Tue, 25 Jan 2022

US Cyber Officials Bracing for 'Log4j' Vulnerability Fallout

Voice of America
11 Jan 2022, 06:35 GMT+10

WASHINGTON - U.S. cybersecurity officials are still sounding an alarm about the so-called Log4j software vulnerability more than a month after it was first discovered, warning some criminals and nation state adversaries may be waiting to make use of their newfound access to critical systems.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Monday that the vulnerability, also known as Log4Shell, has been subject to widespread exploitation by criminals over the past several weeks, but that more serious and damaging attacks could still be in the works.

"We do expect Log4Shell to be used in intrusions well into the future," CISA Director Jen Easterly told reporters during a phone briefing, adding, "at this time we have not seen the use of Log4shell resulting in significant intrusions."

"This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert," she said.

The vulnerability in the open-source software produced by the U.S.-based Apache Software Foundation, was first discovered in late November by the Chinese tech giant Alibaba. The first warnings to the public went out in early December.

FILE - Lydia Winters shows off Microsoft's Minecraft built specifically for HoloLens at the Xbox E3 2015 briefing before Electronic Entertainment Expo, June 15, 2015, in Los Angeles.


Cybersecurity officials and experts initially described the flaw in the software as perhaps the worst vulnerability ever discovered, noting the software's widespread use - in at least 2,800 products used by both private companies and governments around the world.

CISA on Monday said the vulnerability has impacted hundreds of millions of devices around the world, with many software vendors racing to issue security patches to their customers.

So far, U.S. agencies appear to be unscathed.

"We, at this point, are not seeing any confirmed compromises of federal agencies across the broader country, including critical infrastructure," CISA Executive Assistant Director for Cybersecurity Eric Goldstein told reporters.

But he cautioned the danger has not yet passed despite the lack of destructive attacks by sophisticated hacking groups and foreign adversaries.

"It is certainly possible that that may change, that adversaries may be utilizing this vulnerability to gain persistent access that they could use in the future, which is why we are so focused on remediating the vulnerability across the country and ensuring that we are detecting any intrusions if and when they arise," he said.

Yet there are reports that other countries have already been targeted by cyber actors seeking to exploit the software vulnerability.

Belgium's Ministry of Defense said last month that some of its computer systems went down following an attack in which the Log4j vulnerability was believed to have been exploited.

And some security experts warn other countries, including China, Iran, North Korea and Turkey, have sought to exploit Log4j.

"This activity ranges from experimentation during development, integration of the vulnerabilities to in-the-wild payload deployment, and exploitation against targets to achieve the actor's objectives," Microsoft's Threat Intelligence Center wrote in a blog post last week.

In particular, Microsoft said the Iranian cyber threat actor known as Phosphorus, known for launching ransomware attacks, has already modified the Log4j vulnerability for use in attacks, while the Chinese group known as Hafnium has also used it for some targeting activities.

The private cybersecurity firm CrowdStrike separately assessed that a China-based group called Aquatic Panda sought to use the Log4j vulnerability to target an unnamed academic institution.

CISA on Monday said it could not independently confirm such reports, and further said it had yet to discover any ransomware attacks in which the attackers used the Log4j vulnerability to penetrate the victim's systems.

CISA's director said one reason could be that "there may be a lag between when this vulnerability is being used and when it is being actively deployed."

Easterly also warned about information that U.S. officials are unable to see due to the failure of Congress to pass legislation that would require private companies to report cyberattacks - something the White House and many lawmakers have been advocating for some time.

FILE - In this Feb. 25, 2015 file photo, the Homeland Security Department headquarters in northwest Washington is shown.


"We are concerned that threat actors are going to start taking advantage of this vulnerability and having impacts in particular on critical infrastructure, and because there is no legislation in place, we will likely not know about it," she said.
