A software vulnerability exploited in the online game Minecraft is rapidly emerging as a major threat to internet-connected devices around the world.
“The internet’s on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike.
“People are scrambling to patch and there are script kiddies and all kinds of people scrambling to exploit it.”
He said on Friday that in the 12 hours since the bug’s existence was disclosed it had been “fully weaponised”, meaning malefactors have developed and distributed tools to exploit it.
The flaw may be the worst computer vulnerability discovered in years. It opens a loophole in software code that is ubiquitous in cloud servers and enterprise software used across industry and government.
It could allow criminals or spies to loot valuable data, plant malware or erase crucial information, and much more.
“I’d be hard pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors.
Untold millions of servers have it installed, and experts said the fallout would not be known for several days.
Amit Yoran, chief executive of cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” — and possibly the biggest in the history of modern computing.
The vulnerability, dubbed Log4Shell, was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software.
New Zealand’s computer emergency response team was among the first to report that the flaw was being “actively exploited in the wild”, hours after it was publicly reported on Thursday and a patch released.
The vulnerability, located in open-source Apache software used to run websites and other web services, was discovered on November 24 by Chinese tech giant Alibaba, the foundation said.
🚨 New @CrowdStrike blog on Log4j2 vulnerability CVE-2021-44228 ("Log4Shell") from @Adam_Cyber. CrowdStrike Falcon OverWatch confirms active and ongoing attempts to exploit utility commonly used in Apache web servers.
Get the latest: https://t.co/FCVyepJ2PJ— CrowdStrike (@CrowdStrike) December 10, 2021
Finding and patching the software could be a complicated task. While most organisations and cloud providers should be able to update their web servers easily, the same Apache software is also often embedded in third-party programmes which often can only be updated by their owners.
Mr Yoran said organisations need to presume they have been compromised and act quickly.
The flaw’s exploitation was apparently first discovered in Minecraft, an online game hugely popular with children and owned by Microsoft.
Mr Meyers and security expert Marcus Hutchins said Minecraft users had already been using it to execute programmes on the computers of other users by pasting a short message in a chat box.
Microsoft said it had issued a software update for Minecraft users, adding: “Customers who apply the fix are protected.”
Researchers reported finding evidence that the vulnerability could be exploited in servers run by companies such as Apple, Amazon, Twitter and Cloudflare.
Mr Sullivan said there were no indications his company’s servers had been compromised.