Hackers including Chinese state-backed groups have launched more than 840,000 attacks on companies globally since last Friday, according to researchers, through a previously unnoticed vulnerability in a widely used piece of open-source software called Log4J.
Cyber security group Check Point said the attacks relating to the vulnerability had accelerated in the 72 hours since Friday, and that at some points its researchers were seeing more than 100 attacks a minute.
Perpetrators include “Chinese government attackers,” according to Charles Carmakal, chief technology officer of cyber company Mandiant.
The flaw in Log4J allows attackers to easily gain remote control over computers running apps in Java, a popular programming language.
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), told industry executives that the vulnerability was “one of the most serious I’ve seen in my entire career, if not the most serious,” according to US media reports. Hundreds of millions of devices are likely to be affected, she said.
Check Point said that in many cases, the hackers were taking control of computers to use them to mine cryptocurrency, or to become part of botnets, vast networks of computers that can be used to overwhelm websites with traffic, to send spam, or for other illegal purposes.
Both CISA and the UK’s National Cyber Security Centre have now issued alerts urging organizations to make upgrades related to the Log4J vulnerability, as experts attempt to assess the fallout. Amazon, Apple, IBM, Microsoft, and Cisco are among those that have rushed to put out fixes, but no severe breaches have been reported publicly so far.
The vulnerability is the latest to hit corporate networks, after the emergence of flaws in the past year in commonly used software from Microsoft and IT company SolarWinds. Both these weaknesses were initially exploited by state-backed espionage groups from China and Russia respectively.
Mandiant’s Carmakal said that Chinese state-backed actors were also attempting to exploit the Log4J bug but declined to share further details. Researchers at SentinelOne have also told media that they have observed Chinese hackers taking advantage of the vulnerability.
According to Check Point, nearly half of all attacks have been conducted by known cyber attackers. These included groups using Tsunami and Mirai—malware that turns devices into botnets, or networks used to launch remotely controlled hacks such as denial of service attacks. It also included groups using XMRig, a software that mines the hard-to-trace digital currency Monero.
“With this vulnerability, attackers gain almost unlimited power—they can extract sensitive data, upload files to the server, delete data, install ransomware or pivot to other servers,” Nicholas Sciberras, head of engineering at vulnerability scanner Acunetix, said. It was “astonishingly easy” to deploy an attack, he said, adding that it would “be exploited for months to come.”
The source of the vulnerability is faulty code developed by unpaid volunteers at the non-profit Apache Software Foundation, which runs multiple open source projects, raising questions about the security of vital parts of IT infrastructure. Log4J has been downloaded millions of times.
The flaw has existed unnoticed since 2013, experts say. Matthew Prince, chief executive of cyber group Cloudflare, said it started to be actively exploited from December 1, although there was no “evidence of mass exploitation until after public disclosure” from Apache the following week.