Federal officials cautioned Monday that, while the widespread Log4j vulnerability hasn’t led to any major known intrusions in the U.S., there could be a “lag” between when the flaw became known, and when attackers exploit it.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly said that there were months between the discovery of the vulnerability that led to the 2017 Equifax breach, which exposed the personal information of nearly 150 million Americans, and word of the breach itself, invoking one of the most notable hacks in history.
“We do expect Log4j to be used in intrusions well into the future,” Easterly said on a call with reporters. “There may be a lag between when this vulnerability is being used and when it is being actively deployed.”
Apache Struts, an open-source tool, was at the center of the Equifax breach, and Apache’s Log4j is a ubiquitous open-source logging tool. Easterly said that CISA, a division of the Homeland Security Department, has catalogued Log4j’s presence in more than 2,800 distinct commercial products. That means it’s likely present in hundreds of millions of tech assets, she said.
Further, exploiting the so-called Log4Shell vulnerability — which Easterly has deemed the most severe she’s seen in her career — “is pretty trivial,” she said.
“A threat actor can use the vulnerability to compromise the target system by typing only 12 characters into a text message, email subject line or chat window,” she said.
Easterly credited the work of her agency, industry, international governments and the research community for leading a patching effort that also might have stymied the influx of Log4j-related intrusions.
That doesn’t mean everyone has remained unscathed since its uncovering one month ago. Attackers took down the Belgian Defense Ministry using the exploit, and an unnamed “large academic institution” is among the victims, reportedly at the hands of Chinese hackers.
U.S. government agencies appear to have been spared so far, said Eric Goldstein, executive assistant director for cybersecurity at CISA. While CISA says that unspecified “large” agencies have met CISA’s patching deadlines, Goldstein didn’t say when smaller agencies that haven’t met the deadline would be up to speed.
“We’re working with each of these agencies, side by side and day by day. We have dedicated teams who are focusing on helping each of the agencies along in this process,” he said. “The number of impacted assets at these agencies are small and so we do hope that they will be able to fully remediate these assets in short order.”
Additionally, Goldstein said, “We have no confirmed ransomware intrusions where we can authoritatively say the Log4Shell was used at the originating vulnerability for the intrusion.”
Security researchers have said ransomware gangs are using the vulnerability in ransomware attacks.