
Despite feeling impacts in 2021 from a U.S. government clampdown, Huawei still led the global telecom equipment market by far during the first three quarters. In Q1-Q3 market takeaways from Dell’Oro Group, the firm said ongoing efforts by the U.S. to curb the Chinese vendor started to appear in Huawei’s results, particularly outside of China. “At the same time, Huawei continued to dominate the global market, still nearly as large as Ericsson and Nokia combined,” wrote Dell’Oro analyst Stefan Pongratz. Cumulative revenues for the telecom market were around $100 billion. Together, seven vendors captured around 80% of the global market share, which Dell’Oro said remained relatively stable. Nokia and Ericsson each had around 15% share of total revenues, compared to about 29% for Huawei alone. Another 20% or so was taken by ZTE (11%), Cisco (6%), Samsung (3%), and Ciena (3%). Still, compared to 2020, Huawei is losing some ground, according to Dell’Oro. Amid a U.S. push to keep Huawei out of 5G networks over security risks, other governments made moves to exclude or limit the Chinese vendor, including the U.K. last year. Meanwhile, Dell’Oro sees ZTE and Samsung on an upswing year-to-date, with Samsung gaining a percentage point driven by share gains in the RAN business, according to Pongratz. Overall, the telecom equipment market neared double-digit year-over-year growth for the first nine months. Dell’Oro estimates 9% growth in total equipment revenues year to date versus 2020, with 6% growth in Q3. The report covers equipment segments of broadband access, microwave and optical, transport, mobile core network and RAN, SP router, and switch. Huawei’s lead in the equipment market contrasts with its consumer smartphone business, which was hurt by U.S. sanctions and earlier placement on the Commerce Department’s Entity List in 2019.
Huawei held a 17% share of global smartphone shipments in the first quarter of 2020 but contracted rapidly after Q2 2020, declining to just a 4% share in Q1 2021, according to Counterpoint Research. It spun off its budget smartphone brand Honor so it could survive and gain access to key components that were cut off as part of U.S. actions, after which Honor in August became the third-largest smartphone brand in China in the low-mid segment with a 15% share. Apple in October moved to the No. 1 position in China with a 22% share of smartphone sales in the country, ahead of Vivo and Oppo, as well as Huawei, which trailed in the premium smartphone market with just an 8% share. Huawei’s Q3 results showed trouble in the consumer business as overall sales plunged 38%. Huawei didn’t break out its quarterly results by business segment but attributed revenue declines to consumers. "Overall performance was in line with forecast," said Guo Ping, Huawei's Rotating Chairman, in a statement. "While our B2C business has been significantly impacted, our B2B businesses remain stable." In the first three quarters, Huawei still generated revenue of CNY455.8 billion ($71.5 billion) with a net profit margin of 10.2%. That compares to network equipment rivals Ericsson and Nokia, which in the first nine months of 2021 reported respective net sales of SEK 161 billion ($17.78 billion) and EUR 15.788 billion ($17.85 billion). On the telecom gear market front, Dell’Oro said positive Q3 momentum was driven by strong growth in RAN and broadband access, including surging demand for 5G and fixed wireless access CPEs.

Hundreds of millions of devices around the world could be exposed to a newly revealed software vulnerability, as a senior Biden administration cyber official warned executives from major US industries Monday that they need to take action to address "one of the most serious" flaws she has seen in her career. As major tech firms struggle to contain the fallout from the incident, US officials held a call with industry executives warning that hackers are actively exploiting the vulnerability. "This vulnerability is one of the most serious that I've seen in my entire career, if not the most serious," Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said on a phone call shared with CNN. Big financial firms and health care executives attended the phone briefing. "We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damaging incidents," Easterly said. CNN has reached out to CISA for comment on the call. CyberScoop, a technology news site, first reported on the contents of the call. It's the starkest warning yet from US officials about the software flaw since news broke late last week that hackers were using it to try to break into organizations' computer networks. It's also a test of new channels that federal officials have set up for working with industry executives after the widespread hacks exploiting SolarWinds and Microsoft software revealed in the last year. Experts told CNN it could take weeks to address the vulnerabilities and that suspected Chinese hackers are already attempting to exploit them. The vulnerability is in Java-based software known as "Log4j" that large organizations, including some of the world's biggest tech firms, use to log information in their applications. Tech giants like Amazon Web Services and IBM have moved to address the bug in their products. 
It offers a hacker a relatively easy way to access an organization's computer server. From there, an attacker could devise other ways to access systems on an organization's network. The Apache Software Foundation, which manages the Log4j software, has released a security fix for organizations to apply. But attackers had more than a week's head start on exploiting the software flaw before it was publicly disclosed, according to cybersecurity firm Cloudflare. Organizations are now in a race against time to figure out if they have computers running the vulnerable software that were exposed to the internet. Cybersecurity executives across government and industry are working around the clock on the issue. "We're going to have to make sure we have a sustained effort to understand the risk of this code throughout US critical infrastructure," Jay Gazlay, another CISA official, said on the phone call. Chinese-government-linked hackers have already begun using the vulnerability, according to Charles Carmakal, senior vice president and chief technology officer for cybersecurity firm Mandiant. Mandiant declined to elaborate on what organizations the hackers were targeting. "Over time, everybody can arm the damn thing," Mandiant CEO Kevin Mandia told CNN, referring to the vulnerability. "That's the problem. And there'll probably be great hackers hiding in the noise of the not-so-great." The "noise" is a real problem. For cybersecurity professionals, Twitter has been a constant churn of both useful information and, in some cases, misinformation that has nothing to do with the vulnerability.

Every version of Windows is at risk due to a scary zero-day vulnerability after Microsoft failed to properly patch a similar flaw, a cybersecurity researcher claims. The newly discovered exploit is currently a proof-of-concept, but researchers believe ongoing small-scale testing and tweaking is setting the stage for a wider-reaching attack. “During our investigation, we looked at recent malware samples and were able to identify several [bad actors] that were already attempting to leverage the exploit,” Nic Biasini, Cisco Talos’ head of outreach, told BleepingComputer. “Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns.” The vulnerability takes advantage of a Windows Installer bug (tracked as CVE-2021-41379) that Microsoft claims to have patched earlier this month. This new variant gives users the ability to elevate local privileges to SYSTEM privileges, the highest user rights available on Windows. Once in place, malware creators can use those privileges to replace any executable file on the system with an MSI file to run code as an admin. In short, they can take over the system. Over the weekend, security researcher Abdelhamid Naceri, who discovered the initial flaw, published proof-of-concept exploit code to GitHub that works despite Microsoft’s patch release. Even worse, Naceri believes this new version is even more dangerous because it bypasses the group policy included in the admin install of Windows. “This variant was discovered during the analysis of the CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass. I have chosen to actually drop this variant as it is more powerful than the original one,” Naceri wrote. BleepingComputer tested Naceri’s exploit and, within “a few seconds,” used it to open a command prompt with SYSTEM permissions from an account with “standard” privileges.
While you shouldn’t be too worried just yet, this vulnerability could put billions of systems at risk if it’s allowed to spread. It’s worth reiterating that this exploit gives attackers admin privileges on the latest Windows OS versions, including Windows 10 and Windows 11. We’re talking about more than 1 billion systems. This isn’t a remote exploit though, so bad actors would need physical access to your device to carry out the attack. Microsoft labeled the initial vulnerability as medium-severity, but Jaeson Schultz, a technical leader for Cisco’s Talos Security Intelligence & Research Group, stressed in a blog post that the existence of functional proof-of-concept code means the clock is ticking on Microsoft releasing a patch that actually works. As it stands, there is no fix or workaround for this flaw. Naceri, who told BleepingComputer that he didn’t give Microsoft notice about the vulnerability before going public as a way to petition against smaller payouts in Microsoft’s bug bounty program, advises against third-party companies releasing their own patches because doing so could break the Windows installer. Microsoft is aware of the vulnerability but didn’t provide a timeline for when it will release a fix. “We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine,” Microsoft told BleepingComputer.