Updated on: Tuesday, December 14, 2021, 11:32 AM IST

US reveals new software vulnerability 'Log4j'; All you need to know about the bug which poses risk to millions of devices

The US on Monday revealed a new software vulnerability and warned that hundreds of millions of devices are at risk.

According to internet infrastructure provider Cloudflare, Log4j exploits started on December 1. Since then, warnings have been issued by several national cyber security agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the UK's National Cyber Security Centre (NCSC) and Germany's federal cybersecurity watchdog, the BSI.

As major tech firms struggle to contain the fallout from the incident, US officials held a call with industry executives warning that hackers are actively exploiting the vulnerability.

"This vulnerability is one of the most serious that I've seen in my entire career, if not the most serious," said Easterly on a phone call shared with CNN. Big financial firms and health care executives attended the phone briefing.

"We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damaging incidents," Easterly said.

The vulnerability is in Java-based software known as "Log4j" that large organizations, including some of the world's biggest tech firms, use to log information in their applications. Tech giants like Amazon Web Services and IBM have moved to address the bug in their products.

Experts told CNN it could take weeks to address the vulnerabilities and that suspected Chinese hackers are already attempting to exploit them.

It offers a hacker a relatively easy way to access an organization's computer server. From there, an attacker could devise other ways to access systems on an organization's network.

The Apache Software Foundation, which manages the Log4j software, has released a security fix for organizations to apply.

What is Log4j?

Log4j is open-source software maintained by a group of volunteer programmers as part of the nonprofit Apache Software Foundation and is a key Java logging framework. Security experts said it is used by millions of applications: developers put it into their software to monitor, or 'log', activity, which helps programmers debug their applications.

Apache noted in its security advisory the issue was first publicly disclosed by a security researcher working for Chinese technology company Alibaba Group Holding Ltd. The flaw in the Log4j software could allow hackers unfettered access to computer systems.

Reports have said the initial exploitation was spotted on December 2, before a patch rolled out a few days later; a partial fix for the vulnerability was released on Friday by Apache, the maker of Log4j.

Chinese government-linked hackers have already begun using the vulnerability, according to Charles Carmakal, senior vice president and chief technology officer of cybersecurity firm Mandiant, as reported by CNN.

To address the issue, CISA said it would set up a public website with information on what software products were affected by the vulnerability, and the techniques that hackers were using to exploit it.
