The Cybersecurity and Infrastructure Security Agency issued an emergency directive on Friday that ordered federal civilian executive branch agencies to address a major security flaw in widely used logging software that could be exploited by cybercriminals.
The order requires the agencies to check whether software that accepts “data input from the internet” are affected by the Log4j vulnerability, which was discovered about a week ago. The agencies are instructed to patch or remove affected software by 5 p.m. ET on Dec. 23 and report the steps taken by Dec. 28.
The bug in the Java-logging library Apache Log4j poses risks for huge swathes of the internet. The vulnerability in the widely used software could be used by cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack.
One of the first known attacks using the vulnerability involved the computer game Minecraft. Attackers were able to take over one of the world-building game’s servers before Microsoft, which owns Minecraft, patched the problem. The bug is a so-called zero-day vulnerability. Security professionals hadn’t created a patch for it before it became known and potentially exploitable.
Experts warn that the vulnerability is being actively exploited. Cybersecurity firm Check Point said Wednesday that it had detected more than 1.8 million attempts to exploit the bug in the days since it became public, with over 46% of those coming from known malicious groups.
“It is clearly one of the most serious vulnerabilities on the internet in recent years,” the company said in a report. “The potential for damage is incalculable.”
The news also prompted warnings from federal officials who urged those affected to immediately patch their systems or otherwise fix the flaws. In addition, CISA said Tuesday that it was adding the vulnerability to the list of those mandatory for federal agencies to fix.
“To be clear, this vulnerability poses a severe risk,” CISA Director Jen Easterly said in a statement. She noted the flaw presents an “urgent challenge” to security professionals, given Apache Log4j’s wide usage.
Here’s what else you need to know about the Log4j vulnerability.
Who is affected?
The flaw is potentially disastrous because of the widespread use of the Log4j logging library in all kinds of enterprise and open-source software, said Jon Clay, vice president of threat intelligence at Trend Micro.
The logging library is popular, in part, because it’s free to use. That price tag comes with a trade-off: Just a handful of people maintain it. Paid products, by contrast, usually have large software development and security teams behind them.
Meanwhile, it’s up to the affected companies to patch their software before something bad happens.
“That could take hours, days or even months depending on the organization,” Clay said.
By Monday, companies including IBM, Oracle, AWS and Microsoft had all issued advisories alerting their customers to the bug, outlining their progress on patches and urging them to install related security updates as soon as possible.
Generally speaking, any consumer device that uses a web server could be running Apache, said Nadir Izrael, chief technology officer and co-founder of the IoT security company Armis. He added that Apache is widely used in devices like smart TVs, DVR systems and security cameras.
“Think about how many of these devices are sitting in loading docks or warehouses, unconnected to the internet, and unable to receive security updates,” Izrael said. “The day they’re unboxed and connected, they’re immediately vulnerable to attack.”
Consumers can’t do much more than update their devices, software and apps when prompted. But, Izrael notes, there’s also a large number of older internet-connected devices out there that just aren’t receiving updates anymore, which means they’ll be left unprotected.
Why is this a big deal?
If exploited, the vulnerability could allow an attacker to take control of Java-based web servers and launch remote-code execution attacks, which could give them control of the computer servers. That could open up a host of security-compromising possibilities.
Microsoft said Tuesday that it had found evidence of the flaw being used by tracked groups based in China, Iran, North Korea and Turkey. Those include an Iran-based ransomware group, as well as other groups known for selling access to systems for the purpose of ransomware attacks. Those activities could lead to an increase in ransomware attacks down the road, Microsoft said.
Bitdefender also reported that it detected attacks carrying a ransomware family known as Khonsari against Windows systems.
Most of the activity detected by the CISA has so far been “low level” and focused on activities like cryptomining, CISA Executive Assistant Director Eric Goldstein said on a late Tuesday call with reporters. He added that no federal agency has been compromised as a result of the flaw and that the government isn’t yet able to attribute any of the activity to any specific group.
Cybersecurity firm Sophos also reported evidence of the vulnerability being used for crypto mining operations, while Swiss officials said there’s evidence the flaw is being used to deploy botnets often used in both DDoS attacks and cryptomining.
Cryptomining attacks, sometimes known as cryptojacking, allow hackers to take over a target computer with malware to mine for bitcoin or other cryptocurrencies. DDoS, or distributed denial of service, attacks involve taking control of a computer to flood a website with fake visits, overwhelming the site and knocking it offline.
Izrael also worries about the potential impact on companies with work-from-home employees. Often the line blurs between work and personal devices, which could put company data at risk if a worker’s personal device is compromised, he said.
What’s the fallout going to be?
It’s too soon to tell.
Check Point notes that the news comes just ahead of the height of the holiday season when IT desks are often running on skeleton crews and might not have the resources to respond to a serious cyberattack.
The US government has already warned companies to be on high alert for ransomware and cyberattacks over the holidays, noting that cybercriminals don’t take time off and often see the festive season as a desirable time to strike.
While Clay said some people are already starting to refer to Log4j as the “worst hack in history,” he thinks that will depend on how fast companies roll out patches and squash potential problems.
Given the cataclysmic effect the flaw is having on so many software products right now, he says companies might want to think twice about using free software in their products.
“There’s no question that we’re going to see more bugs like this in the future,” he said.
CNET’s Andrew Morse contributed to this report.