Also known as the Log4Shell hack, the Log4j 0-day security vulnerability is the worst hack in Internet history. All Internet companies have made efforts to correct the problem and prevent hackers from taking advantage of it. But it will take time for companies to resolve the problem. Security researchers see thousands of attempts to take advantage of the Log4j hack to break into computer systems. And the worst thing about this hack is that you could be hit even if the hackers don’t explicitly target you. And, even worse, there is nothing you can do to protect yourself.
Along with Pegasus, Apple released a patch that fixed the 0-day iPhone attack that allowed nation states to spy on targets. All you had to do was install the iOS and iPadOS update. When the vulnerabilities in the Specter chip first surfaced a few years ago, it was up to the chipmakers to release patches, as well as the companies that ran operating systems on them.
But with the Log4j hack, there is no single patch for iPhone, Android, Windows, or Mac that will fix the vulnerability and alleviate your concerns.
Log4j hack is a security nightmare
As we’ve seen before, hacking can impact something as trivial as Microsoft’s Minecraft game. The hackers sent a few lines of text through an in-app chat system to take control of the computers. And Microsoft fixed the flaw.
But any business that offers internet services and internet-connected products is in danger. Every business needs to update their servers so that attackers cannot use the Log4j hack.
The vulnerability issue allows hackers to bypass restrictions and enter a computer system without needing a password. From there, they can remotely execute code that will allow them to spy on these companies, steal information and / or money.
The customers of these companies could be harmed, it is always a risk with such hacks. But end users cannot fix Log4j hack on their own.
With the Log4j hack, it’s not about clicking the wrong link and downloading the malware to your computer. Everything is out of your hands. No matter how internet savvy you are, there is no way to stop a hacker from attacking one of the internet companies you are a customer of.
The attackers make more than a hundred attempts every minute to exploit the vulnerability of the Java logging utility, according to Check Point researchers observing the Log4j hack. Sophos detected hundreds of thousands of attempts in the days following the disclosure of Log4Shell.
What you can do to fix the problem
Microsoft already has observed attacks which involve installing cryptocurrency mining malware on the servers. Separately, some hackers have attempted to install Cobalt Strike on vulnerable systems, which could lead hackers to steal usernames and passwords. The company also detailed the features of Microsoft 365 Defender that can protect against Log4j hacking. But that might not be enough for most people – after all, it only covers Windows and Linux. And its IT teams who should be using patches in servers and IT systems.
End users can take care of their Internet properties. You should continue to use strong and unique passwords for your services. Add two-factor authentication to sensitive apps and emails that govern access to online financial transactions. Keep an eye out for suspicious activity on these sensitive accounts, whether it’s email apps or home banking.
You can also check with your organization’s IT department and make sure they know what the Log4j hack is and needs to be fixed. Likewise, you can contact other tech companies to see what they’re doing to protect you. On the other hand, asking customer reps for answers they might not have won’t help.
While you’re at it, update all the software on your devices to the latest versions available. This includes operating systems and applications. As these companies roll out the Log4j fixes, you need to make sure you get them as quickly as possible.
Security researchers said a few days ago that it would take time to see the damage Log4Shell attacks would do. It is still true. And, in the meantime, we’ll probably have more information on how to protect ourselves against Log4j hack.