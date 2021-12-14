

Washington (CNN) – Hundreds of millions of devices around the world could be exposed to a recently disclosed software vulnerability. A senior cyber official in the Biden administration on Monday warned executives of major US industries that they must take steps to address “one of the most serious” vulnerabilities he has seen in his career.

As major tech companies struggle to contain the fallout from the incident, US officials held a call with industry executives warning that hackers are actively exploiting the vulnerability.

“This vulnerability is one of the most serious I’ve seen in my entire career, if not the most serious,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), in a phone call shared with CNN. Large financial firms and healthcare executives attended the telephone briefing.

“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take the necessary steps to reduce the likelihood of harmful incidents,” Easterly said.

CNN has reached out to CISA for comment on the call. CyberScoop, a technology news site, first reported on the content of the call.

Severe warning

It is the severest warning yet from US officials about the software flaw since it became known late last week that hackers were using it to try to break into organizations’ computer networks. It is also a test of new channels that federal officials have established to work with industry executives after the widespread attacks exploiting SolarWinds and Microsoft software that were revealed in the last year.

Experts told CNN that it could take weeks to address the vulnerability and that suspected Chinese hackers are already trying to exploit it.

The vulnerability is in Java-based software known as “Log4j” that large organizations, including some of the world’s largest technology firms, use to log information in their applications. Technology giants such as Amazon Web Services and IBM have mobilized to address the flaw in their products.

It offers a hacker a relatively easy way to access an organization’s computer server. From there, an attacker could devise other ways to access systems on an organization’s network.

The Apache Software Foundation, which maintains the Log4j software, has released a security fix for organizations to apply.

Race against time to fix the defect

But attackers had more than a week’s head start to exploit the software flaw before it was publicly disclosed, according to the cybersecurity firm Cloudflare.

Organizations are now in a race against time to find out if they have computers running vulnerable software that was exposed to the Internet. Cybersecurity executives from across government and industry are working 24 hours a day on this issue.
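As an added example that is not part of the CNN report, here is a small Python script covering the first step of that check: inventorying a filesystem for copies of the log4j-core library, including copies bundled inside other archives such as war files, and reporting the version each one carries so it can be compared against the affected range in the Apache advisory. The file names, the sample archives and the placeholder version string are constructed here for demonstration and do not correspond to any real release.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Entries that identify a copy of the log4j-core artifact inside an archive.
LOG4J_CLASS_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(zf: zipfile.ZipFile) -> Optional[str]:
    """Return the Maven version recorded in pom.properties, or None if absent."""
    try:
        text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data: bytes, label: str, findings: List[Tuple[str, str]]) -> None:
    """Inspect one archive, then recurse into archives nested inside it.
    Nested archives are the usual blind spot: a war or fat jar bundles
    log4j-core where a search by file name never sees it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        if any(n.startswith(LOG4J_CLASS_PREFIX) for n in names):
            findings.append((label, _version_from_pom(zf) or "unknown"))
        for n in names:
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(n), f"{label}!{n}", findings)


def find_log4j_core(root: str) -> List[Tuple[str, str]]:
    """Walk root and return sorted (location, version) pairs for every
    log4j-core copy found. '!' separates an outer archive from a nested path."""
    findings: List[Tuple[str, str]] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path), findings)
    return sorted(findings)


# --- constructed sample tree, so the scanner can be exercised offline -------

SAMPLE_VERSION = "0.0.0-constructed"  # placeholder, not a real Log4j release


def _make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Write a plain log4j-core jar, a war that nests the same jar, and an
    unrelated jar; all three are constructed here for demonstration."""
    core_jar = _make_zip({
        LOG4J_CLASS_PREFIX + "Core.class": b"",
        POM_PROPERTIES: f"version={SAMPLE_VERSION}\n",
    })
    other_jar = _make_zip({"com/example/App.class": b""})
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    Path(root, "lib", "log4j-core-sample.jar").write_bytes(core_jar)
    Path(root, "app.war").write_bytes(
        _make_zip({"WEB-INF/lib/log4j-core-sample.jar": core_jar}))
    Path(root, "lib", "other.jar").write_bytes(other_jar)


def demo_scan() -> List[Tuple[str, str]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_log4j_core(tmp)


if __name__ == "__main__":
    for location, version in demo_scan():
        # Compare each reported version against the affected range in the
        # Apache Log4j advisory before deciding whether a host needs patching.
        print(f"{version:>20}  {location}")
```

The script deliberately keys on the package path of the classes rather than on the jar's file name, because renamed, shaded or bundled copies are exactly the ones an inventory based on file names misses; the version comparison itself is left to the reader so that the affected range comes from the vendor advisory rather than being hard-coded here.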

“We will have to ensure that we make a sustained effort to understand the risk of this code across critical infrastructure in the US,” Jay Gazlay, another CISA official, said in the phone call.

Hackers linked to the Chinese government have already started using the vulnerability, according to Charles Carmakal, senior vice president and chief technology officer at cybersecurity firm Mandiant. Mandiant declined to give details about the organizations the hackers were targeting.

“Over time, everyone can put the damn thing together,” Mandiant CEO Kevin Mandia told CNN, referring to the vulnerability. “That’s the problem. And there will probably be great hackers hiding in the noise of the not-so-good ones.”

The “noise” is a real problem. For cybersecurity professionals, Twitter has been a constant stream of both useful information and, in some cases, misinformation that has nothing to do with the vulnerability.

They tackle the problem

To address the problem, CISA said it would establish a public website with information on which software products were affected by the vulnerability and the techniques that hackers were using to exploit it.

“This will be a multi-week process in which new players are exploiting the vulnerability,” Eric Goldstein, CISA’s deputy executive director of cybersecurity, said in the phone call.

The ubiquity of the software forced cybersecurity professionals across the country to spend the weekend checking to see if their systems are vulnerable.

“For most of the information technology world, there was no weekend,” Rick Holland, director of information security at cybersecurity firm Digital Shadows, told CNN. “It was just another long set of days.”

CNN’s Geneva Sands contributed to this report.