Software Bug Could Let Hackers Control Your Smart Home Systems, Car Navigation And More
"Internet's on fire": Flaw discovered in open-source code used across industry and government in cloud services and enterprise software.

ACROSS AMERICA — What’s known as the “Log4j” or “Log4Shell” vulnerability, originally detected as a software bug in Microsoft's online gaming program Minecraft, is causing widespread worry across the internet because it gives cybercriminals easy, password-free access to servers around the world.
The flaw in Log4j, a piece of commonly used open-source logging code written in the Java programming language, gives hackers an open door to plant malware, steal data and create other mayhem, the U.S. Department of Homeland Security is warning.
The code is used widely by commercial software developers across multiple platforms, including Windows, Linux and Apple’s macOS.
“The internet’s on fire right now,” Adam Meyers, senior vice president of intelligence at the cybersecurity company CrowdStrike, told The Associated Press last week.
“People are scrambling to patch,” he said, “and all kinds of people scrambling to exploit it.”
Within 12 hours of the discovery of the bug, it had been “fully weaponized,” and malefactors had developed and distributed the tools to exploit it, according to the AP.
Here are five things to know:
1. How Bad Is It?
Jen Easterly, the top U.S. cybersecurity defense official, said in a call Monday with state and local officials and private-sector businesses that the software bug is “one of the most serious I’ve seen in my entire career, if not the most serious.”
On a scale of one to 10, Log4Shell was ranked a 10 in terms of nastiness by the Apache Software Foundation, which oversees the development of the software where the bug was originally discovered. That’s because anyone with the exploited code can obtain full access to an unpatched computer that uses the software, with no password required.
Amit Yoran, the chief executive of the cybersecurity firm Tenable, told the AP the bug is “the single biggest, most critical vulnerability of the last decade,” and possibly the biggest in the history of modern computing.
2. Who’s Affected?
Any device that uses the internet is potentially at risk — and that’s hundreds of millions of them, according to the Cybersecurity and Infrastructure Security Agency, or CISA. A wide swath of critical industries — electric power, water, food and transportation, for example — have already been exposed, according to Dragos, a leading industrial control cybersecurity firm.
“I think we won’t see a major software vendor in the world — at least on the industrial side — not have a problem with this,” Sergio Caltagirone, Dragos’ vice president of threat intelligence, told the AP.
It’s used to power devices commonly found in homes and offices — smartwatches, TVs, gaming consoles, computers, thermostats, webcams, car navigation systems, DVD players, parking meters and medical devices.
“This vulnerability has a very significant ripple effect on the software supply chain, and it is hard to predict the total scope and long-term impact of the vulnerability,” the security firm Bitdefender said on its website. “What we can say already is that mitigation will be a marathon, not a sprint. We expect to see more application-specific exploits soon and the situation is still very dynamic.”
No federal agencies have been compromised, Eric Goldstein, who heads CISA's cybersecurity division, told reporters in a conference call Tuesday.
But it’s still early, he said.
“What we have here is an extremely widespread, easy to exploit and potentially highly damaging vulnerability that certainly could be utilized by adversaries to cause real harm,” he said.
3. What Should You Do?
Update your software regularly to make sure your devices have the latest patches.
One big challenge is identifying software harboring the Log4j bug, according to ZDNet.
CISA is regularly updating its inventory of patched software as fixes become available, and it’s keeping a list of vendors affected by Log4j. Some familiar names include Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, JetBrains, Nelson, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft and VMware.
The NCC Group, a global cybersecurity and risk mitigation firm, has posted a network-detection protocol to help users determine if they’ve been exploited. Microsoft also has offered guidance for preventing Log4j attacks.
4. Have Any Attacks Been Successful?
By Tuesday, the cybersecurity firm Check Point said it had detected more than a half-million attempts to identify the vulnerability on corporate networks around the globe, the AP reported.
Around the globe, digital spies exploited the flaw to plant cryptocurrency mining malware to surreptitiously mine digital money in five countries, Check Point told the AP on Tuesday.
Those attempts were thwarted, but security experts say it’s just a matter of time before a successful ransomware attack occurs.
“I think what’s going to happen is it’s going to take two weeks before the effect of this is seen because hackers got into organizations and will be figuring out what to do next,” John Graham-Cumming, chief technical officer of Cloudflare, told the AP. Cloudflare's online infrastructure protects websites from online threats.
John Hultquist, a top threat analyst at the cybersecurity firm Mandiant, told the AP that state-backed hackers in China and Iran have already exploited the flaw, presumably for cyber-espionage, and other state actors are likely to do the same.
He declined to name the target or geographical location of the Chinese hackers, but said those from Iran are “particularly aggressive” and had taken part in ransomware attacks primarily for disruptive ends.
5. How Long Will This Last?
Don’t expect the problem to immediately disappear. Complete remediation “will take some time,” Goldstein told reporters Tuesday.
“A lot of people are already pretty stressed out and pretty tired from working through the weekend — when we are really going to be dealing with this for the foreseeable future, pretty well into 2022,” Joe Slowik, threat intelligence lead at the network security firm Gigamon, told the AP.
Sean Gallagher, a senior researcher at the cybersecurity firm Sophos, told the AP he thinks digital spies are hard at work extracting usernames and passwords.
“We expect adversaries are likely grabbing as much access to whatever they can get right now with the view to monetize and/or capitalize on it later on,” he told the AP.
The Associated Press contributed reporting.