Chinese hackers are exploiting ‘fully weaponised’ software vulnerability which is causing ‘mayhem on the web’ and poses a threat to internet-connected devices worldwide, experts warn

  • Experts say the ‘Log4shell’ flaw is the biggest threat to the internet in a decade
  • Countries have issued critical warnings over the threat the software flaw poses
  • The flaw is considered so serious because the affected software is used in a wide range of devices that use Java software, embedded in programmes worldwide
  • If exploited, hackers can gain access and steal personal data and plant malware 

Chinese hackers are already exploiting a ‘fully weaponised’ software vulnerability which is causing mayhem on the web, with experts warning that it is the ‘most serious’ threat they have seen in decades. 

The flaw was uncovered earlier this month in a piece of software called Log4j, which helps applications interact with one another across computer networks. 

By exploiting the flaw, dubbed Log4Shell, hackers can take control of servers which run the network and repurpose them for their own ends.

That could mean stealing data on those servers such as medical records and photos, plundering company databases for people’s bank details, or locking up servers and extorting firms in so-called ‘ransomware’ attacks.

And there is little that most ordinary users can do to stop this from happening, or any way to tell if data has been stolen in this way.

As one cybersecurity source who spoke to MailOnline put it: ‘This is where you put your faith in the lap of the computer Gods and hope it gets fixed soon.’  

Chinese hackers are already exploiting a ‘fully weaponised’ software vulnerability which is causing mayhem on the web, with experts warning that it poses a threat to internet-connected devices across the globe. Pictured: A hacker works on a computer [stock image]

What is Log4J, how does it work, and what does the hack do? 

Log4J is a piece of software that logs user activity and app behaviour on a computer network. It is an API, or ‘application programming interface’, which fetches and carries data across the network – essentially one of the invisible cogs that make the computer world turn.

Most APIs are open-source, meaning they can be accessed by anyone and are frequently built into networks by engineers constructing them, often without their customers knowing.

The flaw that has been exposed in Log4J gives hackers a back door into networks which use the program. It allows them to drop malicious pieces of code on to servers running the network, which can then be repurposed to do the hacker’s bidding.

In practice, this means that hackers would be able to steal any data stored on those servers or use them to carry out tasks – provided they know how to write code to do the particular task. 

For users, it could mean having medical records and bank account details stolen, along with files and photos that have been backed up online.

Most major firms will have additional layers of security in place such as encryption software that could foil such a hack, but users will have little or no way of knowing this. 

And, even if people find out their data is vulnerable, there is little they can do to secure it or to find out if hackers have been able to access it. 

For companies, it could mean hackers locking up their servers and demanding money to unlock them in a ‘ransomware’ attack, or using them to run capacity-draining processes such as crypto mining. 

Because Log4J is open source, many companies may not even know they are using it until the attack has been carried out.

The UK’s National Cyber Security Centre has urged all firms to check for ‘unknown instances’ of Log4J on their systems, while IT experts have warned the hack will likely cause problems for ‘years’ to come.


Data will only be vulnerable to this hack if it has been stored on a server that uses an API – an ‘application programming interface’, effectively an invisible cog that helps computer networks turn – which incorporates Log4J, the expert added.

It means, for example, that photos which have never been uploaded to the internet should be safe – but many phones will automatically back up images online without users being aware of it.

Most companies will also have additional security measures in place such as encryption software which would likely protect sensitive data, but users will have little or no way of knowing if this is the case and will be unable to take extra measures to protect the data even if they find out it is vulnerable.

And because Log4J is open source – meaning it can be freely accessed and used by network engineers – many companies may have no idea their systems have been built using it until it is too late. 

Millions of firms are thought to be in danger. IT security firm Check Point said 37 per cent of the UK’s corporate networks have already been the target of attempted exploitation of the vulnerability, with hackers scanning the internet for possible targets. 

Some of the world’s largest tech companies, including Microsoft, Cisco, IBM and Google, as well as government agencies such as Cybersecurity and Infrastructure Security Agency (CISA) in the US, have found some of their servers to be vulnerable.

They have since issued guidelines on how to tackle the threat, urging customers that use Log4j to update the software to the latest version, released since Apache – the software firm which created Log4J – became aware of the vulnerability.

US cybersecurity firms Mandiant and Crowdstrike also said they found sophisticated hacking groups leveraging the bug to breach targets. Mandiant described those hackers as ‘Chinese government actors’ in an email to Reuters news agency. 

Tech experts are issuing dire warnings over the vulnerability, saying that the flaw poses one of the most severe cyber-security risks ever seen.

‘The Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade,’ said Amit Yoran, chief executive of network security firm Tenable and founder of the US Computer Emergency Readiness Team. 

Juan Andres Guerrero-Saade, principal threat researcher with cybersecurity firm SentinelOne, called it ‘one of those nightmare vulnerabilities that there’s pretty much no way to prepare for.’

Guerrero-Saade said his firm had already seen Chinese hacking groups moving to take advantage of the vulnerability. 

Lotem Finkelstein, Director of Threat Intelligence and Research at Check Point Software, said: ‘This is clearly one of the most serious vulnerabilities on the internet in recent years, and it’s spreading like wild fire. At one point, we saw over 100 hacks a minute related to the Log4j vulnerability.

‘We’re seeing what appears to be an evolutionary repression, with new variations of the original exploit being introduced rapidly — over 60 in less than 24 hours. The number of combinations of how to exploit it gives the attacker many alternatives to bypass newly introduced protections,’ he said.

‘This vulnerability, because of the complexity in patching it and easiness to exploit, will stay with us for years to come, unless companies and services take immediate action to prevent the attacks on their products by implementing a protection. 

‘Now is the time to act. Given the holiday season, when security teams may be slower to implement protective measures, the threat is imminent. This acts like a cyber pandemic — highly contagious, spreads rapidly and has multiple variants, which force more ways to attack.’

The flaw is considered so serious because the affected software is used in a wide range of devices that use Java software. It is so popular and embedded across many companies’ programs that security executives expect widespread abuse. 

Online services used by millions including Netflix, Amazon, Uber and LinkedIn and cloud-based services such as Apple iCloud, Android OS, Google Documents and more are all understood to be under threat from the software bug. 

Tech giants such as Amazon Web Services and IBM have already moved to address the flaw in their products. However, potential attackers had more than a week’s head start before it was made public.

It was first noticed on sites used by users of the popular video game Minecraft, and was officially reported to Apache on November 24 by Chen Zhaojun – an employee of Chinese e-commerce giant Alibaba. 

It is now apparent that initial exploitation was spotted Dec. 2, before a patch rolled out a few days later. The attacks became much more widespread as people playing Minecraft used it to take control of servers and spread the word in gaming chats. 

The US government sent a warning to the private sector about Apache’s Log4j vulnerability and the looming risk it poses on Friday, while Germany has activated its national IT crisis centre in response to the ‘extremely critical’ flaw. 

In a statement, CISA said: ‘Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. 

‘An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.’

CISA director Jen Easterly warned that the flaw was already being widely exploited ‘by a growing set of threat actors.’

‘The internet’s on fire right now,’ said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. ‘People are scrambling to patch,’ he said, ‘and all kinds of people scrambling to exploit it.’

He said Friday morning that in the 12 hours since the bug’s existence was disclosed, it had been ‘fully weaponized,’ meaning malefactors had developed and distributed tools to exploit it.

Everything we know about the ‘Log4Shell’ bug so far

WHAT IS THE PROGRAMMING FLAW? 

An exploit discovered in the Java logging library, log4j2, has sent developers scrambling for a patch.

Java remains one of the world’s most popular programming languages and is used to create functions within an app or system. 

HOW WILL IT AFFECT MY DEVICES? 

With the ‘Log4Shell’ bug, hackers can take full control of an external server, without authentication, with relative ease.

Experts have warned it is one of the biggest threats in the history of modern computing.

The following apps or online services are known to use Java within their programming, either through back-end services or user interfaces.

  • Google and Android OS
  • Netflix
  • Spotify
  • Apple’s iCloud
  • LinkedIn
  • Uber
  • Amazon
  • Minecraft 

WHAT CAN I DO TO STOP IT? 

News of a potential vulnerability affecting millions of devices has sent programmers scrambling for a fix.

Firewalls and VPNs are likely already working on short-term fixes to protect their customers’ online security.

Experts have suggested all Log4j users should immediately look to upgrade to Log4j-2.15.0-rc2.

Unofficial patches have also been launched by internet sleuths. 


Much of the software affected by Log4j, which bears names like Hadoop or Solr, may be unfamiliar to the public at large. 

But as with the SolarWinds program at the centre of a massive Russian espionage operation last year, the ubiquity of these workhorse programs makes them ideal jumping-off points for digital intruders. 

While a partial fix for the vulnerability was released on Friday by Apache, the maker of Log4j, affected companies and cyber defenders will need time to locate the vulnerable software and properly implement patches.
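The NCSC advice quoted earlier, to check for ‘unknown instances’ of Log4j, and the point above that defenders first have to locate the vulnerable software before they can patch it, both come down to an inventory step. The following Python script is an added example, not code from the article, from Apache or from any of the firms quoted: it walks a directory tree, opens every .jar/.war/.ear (including archives nested inside them), reads the log4j-core version from the Maven pom.properties that ships inside the jar, and flags anything older than 2.15.0, the fix version the article names. The paths inside the jar are the standard layout log4j-core ships with; the sample jars the script builds for its demo are constructed stand-ins, not real Log4j builds.

```python
"""Inventory scan for Log4j jars (added example, not the article's or Apache's code).

Walks a directory tree, opens every archive (and archives nested inside archives),
reads the log4j-core version from the Maven pom.properties inside the jar, and flags
versions older than 2.15.0, the fix version the article names.
"""
from __future__ import annotations

import io
import os
import re
import zipfile
from dataclasses import dataclass

FIXED_VERSION = (2, 15, 0)  # upgrade target named in the article
# Standard Maven layout shipped inside log4j-core jars.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str              # archive path; "!" separates nested archives
    version: str | None    # version string from pom.properties, if present
    has_jndi_lookup: bool  # JndiLookup.class still present in the jar
    needs_upgrade: bool    # older than FIXED_VERSION (or unknown) and lookup class present


def parse_version(version: str) -> tuple[int, int, int] | None:
    """Turn '2.14.1' or '2.15.0-rc2' into a comparable tuple such as (2, 14, 1)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())  # type: ignore[return-value]


def inspect_archive(data: bytes, label: str, findings: list[Finding]) -> None:
    """Inspect one archive given as bytes, then recurse into any nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            parsed = parse_version(version) if version else None
            # No readable version but the lookup class is present: flag for manual review.
            needs = has_jndi and (parsed is None or parsed < FIXED_VERSION)
            findings.append(Finding(label, version, has_jndi, needs))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_bytes(data: bytes, label: str) -> list[Finding]:
    """Scan a single archive held in memory."""
    findings: list[Finding] = []
    inspect_archive(data, label, findings)
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a directory tree and inspect every archive found under it."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), full, findings)
    return findings


def build_sample_jar(version: str | None, include_jndi: bool,
                     nested: bytes | None = None) -> bytes:
    """Construct a minimal stand-in jar for the demo (not a real Log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES,
                        f"groupId=org.apache.logging.log4j\n"
                        f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        if nested is not None:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    # Demo on a temporary directory holding a constructed .war with an old jar inside.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "app.war"), "wb") as fh:
            fh.write(build_sample_jar(None, False, nested=build_sample_jar("2.14.1", True)))
        for finding in scan_tree(tmp):
            print(finding)
```

Run the file directly to see the demo on a temporary directory, or call scan_tree() on a real deployment root. A jar whose version is old but which no longer contains JndiLookup.class is listed without being flagged, so jars that have deliberately had the class removed are not reported as unpatched; a jar that still has the class but no readable version is flagged for manual review rather than silently passed.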

In practice, this flaw allows an outsider to enter active code into the record-keeping process. That code then tells the server hosting the software to execute a command giving the hacker control.

So far no major disruptive cyber incidents have been publicly documented as a result of the vulnerability, but researchers are seeing an alarming uptick in hacking groups trying to take advantage of the bug for espionage. 

‘We also expect to see this vulnerability in everyone’s supply chain,’ said Chris Evans, chief information security officer at HackerOne.

Multiple botnets, or groups of computers controlled by criminals, were also exploiting the flaw in a bid to add more captive machines, experts tracking the developments said.

What many experts now fear is that the bug could be used to deploy malware that either destroys data or encrypts it, like what was used against U.S. pipeline operator Colonial Pipeline Co in May which led to shortages of gas in some parts of the US.

Meanwhile, a spokesman for Germany’s Interior Ministry said the country’s federal IT safety agency is urging users to patch their systems as quickly as possible to fend off possible attacks using a bug in the Log4J tool.

‘The threat situation is extremely critical,’ the spokesman, Steve Alter, told reporters in Berlin. ‘Immediate protective measures are required.’

German authorities have recorded efforts to exploit the bug around the world, including successful attempts, he said, without elaborating. So far no successful attacks against German government entities or networks have been confirmed, though a number have been deemed vulnerable, said Alter.

Germany is in contact with ‘numerous national and international partners’ on the matter, he said. ‘A successful exploit of this weakness would mean that someone could take complete control of the affected system.’

Java remains one of the world’s most popular programming languages and is used to create functions within an app or system. 

Unless a patch is found, criminals, spies and programming novices could gain easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more. [stock image]

Java is still used to this day, either for back-end services or user-facing interfaces, in some of the world’s most popular applications and online services, including Netflix, Amazon, Google and Android OS, Spotify, LinkedIn and Uber. 


‘I would be hard-pressed to think of a company that’s not at risk,’ said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors.

‘Log4Shell’ was uncovered in a utility that’s ubiquitous in cloud servers and enterprise software used across industry and government. 

Until it is resolved, criminals, spies and programming novices alike are granted easy access to internal networks where they can steal valuable data, plant malware, erase crucial information and much more.

Untold millions of servers have it installed, and experts said the fallout would not be known for several days. Amazon, Twitter and Apple’s iCloud are understood to be ‘vulnerable’ to the exploit.

Hackers are also understood to be able to use QR codes, whose use was widely popularised throughout the pandemic for NHS Test and Trace purposes, to run malicious code on servers. 

The scare prompted senior intelligence experts to react, including Robert Joyce, director of cybersecurity at the National Security Agency in America.

He explained: ‘The Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, including the NSA’s GHIDRA (a free open source reverse engineering tool)’. 

The vulnerability, dubbed Log4Shell, was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software.

Experts said the extreme ease with which the vulnerability lets an attacker access a web server – no password required – is what makes it so dangerous.

Marcus Hutchins, an internet security researcher, warned Log4Shell could make millions of apps vulnerable to hacking as its software is often used by developers.  

Cybersecurity experts say users of the online game Minecraft have already exploited it to breach other users’ devices by pasting a short message into a chat box

New Zealand’s computer emergency response team was among the first to report that the flaw was being ‘actively exploited in the wild’ just hours after it was publicly reported Thursday and a patch released.

The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on Nov. 24 by the Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix.

But patching systems around the world could be a complicated task. 

While most organizations and cloud providers such as Amazon should be able to update their web servers easily, the same Apache software is also often embedded in third-party programs, which often can only be updated by their owners.

The first obvious signs of the flaw’s exploitation appeared in Minecraft, an online game hugely popular with kids and owned by Microsoft. 

Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on the computers of other users by pasting a short message in a chat box.

Microsoft said it had issued an urgent software patch for Minecraft users. ‘Customers who apply the fix are protected,’ it said.

Researchers reported finding evidence the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.
