A flaw in widely used internet software known as Log4j has left companies and government officials scrambling to respond to a glaring cybersecurity threat to global computer networks.
The bug could enable potentially devastating cyberattacks that span economic sectors and international borders, according to security experts.
U.S. officials said hundreds of millions of devices were at risk and issued an emergency directive ordering federal agencies to take steps to mitigate the threat by Christmas Eve. Researchers and major technology companies warned that hackers linked to foreign governments and criminal ransomware groups were probing how to exploit the vulnerability within targets’ computer systems.
The U.K.’s National Cyber Security Centre warned corporate boards that “the situation is fluid and changing regularly,” and provided guidance for overseeing company risk and response to Log4j.
What is Log4j?
Software developers use the Log4j framework to record user activity and the behavior of applications. Distributed free by the nonprofit Apache Software Foundation, Log4j has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites and applications. The software is maintained by Apache volunteers who have so far released three security updates. An Apache spokeswoman said the way Log4j is inserted into different pieces of software makes it impossible to track the tool’s reach.
How can hackers take advantage of Log4j’s vulnerability?
The Log4j flaw allows attackers to execute code remotely on a target computer, which could let them steal data, install malware or take control. Exploits discovered recently include hacking systems to mine cryptocurrency. Other hackers have built malware to hijack computers for large-scale assaults on internet infrastructure, cyber researchers have found.
The vulnerability might give hackers enough of a foothold within a system to install ransomware, a type of malicious software that locks up data and systems until victims pay the attackers. Security company F-Secure Oyj said its analysts have observed some ransomware variants being deployed via the Log4j flaw, along with malware that is often deployed as a precursor to a ransomware strike.
“To be clear, this vulnerability poses a severe risk,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency. Internet-facing systems as well as back-end systems could contain the vulnerability.
Are foreign governments taking advantage of the flaw?
Security company Mandiant Inc. and Microsoft Corp. said they have traced attempted attacks that exploit the flaw to hackers with suspected links to China and Iran. Microsoft said one of the groups is the same one responsible for a hack of its Exchange Server email product earlier this year, which the U.S. attributed to China. Beijing denies involvement in the attack.
Microsoft said that it has also seen nation-backed hackers from North Korea and Turkey attempting to exploit Log4j.
Cybersecurity company SecurityScorecard Inc. said it has observed scans for the vulnerability linked to Russia-based hackers, including the group blamed for hacking the Democratic National Committee in 2016.
How is the U.S. government responding?
Officials say they have been in frequent contact with cybersecurity companies, cloud-service providers and telecommunications businesses to share information about the threat. The Biden administration ordered federal agencies to locate internet-connected software that uses Log4j and immediately update those tools, bolster their security measures or take them offline.
Eric Goldstein, executive assistant director of the Cybersecurity and Infrastructure Security Agency, said he wasn’t aware of any agency being breached using the Log4j flaw.
“But certainly we are deeply concerned about the prospect of adversaries using this vulnerability to cause real harm and even impacting national-critical functions,” he said.
CISA’s information page offers recommendations.
How is Europe responding?
Belgium’s Defense Ministry said it shut down parts of its computer network because attackers triggered the vulnerability.
Cybersecurity response teams for the 27 European Union countries are monitoring Log4j developments. Experts in national units across Europe are constantly exchanging technical information about what they see, said Gorazd Bozic, the chair of the network of incident response units from EU countries.
The network could move into a higher emergency-level status if a serious exploit occurs in Europe, Mr. Bozic said. So far, analysts have seen low-sophistication attempts to exploit Log4j, such as attackers seeking to install software for mining cryptocurrency, he said.
Belgium’s Centre for Cyber Security has been in contact with local companies after issuing a report on how to identify whether the vulnerability is being exploited, said Kevin Holvoet, a cyber threat intelligence analyst at the agency. Analysts have seen continuing scanning attempts to trigger the bug as well as reconnaissance efforts, he said.
The U.K.’s National Cyber Security Centre published steps to help companies identify the vulnerability in their IT infrastructure. The Dutch National Cyber Security Centre is maintaining a list of software that is and isn’t affected by the vulnerability.
In Romania, the National Cyber Security Directorate sent individual alerts to companies and critical infrastructure operators, said Dan Cimpean, the organization’s director. Mr. Cimpean said he has seen no sign of a serious incident in Romania. If a Romanian company is compromised, cyber experts from the agency could help, he said. “We have tools to escalate a very fast response if needed,” he said.
How widespread is the Log4j flaw?
Cybersecurity company Akamai Technologies Inc. has tracked 10 million attempts to exploit the Log4j vulnerability per hour in the U.S. Hackers are using the vulnerability to target the retail sector more than any other, Akamai said. The technology, financial-services and manufacturing industries have also been frequent targets.
Which technology suppliers are affected by the Log4j vulnerability?
Many, and the list is growing. Among them are Apple Inc., Amazon.com Inc., Cloudflare Inc., IBM, Microsoft’s Minecraft, Palo Alto Networks Inc. and Twitter Inc. Several technology companies have issued alerts and guidance to customers about how to decrease their risk.
How can companies fix the Log4j problem?
CISA suggests immediately identifying internet-facing devices that have Log4j and ensuring your security team responds to alerts related to these devices. Also, install a web application firewall with rules that automatically update so that your team can concentrate on fewer alerts.
Microsoft recommended a series of steps to mitigate the risk of exploitation, including contacting your software application providers to be sure they are using the most up-to-date version of the Java programming language, which would include patches.
Where patches are not yet available, Teresa Walsh, global head of intelligence at the Financial Services Information Sharing and Analysis Center, recommends that companies limit unnecessary outbound internet traffic, which would go some way toward protecting vulnerable systems.
“Firms can reduce their risk by reducing their exposure,” she said.
Write to David Uberti at david.uberti@wsj.com, James Rundle at james.rundle@wsj.com and Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.