Cybersecurity

Officials, experts sound the alarm about critical cyber vulnerability

Officials and cyber experts on Friday sounded the alarm about a critical logging vulnerability that could potentially impact thousands of organizations, racing to implement patches before hackers can exploit the opening.

The vulnerability in an Apache logging framework, known as “Log4j,” that could allow hackers to obtain access to targeted systems remotely sent experts running to update systems. Apache put out a security advisory warning of the threat and recommending steps to help organizations protect themselves. 

“It does feel like the internet is on fire today, anyone and everyone who is involved in the world of internet security is digging in right now trying to understand the implications of this new vulnerability,” Joe Sullivan, the chief security officer at Cloudflare, a website infrastructure and security company, told The Hill in an interview Friday. 

The vulnerability was already seen Friday to have far-reaching implications.

The online game Minecraft, which is owned by Microsoft, announced that its Java Edition was vulnerable to exploitation and recommended immediate steps users should take to address security concerns.

Researchers at data security platform LunaSec found evidence that Steam and Apple’s iCloud were also impacted, while Palo Alto Networks noted in a blog post that Twitter, Amazon and Chinese web giant Baidu were also reportedly being attacked. 

The Cybersecurity and Infrastructure Security Agency (CISA) put out an alert telling impacted organizations to “immediately” implement mitigations to protect against the vulnerability.

“A remote attacker could exploit this vulnerability to take control of an affected system,” the CISA alert read. “Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.”

Both Austria‘s and New Zealand’s computer emergency readiness teams also put out alerts around the Log4j vulnerability, with the New Zealand team warning the vulnerability was being “actively exploited.”

“Reports from online users show that this is being actively exploited in the wild and that proof-of-concept code has been published,” the New Zealand agency wrote

Sullivan noted that the vulnerability allowed for “remote code execution” by malicious actors looking to gain access to other systems, and that it was potentially the “biggest” vulnerability yet given that the Log4j software is widely used. 

“It’s a foundational vulnerability in a significant piece of software that resides within a lot of other bigger pieces of software,” Sullivan said. “It’s like a particular type of tire is vulnerable to losing air very quickly, and it’s not just going to be one car manufacturer that has that tire, it’s going to be everywhere that that tire exists in the world, you need to go fix it.”

Rob Joyce, the director of cybersecurity at the National Security Agency (NSA), tweeted Friday that “the log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA,” a software program used for reverse engineering.

The number of malicious actors attempting to exploit the vulnerability surged on Friday, with Sullivan telling The Hill that Cloudflare had seen a “spike over the last 6-10 hours.”

The exploitation of the vulnerability comes after a difficult year in cybersecurity.

Late last year, Russian government-linked hackers were discovered to be using a vulnerability in software from SolarWinds to compromise at least nine federal agencies and 100 private sector groups. The U.S. and its allies earlier this year formally blamed hackers linked to the Chinese government for exploiting vulnerabilities in Microsoft’s Exchange Server to potentially compromise thousands of organizations. 

Sullivan stressed Friday that companies should pay attention to patching against the Log4j vulnerability.

“The reality is that almost every company that runs software that faces the internet needs to do diligence to make sure they’re secure, this is as big as it gets,” Sullivan said. “It doesn’t mean that everybody is exploitable, it means that everybody needs to make sure that they are not, so it means that every single security team at every single company is looking at this now.”