A top government cyber official said Tuesday that the Cybersecurity and Infrastructure Security Agency hasn’t seen hackers compromise federal agencies by exploiting the Apache Log4j vulnerability — but the agency’s still fearful of widespread attacks stemming from it.
Most of all, CISA’s Eric Goldstein said during a phone call Tuesday evening, the government is eager for help from the public in assembling a comprehensive list of all the products that might be susceptible to hackers using the vulnerability, known as Log4Shell in the widely deployed logging library, which the agency expects could affect hundreds of millions of devices or more.
CISA and private sector cybersecurity investigators have struck exceptionally dire notes about the potential fallout that have not, as of yet, come to fruition. It’s that unknown potential, however, that has prompted CISA to try to get organizations to patch their systems and take other steps to secure them.
“Certainly given the nature of this vulnerability, the triviality of exploitation, the ubiquity of the presence across enterprise, consumer and IoT [internet of things] products — really, our broad focus here is driving mitigation across the board, recognizing that malicious cyber actors of all types may decide to use this vulnerability to achieve a variety of attack types or drive a variety of malicious ends,” said Goldstein, executive assistant director of at CISA, a wing of the Department of Homeland Security.
Via the vulnerability, attackers could gain “potentially deep access into a target network, possibly allowing them to exfiltrate information or cause other harmful attacks,” Goldstein said.
Goldstein said that beyond no confirmation of federal agencies being compromised, CISA also has seen no impact on “national critical functions,” a category of potential targets that if attacked could have severe effects on national security, the economy or public health. CISA has directed federal agencies to take action in response to the Log4j vulnerability.
There have been signs, outside CISA’s warnings, of hackers working to seize on Log4Shell. Bitdefender on Monday said it had seen a specific ransomware family, Khonsari, spring up in connection to the vulnerability. Charles Carmakal, senior vice president and chief technology officer of Mandiant, said the company has seen Chinese government-connected hackers exploiting the flaw.
Goldstein said CISA has not verified Mandiant’s attribution on Chinese attackers and had no further information to share on Khonsari.
Mandiant said further on Tuesday that both Chinese and Iranian government hackers had been using the vulnerability, perhaps to create footholds for further activity and working from a “wish list” of targets.
“The Iranian actors who we have associated with this vulnerability are particularly aggressive, having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain,” said John Hultquist, the company’s vice president of intelligence analysis. “They are also tied to more traditional cyber espionage.”
CISA’s list of software related to the Log4j vulnerability is already extensive.
“One of our really important lines of effort here is ensuring that we have a complete and comprehensive list of impacted products,” Goldstein said.
“So we have a call to action for security researchers and the broader cyber community,” he said. “If you go to our GitHub page where we have created our list of vulnerable products, and if anybody sees a product that they think is vulnerable and is not on our page, please there’s a page to upload or notify us of that vulnerable product.”
Updated, 12/14/21: Included further Mandiant comment.