New cyber vulnerability poses 'severe risk,' DHS says
The vulnerability is linked to a commonly used piece of software called Log4j.
Late Saturday, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent statement about a new cyber vulnerability that could touch a wide swath of the internet.
"This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use," CISA Director Jen Easterly said in a statement.
"To be clear, this vulnerability poses a severe risk," Easterly said.
The vulnerability is linked to a commonly used piece of software called Log4j, a utility that runs in the background of many commonly used software applications.
"It's probably one of the most ubiquitous software components on the internet today," Tony Turner, VP of Security Solutions for the cyber-security company Fortress, told ABC News. Turner said the vulnerability impacts everything from gaming systems and consumer platforms to critical infrastructure and the Department of Defense.
"Why this is so important is it is trivial to exploit," Turner said. "Anyone can do this, like teenagers and kids are playing around with this [vulnerability] like it's a game."
Cybersecurity experts inside and outside the government have been working around the clock this weekend to try to get their arms around this problem. "IT security teams around the world have been burning midnight oil all weekend and will continue and this is not a weekend problem, this is a months and months from now problem," Turner said.
Microsoft issued an alert saying the software giant is "monitoring the threat landscape for attacks and developing customer protections."
"Our security teams have been conducting an active investigation of our products and services to understand where Apache Log4j may be used and are taking expedited steps to mitigate any instances," an alert from Microsoft said.
An Amazon Web Services blog post said, "This vulnerability is severe and due to the widespread adoption of Apache Log4j, its impact is large."
Rob Joyce, who serves as the National Security Agency's director of cybersecurity, said in a tweet the Log4j vulnerability is a "significant threat for exploitation due to the widespread inclusion in software frameworks."
Other countries have also warned of the software vulnerability. Germany said it is a "very high" threat.
Sources say it may be weeks before the vulnerability -- and how it has been exploited -- is better understood.
The problem is that Log4j is widely used and touches large swaths of the internet -- from cell phones to e-commerce to gaming platforms to internet connected devices in homes and offices.
"I think this is bigger than SolarWinds, it's bigger than Colonial [pipeline] or Kaseya. That's just because of the reach just because of the ubiquitous nature and the ease of exploitation here," Turner told ABC News.
"This is probably one of the most important vulnerabilities of all time… we're still trying to understand the ultimate reach of this and I think we're going to be unpacking this for years to come," Turner said.