Dec 29, 2021 - Technology

Attackers in China using open-source Log4j flaw

Illustration: Annelise Capossela/Axios

A group of Chinese attackers has been using the massive vulnerability in Log4j, a common piece of open-source code, to target a large academic institution, CrowdStrike says.

Why it matters: Experts say hundreds of millions of systems are vulnerable and that attacks based on the flaw are continuing.

The latest: CrowdStrike said its software observed an attack that exploited the Log4j flaw in software from VMware.

  • The attack came from a China-based group dubbed Aquatic Panda that has been conducting intelligence gathering and industrial espionage, CrowdStrike said.

The big picture: Some security experts, including Cybersecurity and Infrastructure Security Agency (CISA) head Jen Easterly, have called the flaw among the worst they have ever seen.

  • Experts have told Axios the Log4j flaw is especially pernicious because the open-source software is widely used within business software and networking gear, often without companies even knowing it is being used. On top of that, the flaw is easily exploited and can provide extensive access.

Be smart: CISA is maintaining a list of known affected products.
