The U.S. cybersecurity agency can't rule out that adversaries are using Log4j to gain persistent access to launch attacks later.

Officials at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) say that despite initial fears of widespread compromise, they have yet to see significant harm stemming from a vulnerability in the Java-based Log4j logging utility that became public in December. They can't rule out, however, that adversaries have already used the vulnerability to silently monitor targeted machines, biding their time for later attacks.

“We’ve been actively monitoring for threat actors looking to exploit” the vulnerability, and “at this time we have not seen the use [of the vulnerability known as Log4Shell] in significant intrusions,” Jen Easterly, director of CISA, said at a press briefing. “Adversaries may be utilizing this vulnerability to gain persistent access that they could use in the future, which is why we are so focused on remediating the vulnerability across the country and ensuring that we are detecting any intrusions if and when they arise.”

[Note: Microsoft reported on the evening of 1/10 that as early as January 4, attackers started exploiting the Log4Shell vulnerability in internet-facing systems running VMware Horizon and that its investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware.]

However, the vulnerability has been exploited by threat actors in minor ways. “We are seeing some prevalence of what we would call low-level activities, such as installation of cryptomining and software installation of malware that could be used historically in botnets,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said.
CISA’s binding operational directive immediately kicked into gear

CISA has taken a lead role in helping federal agencies and the private sector manage the widespread threat of the Log4Shell vulnerability, the first of four critical flaws discovered in the Log4j software deployed on hundreds of millions of machines worldwide. The same weekend news of the flaw stunned the information security industry, CISA added the flaw to its catalog of known exploited vulnerabilities.

By doing so, CISA triggered a binding operational directive issued in November, which mandates all civilian agencies urgently patch their systems wherever patches are available. The agency quickly realized, however, that it needed “to build upon the binding operational directive to further prioritize remediation and ensure that mitigations were in place for technology assets where patches were not yet available,” Goldstein said.

CISA set up a public catalog to receive submissions detailing products that contain potential Log4j vulnerabilities, which to date has more than 2,800 submissions. Pivoting to a shared service, a vulnerability disclosure platform run through disclosure company Bugcrowd, security researchers found 17 previously unidentified products that were vulnerable to Log4Shell, all of which were remediated before any intrusion could occur, Goldstein said.

Even though CISA’s remit is restricted to the federal government, it also aims to send a “strong signal” to all organizations about how to deal with the Log4j flaws, prioritizing a few key areas. Chief among them is to make it easier “for organizations to understand and prioritize the prevalence of vulnerable libraries and components across their environments” through a software bill of materials (SBOM), an “ingredient list” of libraries.
SBOMs are “invaluable to help an organization ideally and automatically understand if they are exposed to a given vulnerability and then quickly pivot to remediation.”

Lack of incident reporting requirement is a handicap

One handicap CISA faces in helping non-federal organizations is the absence of any mandatory incident reporting requirement, leaving the agency somewhat in the dark in terms of spotting Log4j-related incidents. In December, cyber incident reporting standards were included in the compromise version of the National Defense Authorization Act (NDAA) but were pulled at the last minute.

“We have not seen any significant intrusions, but none have been reported to us,” Easterly said. “We are concerned that threat actors are going to start taking advantage of this vulnerability having impacts in particular on critical infrastructure. Because there is no legislation in place, we will likely not know about it.”

No confirmed ransomware intrusions yet

Despite a rumored ransomware attack that exploited the Log4j flaw on Belgium’s Ministry of Defense in late December, “we have no confirmed ransomware intrusions where we can authoritatively state that Log4Shell was used as the originating vulnerability for the intrusion,” Goldstein said. “We know today that many ransomware intrusions are not reported to the U.S. government in the first instance. Those that are are often not accompanied by the sort of technical information that would be useful to understand which vulnerability was utilized by the threat actor.”

Even so, Easterly said that “one of the things that I continue to be very concerned about are the ransomware attacks we are seeing on hospitals, and so, we are keeping a very close eye.”

Industrial control systems should be disconnected from the internet

Industrial control systems are a particular source of concern that CISA has sought to address during this crisis. “In addition to being US-CERT, we are also the ICS-CERT.
We have an incredible amount of expertise in this area. A lot of the outreach we’ve been doing includes hundreds of vendors of ICS components to affirmatively determine whether their products were indeed vulnerable and then coordinate communication to customers on needed steps.”

Goldstein reinforced the notion that operational technology networks of critical infrastructure organizations should be disconnected from the internet altogether as the best protection against Log4j vulnerability compromises. “These assets should not be facing the internet for control systems applications in almost every instance. Focusing on removing that as a threat factor will diminish a significant portion of the risk.”

The flaw’s origin remains murky

In terms of the origin of the flaw, a researcher at Alibaba’s cloud group in China reportedly called the Apache Foundation, which administers the Java logging framework, on November 24 to privately notify it of the flaw’s existence. Before Apache could release a patch, the researcher alerted the foundation that Chinese users were already discussing it, indicating that hackers might have been trying to exploit it before it became public.

Consequently, the Chinese government reportedly suspended its contract with Alibaba’s cloud group over what it perceived to be a failure to report the Log4j2 software flaw to Beijing in a timely fashion. Goldstein said that CISA could not independently confirm these reports, nor can it independently confirm any interactions between the Chinese state and the researcher.
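The SBOM point CISA makes above, that a machine-readable "ingredient list" lets an organization automatically check whether it is exposed to a given vulnerability, is easy to see in code. The following is an added example, not code from the article, from CISA or from the Log4j project: it walks a constructed CycloneDX-style SBOM (including components nested inside other components, where transitive copies of a library usually hide) and matches each component's package URL against an advisory record. The advisory's affected-version range is a labelled placeholder; the real range must come from the vendor advisory for the vulnerability being checked.

```python
"""Match a CycloneDX-style SBOM against an advisory to list exposed components.

Added example. The SBOM below is constructed for illustration and the advisory's
affected range is a placeholder, not data from the article or from CISA.
"""
import json
from typing import Iterator

# Constructed CycloneDX-style SBOM for a hypothetical application. The nested
# "components" list models a transitive dependency bundled inside another library.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.example", "name": "reporting-service",
     "version": "3.2.0", "purl": "pkg:maven/com.example/reporting-service@3.2.0",
     "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
     ]}
  ]
}
"""

# Placeholder advisory record. The version bounds are illustrative only; take the
# actual affected range (introduced inclusive, fixed exclusive) from the advisory.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER",
    "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "introduced": "2.0.0",
    "fixed": "2.17.1",
}


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; trailing tags are ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:            # pad so (2, 17) compares equal to (2, 17, 0)
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def iter_components(components: list) -> Iterator[dict]:
    """Yield every component, recursing into nested (transitive) components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def split_purl(purl: str) -> tuple:
    """Split a package URL into (type/namespace/name, version), dropping qualifiers."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, ""


def find_exposed(sbom_text: str, advisory: dict) -> list:
    """Return the purls of all components that fall inside the advisory's range."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp in iter_components(sbom.get("components", [])):
        name, purl_version = split_purl(comp.get("purl", ""))
        if name != advisory["purl_prefix"]:
            continue
        version = comp.get("version") or purl_version
        if version and is_affected(version, advisory["introduced"], advisory["fixed"]):
            hits.append(comp["purl"])
    return hits


if __name__ == "__main__":
    for purl in find_exposed(SBOM_JSON, ADVISORY):
        print(f"{ADVISORY['id']}: exposed component {purl}")
```

Only the top-level log4j-core 2.14.1 is reported: log4j-api shares the version but is a different package, and the nested log4j-core is already at the placeholder fixed version. In practice the advisory record would be generated from a vulnerability feed rather than typed by hand, and the same matcher runs unchanged over every SBOM in an inventory.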