Cybersecurity professionals race to patch software flaw
BOSTON — Security pros say it’s one of the worst computer vulnerabilities they’ve ever seen. Firms including Microsoft say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it.
The Department of Homeland Security has sounded a dire alarm, ordering federal agencies to urgently find and patch bug instances because it’s so easily exploitable — and telling those with public-facing networks to put up firewalls if they can’t be sure. The affected software is a small piece of code, and its presence in a system is often undocumented.
Lodged in an extensively used utility called Log4j, the flaw lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics.
Simply identifying which systems use the utility is a challenge. It is often hidden under layers of other software.
The top U.S. cybersecurity defense official, Jen Easterly, deemed the flaw “one of the most serious I’ve seen in my entire career, if not the most serious” in a call Monday with state and local officials and partners in the private sector. Publicly disclosed last Thursday, it’s catnip for cybercriminals and digital spies because it allows easy, password-free entry.
The Cybersecurity and Infrastructure Security Agency, which Easterly runs, put up a resource page Tuesday to deal with the flaw, which it says is present in hundreds of millions of devices. Other heavily computerized countries were taking it just as seriously, with Germany activating its national information technology crisis center.
A wide swath of critical industries, including electric power, water, food and beverage, manufacturing and transportation, were exposed, said Dragos, a top cybersecurity firm.
“I think we won’t see a single major software vendor in the world — at least on the industrial side — not have a problem with this,” said Sergio Caltagirone, the company’s vice president of threat intelligence.
Eric Goldstein, who heads the security agency’s cybersecurity division, said no federal agencies were known to have been compromised. But these are early days.
“What we have here is an extremely widespread, easy-to-exploit and potentially highly damaging vulnerability that certainly could be utilized by adversaries to cause real harm,” he said.
The affected software, written in the Java programming language, logs user activity.
Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is highly popular with commercial software developers. It runs across many platforms — Windows, Linux, Apple’s macOS — powering everything from webcams to car navigation systems and medical devices, according to the security firm Bitdefender.
Goldstein told reporters in a Tuesday call that the security agency would be updating an inventory of patched software as fixes become available.
“We expect remediation will take some time,” he said.
Apache Software Foundation said the Chinese tech giant Alibaba notified it of the flaw Nov. 24. It took two weeks to develop and release a fix.
Beyond patching, computer security pros have an even more daunting challenge: trying to detect whether the vulnerability was exploited — whether a network or device was hacked. That will mean weeks of active monitoring. A frantic weekend of trying to identify — and slam shut — open doors before hackers exploited them now shifts to a marathon.