It is one of the most far-reaching security vulnerabilities in the history of the Internet, and gradually more and more hackers are trying to exploit it. State attackers are also trying to capitalize on the problem called Log4shell, which startled IT professionals around the world over the weekend. This is what IT security companies report.
The problem lies in the utility program Log4j, part of the widely used Java technology. It should actually only log what happens on a computer server. However, computers connected to the network, e.g. from online games or cloud providers, can be taken over by hackers via the vulnerability. Products from Amazon, Cisco or IBM are always affected. The vulnerable technique is so widespread that professionals still find it difficult to gauge which and how many services are affected (more on the loophole here).
The IT security company Checkpoint has attempted the attack counted: On Saturday, twelve hours after the vulnerability became known, it was 40,000, and after 72 hours more than 800,000. Because of the extremely rapid growth, Checkpoint speaks of a “cyber pandemic”.
State hackers try to exploit Log4shell, reports including the Microsoft security team, which monitors and analyzes groups of hackers. State groups from China, Iran, North Korea and Turkey would take advantage of Log4shell. They tried to adapt the attack technique for the vulnerability, which has been known since last week, for their purposes and to merge it with existing malware. In this way, unauthorized persons could completely take over computers remotely.
Attackers practically feel their way through the Internet
The Iranian group, named Phosphorus by Microsoft, used the vulnerability to install ransomware on target devices without authorization. Such software encrypts data on victims’ systems, rendering those systems unusable. It is often used to extort ransom from such “shackled” companies and organizations. According to the analysts, the group uses ransomware to make money or simply to cripple goals. The Chinese group called Hafnium is also attacking software infrastructure via Log4shell. Other groups have taken root in systems through the gap and are now selling access to them to ransomware hackers.
According to Microsoft, however, so-called mass scans make up the largest part of Log4Shell activity: attackers practically feel their way through the Internet, looking for vulnerable devices. Botnets – armies of hijacked computers interconnected by criminals – also use this technology. However, some of the scans measured are likely to be traced back to IT security experts who want to protect devices rather than take them over. As on the weekend, hackers installed so-called coin miners on their victims’ computers. The attackers want to use their computing power to secretly generate crypto currencies for themselves. Windows and Linux systems are equally affected.
The Apache Software Foundation, which takes care of Log4j, has made a security update available to close the gap. The US cybersecurity agency, meanwhile, set a deadline. She urged federal agencies to download the update by Christmas. However, the update originally provided by the foundation did not fully protect systems. Version 2.15.0 of Log4j left a hole open which attackers could use to paralyze the software. The new update 2.16.0 closes this gap. Anyone who operates servers in the network should here download.