We're now living in the era of the mega-hack. More than ever, software flaws are being seized on by sophisticated hackers who take these bugs -- and use them to create attacks that compromise the computer systems of thousands of organisations, all at once.
Newly discovered vulnerabilities in Microsoft's Exchange Server provide a good example of this evolution. The flaws were seized on by (likely China-backed) hackers as a way to attack networks, with of systems apparently compromised in a widespread attack. At least 10 other groups are thought to be attempting to use the same exploits, and now cyber criminals are piggy-backing on the original attack in an attempt to deliver ransomware too.
Bugs exist wherever there is software, despite attempts to eradicate them. What we're seeing now is a growing ability and desire from hackers to turn these bugs into attacks. Increasingly, the same software applications and tools are being used by companies around the world. Some may not even be aware of the software code they are relying on, such is the interconnected world of tech products. And even if they do know the software they are using, too many companies fail to update it even when warned about vulnerabilities by software vendors.
Hacking groups have different motivations: state-backed hackers want to gain access to as many systems as possible before deciding which have strategic value (either a source of intelligence or as a stepping-stone to compromising other systems); cyber criminals want to break in where they can to either steal data or deliver money-making ransomware. Either way, threat actors are now sophisticated enough to respond to weaknesses quicker than ever before. That's bad for everyone.
A software flaw doesn't affect just one company, but can put thousands or even tens of thousands at risk as hacking groups seize on a new bug and race to exploit it, breaking into as many systems as possible before a fix is found and applied. Some companies used to think they were too small to be targeted, but will sadly discover that crooks will attack -- and potentially destroy -- their business, just on the off-chance that a ransom will be paid. Others will find that cutting costs by not patching software flaws is a false economy, to say the least.
So what can be done? Projects that aim to fix bugs in everything -- starting with programming languages and the basic code (often open-source) that underpins software applications -- are a start. Encouraging secure code as a standard is a must. Companies must also understand that legacy systems may contain vulnerabilities, and that patching is not optional. Longer-term, the ransomware threat must be addressed and better international rules around state-backed hacking put in place. Neither of those is going to be an easy problem to tackle.
Right now, we need to realise that the stakes are increasing -- and rapidly.
ZDNET'S MONDAY MORNING OPENER
The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.