The top U.S. cybersecurity agency is warning that a new, easy-to-exploit software vulnerability has likely led to hundreds of millions of computer hacks around the world.
The flaw is in Log4j, a snippet of open-source code widely used in internet applications around the world to help track users’ activity. Since Log4j is used in so many applications, and most modern organizations’ computer networks rely on a hodgepodge of different programs, there are scores of opportunities to exploit that flaw.
In a call Monday with private companies and state cybersecurity officials, Jen Easterly, director of the Cybersecurity and Infrastructure Agency, said it’s likely that many computer systems have already been compromised, according to a description of the call provided by an agency spokesperson.
While the vulnerability is unlikely to threaten the security of people’s personal devices, it could be used to gain a foothold to hack practically any organization online that doesn’t update the software.
Cybersecurity professionals around the world have scrambled in the past few days to fix the flaw, which first gained attention on Thursday after they discovered hackers using it to trick victims into mining small amounts of cryptocurrency for them and to hack private Minecraft servers.
There are not yet many public reports of crippling hacks stemming from the Log4j vulnerability. Still, security professionals spent much of the weekend frantically trying to find and fix every potential place it can be exploited, said Wesley McGrew, a cybersecurity fellow at MartinFederal, a federal contracting company.
“It’s a combination of a new vulnerability being simultaneously widespread and easy to exploit,” McGraw said.
The Netherlands National Cyber Security Centre has identified hundreds of common software applications that are vulnerable to the flaw if not updated, and a number that may be not have a patch yet available.
But on Tuesday night, John Hultquist, vice president of intelligence analysis at the cybersecurity company Mandiant, said that state-sponsored hackers in China and Iran have begun taking advantage of the flaw. Microsoft said in a blog post it has observed China, Iran, North Korea and Turkey exploiting it.
“The Iranian actors who we have associated with this vulnerability are particularly aggressive,” Hultquist said in a statement.
The spokesperson for China’s embassy in Washington, Liu Pengyu, said in an emailed statement that “China is a staunch defender of cybersecurity,” adding that it was a Chinese cybersecurity researcher who first discovered the Log4j flaw.