US cybersecurity officials are still sounding the alarm about the so-called Log4j software vulnerability more than a month after it was first discovered, warning that some criminals and nation-state adversaries may be waiting to use the access they have gained to critical systems.
The vulnerability, also known as Log4Shell, has been subject to widespread exploitation by criminals over the past several weeks, the US Cybersecurity and Infrastructure Security Agency (CISA) said on Monday, but more serious and damaging attacks could still be coming.
“We expect Log4Shell to be used well into the future,” CISA director Jane Easterly told reporters during a phone briefing.
“This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are waiting to take advantage of their new reach until network defenders are on low alert.”
The vulnerability in open-source software produced by the US-based Apache Software Foundation was first discovered in late November by Chinese tech giant Alibaba. The first warnings to the public came out in early December.
Cybersecurity officials and experts initially described the software flaw as perhaps the worst ever, given the widespread use of the software in at least 2,800 products used by both private companies and governments worldwide.
CISA said on Monday that the vulnerability affected millions of devices worldwide, with many software vendors rushing to release security patches to their customers.
So far, US agencies appear to have been unaffected.
“We are not, at this point, seeing any confirmed compromises, including critical infrastructure from federal agencies across the broader country,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, told reporters.
But he cautioned that the threat was not over, despite the absence so far of devastating attacks by sophisticated hacking groups and foreign adversaries.
“It is certainly possible that this could change, that adversaries could use this vulnerability to gain persistent access that they could use in the future, which is why we are working to address the vulnerability across the country and we are focusing on making sure that we are tracing any intrusions if and when they arise,” he said.
Yet there are reports that other countries have already been targeted by cyber actors trying to exploit the software vulnerability.
Belgium’s Defense Ministry said last month that an attack that month, believed to have exploited the Log4j vulnerability, had damaged some of its computer systems.
And some security experts warn that actors from other countries, including China, Iran, North Korea and Turkey, have sought to exploit Log4j.
“This activity ranges from experimentation during development, integration of vulnerabilities to in-the-wild payload deployment and exploitation against targets,” Microsoft’s Threat Intelligence Center wrote in a blog post last week.
Notably, Microsoft stated that the Iranian cyber threat actor known as Phosphorus, which is known to launch ransomware attacks, has already adapted the Log4j vulnerability for use in attacks, while the Chinese group known as Hafnium has also used it for some targeting activities.
Private cybersecurity firm CrowdStrike separately assessed that a China-based group called Aquatic Panda sought to use the Log4j vulnerability to target an unnamed educational institution.
CISA said on Monday that it could not independently verify such reports, adding that it had not yet detected any ransomware attacks in which attackers used the Log4j vulnerability to break into victims’ systems.
The CISA director said one reason could be that “there may be a lag between when this vulnerability is being exploited and when it is being actively deployed.”
Easterly also warned about what US officials are unable to see because Congress has failed to pass legislation that would require private companies to report cyberattacks, something the White House and many lawmakers have repeatedly advocated.
“We are concerned that threat actors are starting to take advantage of this vulnerability and impact especially on critical infrastructure, and because there is no law in place, we probably won’t know about it,” she said.