The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released Wednesday an advisory offering vendors and affected organizations a detailed guide on how to deal with potential risks to IT and cloud services posed by an exploit in Apache Log4j’s software library.
“This joint CSA expands on the previously published guidance by detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities,” the advisory states.
The warning was issued alongside the FBI and National Security Agency and the security agencies of Five Eyes intelligence partners, Australia, Canada, New Zealand, the United Kingdom.
“Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks,” CISA Director Jen Easterly said in a statement.
The alert follows previous guidance from CISA that organizations immediately patch for the vulnerability as well as an emergency directive last week that all U.S. federal civilian executive branch agencies need to assess their internet-facing systems for the vulnerability, known as Log4Shell, and immediately patch or mitigate by Dec. 23.
The guidance focuses on securing internet-facing devices and systems against Log4Shell-related attacks. However, the alert warns that Java is also ubiquitous throughout IT and OT systems and unsegmented networks present a risk of invaders moving laterally between systems. The alert warns organizations to treat any products that use Log4j as suspect and keep a meticulous record of patching in order to monitor for unusual behavior.
The joint agencies “assess that exploitation of these vulnerabilities, especially Log4Shell, is likely to increase and continue over an extended period” and “strongly urge all organizations to apply the recommendations…to identify, mitigate, and update affected assets.” The most recent patch was issued on Dec. 18.
CISA, FBI, and NSA previously released an alert providing organizations with details on a state-sponsored threat actor, including notes on previous malicious cyber operations as well as mitigations.
Researchers have already seen attackers rushing to use the bug to launch ransomware and cryptocurrency mining schemes. Researchers at Mandiant and Microsoft have also observed cybercriminals tied to the governments of China, Iran, North Korea and Turkey exploiting the vulnerability.