Many large-scale tech companies, such as Microsoft, Cisco, Google, and IBM, and even some government cybersecurity agencies like CISA, have already reported vulnerabilities and issued guidelines on dealing with the threat.
Reports are coming in about hackers already mass-scanning for vulnerable servers in an attempt to fingerprint them and identify soft spots. Software as broadly used as Log4J could give a threat actor plenty of opportunities to exploit this vulnerability and take control of entire affected systems, harming both large enterprises and their customers.
The Log4J software library is a bombshell full of information that could harm hundreds of millions of people worldwide
A tiny bit of code that big shots dread
A vulnerability called Log4Shell was first noticed in Minecraft and reported on 24 November by Chen Zhaojun. Log4Shell is a minor flaw in Apache's Log4J software library that can cause colossal damage to the millions of organizations and industries that use this software day-to-day throughout their websites and apps.
I think we won't see a single major software vendor in the world - at least on the industrial side - not have a problem with this
Caltagirone added that a wide range of electricity, manufacturing, transportation, and even food and beverage industries were already exposed. To make things worse, the Log4J software library, aside from being ubiquitous, is an extremely sensitive one, since it logs user activity (security and performance data). In other words, it is an information bombshell! As such, in the wrong hands, it could easily lead to data exfiltration, credential theft, ransomware threats, the installation of crypto coin miners, and various other illegal activities.
Remediation may take a while
It took two weeks for the Apache Software Foundation to develop and release the fix that successfully patches the vulnerability. However, so far, more than half a million breach attempts by known malicious organizations have been detected, and nobody can tell for sure how many more unknown threat actors are lurking in the shadows.
We're in a lull before the storm
We're talking about a bug that endangers all Java-based servers and programs, so it's very hard to conceive the proportions of the damage, especially since software updates across the web take time to implement (and time is of the essence). No ransomware or similar infections have been reported so far, but they're expected in the next few weeks. It is suspected that hackers are already mass-scanning and storing data for their future cyberattacks. As Sean Gallagher, senior researcher at Sophos, put it, it seems unavoidable that this is just a lull before the storm.
Desperate times call for combined efforts
Cybersecurity experts around the world are diligently trying to detect any potential exploitation, but I am afraid that they've only been able to scratch the surface of a much bigger problem. It's becoming crystal clear by now that the whole volunteer-based open-source software design system needs re-evaluation and a more systematic approach, with the necessary protective measures in force.
In the meantime, experts are calling this one of the worst vulnerabilities in years, and we should all take it seriously. Here's what you can do to minimize the damage and protect your devices:
Update, update, update!
We cannot emphasize enough the importance of regular updates. Software updates usually add new features and remove outdated ones, and that's all very good... but they are primarily there to patch security holes and fix bugs like Log4Shell, and in that way protect your devices.
It's exactly situations like these that remind us how susceptible we are to cyberattacks if we don't take precautions. We all tend to adopt the defensive "it's not going to happen to me" attitude and not act until we see the first warning signs. Unfortunately, by that time, it'll already be too late. So, if you haven't already, take a moment now and update your OS and all your apps, especially the ones you suspect are using Apache code or Java servers.
Manual fix
Some particularly vulnerable apps and games, like Minecraft, offer you the opportunity to fix the vulnerability manually. So if you are a Minecraft player and, for some reason, you do not wish to update to the safe version 1.18.1, follow these instructions for the manual fix.
Conclusion
It's no longer a question of how a bunch of volunteers could have gone so wrong. At this point, it's a matter of admitting the shortcomings of the entire industry, which relies on the blind insertion of code snippets (without enough precautions being taken), and making some significant changes. As for us, the users, let's not forget to always ask ourselves: what can we do to protect ourselves and others in this crazy environment?