Government asks organisations to check server security

A cybersecurity flaw in Java-based utility Log4j, used by many major tech companies, can give hackers access to computer systems.

The National Cyber Security Centre (NCSC) has issued a warning to all organisations that use web servers to respond to a new cybersecurity threat posed by what is being dubbed Log4Shell.

The flaw stems from Apache Log4j, a Java-based logging utility used by most of the world’s major tech companies for their web infrastructure, including Microsoft, Apple, Amazon, Cisco, Tesla, Twitter and Baidu. It can potentially give a hacker unrestricted access to a company’s computer systems.

Log4Shell first received wide public attention after Minecraft, owned by Microsoft, published a statement to its 140m monthly active users alerting them to the flaw. The company said any player of the game’s Java edition who doesn’t host their own server needs to take mitigating steps.

However, Minecraft is likely one of thousands of technology companies across the world that are susceptible to the Log4Shell flaw, and governments, including the US, are rushing to advise organisations with web servers to take immediate steps before hackers get to them first.

“It is likely that malicious actors will shortly begin using this vulnerability to attack web servers. The NCSC advises that organisations assess their web servers for exposure to this risk. This should include services administrated and provided by third party service providers,” the NCSC wrote in a statement.

It clarified that Apache, the company that makes and runs Log4j, has published an update addressing the Log4Shell flaw, which companies should make use of immediately. It also noted that any attempts to exploit the flaw can be detected by the NCSC.

“There is no evidence of any successful exploitation of this vulnerability in the State, or any effect on services or data, but the risk of eventual compromise will persist for any entity until the vulnerability is addressed,” it added.

Threat hunting a ‘high priority’

Andrii Bezverkhyi, founder and CEO of cybersecurity start-up SOC Prime, said that the problem with the Log4Shell flaw is that Log4j is used by “every…