Hackers have targeted more than 40 per cent of companies globally since last Friday through a previously unnoticed vulnerability in a widely used piece of open-source software called Log4J, according to the cyber security group Check Point.
Check Point said there had been 846,000 documented attacks relating to the vulnerability in the 72 hours since Friday, and that at some points its researchers were seeing more than 100 hacks a minute.
The flaw in Log4J allows attackers to easily gain remote control over computers running apps in Java, a popular programming language.
Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency (CISA) told industry executives that the vulnerability was “one of the most serious I’ve seen in my entire career, if not the most serious,” according to US media reports. Hundreds of millions of devices are likely to be affected, she said.
Check Point said that in many cases, the hackers were taking control of computers to use them to mine cryptocurrency, or to become part of botnets, vast networks of computers that can be used to overwhelm websites with traffic, to send spam, or for other illegal purposes.
Both CISA and the UK’s National Cyber Security Centre have now issued alerts urging organisations to make upgrades related to the Log4J vulnerability, as experts attempt to assess the fallout. Amazon, Apple, IBM, Microsoft and Cisco are among those that have rushed to put out fixes, but no severe breaches have been reported publicly so far.
The vulnerability is the latest to hit corporate networks, after the emergence of flaws in the past year in commonly used software from Microsoft and IT company SolarWinds. Both these weaknesses were initially exploited by state-backed espionage groups from China and Russia respectively.
According to Check Point, nearly half of all attacks have been conducted by known cyber attackers. These included groups using Tsunami and Mirai — malware that turns devices into botnets, or networks used to launch remotely controlled hacks such as denial of service attacks. It also included groups using XMRig, a software that mines the hard-to-trace digital currency Monero.
Researchers at Mandiant told Reuters that sophisticated groups including “Chinese government actors” were also attempting to exploit the bug.
“With this vulnerability, attackers gain almost unlimited power — they can extract sensitive data, upload files to the server, delete data, install ransomware or pivot to other servers,” Nicholas Sciberras, head of engineering at vulnerability scanner Acunetix, said. It was “astonishingly easy” to deploy an attack, he said, adding that it would “be exploited for months to come”.
The source of the vulnerability is faulty code developed by unpaid volunteers at the non-profit Apache Software Foundation, which runs multiple open source projects, raising questions about the security of vital parts of IT infrastructure. Log4J has been downloaded millions of times.
The flaw has existed unnoticed since 2013, experts say. Matthew Prince, chief executive of cyber group Cloudflare, said that it started to be actively exploited from December 1, although there was no “evidence of mass exploitation until after public disclosure” from Apache the following week.