Officials at the Cybersecurity and Infrastructure Security Agency said Monday that “significant intrusions” related to the Log4j vulnerability have yet to be found in the systems of U.S. federal agencies or critical infrastructure sectors, but stressed that they lack the necessary visibility to fully assess the bug’s impact.
Speaking to reporters Monday, CISA Director Jen Easterly and Executive Director Eric Goldstein said that despite an “unprecedented” level of collaboration with industry and other stakeholders, the agency is not aware of any confirmed breaches within the federal government that relied on the bug, while across critical infrastructure they have seen widespread scanning by criminal threat actors and isolated instances of low-level exploitation, such as installing cryptomining software and takeovers of victim computers for use in botnets.
“At this time we have not seen the use of Log4Shell [aka "Log4j"] resulting in significant intrusions. This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on lower alert,” Easterly said. She noted that in the 2017 Equifax breach, a similar vulnerability in open source Apache Struts software was not used to compromise the organization until months after it had been initially discovered.
There also appear to be few, if any, instances thus far of ransomware groups or advanced persistent threat groups (APTs) leveraging Log4j against the government or critical infrastructure, though several cybersecurity firms have put out research detailing just that. Easterly said her agency could not independently confirm those reports, but reiterated that the flaw was the most serious she had seen in her career, one that was still “trivial” to exploit and “likely present in hundreds of millions of individual technology assets around the world.”
Despite the lack of activity, CISA officials said they remain in a heightened state of concern, as there are several potentially troubling explanations for why activity has been so low, including the possibility that threat actors have already compromised some organizations and established other means of persistent access.
Adding to the complexity, Goldstein noted that because of the way Log4j is used and embedded in so many different products, each vendor must develop its own unique patch for the problem. In engagements with critical infrastructure, Goldstein said the agency was advising entities to focus first on public-facing systems, assets and websites before moving on to internal scrubs.
“This will be a long tail of remediation. … We are prioritizing remediation of internet-connected assets first and foremost because as adversaries conduct their mass scanning, they will be targeting those assets first," Goldstein said. "Organizations public and private will have a significant amount of work to do to get past those internet-facing assets and mitigate vulnerabilities that are internal to their network as well as with custom software.”
Easterly took an opportunity to repeat her calls for Congress to pass legislation that would require entities across critical infrastructure to report significant cyber incidents to CISA and the federal government, saying the agency will likely miss some compromises as a result.
“We are concerned that threat actors are going to start taking advantage of these vulnerabilities and having impacts on critical infrastructure and since there is no legislation in place, we will likely not know about it,” Easterly said.
The bill has broad support from members of Congress in both parties and a number of important industry trade groups, but was left out of the National Defense Authorization Act last year after Sen. Rick Scott, R-Fla., objected to language in a Democratic version of the legislation, CyberScoop reported last year.
That disagreement has yet to be resolved, a Democratic congressional source familiar with the matter told SC Media. If addressed, then proponents see their next major opportunity in a spending package that the federal government must pass before it runs out of funding Feb. 18, though those efforts could be stymied if Congress winds up settling on another continuing resolution.
That tracks with what leaders on the Senate Homeland Security and Governmental Affairs Committee communicated to CISA during a briefing on Log4j two weeks ago, with Chair Gary Peters, D-Mich., and ranking member Sen. Rob Portman, R-Ohio, telling Easterly they were attempting to attach the proposal to a larger legislative vehicle as soon as early this year. Following that briefing, Peters said he was concerned that we may never learn the full impact of the vulnerability.
Another piece of proposed legislation that didn’t make it into the latest NDAA would compel CISA to identify “systemically important” critical infrastructure entities and prioritize them for certain federal resources and programs. Easterly has said that CISA is not waiting for legislation to implement a similar program internally, but that it would be rolled out officially sometime this year.
“We’re moving aggressively this year to identify … primary important systemically important entities — looking at those entities that are systemically critical to national security, to economic prosperity and public health and safety so we can ensure we’re focused on cascading impacts when we see intrusions happen in those types of entities,” she said.
Meanwhile, the agency said it continues to engage with federal and industry stakeholders to reduce the available attack surface around Log4j. A virtual collaboration platform created to share technical information with other agencies like the NSA and FBI, as well as nearly 20 major technology companies, has produced 14 analyses of the vulnerability and 17 submissions of technical data around threat activity that underpinned a public advisory in December.
The agency has engaged with hundreds of vendors and hosted two national stakeholder calls to share updates on remediation that reached at least 13,000 participants. It has also helped develop a master list of products that have been vetted for signs of the corrupted software. Last week, two members of the cybersecurity community created a browser search tool to help defenders better manage the increasingly cumbersome master list, which is now approaching nearly 3,000 unique products and speaks to how widely embedded Log4J is within the broader IT ecosystem.