The Log4j security bug poses risk!
The flaw, which was discovered late last week, is in Java-based software known as “Log4j.” This software is used by huge companies to configure their apps, and it poses a risk to much of the internet.
According to security analysts, Log4j is used by Apple’s cloud computing service, security firm Cloudflare. Moreover, one of the world’s most popular video games, Minecraft.
Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency of DHS called it “one of the most significant issues”. Easterly said in a statement on Saturday that “a growing set” of hackers are actively seeking to exploit the flaw.
David Kennedy, CEO of cybersecurity firm TrustedSec said, “It will take years to address this while attackers will be looking… on a daily basis[to exploit it].” Furthermore, he said, “This is a ticking time bomb for companies.”
What exactly is Log4j, and why is it crucial?
According to cybersecurity experts, Log4j is one of the most widely used logging libraries online. Log4j allows programmers to create a log of activities that may be used for a variety of applications. That includes debugging, auditing, and data tracking. The library practically touches every portion of the internet because it is both open-source and free.
Apple, IBM, Oracle, Cisco, Google, and Amazon are among the companies that use the software. It could be present in popular apps and websites. This exposes hundreds of millions of devices around the world that use these services to the risk.
Chris Eng, chief research officer at cybersecurity firm Veracode told CNN Business, “It’s ubiquitous. Even if you’re a developer who doesn’t use Log4j directly, you might still be running the vulnerable code. Because one of the open-source libraries you use depends on “Log4j.”
He also said, “This is the nature of software: It turtles all the way down.”
Are hackers exploiting Log4j?
According to cybersecurity firm Cloudflare, attackers appear to have had more than a week’s head start on exploiting the software issue before it was officially publicized. With such a large number of hacking attempts per day, some are concerned that the worst is yet to come.
Mark Ostrowski, Check Point’s head of engineering said, “Sophisticated, more senior threat actors will figure out a way to really weaponize the vulnerability to get the biggest gain.”
Microsoft stated in a blog post late Tuesday that state-sponsored hackers from China, Iran, North Korea, and Turkey had attempted to exploit the Log4j issue.
Why is this security flaw exploitative?
While it’s necessary to be aware of the vulnerability’s long-term consequences, security experts point out that it’s also important to be aware of the vulnerability’s short-term consequences. Hackers can easily obtain access to a company’s computer system, therefore experts are particularly concerned about the vulnerability. As the exploitation frenzy continues, the primary objective is to take as much action as possible immediately to reduce that tail.
Late Tuesday, the second vulnerability in Log4j’s system was discovered. The Apache Software Foundation, a non-profit that created Log4j and other open-source software, has released a security patch that businesses can use.
How are companies reacting to the Log4j flaw?
Minecraft published a blog post last week disclosing the discovery of a vulnerability in a version of the game, and swiftly offered a fix. Similar procedures have been adopted by other businesses. Customers have received advisories from IBM, Oracle, AWS, and Cloudflare, with some recommending security updates and others explaining their plans for potential remedies.
This is such a serious flaw. It isn’t like a standard big vulnerability that can be patched by pressing a button. It will take a significant amount of time and work.
CISA said it will set up a public website with updates on what software items were affected by the vulnerability. Moreover, how hackers exploited it for transparency and to help cut down on disinformation.
How to protect yourself from the Log4j security flaw?
Additionally, companies are under a lot of pressure to act promptly. For the time being, individuals should ensure that they update their devices. Furthermore, the software, and apps when prompted by firms in the coming days and weeks.
Have something to add to the story? Comment down below!