
Log4J flaw puts hundreds of millions of devices at risk

Many large-scale tech companies, such as Microsoft, Cisco, Google, and IBM, and even some government cybersecurity agencies like CISA, have already reported vulnerabilities and issued guidelines on dealing with the threat.

 

Reports are coming in of hackers already mass scanning for vulnerable servers in an attempt to fingerprint them and identify soft spots. Software as broadly used as Log4J gives a threat actor plenty of opportunities to exploit this vulnerability and take full control of affected systems, harming both large enterprises and their customers.

The Log4J software library is a bombshell full of information that could harm hundreds of millions of people worldwide

A tiny bit of code that big shots dread

A vulnerability called Log4Shell was first noticed in Minecraft and reported on 24 November by Chen Zhaojun. Log4Shell is a minor flaw in Apache's Log4J software library that can cause colossal damage to the millions of organizations and industries that use this software day-to-day across their websites and apps.

I think we won't see a single major software vendor in the world - at least on the industrial side - not have a problem with this

Sergio Caltagirone, Vice President of Dragos

Caltagirone added that a wide range of electricity, manufacturing, transportation, and even food and beverage industries were already exposed. To make things worse, the Log4J software library, aside from being ubiquitous, is an extremely sensitive one, since it is a library that logs user activity (security and performance data). In other words, it is an information bombshell! As such, in the wrong hands, it could easily lead to data exfiltration, credential theft, ransomware threats, the installation of cryptocurrency miners, and various other illegal activities.

Remediation may take a while

It took two weeks for the Apache Software Foundation to develop and release the fix that successfully patches the vulnerability. However, so far, more than half a million breach attempts by known malicious organizations have been detected, and nobody can tell for sure how many more unknown threat actors are lurking in the shadows.

We're in a lull before the storm

Sean Gallagher, Senior Researcher at Sophos

We're talking about a bug that endangers all Java-based servers and programs, so it's very hard to gauge the scale of the damage, especially since software updates across the web take time to implement (and time is of the essence). No ransomware or similar infections have been reported so far, but they're expected in the next few weeks. It is suspected that hackers are already mass scanning and storing data for future cyberattacks. As Sean Gallagher, Senior Researcher at Sophos, put it, it seems unavoidable that we're just in a lull before the storm.

Desperate times call for combined efforts

Cybersecurity experts around the world are diligently trying to detect any potential exploitation, but I am afraid that they've only been able to scratch the surface of a much bigger problem. It's becoming crystal clear by now that the whole volunteer-driven open-source software development system needs re-evaluation and a more systematic approach, with the necessary protective measures in force.

In the meantime, experts are calling this one of the worst vulnerabilities in years, and we should all take it seriously. Here's what you can do to minimize the damage and protect your devices:

Update, update, update!

We cannot emphasize enough the importance of regular updates. Software updates usually add new features and remove outdated ones, and that's all very good... but they are primarily there to patch security holes and fix bugs like Log4Shell, and in that way protect your devices.

It's exactly situations like these that remind us how susceptible we are to cyberattacks if we don't take precautions. We all tend to adopt the defensive "it's not going to happen to me" attitude and not act until we see the first warning signs. Unfortunately, by that time, it'll already be too late. So, if you haven't already, take a moment now and update your OS and all your apps, especially the ones you suspect are using Apache code or Java servers.

Manual fix

Some particularly vulnerable apps and games, like Minecraft, offer you the opportunity to fix the vulnerability manually. So if you are a Minecraft player, and, for some reason, you do not wish to update to the safe version 1.18.1, follow these instructions for the manual fix.

Immediate protection

Despite the chaos, one of the leading VPN providers has stepped up with a solution. ExpressVPN has released its very own safeguard against the Log4J vulnerability, an added layer of protection for all its users, and all it takes to protect your device is to switch the VPN on. This is the first VPN service that took this big step, once again confirming its title of the VPN industry titan.

Conclusion

It's no longer a question of how a bunch of volunteers could have gone so wrong. At this point, it's a matter of admitting the shortcomings of an entire industry that relies on blindly inserting code snippets (without enough precautions being taken), and of making some significant changes. As for us, the users, let's not forget to always ask ourselves: what can we do to protect ourselves and others in this crazy environment?

Written by: Danka Delić

With her BA in English Language and Literature, Private Pilot Licence, and passion for researching and writing, Danka brings further diversity to the team. As a former world traveler, she learned to appreciate cyber security and the necessity for digital privacy. Danka is a nature, animal, and written-word lover. She enjoys staying on the go, both mentally and physically, and spends most of her free time either reading or hiking with her dog.
