Federal civilian agencies have moved quickly to remediate their networks and bolster their defenses from a recently disclosed cybersecurity vulnerability, although small and medium-size agencies that are resource-constrained have needed help, a top cybersecurity official within the Department of Homeland Security said on Monday.
From the time the Log4Shell vulnerability was publicly disclosed a month ago, there haven’t been any confirmed significant intrusions into government or private sector networks, another DHS official said.
There has been “widespread exploitation by criminal actors” of networks, with malware being installed and attempts made to turn victim computers into botnets for future attacks, but “at this time we have not seen the use of Log4Shell resulting in significant intrusions,” Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, said during a conference call with media.
Eric Goldstein, executive assistant director for cybersecurity at CISA, described the deployment of crypto-mining and other malware on victim computers as “low level activities” to date. He also said on the call that there is “widespread scanning by malicious actors” of network assets.
Easterly said there are two potential reasons for the lack of significant exploits of the vulnerability. One is that bad actors have already positioned themselves inside of networks and are biding their time until network defenders ease up. The other is the quick action taken by defenders following the disclosure of the vulnerability “to rapidly mitigate the most easily exploitable devices such as those accessible directly from the internet,” she said.
“With that said, we do expect Log4Shell to be used in intrusions well into the future and for this reason we are remaining focused on driving remediation of vulnerable assets for months to come and on driving adoption of strong security practices like zero trust architecture that will help protect and limit the impact of potential intrusions,” Easterly said.
As for the federal government, Goldstein said, “we have seen extraordinary attention on this vulnerability across federal agencies. I think frankly the most dedicated focus that we have ever seen for a focused effort like this one. Agencies have remediated thousands of vulnerable internet-connected assets across their networks.”
For smaller and medium-size agencies, CISA is providing assistance to help them remediate their networks through patching or other means, Goldstein said on the call.
Federal civilian agencies are required to patch known exploited vulnerabilities, and Log4Shell was added to the catalog of these vulnerabilities immediately after it was discovered.
CISA subsequently recognized the need for an emergency directive requiring these agencies to prioritize mitigation efforts and to take interim mitigating steps where some vendors have not yet released Log4Shell patches for their products, Goldstein said.
Belgium’s Ministry of Defense confirmed last month, just before Christmas, that its computer network had been compromised via the Log4Shell vulnerability. Easterly said this attack “resulted in material impacts.” She also said that “several cybersecurity companies have also reported that nation-state adversaries are developing attacks using Log4Shell, although we cannot independently confirm these reports at the present time.”
Easterly, a veteran cybersecurity expert with experience in the military, the private sector, and as a government official, said the Log4Shell “is the most serious vulnerability I’ve seen in my career,” adding that a successful exploitation of the security gap potentially could lead to “deep access of a target network.”
The open-source software at the heart of the vulnerability is so widely used that it is “likely present in hundreds of millions of individual technology assets around the world,” and in “thousands of separate products,” each of which requires its vendor to produce its own patch, she said.
CISA has the authority to direct federal civilian agencies to take actions to strengthen their cyber defenses. The agency works with the private sector on a voluntary basis to improve its cybersecurity posture. Easterly said the Log4Shell event is the type her agency “was built for as the nation’s cyber defense agency.”
Easterly said the “operational collaboration” with the private sector, researchers and international partners on the vulnerability response is “unprecedented.” CISA has “worked to serve as a single authoritative source for information about the vulnerability, about threat activity and mitigations,” she said, highlighting a web page that the agency, with information provided by researchers and the vendor community, put together for this purpose.
The Joint Cyber Defense Collaborative (JCDC), a public-private partnership established last year to operationalize cyber defense efforts, has also “aggregated guidance” from the various partners into one location, and the agency developed a scanning tool, based on work done by the open-source community, that lets organizations “determine whether they are exposed to Log4Shell,” Easterly said.
Using the Slack Technologies messaging application, the JCDC created a “virtual collaboration platform” for sharing technical information among CISA, the FBI, the National Security Agency, and nearly 20 of the largest cybersecurity and technology companies, she said. This “first of its kind collaboration effort” has resulted in the receipt of 14 analyses of the vulnerability and 17 technical submissions about threat activity, leading to a public advisory issued by CISA, the FBI, the NSA, Australia, Canada, New Zealand and the United Kingdom, she added.
This is the “first time such a product has ever been issued and really speaks to the coordinated international effort,” Easterly said.
CISA has also hosted two national conference calls with stakeholders—including state and local agencies and vendors of industrial control systems—to mitigate vulnerabilities across government and critical infrastructure, she said.