Security Experts:

CISA Unaware of Any Significant Log4j Breaches in U.S.

CISA Concerned About Risk Posed by Log4Shell to Critical Infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says it’s currently unaware of any significant breaches related to the recently disclosed Log4j vulnerabilities.

In a briefing with reporters on Monday, CISA’s director, Jen Easterly, and Eric Goldstein, executive assistant director for cybersecurity at CISA, said they are not aware of any significant incident, which is likely due to the quick action taken by many organizations.

On the other hand, the CISA officials warned that malicious actors will likely continue to exploit the Log4j vulnerability known as Log4Shell. In addition, threat actors may have already exploited Log4Shell to gain access to the systems of major organizations, but they may be waiting for the right time to further leverage that access to achieve their goals.

Easterly pointed to the massive 2017 Equifax breach, which came to light only months after hackers had exploited a known Apache Struts vulnerability. The Equifax incident was also recently provided as an example by the FTC, which warned earlier this month that companies could face legal action if exploitation of the Log4j flaws leads to a significant data breach.

Log4Shell has impacted millions of systems around the world — thousands of products are affected — and it has been exploited in many attacks by both profit-driven cybercriminals and state-sponsored threat actors. However, CISA told SecurityWeek in late December that it had not been aware of any federal agencies being hit, and that does not seem to have changed.

While no critical infrastructure organizations appear to have been breached in Log4Shell attacks to date, the CISA officials are concerned that the vulnerability could be exploited against critical infrastructure.

Federal agencies have been ordered to patch the vulnerability by December 23 and at least large agencies have met the deadline, CISA said.

To date, the Belgian military appears to be the only government organization to have confirmed suffering a breach as a result of Log4Shell exploitation.

There have also been reports of the China-linked cyberespionage group Aquatic Panda was exploiting Log4Shell to compromise a large academic institution.

Related: Log4Shell Tools and Resources for Defenders - Continuously Updated

Related: Attackers Hitting VMWare Horizon Servers With Log4j Exploits

Related: ICS Vendors Respond to Log4j Vulnerabilities

Related: Another Remote Code Execution Vulnerability Patched in Log4j

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.