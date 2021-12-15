ContributorsPublishersAdvertisers
Technology

Feds scramble to assess security flaw that threatens 'hundreds of millions' of devices

By Eric Geller
POLITICO
POLITICO
 6 days ago
https://img.particlenews.com/image.php?url=0npvuP_0dMyhSpD00
The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security estimates that “hundreds of millions” of devices are running software that uses the vulnerable code. | Manuel Balce Ceneta/AP Photo

Updated: 12/14/2021 08:51 PM EST

"Hundreds of millions" of internet-connected devices are vulnerable to hackers because of a newly discovered security flaw in a widely used piece of computer code, a federal official said Tuesday — though there is no indication that U.S. government agencies have been compromised.

“Across the federal government, we have no known reports of compromises using this vulnerability,” Eric Goldstein, the executive assistant director in charge of the cybersecurity division at the Cybersecurity and Infrastructure Security Agency, told reporters during a briefing about the expanding crisis around the flaw.

The vulnerability, which became widely known last week, affects a type of web server known as Apache that is ubiquitous across the internet. It could allow hackers to run malicious code on targeted computer systems for purposes including espionage and ransomware, researchers have warned.

The Biden administration remains “deeply concerned” about what Goldstein called “an extremely widespread, easy to exploit, and potentially highly damaging vulnerability that certainly could be utilized by adversaries to cause real harm.”

Federal scramble: The code, in a type of Apache logging software called Log4j, is so pervasive that government agencies are almost certainly using “many” products that contain it, Goldstein said. CISA has given agencies until Dec. 24 to apply patches produced by the makers of affected software.

“Agencies have taken this with the utmost seriousness and have made extraordinary progress” in applying patches and other mitigating measures since the vulnerability’s disclosure late last week, Goldstein said.

Vast array of targets: CISA currently estimates that “hundreds of millions” of devices are running software that uses the vulnerable code, Goldstein said, but that number is likely to grow as more software makers report their use of the code.

No major attacks yet: So far, Goldstein said, most of the attacks on vulnerable companies worldwide have involved cyber criminals seeking to deploy software that mines cryptocurrency on infected computers. CISA has not yet seen any “highly sophisticated” attacks by advanced, state-backed hackers, he said.

CISA also hasn’t seen any impact on the nation’s infrastructure, and Goldstein said that critical infrastructure companies have so far been able to mitigate the vulnerability “without a material impact to their critical functions or services.”

A call for help: CISA is building a catalog of software that contains the vulnerability code, but Goldstein said the agency needs the public’s help in filling in the gaps. “One of our really important lines of effort here is ensuring that we have a complete and comprehensive list of impacted products,” he said.

What’s next: CISA expects the number of hackers exploiting the vulnerability to grow as more of them assess its value to their operations, Goldstein said. The agency is also worried about how the flaw might impact home electronics and internet-of-things devices, because consumers may not be following security guidance as much as many businesses are.

Comments / 5

Related
Ars Technica

Thousands of AT&T customers in the US infected by new data-stealing malware

Thousands of networking devices belonging to AT&T Internet subscribers in the US have been infected with newly discovered malware that allows the devices to be used in denial-of-service attacks and attacks on internal networks, researchers said on Tuesday. The device model under attack is the EdgeMarc Enterprise Session Border Controller,...
PUBLIC SAFETY
CBS News

Nightmare before Christmas: What to know about the Log4j vulnerability

A vulnerability living inside a Java-based software known as "Log4j" shook the internet this week. The list of potential victims encompasses nearly a third of all web servers in the world, according to cybersecurity firm Cybereason. Twitter, Amazon, Microsoft, Apple, IBM, Oracle, Cisco, Google, and one of the world's most popular video games, Minecraft count themselves among the slew of tech and industry giants running the popular software code that U.S. officials estimate have left hundreds of millions of devices exposed.
SOFTWARE
IN THIS ARTICLE
#Infrastructure Security#Feds#Connected Devices#Ap Photo#Log4j#Cisa
americanmilitarynews.com

China creating ‘brain-control weapons’ and weaponizing biotech, US says

The U.S. Department of Commerce suspects a Chinese military academy and eleven of its associated research institutes are developing technology to support the Chinese military, including brain-control weaponry. On Friday, the Commerce Department added 37 Chinese, Georgian, Malaysian, and Turkish entities to the restricted Entity List. The Commerce Department took...
MEDICAL & BIOTECH
lifewire.com

How the Log4J Security Vulnerability Puts You at Risk

Hackers posted a code revealing an exploit in a widely used Java logging library. Cybersecurity sleuths noticed mass scanning across the web looking for exploitable servers and services. The Cybersecurity and Infrastructure Security Agency (CISA) has urged vendors and users to patch and update their software and services urgently. The...
SOFTWARE
CNN

The Log4j security flaw could impact the entire internet. Here's what you should know

New York (CNN Business) — A critical flaw in widely used software has cybersecurity experts raising alarms and big companies racing to fix the issue. The vulnerability, which was reported late last week, is in Java-based software known as "Log4j" that large organizations use to configure their applications -- and it poses potential risks for much of the internet.
INTERNET
YOU MAY ALSO LIKE
NewsBreak
Technology
News Break
Politics
omahadailyrecord.com

Software Flaw Seriously Worrying Security Experts

Lydia Winters shows off Microsoft’s “Minecraft” during an expo, June 15, 2015, in Los Angeles. Cybersecurity experts say users of the online game have already exploited a critical flaw in open-source code to breach other users by pasting a short message into in a chat box. (AP)
COMPUTERS
Shore News Network

‘Most Serious I’ve Seen’: Cybersecurity Flaw Could Expose ‘Hundreds Of Millions’ Of Devices

Cybersecurity officials are urging federal agencies and infrastructure companies to take action against a recently-discovered coding vulnerability in a common software tool that threatens to compromise millions of devices. The vulnerability, known as Log4Shell, is found in an open-source software tool called Log4J that is used by almost every major...
COMPUTERS
The Independent

log4j: Tech companies scramble to fix software vulnerability that ‘threatens entire internet’

Tech companies across the world are under pressure to fix a software vulnerability that many cybersecurity experts are calling one of the worst to be discovered in recent years.The vulnerability, known as Log4shell, was identified in Apache’s Log4j software library that helps developers keep track of changes in the applications they build.The software flaw was first noticed on sites catering to the popular video game Minecraft, and was officially reported to Apache on 24 November by Chen Zhaojun of Alibaba, according to Crowdstrike. But it soon became clear that the vulnerability had far-reaching implications since the software is ubiquitous, used...
SOFTWARE
PBS NewsHour

The security flaw that’s terrified the internet

BOSTON (AP) — Security pros say it’s one of the worst computer vulnerabilities they’ve ever seen. Firms including Microsoft say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it. The Department of Homeland Security has sounded a dire alarm, ordering federal agencies...
INTERNET
capradio.org

Companies scramble to defend against newly discovered 'Log4j' digital flaw

Late last week, the staff of the popular world-building video game Minecraft published an unusual blog post announcing that a version of the game had a digital flaw that hackers could exploit to take over players' computers. The gaming company released a patch and encouraged players who run their own servers to do the same.
TECHNOLOGY
bleepingcomputer.com

Hundreds of thousands of MikroTik devices still vulnerable to botnets

Approximately 300,000 MikroTik routers are vulnerable to critical vulnerabilities that malware botnets can exploit for cryptomining and DDoS attacks. MikroTik is a Latvian manufacturer of routers and wireless ISPs who has sold over 2,000,000 devices globally. In August, the Mēris botnet exploited vulnerabilities in MikroTik routers to create an army...
TECHNOLOGY
POLITICO

Keeping hackers out of our medical devices

PROGRAMMING NOTE: Future Pulse won’t publish on Wednesday, Dec. 22 and 29. We’ll be back on our normal schedule on Wednesday, Jan. 5. Cyberattacks have become a grim reality for hospitals and other health care institutions during the pandemic, in some cases disrupting patient care and scrambling operations. As the Food and Drug Administration’s resident expert in medical device security, Kevin Fu oversees efforts to fortify insulin pumps, heart pacemakers and thousands of other devices that can be compromised or exploited during a security breach — and factor the vulnerabilities into the process for approving next-generation devices.
PUBLIC SAFETY
InformationWeek

5 Steps to an Effective Security Assessment

What should be included in my organization's security assessment? This question has become particularly critical and more challenging thanks to several factors, including the increase in organizations undergoing digital transformations, the technologies comprising the digital structures that support organizations growing increasingly complex, data existing outside of “business walls” and many staff, partners, and providers continuing to work remotely.
ECONOMY
FOX59

Ransomware persists even as high-profile attacks have slowed

In the months since President Joe Biden warned Russia’s Vladimir Putin that he needed to crack down on ransomware gangs in his country, there hasn’t been a massive attack like the one last May that resulted in gasoline shortages. But that’s small comfort to Ken Trzaska. Trzaska is president of Lewis & Clark Community College, a small Illinois school that canceled […]
PUBLIC SAFETY
hoiabc.com

Over 300 million affected by server flaw

PEORIA (Heart of Illinois ABC) - The popular online video game, Minecraft, fell victim to a cyber vulnerability that’s compromising data security for all it’s users. President of Pearl Technology David Johnson said, “this is, if not the largest vulnerability in history, it’s certainly one of the top five.”
TECHNOLOGY
POLITICO

POLITICO

Washington, DC
156K+
Followers
9K+
Post
79M+
Views
ABOUT

POLITICO is the dominant source for politics and policy news around the world. Nobody knows politics like POLITICO.

 https://www.politico.com

Comments / 0

Community Policy