Also known as the Log4Shell hack, the Log4j 0-day security vulnerability is the worst hack in internet history. Every internet company has been scrambling to patch the issue and prevent hackers from taking advantage of it. But it will take time for companies to fix the problem. Security researchers are seeing thousands of attempts to take advantage of the Log4j hack to get into computer systems. And the worst thing about this hack is that you might be impacted even if hackers don’t explicitly target you. And, worst of all, there’s nothing you can do to protect yourself.
Don't Miss: Wednesday’s deals: Ring Doorbell blowout, Roku sale, iPad Air discountWith Pegasus, Apple issued a patch that fixed the 0-day iPhone attack that allowed nation-states to spy on targets. You just had to install the iOS and iPadOS update. When the Spectre chip vulnerabilities surfaced a few years ago, it was up to chipmakers to issue fixes, as well as companies running operating systems on them.
But with the Log4j hack, there’s no single iPhone, Android, Windows, or Mac fix that will patch the vulnerability and alleviate your concerns.
As we saw already, the hack can impact something as trivial as Microsoft’s Minecraft game. Hackers sent a few lines of text via an in-app chat system to take over computers. And Microsoft patched the flaw.
But any company that offers internet services and internet-connected products is at risk. Each company has to update its servers so attackers can’t employ the Log4j hack.
The vulnerability issue allows hackers to bypass restrictions and get into a computer system without requiring a password. From there, they can run code remotely that will enable them to spy on those companies, steal information and or money.
The customers of these companies might be hurt, that’s always a risk with such hacks. But end-users can’t patch the Log4j hack themselves.
With the Log4j hack is not a matter of clicking on the wrong link and downloading the malicious program on your computer. It’s all out of your hands. As internet-savvy as you might be, there’s no way to prevent a hacker from attacking one of the internet companies that you’re a customer of.
Attackers are making over a hundred attempts every minute to exploit the Java logging utility vulnerability, according to Check Point researchers observing the Log4j hack. Sophos detected hundreds of thousands of attempts in the days since Log4Shell was disclosed.
Microsoft has already observed attacks that involve installing cryptocurrency-mining malware on servers. Separately, some hackers tried to install Cobalt Strike on vulnerable systems, which could lead to hackers stealing usernames and passwords. The company also detailed the Microsoft 365 Defender features that can protect against the Log4j hack. But that might not be good enough for most people — after all, this only covers Windows and Linux. And its IT teams that should employ fixes in servers and computer systems.
What end-users can do is pay attention to their internet properties. You should continue to use strong, unique passwords for your services. Add two-factor authentication to sensitive apps and emails that govern access to online financial transactions. Keep an eye on suspicious activity in those sensitive accounts, whether it’s email or home banking apps.
You can also check with the IT department in your organization and make sure they know what the Log4j hack is and that it needs fixing. Similarly, you can contact other tech companies to see what they’re doing to protect you. On the other hand, pressing customer reps for answers they might not have won’t help.
While you’re at it, update all the software on your devices to the latest versions available. That includes operating systems and apps. As these companies deploy Log4j fixes, you’ll want to make sure you get them as fast as possible.
Security researchers said a few days ago that it’d take time to see the harm the Log4Shell attacks will do. That’s still true. And, as we wait, we’ll probably get more information about how to protect ourselves against the Log4j hack.