Widely used software with key vulnerability sends cyber defenders scrambling
The Business Standard

World+Biz

Reuters
14 December, 2021, 12:05 pm
Last modified: 14 December, 2021, 12:07 pm


On Friday, the US government sent a warning to the private sector about the Log4j vulnerability and the looming risk it poses


A newly discovered vulnerability in a widely used software library is causing mayhem on the internet, forcing cyber defenders to scramble as hackers rush to exploit the weakness.

The vulnerability, known as Log4j, comes from a popular open source product that helps software developers track changes in applications that they build. It is so popular and embedded across many companies' programs that security executives expect widespread abuse.

"The Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade," said Amit Yoran, chief executive of Tenable, a network security firm, and the founding director of the US Computer Emergency Readiness Team.

On Friday, the US government sent a warning to the private sector about the Log4j vulnerability and the looming risk it poses.

In a conference call on Monday, the leader of CISA said it was one of the worst vulnerabilities seen in many years. She urged companies to have staff working through the holidays to battle those using new methods to exploit the flaw.

Much of the software affected by Log4j, which bears names like Hadoop or Solr, may be unfamiliar to the public at large. But as with the SolarWinds program at the center of a massive Russian espionage operation last year, the ubiquity of these workhorse programs makes them ideal jumping-off points for digital intruders.

Juan Andres Guerrero-Saade, principal threat researcher with cybersecurity firm SentinelOne, called it "one of those nightmare vulnerabilities that there's pretty much no way to prepare for."

While a partial fix for the vulnerability was released on Friday by Apache, the maker of Log4j, affected companies and cyber defenders will need time to locate the vulnerable software and properly implement patches. Log4j itself is maintained by a few volunteers, security experts said.

In practice, the flaw allows an outsider to enter active code into the record-keeping process. That code then tells the server hosting the software to execute a command giving the hacker control.

The issue was first publicly disclosed by a security researcher working for Chinese technology company Alibaba Group Holding Ltd, Apache noted in its security advisory.

It is now apparent that initial exploitation was spotted Dec. 2, before a patch rolled out a few days later. The attacks became much more widespread as people playing Minecraft used it to take control of servers and spread the word in gaming chats.

So far no major disruptive cyber incidents have been publicly documented as a result of the vulnerability, but researchers are seeing an alarming uptick in hacking groups trying to take advantage of the bug for espionage.

"We also expect to see this vulnerability in everyone's supply chain," said Chris Evans, chief information security officer at HackerOne.

Multiple botnets, or groups of computers controlled by criminals, were also exploiting the flaw in a bid to add more captive machines, experts tracking the developments said.

What many experts now fear is that the bug could be used to deploy malware that either destroys data or encrypts it, like what was used against US pipeline operator Colonial Pipeline of gasoline in some parts of the United States.

Guerrero-Saade said his firm had already seen Chinese hacking groups moving to take advantage of the vulnerability.

US cybersecurity firms Mandiant and Crowdstrike also said they found sophisticated hacking groups leveraging the bug to breach targets. Mandiant described those hackers as "Chinese government actors" in an email to Reuters.
