Log4j vulnerability: Companies scramble to gird against hackers The vulnerability was publicly disclosed last week in an unexpected way — through the popular game Minecraft. Embedded in a common software tool, it could potentially impact billions of devices.

Companies scramble to defend against newly discovered 'Log4j' digital flaw

  • Download
  • <iframe src="https://www.npr.org/player/embed/1064123144/1064221062" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

AUDIE CORNISH, HOST:

A new and dangerous digital security flaw was publicly disclosed in an unexpected way - through Minecraft, the online game. To tell us more about it, we have NPR's cybersecurity correspondent Jenna McLaughlin.

Welcome, Jenna.

JENNA MCLAUGHLIN, BYLINE: Hi, Audie. Thanks.

CORNISH: So help us understand the intersection here. How did Minecraft get involved?

MCLAUGHLIN: So late last week, Minecraft game developers published a blog post where they revealed that they were impacted by a software bug where hackers can take over with one command using a digital hole that no one knew about before. So Minecraft did release a patch. But what the broader cybersecurity community quickly realized is that this was actually a much bigger problem and that it could impact big and small companies, even big names like Amazon and Apple, and potentially billions of devices. So it was a really rough weekend for digital defenders. Experts I spoke with didn't leave their desks. They were working on trying to figure out who might be at risk and what to do about it.

CORNISH: How does it work?

MCLAUGHLIN: So it's a really huge problem. When programmers write software, they don't want to have to create everything from scratch. So what they do is they often borrow basic building blocks that most programs need to function, and they take it from what's called open source code, which is free for anyone to use. So this flaw happened to be inside one of those very common open source tools, so common and simple that most developers don't even really think about it.

So this program is called Log4j. It's a library. It does basically what it sounds like. It logs everything that happens on a device. So a couple of days ago, a Chinese researcher discovered it and privately alerted the software developers before Minecraft actually published that blog post. He realized that a hacker could send a message to the logger and take over the device and make it do whatever they wanted.

CORNISH: Like what?

MCLAUGHLIN: It could let them inside the network, where they could steal data, take your files hostage, all kinds of bad things.

CORNISH: Right now, though, is this theoretical, or is there evidence of wrongdoing?

MCLAUGHLIN: So right now experts are seeing the early stages of attacks. The bad guys are scanning the internet for potentially vulnerable devices. For example, crypto miners are hijacking computers to mine Bitcoin, for example, and we could see worse attacks in the coming days and weeks. Meanwhile, the good guys out there are looking for these same devices to protect them. One cybersecurity expert called it a race between the hackers and defenders. And this is what normally happens when a new cyber flaw is discovered. So this is a really bad bug, but it might not be as dire as some are saying. I spoke to Katie Nickels, who's the head of intelligence at cybersecurity firm Red Canary. She doesn't think people should panic. Here's what she had to say.

KATIE NICKELS: Think of it as the unlocked door. An adversary has to charge through it somehow. That's what's reassuring about this, if anything - is that, yes, it's a new vulnerability. But the techniques, the behaviors that adversaries are using and the malware that they're deploying - it's known malware.

CORNISH: So, Jenna, how can people protect themselves from these kinds of attacks?

MCLAUGHLIN: So the U.S. government is reaching out to businesses to help. The burden right now really lies on the companies that make the software to fix it, and they're taking this problem very seriously. But it's going to take time. Nickels told me her advice to individuals is actually pretty basic.

NICKELS: It's not very exciting, but the average person should just do their normal security best practices.

MCLAUGHLIN: She says if a company reaches out and asks you to download a patch, do it immediately, and use antivirus software.

CORNISH: That's NPR's cybersecurity correspondent Jenna McLaughlin.

Thanks so much.

MCLAUGHLIN: Thank you so much.

(SOUNDBITE OF NEU!'S "WEISSENSEE")

Copyright © 2021 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.