U.S. warns new software flaw leaves millions of computers vulnerable

The top U.S. cybersecurity agency is warning that a new, easy-to-exploit software vulnerability has likely led to hundreds of millions of computer hacks around the world.

The flaw is in Log4j, a snippet of open-source code widely used in internet applications around the world to help track users’ activity. Since Log4j is used in so many applications, and most modern organizations’ computer networks rely on a hodgepodge of different programs, there are scores of opportunities to exploit that flaw.

In a call Monday with private companies and state cybersecurity officials, Jen Easterly, director of the Cybersecurity and Infrastructure Agency, said it’s likely that many computer systems have already been compromised, according to a description of the call provided by an agency spokesperson.

While the vulnerability is unlikely to threaten the security of people’s personal devices, it could be used to gain a foothold to hack practically any organization online that doesn’t update the software.

Cybersecurity professionals around the world have scrambled in the past few days to fix the flaw, which first gained attention on Thursday after they discovered hackers using it to trick victims into mining small amounts of cryptocurrency for them and to hack private Minecraft servers.

There are not yet many public reports of crippling hacks stemming from the Log4j vulnerability. Still, security professionals spent much of the weekend frantically trying to find and fix every potential place it can be exploited, said Wesley McGrew, a cybersecurity fellow at MartinFederal, a federal contracting company.

“It’s a combination of a new vulnerability being simultaneously widespread and easy to exploit,” McGrew said.
