The Log4j vulnerability was only disclosed publicly earlier this month, but already it has set alarm bells ringing around the world, with the flaw described as a “severe risk” to the entire internet. The critical issue was found in Apache Log4j, a Java logging library used in a wide range of popular services, such as the Java edition of hit game Minecraft, Apple’s iCloud service (used to back up iPhone and Mac devices) and PC gaming service Steam. Apple moved swiftly to patch the vulnerability, and a fix has been rolled out for Minecraft, but for other affected services it could take weeks or even months until they are in the clear, since the library is often bundled deep inside third-party software rather than installed directly.
And now hackers have made the threat, which one expert said had set the internet “on fire”, even worse by using it to spread the notorious Dridex banking malware.
This trojan, also known as Bugat and Cridex, was originally developed to steal online banking credentials, which in and of itself is dangerous enough. (It should not be confused with Meterpreter, the Metasploit post-exploitation payload, which researchers saw the same Log4j campaign dropping on Linux hosts while Windows victims received Dridex.)
But the malware has since evolved to also be capable of installing other payloads, taking screenshots and even spreading to other devices.
The use of Log4j to install the banking malware was revealed by the cybersecurity research group Cryptolaemus, which wrote on Twitter: “We have verified distribution of Dridex 22203 on Windows via #Log4j”.
When the Log4j vulnerability was first discovered the severity of the threat was underlined by Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency (CISA).
Easterly, who has 20 years in federal cybersecurity roles, said Log4j posed a “severe risk” to the entire internet and was one of if not the worst threat she had seen in her career.
Easterly said: “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.
“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious.
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage.”
Jay Gazlay, from CISA’s vulnerability management office, added that hundreds of millions of devices were likely affected by the Log4j vulnerability.
Adam Meyers, from cybersecurity firm CrowdStrike, warned: “The internet’s on fire right now. People are scrambling to patch, and all kinds of people scrambling to exploit it.”
Published at Tue, 21 Dec 2021 17:58:24 +0000