(Source: The Wall Street Journal)

A flaw in widely used internet software has left companies and government officials scrambling to respond to a potentially glaring cybersecurity threat to global computer networks. The previously undiscovered bug, hidden inside software known as Log4j, could prove to be a boon for criminal and nation-state hackers, cybersecurity experts say. The Log4j vulnerability is turning out to be a cybersecurity nightmare that likely impacts a wide range of products from Apple’s iCloud to Twitter to Microsoft’ Minecraft and a number of other enterprise products.

What is Log4j?

Software developers use the Log4j framework to record user activity and the behavior of applications for subsequent review. Distributed for free by the nonprofit Apache Software Foundation, Log4j has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites and applications.

How are hackers taking advantage?

The Log4j flaw allows attackers to execute code remotely on a target computer, meaning that they can steal data, install malware or take control. Some cybercriminals have installed software that uses a hacked system to mine cryptocurrency, while others have developed malware that allows attackers to hijack computers for large-scale assaults on internet infrastructure. Security experts are particularly concerned that the vulnerability may give hackers enough of a foothold within a system to install ransomware, a type of computer virus that locks up data and systems until the attackers are paid by victims. For larger companies, these ransoms can total millions of dollars.

How widespread is it?

Internet-facing systems as well as backend systems could contain the vulnerability. Log4j software is widely used in business software development. “Likely millions of servers are at risk,” said Lou Steinberg, founder of CTM Insights LLC, a tech incubator. An Apache spokeswoman said the nature of how Log4j is inserted into different pieces of software makes it impossible to track the tool’s reach.

CISA has created an information page with recommendations.