24 June 2022
TrustedSec CEO David Kennedy stated that while it could take several years to correct this, "attackers will be looking... every day to exploit it." "This is a very serious threat for businesses."
Here are some tips you need to be aware of:
Log4j: What is it and why is it important?
According to security experts, Log4j is one of the most popular online logging libraries. Log4j provides software developers with a way to build a record of activities that can be used for a variety of purposes, such as auditing, troubleshooting and tracking. The library is free and open-source, which means it can be used in all areas of the internet.
"It's ubiquitous. Even if you don't utilize Log4j directly as an author, you could still be running vulnerable code since one open source library you use is dependent on Log4j," Chris Eng of cybersecurity firm Veracode told CNN Business. This is the way software works: It's turtles all the way down.
The software is used by corporations such as Apple, IBM, Oracle, Cisco, Google and Amazon. It could be present on popular websites and apps, and millions of devices that use these services could be exposed to the vulnerability.
Are hackers exploiting it?
Attackers seem to have had more than a week's head start on exploiting the flaw in the software before it was publicly disclosed, according to cybersecurity firm Cloudflare. With the number of hacking attempts occurring every day, many worry that the worst is yet to come.
"Sophisticated and more experienced threat agents will find a way to really weaponize the vulnerability to get maximum gain," Mark Ostrowski (Check Point's head engineer) told reporters on Tuesday.
Late Tuesday, Microsoft said in an update to a blog post that state-backed hackers from China, Iran, North Korea and Turkey have attempted to exploit the Log4j vulnerability.
What is the reason this security flaw is so bad?
Experts are particularly worried about the vulnerability because hackers could gain access to a company’s computer server, which gives them access to other areas of a network. Kennedy says it's hard to identify the vulnerability and determine if a system has already been compromised.
Another vulnerability was discovered in Log4j's software late Tuesday. The Apache Software Foundation, a non-profit organization that has developed Log4j as well as other open-source software, has released an update to secure organisations.
What are the companies doing to address the problem?
This week, Minecraft published a blog post that announced a flaw was discovered in a version of its game. It quickly issued an update. Similar steps have been implemented by other companies.
IBM, Oracle, AWS and Cloudflare have all issued advisory notices to customers, with some pushing security updates or laying out their plans for possible patches.
"This is a serious vulnerability, but you cannot hit the button to fix it like an ordinary major vulnerability. It's going to require lots of time and effort," said Kennedy.
To be transparent and to cut down on false information, CISA said it would create a website for the public with information on which software products were affected by the vulnerability and the ways hackers exploited them.
What can you do to help protect yourself?
The pressure is largely on companies to act. It is imperative that users update their software, apps and devices whenever they are prompted by companies in the coming days or weeks.
The US government has issued a caution for affected companies to be on alert over the holidays for cyberattacks and ransomware.
There is a risk that an increasing number of malicious actors will make use of the vulnerability in innovative ways. While large technology companies may have security teams in place to deal with these threats, many other organizations don't.
"What I'm most concerned about is the schools, the hospitals and the places where there's only one IT person working on security but doesn't have the time or the budget or the tooling," said Katie Nickels, Director of Intelligence at cybersecurity company Red Canary. "Those are the companies I'm most worried about - small companies with small security budgets."