Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

CISA Unaware of Any Significant Log4j Breaches in U.S.

CISA Concerned About Risk Posed by Log4Shell to Critical Infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says it’s currently unaware of any significant breaches related to the recently disclosed Log4j vulnerabilities.

CISA Concerned About Risk Posed by Log4Shell to Critical Infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says it’s currently unaware of any significant breaches related to the recently disclosed Log4j vulnerabilities.

In a briefing with reporters on Monday, CISA’s director, Jen Easterly, and Eric Goldstein, executive assistant director for cybersecurity at CISA, said they are not aware of any significant incident, which is likely due to the quick action taken by many organizations.

On the other hand, the CISA officials warned that malicious actors will likely continue to exploit the Log4j vulnerability known as Log4Shell. In addition, threat actors may have already exploited Log4Shell to gain access to the systems of major organizations, but they may be waiting for the right time to further leverage that access to achieve their goals.

Easterly pointed to the massive 2017 Equifax breach, which came to light only months after hackers had exploited a known Apache Struts vulnerability. The Equifax incident was also recently provided as an example by the FTC, which warned earlier this month that companies could face legal action if exploitation of the Log4j flaws leads to a significant data breach.

Log4Shell has impacted millions of systems around the world — thousands of products are affected — and it has been exploited in many attacks by both profit-driven cybercriminals and state-sponsored threat actors. However, CISA told SecurityWeek in late December that it had not been aware of any federal agencies being hit, and that does not seem to have changed.

While no critical infrastructure organizations appear to have been breached in Log4Shell attacks to date, the CISA officials are concerned that the vulnerability could be exploited against critical infrastructure.

Federal agencies have been ordered to patch the vulnerability by December 23 and at least large agencies have met the deadline, CISA said.

To date, the Belgian military appears to be the only government organization to have confirmed suffering a breach as a result of Log4Shell exploitation.

There have also been reports of the China-linked cyberespionage group Aquatic Panda was exploiting Log4Shell to compromise a large academic institution.

Related: Log4Shell Tools and Resources for Defenders – Continuously Updated

Related: Attackers Hitting VMWare Horizon Servers With Log4j Exploits

Related: ICS Vendors Respond to Log4j Vulnerabilities

Related: Another Remote Code Execution Vulnerability Patched in Log4j

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.