Researchers found a critical vulnerability called Log4Shell, allowing threat actors to compromise millions of devices across the internet.
- The vulnerability has a CVSS score of 10 and anyone with the exploit can get full access to an unpatched machine.
- The affected software can be in programs provided by third parties.
- The flaw could be exploited in servers run by Apple, Twitter, Cloudflare and Amazon.
Researchers found a critical vulnerability called Log4Shell, allowing threat actors to compromise millions of devices across the internet.
The vulnerability has a CVSS score of 10 on a scale of one to 10. If exploited, the vulnerability allows remote code execution on vulnerable servers; anyone with the exploit can get full access to an unpatched computer.
The vulnerability is found in log4j, an open-source logging library used by apps and services across the internet. It impacts Apache Log4j versions 2.0-beta9 to 2.14.2.
“The internet’s on fire right now. People are scrambling to patch, and there are script kiddies and all kinds of people scrambling to exploit it," said Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike. "In the last 12 hours, it has been fully weaponised."
Chinese tech giant Alibaba discovered the vulnerability in the Apache Software Foundation module on November 24. The search is complicated because affected software can be in programs provided by third parties.
Companies with servers confirmed to be vulnerable to Log4Shell attacks include Apple, Amazon, Cloudflare, Twitter, Steam, Baidu, NetEase, Tencent and Elastic. However, there are likely hundreds if not thousands of other organisations affected.
The exploit first appeared in Minecraft, an online game hugely popular with kids and owned by Microsoft. Meyers and security expert Marcus Hutchins said Minecraft users were already using it to execute programs on other users' computers by pasting a short message in a chat box.
Security Measures to be taken:-
- Users are advised to patch log4j to 2.15.0 and above.
- For systems that cannot be updated apply Logout4Shell vaccine to safeguard against exploits targeting the Log4Shell flaw.
- Employ commands & YARA rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228.
- Examine your apps for Log4Shell vulnerability.
For the latest cyber threats and the latest hacking news please follow us on Facebook, Linkedin, and Twitter.
You may be interested in reading: How to Survive the COVID Time Cyber Security Threats?