US Warns Hundreds of Millions of Devices at Risk of Recently Revealed Software Vulnerability
As big tech companies struggle to contain the fallout from the incident, U.S. officials have phoned industry executives to warn them that hackers are actively exploiting the vulnerability.
“This vulnerability is one of the most serious I have seen in my entire career, if not the most serious,” Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said in a phone call. shared with CNN. . Major financial firms and healthcare executives attended the conference call.
“We expect the vulnerability to be widely exploited by sophisticated actors and we have little time to take the necessary steps to reduce the likelihood of damaging incidents,” Easterly said.
This is the most striking warning to date from US officials about the software flaw since it was announced late last week that hackers were using it to try and break into the software. computer networks of organizations. It’s also a test of the new channels federal officials have put in place to work with industry leaders after widespread hacks exploiting SolarWinds and Microsoft software revealed last year.
Experts told CNN that it could take weeks to fix the vulnerabilities and that suspected Chinese hackers were already trying to exploit it.
It provides a relatively easy way for a hacker to gain access to an organization’s computer server. From there, an attacker could devise other means of gaining access to systems on an organization’s network.
The Apache Software Foundation, which manages the Log4j software, has released a security patch that organizations can apply.
Race against time to correct the flaw
Organizations are now in a race against time to see if they have computers running the vulnerable software that has been exposed to the Internet. Cyber security officials in government and industry are working tirelessly on the issue.
“We’re going to have to make sure we have a sustained effort to understand the risk of this code across America’s critical infrastructure,” Jay Gazlay, another CISA official, said during the phone call.
Hackers linked to the Chinese government have already started using the vulnerability, according to Charles Carmakal, senior vice president and chief technology officer of cybersecurity firm Mandiant. Mandiant declined to specify which organizations the hackers were targeting.
“Over time anyone can arm the damn thing,” Mandiant CEO Kevin Mandia told CNN, referring to the vulnerability. “That’s the problem. And there will probably be some great hackers hiding in the noise of the less good.”
The “noise” is a real problem. For cybersecurity professionals, Twitter has been a constant source of useful information and, in some cases, misinformation unrelated to vulnerability.
To address the issue, CISA said it will create a public website with information on the software products affected by the vulnerability and the techniques used by hackers to exploit it.
“It will be a multi-week process in which new actors exploit the vulnerability,” Eric Goldstein, CISA executive deputy director for cybersecurity, said in a phone call.
The pervasiveness of the software has forced cybersecurity professionals across the country to spend the weekend checking their systems for vulnerability.
“For most of the IT world, there were no weekends,” Rick Holland, chief information security officer at cybersecurity firm Digital Shadows, told CNN. “It was just another long streak of days.”
CNN’s Geneva Sands contributed reporting.