News

Hundreds of millions of devices around the world could be exposed to a newly revealed software vulnerability


Hundreds of millions of devices around the world could be exposed to a newly revealed software vulnerability.

It comes as a senior Biden administration cyber official warned executives from major US industries on Monday that they need to take action to address “one of the most serious” flaws she has seen in her career.

As major tech firms struggle to contain the fallout from the incident, US officials held a call with industry executives warning that hackers are actively exploiting the vulnerability.

US warns hundreds of millions of devices at risk from newly revealed software vulnerability.
US warns hundreds of millions of devices at risk from newly revealed software vulnerability. (9News)

“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said on a phone call shared with CNN.

Big financial firms and health care executives attended the phone briefing.

“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damaging incidents,” Ms Easterly said.

CNN has reached out to CISA for comment on the call. CyberScoop, a technology news site, first reported on contents of the call.

It’s the starkest warning yet from US officials about the software flaw since news broke late last week that hackers were using it to try to break into organisations’ computer networks.

The emergence of extremely realistic deepfake videos has long been controversial in the online community, but now the technology is increasingly being adopted by cyber criminals who use it to scam innocent people out of thousands.
Hackers were using it to try to break into organisations’ computer networks. (9News)

It’s also a test of new channels that federal officials have set up for working with industry executives after the widespread hacks exploiting SolarWinds and Microsoft software revealed in the last year.

Experts told CNN it could take weeks to address the vulnerabilities and that suspected Chinese hackers are already attempting to exploit it.

The vulnerability is in Java-based software known as “Log4j” that large organisations, including some of the world’s biggest tech firms, use to log information their applications. Tech giants like Amazon Web Services and IBM have moved to address the bug in their products.

It offers a hacker a relatively easy way to access an organisation’s computer server. From there, an attacker could devise other ways to access systems on an organisation’s network.

The Apache Software Foundation, which manages the Log4j software, has released a security fix for organisations to apply.

A race against time to address flaws.

But attackers had more than a week’s head start on exploiting the software flaw before it was publicly disclosed, according to cybersecurity firm Cloudflare.

Organisations are now in a race against time to figure out if they have computers running the vulnerable software that were exposed to the internet. Cybersecurity executives across government and industry are working around the clock on the issue.

“We’re going to have to make sure we have a sustained effort to understand the risk of this code throughout US critical infrastructure,” Jay Gazlay, another CISA official, said on the phone call.

Apple iPhone owners, earlier in the week, were urged to install a quickly released security update after a sophisticated attack on an Emirati dissident exposed vulnerabilities targeted by cyber arms dealers.
Apple iPhone owners, earlier in the week, were urged to install a quickly released security update after a sophisticated attack on an Emirati dissident exposed vulnerabilities targeted by cyber arms dealers. (AFP via Getty Images)

Chinese-government linked hackers have already begun using the vulnerability, according to Charles Carmakal, senior vice president and chief technology officer for cybersecurity firm Mandiant. Mandiant declined to elaborate on what organisations the hackers were targeting.

“Over time, everybody can arm the damn thing,” Mandiant CEO Kevin Mandia told CNN, referring to the vulnerability.

“That’s the problem. And there’ll probably be great hackers hiding in the noise of the not so great.”

The “noise” is a real problem. For cybersecurity professionals, Twitter has been a constant churn of both useful information and, in some cases, misinformation that has nothing to do with the vulnerability.

To address the issue, CISA said it would set up a public website with information on what software products were affected by the vulnerability, and the techniques that hackers were using to exploit it.

“This will be a multi-week process where new actors are exploiting the vulnerability,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said on the phone call.

The ubiquity of the software forced cybersecurity professionals around the country to spend the weekend checking if their systems are vulnerable.

Hacker working on laptop in the dark - scam - shadowy figure online

Why you need to be concerned if ‘Thomas Flynn’ contacts you

“For most of the information technology world, there was no weekend,” Rick Holland, chief information security officer at cybersecurity firm Digital Shadows, told CNN.

“It was just another long set of days.”



Source link

Leave a Reply

Your email address will not be published.