A bug in the technical framework used in many applications and cloud services could leave various software vulnerable to hackers.
Hackers are actively scanning to detect systems that have this weakness so that they can take control of vulnerable systems remotely, according to warnings published on the Dutch and British National Cyber Security Centres (NCSC) websites.
The bug was detected in 'Log4j 2', an open-source Java logging library developed by the Apache Foundation which is widely used by developers to keep a record of activity within an application. This includes custom applications developed within an organisation, as well as numerous cloud services.
Some hackers have already developed tools to automatically target the weakness of the bug, as well as "worms" that can spread independently from one vulnerable system to another under the right conditions, according to a report from Wired.
Alert: Active scanning for Apache Log4j 2 vulnerability (CVE-2021-44228) https://t.co/LVTAKZWD8Z pic.twitter.com/1DqHhKDPeO— NCSC UK (@NCSC) December 10, 2021
If a hacker can exploit the bug, they can strategically send a malicious code that, through a series of technical processes, eventually allows them to take control.
The fear is also that hackers will use hostage software (aka ransomware) with which they can block networks and steal data, and in return demand a ransom.
Updates to reduce the vulnerability
The companies affected by the bug so far include Twitter, Apple and Amazon; the leak has also been found in the software for Tesla's electric cars.
The Dutch NCSC has placed a list online on Github detailing applications that are vulnerable. But it but stressed that this list is "far from complete" and that it will grow in the coming days as more details are found.
- Belgian companies suffer more ransomware attacks, but spend least on security
- Almost half of Belgian companies victims of cybercrime
- Mediamarkt cyber attack: hackers demand $50 million in Bitcoin
Partners, organisations and companies are urged to share additional information on Github, as the priority is figuring out how widespread the problem is. The same agencies in Australia, New Zealand and the United States have issued similar warnings.
Organisations and individuals have been advised to take steps to mitigate the Apache Log4j 2 vulnerability. One of these is to install the latest version or updates of various online services when they become available.
Yet even if fixes are made, researchers warn that the flaw could have serious repercussions worldwide for many mainstream services. Microsoft-owned Minecraft already posted detailed instructions on Friday informing players of the game's Java version on how to patch their systems.