
FBI to companies: Tell us if hackers target the Log4j vulnerability in your infrastructure

The FBI’s Cyber Division leads the nation’s efforts to investigate and prosecute internet crimes. (FBI)

The FBI will release on Wednesday information about how companies can report to the law enforcement agency incidents where the Log4j vulnerability was targeted in their infrastructure, the assistant director of the FBI’s cyber division told SC Media.

Speaking during a keynote at the SC Finance eConference Wednesday, Bryan Vorndran pointed to the concerted effort between the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to respond to the vulnerability that first emerged Friday. CISA owns asset response, providing all the remediation steps and patching recommendations available based upon the current information about how the code may be exploited, while the FBI pursues law enforcement efforts in cases where cybercriminals attempt to leverage the vulnerability to target networks.

“The broad vulnerability is very difficult to patch, because it’s a necessary logging component — meaning it’s serving a righteous function — and there are tremendous interdependencies on that Log4j command,” Vorndran said. “It’s not as simple as saying, for example, ‘there’s a vulnerability in Microsoft Word, let’s deploy a patch.’ Interdependencies make the patching process complicated.”

Beyond law enforcement, the FBI is limited in the actions it can take to mitigate the threat. Log4j is different, for example, from the Microsoft Exchange Server vulnerabilities, which ultimately resulted in a court order to dismantle 'hundreds' of web shells installed after the bugs were patched by Microsoft.

That approach is not an option, he said, “unless we’re able to see web shells that have been implemented by a specific cyber actor, through code that has been targeted at a vast number of potential victims.”

“If we see that broad overarching activity that generates the web shell, we may be able to do that,” he continued. “But the authorities in no way can close the Log4j vulnerability that exists today. … There’s nothing we in the government are going to do, other than provide recommendations to allow companies to control that vulnerability.”

SC Media Editor in Chief Jill Aitoro has 20 years of experience editing and reporting on technology, business and policy. She also serves as editorial director at SC Media’s parent company, CyberRisk Alliance. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.
