CISA sees low levels of Log4j exploitation against agencies and critical infrastructure
Officials at the Cybersecurity and Infrastructure Security Agency said Monday that “significant intrusions” related to the Log4j vulnerability have yet to be found in the systems of U.S. federal agencies or critical infrastructure sectors, but stressed that they lack the necessary visibility to fully assess the bug’s impact.

Speaking to reporters Monday, CISA Director Jen Easterly and Executive Director Eric Goldstein said that despite an “unprecedented” level of collaboration with industry and other stakeholders, the agency is not aware of any confirmed breaches within the federal government that relied on the bug, while across critical infrastructure they have seen widespread scanning by criminal threat actors and isolated instances of low-level exploitation, such as installing cryptomining software and takeovers of victim computers for use in botnets.

“At this time we have not seen the use of Log4Shell [aka “Log4j”] resulting in significant intrusions. This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on lower alert,” Easterly said. She noted that in the 2017 Equifax breach, a similar vulnerability in open source Apache Struts software was not used to compromise the organization until months after it had been initially discovered.

There also appear to be few, if any, instances thus far of ransomware groups or advanced persistent threat groups (APTs) leveraging Log4j against the government or critical infrastructure, though several cybersecurity firms have put out research detailing just that.
Easterly said her agency could not independently confirm those reports, but reiterated that the flaw was the most serious she had seen in her career, one that was still “trivial” to exploit and “likely present in hundreds of millions of individual technology assets around the world.” Despite the lack of activity, CISA officials said they remain in a heightened state of concern, as there are several potentially troubling explanations for why activity has been so low, including the possibility that threat actors have already compromised some organizations and established other means of persistent access.

Adding to the complexity, Goldstein noted that because of the way Log4j is used and embedded in so many different products, each vendor must develop its own unique patch for the problem. In engagements with critical infrastructure, Goldstein said the agency was advising entities to focus first on public-facing systems, assets and websites before moving on to internal scrubs.

“This will be a long tail of remediation. … We are prioritizing remediation of internet-connected assets first and foremost because as adversaries conduct their mass scanning, they will be targeting those assets first,” Goldstein said. “Organizations public and private will have a significant amount of work to do to get past those internet-facing assets and mitigate vulnerabilities that are internal to their network as well as with custom software.”