Inside the Log4j Vulnerability

The Department of Homeland Security (DHS) and cyber security experts have issued a dire alert about a software flaw that could impact hundreds of millions of websites and internet-facing devices. A flaw in a widely used utility called log4j has been dubbed the “worst computer vulnerability ever seen.” Log4j is a small piece of free, open-source software code that logs network and application activity. This code can be found everywhere – from industrial control systems to web servers, enterprise software, cloud data centers, online games, and consumer electronics. For example, Apple’s cloud computing service, security firm Cloudflare, and one of the world’s most popular video games, Minecraft, are among the many services that run log4j, according to security researchers.

Cybercriminals can easily take full remote control of a vulnerable system over the internet without any interaction from the victim. Both Microsoft and cybersecurity firm Mandiant have stated that state-sponsored Chinese and Iranian hackers, as well as rogue cryptocurrency miners, have already launched attacks that exploit the log4j flaw.

DHS Urges All to Address Vulnerable Systems

Because the log4j vulnerability is so easily exploitable, the DHS has ordered federal agencies to find and patch bugs as soon as possible, and has advised those with public-facing networks to install a web application firewall if they are unsure of their vulnerability. The log4j code is frequently undocumented within the products that include it.

The Cybersecurity and Infrastructure Security Agency, or CISA, has also set up a resource page to deal with the log4j vulnerability and its impact on systems.

Leading cyber security company Dragos says a wide range of critical industries, including electric power, water, food and beverage, manufacturing, and transportation, were compromised. “I don’t think there will be a single major software vendor in the world — at least on the industrial side — that doesn’t have a problem with this,” said Sergio Caltagirone, the company’s vice president of threat intelligence.

No federal agencies have been compromised as of yet, according to infrastructure security agency CISA, but it’s still too early in the game. The software flaw came to light over the weekend of December 10.


A Small Piece of Easily Exploited Code with Severe Risk

User activity is logged by the log4j software, which is written in the Java programming language. It is widely used by commercial software developers and was created and maintained by a small group of volunteers under the auspices of the open-source Apache Software Foundation. According to the security firm Bitdefender, it runs across many platforms — Windows, Linux, and Apple’s macOS — and powers everything from webcams to car navigation systems and medical devices.

CISA plans on updating an inventory of patched software as fixes become available, but this will take time.

The Apache Software Foundation said it would take two weeks to develop and release a fix.

The Race Is On to Pinpoint and Protect Vulnerable Systems

In the meantime, major vendors are scrambling to protect their systems. Security experts say what’s even more daunting than coming up with a fix for the Apache log4j bug is detecting whether vulnerable systems have already been exploited. It will take weeks of active monitoring to see whether a network or device was hacked with malicious input data in an attempt to steal data.

Hackers can try to break into vulnerable systems to probe vulnerable servers or install cryptocurrency mining software, botnet code and other forms of malicious software, according to security researchers. Threat actors can also install malware and shut down networks. Microsoft said that an Iran-backed hacking group has been “deploying ransomware, acquiring, and making modifications of the log4j exploit.” The attack has also been used by “access brokers”—hackers who break into companies and then sell that access to other criminals, who then install ransomware, a type of code that locks up a victim’s files and demands payment to unlock them.

So far there have been more than half a million attempts by known malicious actors to identify the log4j vulnerability on corporate networks across the globe. More than 100 hacking attempts were occurring per minute as of Tuesday, December 14, according to cybersecurity firm Check Point.

 

Neilson Marketing Does Not Utilize Log4J

We want our clients to know that Neilson Marketing Services does not use Apache log4j anywhere in our hosting stack or on your website. You do not need to be concerned about the log4j vulnerability on your Agency Tsunami website.

It’s also important to note that most people think of “online” as their public-facing website, and in the interest of keeping you safe, we’d strongly recommend that you check with all of your other software vendors and IT managers, as nearly all of the services and software utilized are online or have an internet connection. An agency CRM solution, rating and quoting systems, for example, could be vulnerable to exploitation attempts. If you use a CRM or rate and quote online, please check with your vendors to ensure that your system is not vulnerable. If your system is vulnerable, apply recommended patches as soon as possible and request confirmation that you have not been compromised. Custom software developed in-house is also vulnerable. Although log4j may not be used directly, it could be an open-source component obtained from a third-party vendor.

Security in the products and services we provide to our agency, MGA, wholesaler, program administrators, carriers, Insurtech, and vendor clients is a top priority for us at Neilson Marketing Services.
