Orlando Sentinel

Cyber experts race to patch software flaw

- By Frank Bajak

BOSTON — Security pros say it’s one of the worst computer vulnerabilities they’ve ever seen. Firms including Microsoft say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it.

The Department of Homeland Security has sounded a dire alarm, ordering federal agencies to urgently find and patch bug instances because it’s so easily exploitable — and telling those with public-facing networks to put up firewalls if they can’t be sure.

Lodged in an extensively used utility called Log4j, the flaw lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. It runs across many platforms — Windows, Linux, Apple’s macOS — powering everything from web cams to car navigation systems and medical devices, according to the security firm Bitdefender.

But simply identifying which systems use the utility is a challenge; it is often hidden under layers of other software.

The top U.S. cybersecurity defense official, Jen Easterly, deemed the flaw “one of the most serious I’ve seen in my entire career, if not the most serious” in a call this week with state and local officials and partners in the private sector. Publicly disclosed Dec. 9, it’s catnip for cybercriminals and digital spies because it allows easy, password-free entry.

The Cybersecurity and Infrastructure Security Agency, or CISA, which Easterly runs, posted a resource page Tuesday to deal with the flaw it says is present in hundreds of millions of devices.

An array of critical industries, including electric power, water, food and beverage, manufacturing and transportation, were exposed, said Dragos, a cybersecurity firm.

Eric Goldstein, who heads CISA’s cybersecurity division, said no federal agencies were known to have been compromised. He said CISA would be updating an inventory of patched software as fixes become available, but noted: “We expect remediation will take some time.”
