Businesses are far from immune to the security breach that has forced governments around the world, including Quebec City and Ottawa, to shut down their sites. But the majority of them may not even know they are vulnerable, warn experts consulted by The press.
“That’s always the problem, I call it the chain of incompetence, laments Eric Parent, CEO of EVA Technologies, a Montreal cybersecurity firm. You ask your IT people who are not hooked, they will say that you do not have this software. And in three months, you find out you had it. ”
Since Friday, Mr. Parent’s firm has carried out preliminary verifications with around 40 of its clients, out of a total of 100. “They all have it. Until now, there is not one that does not have it. ”
“Companies should also close their sites while waiting to find out,” he said.
Unlike classic security vulnerabilities, which essentially affect a specific product, such as Microsoft Server Exchange last spring, “Log4Shell” concerns a tool developed in open source code. Developed by the Apache Foundation, the Log4j Java library has been integrated into thousands of platforms and software and installed on millions of servers. It essentially allows the production of activity logs, “logs”.
The vulnerability consists of a single line of code that a hacker can paste into a form on the web that takes control of the server. It can then install malicious software or recover personal data.
The vulnerability was discovered on November 24 by a computer scientist at Chinese e-commerce giant Alibaba, Chen Zhaojun. A fix was released on December 6. But it wasn’t until December 9 that most experts around the world learned of its existence. Since then, big companies like Apple, Tesla and Microsoft – in its game Minecraft – confirmed to be vulnerable to this flaw, which has also forced many organizations and governments to suspend access to their sites.
It would be the worst computer flaw in history. As of this writing, it has not yet been confirmed whether it has ever been exploited by cybercriminals.
Search for victims
At ESET, a cybersecurity company based in Slovakia which opened an office in Montreal, it is confirmed to investigate this vulnerability since December 10 and to have released a patch the next day for the 20 products of the company. Disturbingly, attacks using this flaw were identified as early as December 11, which were blocked.
It is unlikely that these were targeted attacks, says Marc-Etienne Léveillé, senior malware researcher at ESET.
Many scan the entire Internet to find potential victims, to identify the extent of the problem, to establish a list of vulnerable systems to come back and exploit them later.
The first indications, he reveals, point to groups of cyber hackers whose main objective is to install software on the computers of their victims to mine cryptocurrency.
Knowing whether a company’s servers are using the Log4j Java library can be a daunting task, if not impossible for small businesses. In Quebec, the Minister for Digital Transformation, Éric Caire, compared it to finding “how many rooms in all of the Quebec government buildings use 60-watt light bulbs.”
Asked on Monday about the cyberattack, Prime Minister François Legault reiterated that no personal data was at stake, but that “it is a risk that we are in the process of correcting to ensure that it does not there are no people with bad intentions who use that to get into our networks. We will keep them closed until the corrections are made, ”he said, referring to the Quebec government’s digital platforms.
Log4j is not software as such, but a tool that is grafted onto existing systems. And because it’s open source code, no IT company has a comprehensive list of its users, who number presumably in the millions.
“It is found on any system, it may very well be that you do not even know that it is installed in your company, believes Eric Parent. It should be the manufacturer who warns you that this specific type of equipment has this vulnerability. ”
The flaw could even affect the simple consumer, if he has for example network hard drives or webcams whose interfaces generate activity logs, warns Eric Parent.
Protect yourself … or close
Companies that have outsourced the management of their IT networks to large cloud-based companies can reasonably assume that their vendor has protected themselves, he notes. “I’m not a big fan of the cloud, but these are companies that have thousands of people looking after security. ”
For others, a complete overhaul of the computer network, by employees or specialized external firms, is essential. But the simple update of a tool like Log4j, which would eliminate the vulnerability, is not within everyone’s reach, warns Marc-Etienne Léveillé. “It would be the best thing to do. But in some cases, it’s part of a system that hasn’t been updated. ”
While waiting to make these verifications, and if it is impossible to temporarily close the servers, Eric Parent advises to modify certain configurations, in particular by stopping the update of the activity logs. “There, at least, the flaw cannot be exploited. Otherwise, you just sit there and wait to get screwed. ”
With the collaboration of Henri Ouellette-Vézina, The press