This is the story of a wave of panic that begins on December 9, 2021. Ten days earlier, a Chinese expert discovers an error in a line of code. He reports it, then makes it public, via Twitter. Immediately, the community of IT security managers was notified, but so did hackers …
And in the process, we detect the first attacks, coming from China, Iran, North Korea: massive scans of the Internet network to identify all vulnerable computers, take control and install invisible software that will ” work “remotely for hackers, doing what is known as cryptocurrency mining.
This technique consists in putting a computer – hacked, in this case – in the service of cryptocurrencies like Bitcoin, to be remunerated in return.
Every time a new bug is discovered, we are told of a disaster. This time, if the flaw is so serious, it is because it affects a small piece of open source software, free, used by almost all website servers, computers and most of our cellphones.
So much so that some of those who use this piece of computer code – a “library” of the Java language, called Log4J – are not aware of it. And that’s the problem: the risk is not to feel concerned and not to make the updates which correct the flaw and which are nevertheless available. Three updates already since 15 days! It must be said that the first two presented themselves, a flaw! It truly is a nightmare December for IT security managers.
The other reason for the gravity of the situation is that this flaw is very easy – almost childish – to exploit. It suffices – so to speak, in certain cases – of a copy and paste in a “chat”, in other words, on a messaging, to exploit it. The flaws are rated from 0 to 10, depending on whether they are critical or not. And Log4Shell is at 10.
Do we have a first idea of the damage caused by this flaw? The answer to this question is twofold. On the one hand, there is what we know: no proven disaster yet but spectacular precautionary measures as in Canada, these preventive shutdowns of government servers. In Germany, Bosch, which also makes connected objects, admitted to being affected but without further details.
What is certain is that companies are vulnerable: large, GAFA, Apple, Microsoft in particular through its game Minecraft, Tesla, Steam (the global video game platform), Twitter, etc … but also , in France, the PME-PMI – the administrations until the individuals but it will take time, several weeks still, to know the extent of the breach.
And then there is what we do not know, because this flaw, so simple, had perhaps already been discovered by hackers who had perhaps been exploiting it for a long time, without anyone being aware of it. be reported.
Guillaume Poupard, the director general of ANSSI, the national information systems security agency, prefers to remain optimistic. According to him, “In a month, we will probably not talk about it anymore”. There is only one condition: update without delay.