A flaw in widely used computer code is prompting 100 new hacking attempts every minute, a security company says.
Check Point said it had seen attempts to exploit the vulnerability on over 40% of corporate networks globally.
One US official said the security flaw, Log4shell, posed a “severe risk”, with companies warning it was being actively used by criminal groups.
Fixes have been issued but need to be implemented. Popular applications and cloud services have been affected.
Log4j, the code containing the flaw, is written in the programming language Java and is used by millions of computers running online services.
In the last four months it had been downloaded 84 million times from the largest public repository of open-source Java components, said Brian Fox of security company Sonatype.
And the ease with which hackers could exploit the vulnerability was “akin to someone figuring out that mailing a letter into your postbox, with a specific address written on it, allows them to open all your doors in your house”.
Words such as “critical” and “emergency” are often bandied around by cyber-security people when a major flaw is discovered.
But in this crisis, another word has stuck out – “trivial”.
According to Crowdstrike, the weakness everyone is trying to fix is “trivial” to exploit.
Often when a vulnerability is found in a computer system, there is a little bit of time to fix it.
The cyber-criminals have to work out a way to attack and usually only the smartest crews can do so in the first few hours.
But in this case, it is, apparently, very easy.
We do not yet know how many of these attempted attacks are successful – but this incident has the potential to be extremely costly for corporations that become victims.
For the average person, there is not a lot we can do.
Make sure your apps and software are up to date – and send thoughts, prayers and hugs to the IT teams around the world trying to fix this problem.
Researchers at Chinese technology company Alibaba discovered the flaw last month.
But it gained widespread public attention after being found affecting some sites hosting versions of Minecraft using Java.
Before the flaw was made public, the Apache Software Foundation, which oversees the Log4j code, issued a fix for the problem, rating it a “10” – the highest level of seriousness.
Cloudflare chief technology officer John Graham-Cumming said, “This is the third really serious flaw that’s affected a wide range of Internet services: Heartbleed in 2012, ShellShock in 2014 and Log4Shell in 2021”.
US Cybersecurity and Infrastructure Security Agency director Jen Easterly also stressed the urgency of the situation.
“To be clear, this vulnerability poses a severe risk,” she wrote.
It was being widely exploited by hackers and “presents an urgent challenge to network defenders given its broad use”.
The UK National Cyber Security Centre said, “This is a significant vulnerability” and called on organisations to urgently follow advice on mitigating the problem.
Microsoft researchers said they had seen hackers using Log4shell to:
install malicious software that mined crypto-currency
steal passwords and log-ins
extract data from compromised systems