MISE & Agrave; DAY
A race against time has begun to address a critical vulnerability widespread across global computing, discovered Thursday and potentially disastrous if hackers manage to exploit it. & nbsp ;
This is “the biggest and most critical vulnerability of the past decade,” warned Amit Yoran, managing director of US cybersecurity firm Tenable.
The vulnerability is included in Log4j, a small module from the Apache foundation used in a large number of software programs for “logging” functions, that is to say “logs” (events occurring on the system).
In some versions of Log4j, the flaw makes it very easy to take control of the machine that hosts it.
The hacker can then start trying to circulate in the victim's computer network and deploy ransomware there. and spy tools.
“A first year computer science student, who has the basic tools” to develop a website, is able to exploit this flaw, told AFP Loïc Guézo, secretary general of Clusif, a French association of cybersecurity specialists.
The flaw has been patched, but hackers are trying to speed up companies that are slow to apply it. & Nbsp;
“Since Friday, scanners” used by hackers “Testing the servers to see if they have the vulnerability” and “it hasn't stopped for the whole weekend,” according to David Grout, one of the European officials at the US cybersecurity firm Mandiant.
For the moment, the cases of proven compromises seem rare or relatively benign.
“We have especially observed cases of installation of + cryptominers”, these cryptocurrency mining programs which come to be installed on the machines without the knowledge of their owner, described to AFP Philippe Rondel, of the company Checkpoint .
Stack of components
For this specialist, however, the worst is yet to come.
“State groups, ransomware groups, will first seek to gain access to other machines,” from the first machine, he explained.
“The attacks visible “, to ransomware for example,” will appear in a few days or weeks “, he anticipated.
On the side of computer defenders, the difficulty is to quickly identify which are company software and applications that use this small, universally popular module.
Two companies specializing in code verification and vulnerability hunting, the French YesWeHack and the US HackerOne, called on companies to quickly learn the lessons of this situation.
“This vulnerability comes to us remember that any modern computer system is made up of a stack of hundreds or thousands of components, and that the risk can come from the most unexpected or unknown of them, ”said YesWeHack.
“In this case, (it is) a component used by almost all systems, often without even knowing it, for an innocuous function (…), which today turns out to be the Achilles heel of internet “, she underlined.
For its part, HackerOne took the opportunity to ask companies to further fund its” Internet Bug Bounty “program, which allows ethical hackers to be paid for breaches that they find in free software programs.
“The average application uses 528 free software components,” the American company said in a statement, judging that “most organizations were not not able to easily fix “flaws” in these components when discovered.