Connect with us


DHS warns of a critical flaw in widely used software




DHS’s Cybersecurity and Infrastructure Security Agency ordered federal civilian agencies to update their software. And Jen Easterly, the head of the agency, warned that the vulnerability was being widely exploited by a “growing group” of hackers.

The vulnerability is found in Java-based software known as “Log4j” that large organizations, including some of the world’s largest technology companies, use to configure their applications.

Apple’s cloud computing service, security firm Cloudflare and one of the world’s most popular video games, Minecraft, are among the organizations running Log4j, according to security researchers.

The vulnerability could give a hacker a relatively easy way to access an organization’s computer server. From here, an attacker could devise other ways to access an organization’s network systems.

Security experts say the consequences of software failure could continue for days and weeks as organizations rush to address the issue.

The situation escalated before the weekend when a tool was released to exploit the vulnerability on GitHub, a software repository. This gave malicious hackers a potential roadmap on how to use the vulnerability to break into devices.

Easterly said Monday that his agency would hold a call with critical infrastructure companies across the country to inform them of the situation.

It will be the responsibility of the organizations running the software, rather than the individual consumers, to implement the fixes. The Apache Software Foundation, which manages Log4j software, has released a security solution for organizations to implement.

Cybersecurity researchers interviewed by CNN said it was unclear how many devices on the Internet were exposed to the vulnerability. But IT administrators around the world are on the alert and preparing for a long weekend of responding to hackers.

Kevin Beaumont, a researcher who closely monitors emerging software flaws, compared the enigma in which organizations find themselves with the flaw of “blocking” software.[ing] the doors of your car, but then allow it[ing] no one to shout at Siri from outside the car to drive him away. “

“Log4j is buried deep inside the products and [organizations], it will be painful to fix, “Beaumont tweeted on Friday.

GreyNoise Intelligence, a company that maps Internet traffic, said the number of devices trying to exploit the vulnerability had more than doubled from Friday to Saturday.

GreyNoise founder Andrew Morris said his company had been consulting with major technology companies and government organizations to mitigate the impact of malicious cyber activity.

“Many really important people are concerned” about the vulnerability, Morris told CNN.