This massive security breach sent the Internet into panic | WETM
BOSTON (AP) – Security professionals say this is one of the worst computer vulnerabilities they’ve ever seen. They say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it.
The Department of Homeland Security is sounding the alarm, ordering federal agencies to urgently eliminate the bug because it is so easily exploitable – and telling those with public-facing networks to put up firewalls if they can’t be sure. The affected software is small and often undocumented.
Detected in a widely used utility called Log4j, the flaw allows Internet-based attackers to easily take control of everything from industrial control systems to web servers and consumer electronics. Simply identifying which systems are using the utility is a formidable challenge; it is often hidden under layers of other software.
America’s top cybersecurity defense official, Jen Easterly, called the flaw “one of the most serious I have seen in my entire career, if not the most serious” in a call Monday with state and local officials and private sector partners. Publicly disclosed last Thursday, it is catnip for cybercriminals and digital spies because it allows easy entry without a password.
The Cybersecurity and Infrastructure Security Agency, or CISA, which Easterly heads, created a resource page Tuesday to help eliminate a flaw she says is present in hundreds of millions of devices. Other heavily computerized countries were taking it just as seriously, with Germany activating its national computer crisis center.
A wide range of critical industries, including electric power, water, food and beverage, manufacturing and transportation, were affected, said Dragos, one of the leading industrial control cybersecurity companies. “I think we won’t see a single major software vendor in the world – at least on the industrial side – have a problem with this,” said Sergio Caltagirone, vice president of corporate threat intelligence.
Eric Goldstein, who heads CISA’s cybersecurity division, said Washington was leading a global response. He said no federal agency had been compromised. But these are early days.
“What we have here is an extremely widespread, easy to exploit and potentially very damaging vulnerability that could certainly be used by adversaries to cause real damage,” he said.
A LITTLE CODE, A WORLD OF PROBLEMS
The relevant software, written in the Java programming language, logs user activity on computers. Developed and maintained by a handful of volunteers under the auspices of the open source Apache Software Foundation, it is extremely popular with commercial software developers. It works on many platforms – Windows, Linux, Apple macOS – powering everything from webcams to car navigation systems and medical devices, according to security company Bitdefender.
Goldstein told reporters on a conference call Tuesday night that CISA will update an inventory of patched software as patches become available. Log4j is often integrated with third-party programs which must be updated by their owners. “We expect the repair to take some time,” he said.
The Apache Software Foundation said Chinese tech giant Alibaba notified it of the flaw on November 24. It took two weeks to develop and release a fix.
Beyond applying patches to fix the flaw, IT security professionals have an even more daunting challenge: trying to detect if the vulnerability has been exploited, if a network or device has been hacked. This will mean weeks of active surveillance. A hectic weekend of trying to identify – and shut down – open doors before hackers exploit them now turns into a marathon.
LULL BEFORE THE STORM
“A lot of people are already stressed enough and tired enough from working all weekend – when we’re really going to be dealing with that for the foreseeable future, roughly until 2022,” said Joe Slowik, head of threat intelligence at the security company Gigamon.
Cybersecurity firm Check Point said on Tuesday it had scanned 44 percent of corporate networks and detected 1.3 million attempts to exploit the vulnerability, most by known malicious groups. It said the flaw was exploited to implant cryptocurrency mining malware – which uses computer cycles to surreptitiously mine digital money – in five countries.
So far, no successful ransomware infections using the flaw have been detected. But experts say it’s probably only a matter of time.
“I think what’s going to happen is it will be two weeks before the effect of this kicks in, as hackers have entered organizations and will determine what to do next,” said John Graham-Cumming, CTO of Cloudflare, whose online infrastructure protects websites from online threats.
We’re in a lull before the storm, said lead researcher Sean Gallagher of the cybersecurity company Sophos.
“We would expect opponents to probably grab as much access to anything they can get right now with the goal of monetizing and/or leveraging it later.” This would include extracting usernames and passwords.
State-backed Chinese and Iranian hackers have already exploited the flaw, presumably for cyber espionage, and other state actors were believed to be doing so as well, said John Hultquist, senior threat analyst at the cybersecurity company Mandiant. He would not name the target of the Chinese hackers or its location. He said Iranian actors were “particularly aggressive” and participated in ransomware attacks primarily for disruptive purposes.
SOFTWARE: INSECURITY BY DESIGN?
The Log4j episode exposes a poorly addressed problem in software design, experts say. Too many programs used in critical functions have not been developed with sufficient attention to security.
Open source developers like the volunteers responsible for Log4j shouldn’t be as much to blame as an entire industry of programmers who often blindly include snippets of this code without doing their due diligence, Gigamon’s Slowik said.
Popular and custom apps often lack a “software bill of materials” that lets users know what’s under the hood – a critical need at times like this.
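One practical form of that inventory, added here as an illustration and not part of the AP article or of any vendor's tooling: a short Python script that walks a directory of Java archives, opens each .jar/.war/.ear, recurses into archives nested inside them (the “layers of other software” the article describes), and reports every copy of the log4j-core component it finds by reading the Maven metadata file that artifact carries. The sample archive, its version string and the directory layout are constructed for the example.

```python
import io
import os
import zipfile
from typing import List, Tuple

# Maven metadata file that the log4j-core artifact ships inside its jar.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _scan_zip(data: bytes, chain: List[str], findings: List[Tuple[str, str]]) -> None:
    """Inspect one archive held in memory and record every log4j-core copy in it,
    descending into any archive nested inside (a jar inside a war, a shaded jar...)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == LOG4J_CORE_POM:
                props = zf.read(name).decode("utf-8", errors="replace")
                version = "unknown"
                for line in props.splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
                findings.append((" -> ".join(chain), version))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # One more layer: recurse into the nested archive.
                _scan_zip(zf.read(name), chain + [name], findings)


def find_log4j_core(archive_bytes: bytes, label: str) -> List[Tuple[str, str]]:
    """Return (location chain, version) for each log4j-core found in one archive."""
    findings: List[Tuple[str, str]] = []
    _scan_zip(archive_bytes, [label], findings)
    return findings


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk a directory tree and inventory every archive file found in it."""
    results: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    results.extend(find_log4j_core(fh.read(), path))
    return results


def build_constructed_sample() -> bytes:
    """Constructed sample (not a real application): a .war embedding an application jar,
    which in turn embeds a jar carrying only the log4j-core Maven metadata file.
    The version string is a placeholder; no Log4j code is included."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(
            LOG4J_CORE_POM,
            "groupId=org.apache.logging.log4j\n"
            "artifactId=log4j-core\n"
            "version=0.0.0-constructed\n",
        )
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        z.writestr("lib/log4j-core.jar", inner.getvalue())
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/app.jar", app.getvalue())
        z.writestr("WEB-INF/lib/other.jar", b"not a zip")  # corrupt entry, skipped
    return war.getvalue()


if __name__ == "__main__":
    for location, version in find_log4j_core(build_constructed_sample(), "sample.war"):
        print(f"log4j-core {version} at {location}")
```

Run against a real tree with `scan_directory("/path/to/deployments")`. The check relies on the Maven metadata file, so a build that repackages Log4j under another package name and strips `META-INF/maven` will not be reported; an inventory that also matches on class names, or a vendor-supplied bill of materials, closes that gap.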
“This is obviously becoming more of a problem, as software vendors as a whole use freely available software,” Dragos’ Caltagirone said.
In industrial systems in particular, he added, old analog systems in everything from water utilities to food production have been digitally upgraded over the past decades for automated and remote management. “And one of the ways they did that, obviously, was through software and through the use of programs that used Log4j,” Caltagirone said.