A race against time has begun to address a significant vulnerability, discovered on Thursday, that has spread across global computing and could be catastrophic if hackers exploit it.
Amit Yoran, CEO of the American cyber security firm Tenable, warned that this was “the biggest and most significant impact of the last decade.”
The vulnerability lies in Log4j, a small component from the Apache foundation that is built into a large number of software products to handle “logging”, that is, recording “logs” (events that occurred on the system).
In some versions of Log4j, the bug makes it much easier to take control of the host machine.
The hacker may then try to infiltrate the victim’s computer network and deploy ransomware and spying tools there.
“A first-year computer science student with the basic tools to build a website” can take advantage of this flaw, Loïc Guézo, general secretary of Clusif, a federation of French cybersecurity experts, told AFP.
The bug has been fixed, but hackers are trying to get ahead of companies that delay applying the fix.
Since Friday, scanners used by hackers have been “testing servers to see if they are vulnerable,” and “it does not stop every weekend,” said David Grout, a European executive at the U.S. cybersecurity firm Mandiant.
For now, proven compromises seem to be rare or relatively harmless.
“We pay particular attention to instances of installing cryptocurrencies,” Philippe Rondel of the company Check Point told AFP, referring to cryptocurrency mining programs that are installed on machines without their owner’s knowledge.
– Layer of components –
However, for this expert, the worst has yet to come.
“State groups, ransomware groups, first seek access to other machines,” he explained.
He expected “visible attacks” like ransomware to “appear in a few days or weeks”.
For IT defenders, it is difficult to quickly identify, across the whole company, every piece of software and every application that uses this small component.
Two companies that specialize in code verification and flaw hunting, the French YesWeHack and the US HackerOne, have called on companies to quickly learn from this situation.
YesWeHack said that “this vulnerability reminds us that any modern computer system is made up of hundreds or thousands of components, and that the most unexpected or unknown of them can be dangerous.”
“In this case, (it) is a component used by almost all systems, often without even knowing it, for a harmless function (…), which today becomes the Achilles heel of the Internet,” it underlined.
For its part, HackerOne took the opportunity to ask companies to fund its “Internet Bug Bounty” program, which pays ethical hackers for vulnerabilities found in free software programs.
“The average user uses 528 free software components,” the US company said in a statement, adding that “most companies could not easily fix the flaws when these components were discovered”.