Businesses urged to protect systems over Java code vulnerability

Flaw could allow attacker to remotely control the system the software is on

The  National Cybersecurity Centre says the vulnerability poses a ‘serious risk to the security and integrity of data’.  Photograph: iStock
The National Cybersecurity Centre says the vulnerability poses a ‘serious risk to the security and integrity of data’. Photograph: iStock

Businesses have been warned to urgently check and protect their systems for a new vulnerability in Java code, or risk being hit with ransomware and other security issues.

The warning comes following a report from the National Cybersecurity Centre (NCSC) over the Log4J vulnerability discovered in the open source code. It could allow an attacker to remotely control the system the vulnerable software is on.

Security analyst Brian Honan said it was a serious problem that needed to be addressed as a matter of urgency. "Given the widespread use of this software it has meant that many systems and vendors have been hit by this," he said.

“It’s embedded in many systems that people may not even be aware they are using and, therefore, it could be a way for criminals to break into many systems and networks, steal data or hold them to ransom.”

READ MORE

Log4j is a Java-based logging system designed by the open source Apache Software foundation. It is widely used in services such as AWS, various Cisco services, Microsoft Azure, and gaming platforms such as Valve's Steam and video game Minecraft.

A full list of the affected software services compiled by the Dutch National Cyber Security Centre is available here. The list also provides information on how the relevant vendors propose to manage the vulnerability.

In a warning issued at the weekend, the NCSC said it posed a “serious risk to the security and integrity of data”.

Experts said it could leave businesses vulnerable to ransomware.

"Essentially, the threat actor can remotely deploy malicious commands on a sever to give themselves administrator rights to a system, extract information or deploy a secondary compromise like malware or ransomware," said Richard Ford, group technical director with cybersecurity specialist Integrity 360.

A patch for the vulnerability has been developed, but it needs to be rolled out by the different companies using the affected software.

Updates

Mr Honan said an added complication was that at this time of the year, a lot of organisations put in a “change freeze” on their system, meaning no updates would be installed. However, an exception should be made for fixing this vulnerability.

“If you can, scan any interfacing systems or services that you have and that you’re using for this vulnerability. If you’re using any third-party software, contact those vendors and ask them does the vulnerability impact their software and, if it does, what are they doing about it. Also actively monitor your systems for suspicious activity,” Mr Honan said.

That could reveal potential threats to or the compromising of a company’s systems. That should be a business’s incident response plan immediately, Mr Ford said. “There have been a lot of reports of active scanning of the vulnerability but less so of active exploitation,” he said.

“It is likely that your server has been scanned but does not indicate active exploitation. The initial reports show exploitation was by dropping coin miners but newer information suggests ransomware operators are now taking advantage of this vulnerability.”

Jason Ward, vice-president and managing director of Dell Technologies Ireland, said the warning highlighted the ever-evolving cyber challenges facing businesses and organisations. Cyber attacks take place every 11 seconds globally, making it a case of “when” rather than “if” for businesses.

“From malware to phishing, Irish businesses need to consider the cyber risks they face as many employees continue to work from home and how they can best protect data wherever it resides,” he said.

“Organisations can no longer simply focus on just protecting individual IT systems or devices – they need to assess their ability of their entire business to withstand and recover from a cyber attack. From my discussions with business leaders, it is apparent that there is confusion with organisations believing they have cyber resilience when in fact all they have is data protection. Cyber resilience requires an off-grid cyber vault which is fundamentally different from traditional back-up and recovery systems.”

Ciara O'Brien

Ciara O'Brien

Ciara O'Brien is an Irish Times business and technology journalist