Date: 2021-12-17

Log4j, an open source library, is unknown to most people, but it is behind some of the most used programs in the world, such as Apple iCloud, Google, Twitter, Steam and Minecraft. So, ever since a security flaw was discovered in it, technology and security companies have been on full alert.

The flaw is considered one of the most dangerous in the world and received the top score in its risk assessment because it allows attackers to execute malicious code remotely.

“Apache Log4j’s remote code execution vulnerability is the largest and most critical in the last decade,” said Amit Yoran, computer network security expert and founder of the US Computer Emergency Preparedness Team.

For Juan Andres Guerrero-Saade, cybersecurity researcher at SentinelOne, the problem is “one of those vulnerabilities worthy of a nightmare and there’s practically no way to prepare for it.”

The problem was revealed by a security researcher at Chinese company Alibaba Group Holding.

Below are 5 reasons why this flaw deserves attention:

1) There were 1.8 million attacks in 4 days

Disclosure of the vulnerability caused the number of cyber attacks to surge the very next day. Over the weekend, businesses and government agencies around the world appeared as targets on security monitoring dashboards.

According to a note from Check Point, in the first four days alone, there were 1.8 million attacks exploiting the flaw in the Log4j library.

Cybersecurity researchers have noted that the Log4j flaw has caused an uproar in cybercriminal forums on the deep web.

2) Malicious programs can invade computers remotely

In less than 24 hours, around 70 different pieces of malware that took advantage of the flaw were detected. In addition, researchers have already detected that a worm (a malicious program that spreads itself) based on the vulnerability is in development.

It will be able to download files remotely, give its operator control of computers and use the compromised computer as a server to broadcast.

3) It’s very easy to use

According to an analysis by Kaspersky, all criminals need to do to take advantage of the flaw in Log4j is force an application developed with the library to write a line of code (a string).

Once this is done, the attacker can load their own code into the application, without any action from the owner of the equipment.

Fábio Assolini, senior security researcher at Kaspersky, warns that this vulnerability is especially dangerous because even inexperienced hackers can easily exploit it.

4) Governments are already using the flaw for cyber espionage

Government-funded cyberintelligence groups are also exploring ways to take advantage of the flaw for cyber espionage, according to Check Point.

The Iranian group Phosphorus, known for deploying ransomware (programs that hijack and encrypt data and then charge a ransom), bought tools to exploit the Log4j flaw against its targets.

Charming Kitten, another Iranian hacker organization, has already started attacking Israeli targets with this vulnerability.

Other cyber-espionage teams, such as the Chinese group Hafnium, and other unnamed actors in North Korea and Turkey have also been identified.

The Microsoft Threat Intelligence Center (MSTIC) expects the vulnerability to be abused by the group in further attacks.

The US government on Friday sent a warning to the private sector about the flaw and the risk it poses.

The software affected by Log4j may be unknown to the general public, but the case resembles what happened last year with SolarWinds, whose software was at the center of a widespread Russian espionage campaign.

5) The open source library is a low-budget project

Part of the seriousness of the Log4j situation lies in the fact that the library has little support. Developed by four developers in their spare time, the open source framework was widely adopted without ever receiving support from large companies.

“There has been a lot of criticism now because Microsoft, Cisco and many big tech companies use Log4j and don’t put a dollar in the project”, laments Assolini.

Although a partial fix was released Friday by Apache, the non-profit foundation responsible for Log4j, experts say it will take time to find the bug and implement the solutions. The rush, combined with the lack of resources, means the problem will take a long time to be completely resolved.

“It is critical software, used by many people, and which four people maintain, as volunteers, without receiving anything, without financial support”, concludes the expert. (With Reuters)