discovered in software that is commonly used.
The bug was discovered by a researcher for Alibaba, a Chinese tech company. He then privately informed the Apache Software Foundation (an all-volunteer organization that develops and maintains open source software). The bug was made public by Minecraft, and the researcher published an online report about it.
Programmers often use common, freely available software to accomplish common tasks when writing code. Log4j, the vulnerable piece of software, is used in the Java programming language. It creates a log on the device, recording everything that happens while programs run.
“It should be viewed as a modular component that can be used in many, many types of software. Its job is basically to record things and write them to another computer,” explained Andrew Morris, CEO of the cyber-intelligence company GreyNoise.
The researcher found that hackers could send commands to the logger via the internet from any location in the world. This would allow the bad actor to gain full control of the device.
Hackers are able to easily take control
Cybersecurity experts believe that this vulnerability is especially dangerous because it affects so many programs, including almost everything written in Java and any program that depends on Java software, from Apple products to those made by Amazon. Security researchers keep track of vulnerable programs and companies, including those that have released patches.
It is also relatively simple to exploit the flaw. Morris stated that the flaw is not difficult to exploit. Bad actors can take the proof of concept that cybersecurity researchers have released, which confirms it is possible to exploit this vulnerability and explains how to do so, as a blueprint. Morris explained that it’s almost like building a machine once and everyone else can then use the same machine to exploit it as you do.
Cybersecurity experts worked around the clock over the weekend, and this is likely to continue for several days, if not weeks.
David “Moose”, chief technology officer at the cybersecurity firm Randori, said that the internet is “on fire,” referring to the intense stress in the cybersecurity community. “The truth is that everyone I know professionally just finished a very long weekend, and will continue working through the next weeks in what is essentially an ongoing race with hackers.”
Log4j is being used by criminals to launch attacks
Cybersecurity researchers scan the internet in the same way as cybercriminals — to determine which devices may be vulnerable and defend them against hackers who can infect whole networks or launch more destructive attacks.
This flaw is already being exploited by hackers. Companies see crypto-miners taking over computing power to mine digital currencies, cybercriminals selling access to networks they have penetrated, and botnets attacking vulnerable machines.
According to Katie Nickels, director of threat intelligence at cybersecurity company Red Canary, even if hackers manage to break through this “open door”, companies can minimize the damage by installing multiple layers of security to stop criminals from getting into networks beyond compromised devices.
“Once an adversary has gained access to a machine, they will want to do other tasks.” … Nickels stated that they are looking to mine cryptocurrency or steal your data. They also want to move to different networks if they work in large enterprises, where they can ransom sensitive files. And that’s why I believe a lot of people forget the importance of having security “defense in depth” and not only trying to stop adversaries from getting in or detect them as they get in. Although I may have locks, I also have a security program.
Experts believe the current chaos should prompt discussion about ways to better prepare for similar attacks in the future.
Companies won’t be able to fix the problem if they don’t know that they depend on the Java library.
Nickels explained that the White House now requires software companies selling software to the government to include what’s known as a software bill of materials. This is similar to a “recipe” for code. She noted, however, that not all companies may be aware of the software layers that are embedded in the off-the-shelf software they use. “We rely upon many cloud services, so many different software components. Who should we be asking?”
Nickels stated that it will take a lot of work to figure out how many companies use software such as Log4j and other software tools.
Cybersecurity experts stressed the importance of open-source software like Log4j, which is created and maintained by volunteers who aren’t being paid.
Morris from GreyNoise stated, “I cannot emphasize enough how dire and serious the situation is in relation to the technical dependencies that fall upon software products that are open source, that are managed by a few people.” “Sometimes, one person is working in their spare time while they’re trying to juggle other things or other jobs.
“It is really important to think about how we can support the people who create the software that keeps the world moving forward.”