Hackers backed by China are using a recently-discovered vulnerability in a common software tool to gain access to data and systems belonging to internet infrastructure companies.
The vulnerability, known as Log4Shell, was discovered by Chinese cybersecurity researchers from Alibaba last week and is found in an open-source software tool called Log4J used by enterprise software companies and cloud infrastructure providers. If exploited, the flaw allows hackers to gain access to a company’s data and internal networks.
Hackers backed by foreign governments, including China, are exploiting the vulnerability to attack internet infrastructure, according to cybersecurity firms and researchers.
The researchers said the vulnerability “is one of the most pervasive security vulnerabilities that organizations have had to deal with over the past decade” as it is “used by applications and systems deployed across organizations of all sizes.”
“This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” the report said.
The company identified one particular Chinese hacker syndicate, HAFNIUM, as using the Log4J flaw to attack internet infrastructure.
“In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems,” Microsoft said.
The Cybersecurity Infrastructure and Security Agency (CISA) issued a notice to critical infrastructure companies warning them of the Log4J vulnerability and urging them to take appropriate security actions.
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” head of CISA, Jen Easterly, told leaders of critical infrastructure companies, according to CyberScoop.
Easterly added that the vulnerability “is one of the most serious I’ve seen in my entire career, if not the most serious.”
Android Users, Click Here To Download The Free Press App And Never Miss A Story. It’s Free And Coming To Apple Users Soon.