U.S. cyber officials issued an emergency directive Friday giving all federal civilian agencies until Dec. 23 to assess their internet-facing networks for the Apache Log4j vulnerability and immediately patch the systems, or take other measures to mitigate the software flaw.
The directive, issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, comes in response to “the active exploitation by multiple threat actors” of the Log4j bug, which has roiled the information security community since it emerged Dec. 10 as a vulnerability in widely used logging software. The directive also requires agencies to report to CISA by Dec. 28 all software applications affected by the bug by name and version, and what actions were taken.
“The log4j vulnerabilities pose an unacceptable risk to federal network security,” CISA Director Jen Easterly said in a statement. “If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats.”
The directive is based on current exploitation of the Log4j vulnerabilities, the likelihood of exploitation, the prevalence of affected software among federal agencies, and the potential impact of a successful compromise, Easterly’s statement said.
The directive, first reported by CNN, comes amid escalating concern about how hackers would leverage the vulnerability to launch ransomware attacks or take remote control of affected systems. In comments first reported by CyberScoop, Easterly said Dec. 14 that the bug was perhaps “the most serious” she’d seen in her career, and expected it to be “widely exploited.” Another top CISA official, Jay Gazlay, estimated that hundreds of millions of devices” were likely to be affected.
The same day, threat intelligence analysts at Microsoft and cybersecurity firm Mandiant said they’d seen indications that nation-state hackers associated with the governments of China, Iran, North Korea and Turkey had begun to experiment with and leverage the bug in hacking campaigns.
On Friday, cybersecurity firm AdvIntel posted an analysis stating that hackers working with the Conti ransomware group, one of the most prolific and concerning ransomware operations, started to use the vulnerability in active ransomware attacks on Dec. 15.