A software security vulnerability in widely used computer networks is being compared to a “cyber pandemic” by security analysts and the government.
Known as a “zero-day vulnerability,” the security flaw called Log4Shell affects Apache software used in tens of thousands of computer networks worldwide.
The discovery of the vulnerability last week set off an international scramble to patch the hole to prevent hackers from stealing valuable sensitive information.
“To be clear, this vulnerability poses a severe risk,” said Jen Easterly, director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA).
“We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action,” she said in a statement Saturday.
Other cybersecurity experts are calling Log4Shell the most serious software vulnerability in history.
The security firm Check Point Research called the vulnerability “a true cyber pandemic.” Hackers exploiting the flaw conducted over 800,000 network penetrations by Dec. 11 – two days after the software problem was disclosed, the firm said.
The affected Apache software is very broadly used in a variety of consumer and enterprise services, websites and applications, along with operational technology products. The software is used to monitor security and performance information, and the flaw permits hackers to take control of affected systems, to steal information or to plant other malicious software.
CISA has not disclosed the actors exploiting the vulnerability. Ms. Easterly, the CISA director, stated only that the flaw “is being widely exploited by a growing set of threat actors.”
The discovery was initially suspected to have involved Chinese hackers.
However, the security firm McAfee stated that the flaw was first discovered Nov. 24 by Chen Zhaojun of China’s Alibaba Cloud Security Team.
Other security experts who suspect China is behind the attacks say Beijing may have preemptively disclosed the flaw in order to protect other zero-day vulnerabilities or to divert suspicion that it was exploiting the flaw. China is known to operate formidable military cyber operations, including the use of large numbers of researchers who study software for zero-day flaws.
The first attacks exploiting the flaw began Dec. 1 and Dec. 2, according to security firms Cloudflare and Cisco Talos.
Apache has released a software patch for Log4Shell that is said to mitigate the flaw. However, until all versions of the software are patched, systems using the software will continue to be vulnerable to cyberattacks.
“Given the severity of the vulnerability and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to” put patches in place, the agency said in a statement.
A spokesman for Amazon Web Services described the vulnerability as “severe.”
The cyber news outlet The Record reported that most of the cyberattacks exploiting Log4Shell involve professional crypto-mining and denial-of-service botnets such as Mirai, Muhstik and Kinsing. Such groups are normally among the first to exploit software bugs once they are discovered.
The report said state-sponsored hackers and cyber espionage groups have not been observed yet. However, Microsoft stated in a recent blog post that its cyber sleuths have begun seeing tactics used by state-run hackers attempting to plant back doors in targeted software.
The last time a similarly widespread software flaw was discovered was in 2014, when a vulnerability called Heartbleed affected the OpenSSL security software.
Security analysts said that incident appears not to have produced greater security awareness to protect against hackers.
— Staff writer Ryan Lovelace contributed to this report.