A bug discovered last week in a bit of software called “Log4j” could be the most dangerous threat to computer network security in years.
Governments and businesses worldwide are scrambling to patch the software running on millions of server computers before hackers can use the Log4j bug to steal vast amounts of data or launch crippling attacks on networks.
But they don’t have much time. A report issued by Microsoft on Tuesday said that hackers linked to the governments of China, Iran, North Korea, and Turkey are already exploiting the security hole.
Some speculate that the new bug may be implicated in this week’s ransomware attack on UKG, the parent company of Lowell-based Kronos, a maker of Internet-based workforce management software used by businesses nationwide. The attack on Kronos targeted systems that manage employee schedules and calculate hours worked. Companies throughout the US were affected, including supermarket chains Stop & Shop, Hannaford, and Whole Foods, retailer Staples, and Keolis, the company that manages commuter train service in the Boston area.
UKG said it had no evidence that the attackers used the Log4j bug to gain access to the Kronos network. But Allan Liska, an intelligence analyst at Somerville-based cybersecurity firm Recorded Future, said there may be a connection.
“The timing certainly lines up,” Liska said.
A host of global tech companies are racing against time to close the breach. Cambridge-based Akamai Technologies, which delivers Internet data for many of the world’s biggest companies, has issued patches to protect its customers. Amazon’s AWS cloud-computing platform, as well as networking giant Cisco Systems and database company Oracle, are also updating their systems. So is Minecraft, a popular online game owned by Microsoft, after a cybersecurity expert showed how Log4j could be used to attack servers hosting the game. Meanwhile, Boston-based data security firm Cybereason began offering free downloads of a “vaccine” that can quickly protect server networks from Log4j attacks.
Software security experts are alarmed not only because the bug is present on so many systems, but also because it’s so simple that even amateur hackers can activate it.
“It’s a really easy-to-exploit vulnerability,” said Stuart Madnick, professor emeritus of information technologies at the MIT Sloan School of Management. “It’s something that the average run-of-the-mill hacker out there probably could do mischief with.”
Software developers routinely use pre-existing code libraries to add features to their programs, rather than writing everything from scratch. The Log4j library was created by Apache, a non-profit foundation that builds open-source software and makes it available to anyone, free of charge. Programmers add the Log4j library to many programs to capture and record important activities and data, such as the identities of those using a server.
But last week Chen Zhaojun, a security researcher at the Chinese e-commerce company Alibaba, revealed a severe flaw in Log4j. A hacker could order a server running Log4j to contact a remote computer, then execute whatever commands it receives from the remote computer. This could give hackers total control of the vulnerable server, and eventually the entire server network. They could infect the machines with ransomware programs or other software that could steal or corrupt data.
On December 9, Chen publicly revealed the Log4j flaw, kicking off a global race to fix the problem before criminals and rogue states could take advantage of it.
Liska called the announcement “irresponsible,” because Chen didn’t simply describe how the bug worked. He also included a bit of sample code that demonstrated how to exploit it. In effect, said Liska, the Alibaba researcher gave hackers worldwide the recipe they’d need to carry out Log4j attacks of their own.
Sure enough, bad guys have tried to launch Log4j-based attacks. For instance, cybersecurity company Sophos says it’s detected attempts to use the bug to secretly install cryptocurrency mining software on servers. This would let criminals use the excess computing capacity of the servers to generate digital currency like bitcoin or Ether, and direct the money into the criminals’ accounts.
But that is a relatively benign sort of crime. Madnick said a severe bug like Log4j could be exploited for all kinds of malignant purposes. “There are the criminal types who are looking for money,” he said. “There are the government types that are looking to disrupt other countries or to steal information. And then there are ... terrorists who are out to make the world fall apart.”
Liska warned that eliminating the risk will be exceedingly difficult, because Log4j is embedded into thousands of server applications. Worse yet, many of those who use the code don’t even know it. That’s because software developers often don’t keep track of the code libraries they’ve used. In addition, they sometimes use libraries that contain code from other libraries.
The Biden administration has been trying to solve the problem, at least on the federal level. In May, the administration issued an executive order requiring that companies that sell software to the government must provide a “software bill of materials,” a complete inventory of all the code components used in a program. That way, if a problem arises with a particular component, like Log4j, government techs will know exactly which of their programs contain the code, making cleanup far faster and easier.
But fully implementing this policy will take years, and there’s no way to compel states, cities, or the private sector to do the same. So the Log4j scare probably won’t be the last of its kind.