Massive data breaches have become so common that we’ve gotten numb to reports detailing another hack or 0-day exploit. That doesn’t reduce the risk of such events happening, as the cat-and-mouse game between security experts and hackers continues. As some vulnerabilities get fixed, others pop up requiring attention from product and service providers. The newest one has a name that will not mean anything to most people. They call the hack Log4Shell in security briefings, which doesn’t sound very scary. But the new 0-day attack is so significant that some people see it as the worst internet hack in history.
Malicious individuals are already exploiting the Log4Shell attack, which allows them to get into computer systems and servers without a password. Security experts have seen Log4Shell in action in Minecraft, the popular game that Microsoft owns. A few lines of text passed around in a chat might be enough to penetrate the defenses of a target computer. The same ease of access would allow hackers to go after any computer out there using the Log4J open-sourced java-based logging utility.
Why the Log4Shell hack is so dangerous
The reports on Log4Shell indicate that the hack is a major threat to many Internet companies. This is because hackers might take advantage of it to execute code inside their systems. Patching the vulnerability is possible, and companies have started deploying fixes. But each separate internet entity will have to handle the matter on its own servers and systems. This means not everyone will deploy fixes simultaneously, risking prolonged exposure to the attacks.
“The internet’s on fire right now,” Adam Meyers told AP News. “People are scrambling to patch and all kinds of people scrambling to exploit it.”
Meyers is the senior vice president of intelligence at Crowdstrike, a cybersecurity company monitoring the Log4Shell hack. He revealed that hackers “fully weaponized” the vulnerability just 12 hours after researchers initially disclosed it.
Everyone is at risk
The AP notes that the Log4Shell hack may be the worst vulnerability in years. That’s because it impacts a utility “ubiquitous in cloud servers and enterprise software used across industry and government.” Hackers who exploit it can easily get into internal systems, as they don’t have to hack a password to abuse the flaw.
From there, they can execute code remotely to steal data, plant malware, and do all sorts of malicious activities. Nation-state attackers who employ highly trained hackers with access to massive resources could quickly weaponize the attack. And everyone would be at risk.
“I’d be hard-pressed to think of a company that’s not at risk,” Cloudflare security officer Joe Sullivan told AP. He said that untold millions of servers might have the utility installed. As a result, the fallout from the Log4Shell hack will be a mystery for several days.
The fix for the Log4Shell hack
The Log4Shell hack patch arrived on Thursday, alongside reports describing the vulnerability. This is crucial because New Zealand’s computer emergency response team then reported that hackers are already exploiting the flaw in the wild.
The Log4Shell hack is “the single biggest, most critical vulnerability of the last decade,” Amit Yoran warned AP. Yoran is the CEO of cybersecurity firm Tenable. He said that organizations must presume they’ve been compromised and act accordingly.
Researchers say that companies like Apple, Amazon, Twitter, and Cloudflare could run servers where hackers might abuse the vulnerability. That doesn’t mean hackers have attacked those companies. The point is that any internet service out there might be susceptible to the Log4Shell hack.
What internet users can do right now is ensure their software is up to date and await more details from security researchers. It’s unclear how the hack might impact end-users of internet companies directly at this time.
The Minecraft attack
Minecraft being played in virtual reality on PlayStation VR. Image source: Mojang
Hackers exploited the flaw in Minecraft, the report notes. Meyers and security expert Marcus Hutchins said that Minecraft users had weaponized the Log4Shell hack. They used a short message in a chat box to others to execute code on the target computers. Microsoft issued a software update for Minecraft. Anyone playing the game should update it to the latest version.
In the case of Minecraft, attackers were able to get remote code execution on Minecraft Servers by simply pasting a a short message into the chat box.
— Marcus Hutchins (@MalwareTechBlog) December 10, 2021
Minecraft is just one place where researchers observed the Log4Shell hack in action. But it didn’t start there. Chinese tech giant Alibaba reported the vulnerability to the open-source Apache Software Foundation on November 24th. A fix was available only two weeks later. The foundation rated the Log4Shell hack as a 10 on a scale of 0 to 10.
More details about the Log4Shell patch are available at this link.