New Cybersecurity Vulnerability Poses ‘Severe Risk’
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent statement about a new cyber vulnerability that could reach a large number of internet users.
“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” CISA Director Jen Easterly said in a statement.
“To be clear, this vulnerability poses a severe risk,” Easterly said.
The vulnerability is in a commonly used piece of software called “Log4j,” a utility that runs in the background of many commonly used software applications.
Tony Turner, VP of Security Solutions for the cybersecurity company Fortress, says, “It is probably one of the most ubiquitous software components on the internet today.” Turner said that the vulnerability impacts everything from gaming systems and consumer platforms to critical infrastructure and the Department of Defense.
“Why this is so important is it is trivial to exploit,” Turner said. “Anyone can do this, like teenagers and kids are playing around with this [vulnerability] like it’s a game.”
Cybersecurity experts have been working around the clock to fix this problem. “IT security teams around the world have been burning midnight oil all weekend and will continue and this is not a weekend problem, this is a months and months from now problem,” Turner said.
An alert released by Microsoft says they are “monitoring the threat landscape for attacks and developing customer protections.”
“Our security teams have been conducting an active investigation of our products and services to understand where Apache Log4j may be used and are taking expedited steps to mitigate any instances,” the alert continued.
According to an Amazon Web Services blog post, “This vulnerability is severe and due to the widespread adoption of Apache Log4j, its impact is large.”
National Security Agency Director of Cybersecurity Rob Joyce said in a tweet that the Log4j vulnerability is a “significant threat for exploitation due to the widespread inclusion in software frameworks.”
Many sources have said that it could be weeks before the vulnerability – and how it has been exploited – is understood. That is a significant problem because Log4j touches such a large portion of the internet – from cell phones and e-commerce to gaming platforms and internet-connected devices.
Tony Turner told ABC News, “I think this is bigger than SolarWinds, it’s bigger than Colonial [pipeline] or Kaseya. That’s just because of the reach just because of the ubiquitous nature and the ease of exploitation here.”
“This is probably one of the most important vulnerabilities of all time… we’re still trying to understand the ultimate reach of this and I think we’re going to be unpacking this for years to come,” Turner said.
Story via ABC News