Although the bug’s impact has so far been muted, US official says there are limits to what CISA can know
Still, officials said the threats posed by Log4j – a free bit of code that logs activity in computer networks and applications – are likely to be a serious and long-lasting problem for organizations large and small due to the ubiquity of the software.
“The scale and potential impact of this makes it incredibly serious,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency. Despite the lack of major attacks so far, Ms Easterly said she considered the Log4j problem to be “the most serious vulnerability” in her decades-long career, and she was concerned about the long-term risks to networks that control critical US infrastructure.
Ms Easterly said the flaw has so far led to “widespread criminal activity” that mostly involved installing cryptocurrency mining software or botnet code on vulnerable devices. She said some hackers wait to do more damage after entering a network, and added that there are limits to what CISA can know because victim organizations often don’t report intrusions to the government.
Researchers have said the Log4j flaw, publicly disclosed a month ago after it was discovered by a Chinese security team, is particularly worrisome because the free Java-based software is used in a range of products including security software, networking tools and videogame servers. The exact number of users of Log4j is impossible to know, but according to the organization that built it, the Apache Software Foundation, the software has been downloaded millions of times.
Ms Easterly said a public list of products found to contain the flaw, which CISA established in the wake of its discovery, has received more than 2,800 submissions detailing Log4j-related issues in various commercial products that include the code. She said millions of personal devices are likely to be at risk.
The administration did not confirm that hackers backed by foreign governments are exploiting the Log4j flaw, but “it is certainly possible that this could change,” said Eric Goldstein, executive assistant director of cybersecurity at CISA. Senior officials have separately stated that they expect such activity to be inevitable.
Multiple US-based cybersecurity firms and Microsoft Corporation said in December that they had identified hackers linked to China, Iran and other governments taking advantage of the Log4j vulnerability. Given the added geopolitical importance of doing so, the US government is often slower than private companies to formally attribute cyberattacks to foreign governments.
The impact of the Log4j bug overseas has been far more pronounced than in the US, with the Belgian Defense Ministry reporting a breach of its system. In addition, businesses ranging from a German chemical company to a Milwaukee-based industrial-parts supplier have rushed to shore up their networks while taking parts of them offline as a precaution.
The Federal Trade Commission last week urged organizations to fix the Log4j flaw with available patches to avoid the risk of potential legal action from the agency.
Write to Dustin Volz at [email protected]