Log4J: The first warnings came in November – then a breathless victim followed
This is a computer error that fortunately rarely happens. LogJ4 keeps the tech world in suspense. However, the race for a solution did not come in the public eye.
It’s a difference that rarely happens: Millions of servers, from small businesses to Internet giants like Apple, could theoretically be accessed remotely. The fault is a bug in the tiny application Log4J, which everyone uses equally as a component in their overly complex systems. Now more than one lakh attempts have been made to take advantage of this loophole. But the race against time had started long ago.
“I want to report a bug,” began an avalanche-starting email. But Sender, which is employed by Chinese retail giant Alibaba, already had an idea of what developers could expect. “The vulnerability has huge implications.” He then explained, according to “Bloomberg,” how attackers could gain full access to affected systems through the Log4J vulnerability.
race against time
The November 24 mail triggered a race of panic against time among the recipients, the software company Apache Foundation. Like all association software, Log4J is developed and maintained by volunteers in their spare time. The little tool really only logs what happens in the background of applications based on the Java development language. But since it is one of the few solutions for this and can be used completely free of charge, many other programs use it within themselves. And suddenly they all came under attack.
So the developers got down to work. At first they had no idea how serious the situation really was. “Many security messages are just clearly relevant,” Gary Gregory, who has been responsible for the software for nearly ten years, tells “Bloomberg.” “With this we quickly thought: Oh shit. We were surprised. Not because there was a security problem. But because of its limitation,” says the developer, who is actually the head of a software development department in his main job. Along with his teammates, who also work on Log4j in his spare time, he started working. Goal: To fill the gap before the world knows about it.
But after two weeks the situation worsened. In a second email, its tipster warned on December 8 that there was a vulnerability in Chinese chat groups. “Some WeChat security chat groups are already talking about the details and some experts have a loophole,” he warned. “We promise that we will keep this flaw a secret until you have an official solution. Please hurry.”
What the developers didn’t suspect: At this point, it had been a long time since the attacks started. Cloudflare experts later found that there had been earlier attacks a few days earlier that attempted to exploit the vulnerability. According to current knowledge, the first were already on 1st December. It is not yet known how the people behind it came to know about the gap at this time.
Simply (online) save the world quickly
It was a stressful time for Gregory and his volunteer companions. He dropped everything to fill the gap as quickly as possible. “They put everything on the sidelines and worked all weekends,” recalls Christian Grobmeier, Apache’s vice boss. “I know these people, they all have families and things to do.” Exactly 20 hours later, the repaired software was released – and for the first time publicly warned about the dangers of the older version.
But then it really started. If a few thousand attacks could be detected in the first few hours after the vulnerability was discovered, that number swelled to an incredible extent: just 72 hours later, security experts at the checkpoint reported 840,000 attacks – and the trend was accelerating. has been Malware using the vulnerability is also on the rise. Initially there were only twelve shows, 60 more have been added since then. There’s a simple reason why attacks continue despite available updates: the software must be installed by every provider that uses it. According to experts, it may take weeks or even months. And until then you can just keep trying.
The leisure developers behind Log4J should be asked uncomfortable questions. It is now believed that this difference has existed since 2013. And it was even discussed at a hacking conference in 2016, as reported by users on Twitter. Looks like the developers haven’t noticed. Maybe because they are actually being paid for other things.
Reader. Organizer. General creator. Zombie fanatic. Alcohol advocate. Food junkie. Bacon ninja.