Hackers have used the discovery of what appears to be the biggest critical vulnerability in Internet history to launch massive attacks on the servers of businesses and organizations around the world. Tesla, Microsoft, Apple, Twitter, or even the game Minecraft are among the victims.
You will also be interested
[EN VIDÉO] What is a cyberattack? With the development of the Internet and the cloud, cyber attacks are more and more frequent and sophisticated. Who is behind these attacks and for what purpose? What are the hackers’ methods and what are the most massive cyber attacks?
It has been dubbed “Log4Shell” and, in the opinion of experts, it is the worst flaw in Internet history. This critical zero day vulnerability has been identified at the end of last month in the library Apache Log4j Java by a member of the Alibaba security team. But it is only for two days that the Planet panics about this fault. Since last night, the government center for monitoring, alerting and responding to computer attacks (Cert France), affirms that it is currently widely used by hackers to execute code remotely and carry out attacks. The organization gave it a score of 10/10 in matter dangerous. And for good reason ! This flaw affects virtually all servers Java operator!
Hardly any high-tech giant is spared and this is also the case with many government sites and services all over the planet. So, as an example, Tesla, Apple, the game store Microsoft Steam, the Minecraft game, Twitter and even the security specialist Cloudflare are impacted. One fix was quickly set up by the Apache foundation but the damage is already done because the hackers have already taken the opportunity to carry out massive attacks. The time that this update is applied everywhere will give them a good leeway to carry out their misdeeds.
An easy to exploit flaw
Concretely, the flaw seems impressive in its simplicity. The attacker only needs to enter a few instructions to break into a target computer. It suffices that the address of a web page containing malicious code written in Java be inserted instead of an email address on a login page, for example Twitter, for this code to be executed. From this point on, the hacker can take control of the server by installing malwares. Likewise, the introduction of this malicious code into a Minecraft chat is a vector of contamination.
With malware, the attacker can easily remotely access computers and collect their data, use it to carry out malicious activities. cryptominage… According to some experts, this big flaw also shows that the software open source are now the easy target of attacks since they are heavily used on infrastructure.
Thus, hundreds of different open source components are used on the servers. It turns out that some have had critical vulnerabilities for several years without anyone noticing. It therefore remains difficult to secure complete architectures powered by this software.
This is precisely the kind of mission that the ethical hackers operating platforms like Hackerone with theInternet Bug Bounty, for example. The hackers called ” hunters »Earn bonuses for finding loopholes in open source software that does not have large means of funding.
Interested in what you just read?
.
