Technology experts and businesses worldwide are scrambling to put a lid on a new, and potentially widespread cyber threat that CERT NZ says is being “actively exploited”.
Log4j, a commonly used java logging system, was revealed to have a vulnerability late last week.
One which means hackers can take over entire computer servers far more easily than before, and access data that could be used for phishing or ransomware campaigns.
‘Logging‘ is when applications keep a running list of activities performed, and most security systems run some form of logging process.
Peter Membrey, a software engineer and tech expert, told 1News it’s “one of those issues where you hope it never happens”.
“It’s very bad. People will be able to do things that you really wouldn’t want them to do,” he said.
Membrey described the software loophole as “borderless”, and said this is “as bad as it gets”.
Simply by sending an email, a hacker can exploit the vulnerability and breach networks.
The issue has been given a 10/10 vulnerability score; rated in terms of ease of attack and it’s absolute impact.
“It hits everyone equally from the biggest names to the smallest businesses. But it is a reminder to be ever vigilant and to keep your software updated.”
It comes as a Kiwi IT company found an alarming number of small businesses are holding onto data and personal information for far longer than they need to.
Vertech’s Daniel Watson said he often sees companies from accountants to medical centres storing details like names, employment records, bank details, and drivers licenses.
“1500, 2000, 10,000 customer records in there that have never been readdressed or purged out.. and the scary thing is we’ve got this big vulnerability [Log4j] that’s been exposed on the internet which can directly impact those businesses,” he told 1News.
Watson said Log4j is less about individuals and home users, and more about businesses updating their systems.
“All organisations out there need to give their IT people a big of a nudge and ask those questions to get the reassurance they need... we’re doing our best to notify all our clients and the people who are most likely affected by it.”
CERT NZ, our national cyber security watchdog, was on of the first agencies in the world to blow the whistle on the Log4j fault.
Incident Response Manager, Nadia Yousef, said getting information out to organisations as fast as possible was critical.
“New Zealand organisations are not immune. Any New Zealand organisations using software that has this vulnerable component potentially could be impacted by this so it’s important we treat this seriously.”
She said 2021 has been a big year of cyber threats for the country and New Zealand businesses are becoming better at preparing for attacks.
“New Zealand organisations take these seriously and they really prioritise data sensitivity. We’ve seen that play out over the last year, or two or so years.”
Membrey believes the Log4j issue will last years.
“I suspect the fallout will be pretty big. This is one of those things that you don’t fix overnight.”
Yousef agrees.
“It’s a bigger clean up than we’re used to. It’s going to be a case of finding out what happens over the next coming weeks,” she said.
CERT NZ advises anyone running Log4j upgrade to the latest version in the first instance, and ask anyone needing further assistance to get in touch.
SHARE ME