The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued a statement regarding a new cyber vulnerability that could impact many sectors of the internet.
“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” CISA Director Jen Easterly said in a statement.
“To be clear, this vulnerability poses a severe risk,” Easterly added.
The vulnerability is linked to Apache logging package Log4j, which is a utility that runs in the background of many common software applications ranging from cell phones, e-commerce, gaming consoles, and other internet-connected devices. Log4j’s wide use in company systems around the world for decades makes the vulnerability especially severe as a result.
Cybersecurity experts around the world spent the entire past weekend trying to respond to and fix the vulnerability. However, it will likely take months or even a year to fully address the issue.
Attackers have been actively exploiting the issue since Dec. 10, with over 800,00 attempted cyberattacks in 72 hours, averaging out to around 100 attacks per minute. More than 40 percent of corporate networks around the world were under attack by hackers.
In response to CISA’s statement, Microsoft issued an alert saying that the software company is “monitoring the threat landscape for attacks and developing customer protections.”
“Our security teams have been conducting an active investigation of our products and services to understand where Apache Log4j may be used and are taking expedited steps to mitigate any instances,” Microsoft added.
An Amazon Web Services blog post said, “This vulnerability is severe and due to the widespread adoption of Apache Log4j, its impact is large.”
Rob Joyce, the National Security Agency’s (NSA) director of cybersecurity, said in a tweet that the Log4j vulnerability is a “significant threat for exploitation due to the widespread inclusion in software frameworks.”
Other governments have also warned of the Log4j vulnerability. Germany, for example, said it is a “very high” threat.
CISA has also since released an announcement on its website explaining in detail the Apache Log4j vulnerability and what immediate action individuals and organizations can take to protect against its exploitation.