- The Cybersecurity and Infrastructure Security Agency issued an emergency directive due to Log4j, requiring all federal agencies to review and patch internet-facing applications amid growing threat activity. Multiple threat actors were actively exploiting Log4j vulnerabilities, CISA Director Jen Easterly said.
- Security researchers and others are concerned about potential risks during the upcoming holiday, as Christmas and New Years fall on consecutive weekends that will provide a huge window when operations teams will have limited visibility into enterprise systems, according to Roger Koehler, VP of threat operations at Huntress.
Federal agencies have particular vulnerabilities due to their reliance on legacy technology and have often failed to patch and supply timely security updates to existing systems.
"The CISA emergency directive is important because many agencies at the U.S. government have been slow to patch and a vulnerability like Log4Shell can have lasting effects if not properly addressed quickly," Koehler said.
Koehler cited an August 2021 report from the Senate Committee on Homeland Security and Government Affairs report which noted that six agencies failed to install patches and take other important measures two years after a 2019 report from the inspector general.
Seven agencies used legacy systems or applications that were no longer being supported with security updates, according to the report from Sens. Rob Portman, R-Ohio, and Gary Peters, D-Mich.
The concerns about Log4Shell are rising amid reports that threat actors are deploying Conti ransomware and installing cryptominers on vulnerable systems, Koehler said.
Similar to the Microsoft Exchange attacks earlier this year, the threats related to Log4Shell are escalating from the initial set of probes and coin mining, to exfiltration and ransomware, said Saumitra Das, CTO and co-founder of Blue Hexagon.
"Since ransomware initial access brokers typically already have foothold infections in enterprises, I fully expect them to scan internal hosts for Log4j vulnerabilities and use it to spread and deploy ransomware," Das said.
Organizations should not limit their search for signs of exploitation to just external locations but also check internally and in cloud environments. Log4j has also been used to steal cloud credentials like AWS keys as well, Das said.