U.S. cybersecurity officials are still sounding an alarm about the so-called Log4j software vulnerability more than a month after it was first discovered, warning some criminals and nation state adversaries may be waiting to make use of their newfound access to critical systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Monday that the vulnerability, also known as Log4shell, has been subject to widespread exploitation by criminals over the past several weeks, but that more serious and damaging attacking could still be in the works.
“We do expect Log4Shell to be used in intrusions well into the future,” CISA Director Jen Easterly told reporters during a phone briefing, adding, “at this time we have not seen the use of Log4shell resulting in significant intrusions.”
“This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert,” she said.
The vulnerability in the open-source software produced by the U.S.-based Apache Software Foundation, was first discovered in late November by the Chinese tech giant Alibaba. The first warnings to the public went out in early December.
Cybersecurity officials and experts initially described the flaw in the software as perhaps the worst vulnerability ever discovered, noting the software’s widespread use – in at least 2,800 products used by both private companies and governments around the world.
CISA on Monday said the vulnerability has impacted hundreds of millions of devices around the world, with many software vendors racing to issue security patches to their customers.
So far, U.S. agencies appear to be unscathed.
“We, at this point, are not seeing any confirmed compromises of federal agencies across the broader country, including critical infrastructure,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein told reporters.
But he cautioned the danger has not yet passed despite the lack of destructive attacks by sophisticated hacking groups and foreign adversaries.
“It is certainly possible that that may change, that adversaries may be utilizing this vulnerability to gain persistent access that they could use in the future, which is why we are so focused on remediating the vulnerability across the country and ensuring that we are detecting any intrusions if and when they arise,” he said.
Yet there are reports that other countries have already been targeted by cyber actors seeking to exploit the software vulnerability.
Belgium’s Ministry of Defense said last month that some of its computer systems went down last month following an attack, in which the Log4j vulnerability was believed to be exploited.
And some security experts warn other countries, including China, Iran, North Korea and Turkey, have sought to exploit Log4j.
“This activity ranges from experimentation during development, integration of the vulnerabilities to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” Microsoft’s Threat Intelligence Center wrote in a blog post last week.
In particular, Microsoft said the Iran cyber threat actor known as Phosphorus, known for launching ransomware attacks, has already modified the Log4j vulnerability for use in attacks, while the Chinese group known as Hafnium has also used it for some targeting activities.
The private cybersecurity firm CrowdStrike separately assessed that a Chinese-based group called Aquatic Panda sought to use the Log4j vulnerability to target an unnamed academic institution.
CISA on Monday said it could not independently confirm such reports, and further said it had yet to discover any ransomware attacks in which the attackers used the Log4j vulnerability to penetrate the victim’s systems.
CISA’s director said one reason could be that “there may be a lag between when this vulnerability is being used and when it is being actively deployed.”
Easterly also warned about information that U.S. officials are unable to see due to the failure of Congress to pass legislation that would require private companies to report cyberattacks – something the White House and many lawmakers have been advocating for some time.
"We are concerned that threat actors are going to start taking advantage of this vulnerability and having impacts in particular on critical infrastructure, and because there is no legislation in place, we will likely not know about it," she said.