A team of experts has shed light on the many ways in which the Log4j weakness, news of which broke before Christmas, may hit the global business community.
Specialists from the code security firm Contrast Security recently shared findings on how the flaw in Log4j, the most popular piece of free open-source Java software used by developers worldwide, will continue to affect major firms including Apple, Tesla, Microsoft, and government agencies for the foreseeable future.
Arshan Dabirsiaghi, Chief Scientist and Co-founder at Contrast Security, said:
“This is the most severe software vulnerability we have ever seen. It is incredibly widespread and extremely easy for hackers to exploit.”
The team also established that the Log4j flaw is now being weaponised for ransomware and data theft. Self-replicating worms and bots that exploit it are also now known to exist.
Organisations are rushing to plug the hole, but progress has been slow. Several fixes have also been issued by Apache but found to be incomplete – setting the process back each time.
Security research teams are starting to see disruption of service and confirmed hacks, including at the Canadian and Belgian governments. Beyond the confirmed hacks, organisations are choosing to take down websites and services to minimise their exposure.
Data shows that attacks were on the rise as early as November 24th – long before the vulnerability was publicly disclosed. Many of Contrast's customers' applications were already protected, allowing those customers to schedule permanent fixes without being exposed.
Steve Wilson, Chief Product Officer at Contrast said:
“As we reviewed our own internal data, we saw a dramatic uptick in attacks of this type starting two weeks before this problem became common knowledge. This means networks at many organisations are already compromised.”