“Mobile phones and iPads are not yet affected, you have to be very clear,” Arne Schönbohm, head of Germany’s Federal Office for Information Security (BSI), said Monday in Bonn. Instead, authorities and businesses are affected and “in the end it is the consumer who uses these services.”
Over the weekend, the BSI declared a red alert level due to a security hole in a widely used Java software library. The vulnerability could allow attackers to run malware on service providers’ servers. The vulnerability is limited to a few older versions of the library called Log4j. On Monday, Schönbohm stressed the need to act urgently. Businesses and authorities should make updates as quickly as possible.
A race between attackers and defenders
A spokesman for the Federal Ministry of the Interior said there is still no evidence from federal authorities or companies that are part of critical infrastructure that attacks were successful. The number of cases in the federal administration where this vulnerability exists is “in the single-digit range.” There were no successful attacks in these individual cases either.
Schönbohm said criminals are very active. “We’re already seeing a huge survey.” There is a race between attackers and defenders. “It’s not targeted attacks, it’s about getting there through the board and taking advantage of that so you can go in and install other back doors before that gap is closed.”
Criminals can then take advantage of these back doors for a long time to come. In addition to the updates, he recommended that companies and authorities block certain functions, “which means that the possibility of an attack is much lower.”
Still in the processing stage
When asked how many companies have been affected, Schönbohm said: “You can’t say that yet, we’re in the processing phase.” His authority is in contact with the IT security authorities of other countries, such as the Netherlands, France and the USA. Whether full clarity can be provided soon depends on how quickly companies close the vulnerability.
According to IT security company F-Secure, some attackers have already succeeded in installing ransomware and cryptocurrency-mining software on servers. “Log4j could be the most serious vulnerability of all. Especially since the problem is found across manufacturers,” said F-Secure expert Rüdiger Trost.
Log4j is what is called a logging library. Its job is to record various events during the running of a server, as in a logbook, e.g. for later evaluation of errors. The vulnerability can be triggered simply by a certain string appearing in the log, for example through a message. This makes it easy to exploit, which has caused great concern among experts. At the same time, systems of major providers usually have multi-layered protection mechanisms.
© dpa-infocom, dpa: 211213-99-369309 / 4