Hackers from China Seek to Exploit the Open Source Log4j Software Bug

In Openness to Creative Destruction, I argue that open source software has severe drawbacks, compared to a system where firms receive higher profits for selling better software. The severe Log4j bug, discussed in the quoted passages below, is an example that strongly supports my argument. A blog entry posted on Dec. 17 also discussed the Log4j bug.

(p. B1) Hackers linked to China and other governments are among a growing assortment of cyberattackers seeking to exploit a widespread and severe vulnerability in computer server software, according to cybersecurity firms and Microsoft Corp.

The involvement of hackers whom analysts have linked to nation-states underscored the increasing gravity of the flaw in Log4j software, a free bit of code that logs activity in computer networks and applications.

Cybersecurity researchers say it is one of the most dire cybersecurity threats to emerge in years and could enable devastating attacks, including ransomware, in both the immediate and distant future. Government-sponsored hackers are often among the best-resourced and most capable, analysts say.

“The effects of this vulnerability will reverberate for months to come—maybe even years—as we try to close these doors and try to hunt down all the actors who made their way in,” said John Hultquist, vice president of intelligence analysis at the U.S.-based cybersecurity firm Mandiant Inc.

. . .

(p. B6) Researchers find the Log4j flaw particularly worrying because the free Java-based software is used in a broad range of products. It can be found in everything from security software to networking tools to videogame servers. The exact number of users of Log4j is impossible to know, but the software has been downloaded millions of times, according to the organization that builds it, the Apache Software Foundation.

The attack works reliably and is trivial to exploit, security researchers say. Although downloadable patches have already been made available, experts and U.S. officials said they expected the flaw to remain a problem for the long haul because some organizations will be slow to update their systems or might neglect to do so entirely.

“It’s a surprise it’s not more widespread,” said Adam Meyers, senior vice president of intelligence with CrowdStrike, a U.S.-based cybersecurity firm, which said they had detected Iranian actors leveraging the Log4j flaw. “The question that everyone is asking is, ‘What aren’t we seeing?’”

For the full story, see:

Robert McMillan and Dustin Volz. “Hackers Leap on Flaw in Log4j Software.” The Wall Street Journal (Thursday, December 16, 2021): B1 & B6.

(Note: ellipsis added.)

(Note: the online version of the story was updated Dec. 15, 2021, and has the title “Hackers Backed by China Seen Exploiting Security Flaw in Internet Software.”)

My book, mentioned above, is:

Diamond, Arthur M., Jr. Openness to Creative Destruction: Sustaining Innovative Dynamism. New York: Oxford University Press, 2019.

One thought on “Hackers from China Seek to Exploit the Open Source Log4j Software Bug”

Leave a Reply

Your email address will not be published. Required fields are marked *