CISA Concerned About Risk Posed by Log4Shell to Critical Infrastructure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says it’s currently unaware of any significant breaches related to the recently disclosed Log4j vulnerabilities.
In a briefing with reporters on Monday, CISA’s director, Jen Easterly, and Eric Goldstein, executive assistant director for cybersecurity at CISA, said they are not aware of any significant incident, which is likely due to the quick action taken by many organizations.
On the other hand, the CISA officials warned that malicious actors will likely continue to exploit the Log4j vulnerability known as Log4Shell. In addition, threat actors may have already exploited Log4Shell to gain access to the systems of major organizations, but they may be waiting for the right time to further leverage that access to achieve their goals.
Easterly pointed to the massive 2017 Equifax breach, which came to light only months after hackers had exploited a known Apache Struts vulnerability. The Equifax incident was also recently provided as an example by the FTC, which warned earlier this month that companies could face legal action if exploitation of the Log4j flaws leads to a significant data breach.
Log4Shell has impacted millions of systems around the world — thousands of products are affected — and it has been exploited in many attacks by both profit-driven cybercriminals and state-sponsored threat actors. However, CISA told SecurityWeek in late December that it had not been aware of any federal agencies being hit, and that does not seem to have changed.
While no critical infrastructure organizations appear to have been breached in Log4Shell attacks to date, the CISA officials are concerned that the vulnerability could be exploited against critical infrastructure.
Federal agencies have been ordered to patch the vulnerability by December 23 and at least large agencies have met the deadline, CISA said.
To date, the Belgian military appears to be the only government organization to have confirmed suffering a breach as a result of Log4Shell exploitation.
There have also been reports of the China-linked cyberespionage group Aquatic Panda was exploiting Log4Shell to compromise a large academic institution.
Related: Log4Shell Tools and Resources for Defenders – Continuously Updated
Related: Attackers Hitting VMWare Horizon Servers With Log4j Exploits
Related: ICS Vendors Respond to Log4j Vulnerabilities
Related: Another Remote Code Execution Vulnerability Patched in Log4j
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- New York Man Arrested for Running BreachForums Cybercrime Website
- Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
Latest News
- Backslash Snags $8M Seed Financing for AppSec Tech
- ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- Chrome 111 Update Patches High-Severity Vulnerabilities
- BreachForums Shut Down Over Law Enforcement Takeover Concerns
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Malware Trends: What’s Old Is Still New
- Burnout in Cybersecurity – Can It Be Prevented?
