The FBI will release information on Wednesday about how companies can report to the law enforcement agency incidents in which the Log4j vulnerability was targeted in their infrastructure, the assistant director of the FBI’s cyber division told SC Media.
Speaking during a keynote at the SC Finance eConference Wednesday, Bryan Vorndran pointed to the concerted effort between the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to respond to the vulnerability that first emerged Friday: CISA owns asset response, providing all the remediation steps and patching recommendations available based upon the current information about how the code may be exploited, while the FBI pursues law enforcement efforts in cases where cybercriminals attempt to leverage the vulnerability to target networks.
“The broad vulnerability is very difficult to patch, because it’s a necessary logging component — meaning it’s serving a righteous function — and there are tremendous interdependencies on that Log4j command,” Vorndran said. “It’s not as simple as saying, for example, ‘there’s a vulnerability in Microsoft Word, let’s deploy a patch.’ Interdependencies make the patching process complicated.”
Beyond law enforcement, the FBI is limited in the actions it can take to mitigate the threat. Log4j is different, for example, from the Microsoft Exchange Server vulnerabilities, which ultimately resulted in a court order to dismantle 'hundreds' of web shells installed after the bugs were patched by Microsoft.
That approach is not an option, he said, “unless we’re able to see web shells that have been implemented by a specific cyber actor, through code that has been targeted at a vast number of potential victims.”
“If we see that broad overarching activity that generates the web shell, we may be able to do that,” he continued. “But the authorities in no way can close the Log4j vulnerability that exists today. … There’s nothing we in the government are going to do, other than provide recommendations to allow companies to control that vulnerability.”