Threats

CISA to brief critical infrastructure companies about urgent new Log4j vulnerability

Log4j is a widely-used open-source logging tool popular in apps including Minecraft, Apple Cloud, Cloudflare and Twitter.

By Tonya Riley

December 13, 2021

(Getty Images)

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency will host a call with critical infrastructure stakeholders Monday afternoon about a critical vulnerability affecting products with the Log4j software library, according to a statement.

CISA sent out an alert Friday that the agency had added the flaw to its list of exploited vulnerabilities, and urged federal and civilian organizations to patch and take steps to mitigate harm immediately. Log4j is a widely-used, open-source logging utility used in numerous cloud and enterprise apps including Minecraft, Apple iCloud, Cloudflare and Twitter, to track software activity. The ubiquity of the tool makes the extent of the zero-day’s potential damage likely wide-reaching.

“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library,” CISA director Jen Easterly said in a statement. “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.”

Cybersecurity researchers noted over the weekend that cybercriminals were racing to take advantage of the newly announced vulnerability.

“We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability,” Easterly said.

Botnets launching malicious cryptocurrency-generation operations have begun to exploit the vulnerability, Sophos researcher Sean Gallagher wrote Sunday. Sophos since Dec. 9 has observed thousands of attempts to exploit the Log4j flaw, including attempts to exfiltrate information from Amazon Web Services keys and other private data.

Researchers have compared the severity of the vulnerability to EternalBlue, which was used in the global WannaCry ransomware attack and the 2014 ShellShock exploit.

While most of the activities researchers have noticed so far are crimes of opportunity with criminals scanning for any vulnerable systems, research firm GreyNoise has noticed the potential for more targeted attacks. Researchers at Microsoft have also noticed attacks using CobaltStrike, which can be used to further compromise vulnerable systems.

CISA to brief critical infrastructure companies about urgent new Log4j vulnerability

More Like This

‘Large volume’ of data stolen from UN agency after ransomware attack

Decade-old malware haunts Ukrainian police

Ex-White House cyber official says ransomware payment ban is a ways off

Top Stories

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

More Scoops

Cyber Safety Review Board needs stronger authorities, more independence, experts say

North Korean hacking ops continue to exploit Log4Shell

Top 12 vulnerabilities list highlights troubling reality: many organizations still aren’t patching

DHS Cyber Safety Review Board to focus on Lapsus$ hackers

Iranian hackers use Log4Shell to mine crypto on federal computer system

Chinese state-sponsored hackers have become more brazen, prompting an NSA advisory

China could be reviewing security bugs before tech companies issue patches, DHS official says

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics