CISA director: Log4Shell has not resulted in 'significant' government intrusions yet

Top officials at the US Cybersecurity and Infrastructure Security Agency on Monday said the Log4Shell vulnerability has mostly resulted in cryptomining and other minor incidents at federal agencies, but warned that threat actors may soon start actively exploiting the vulnerability to disrupt critical infrastructure and other assets.

“We’ve been actively monitoring for threat actors looking to exploit [Log4Shell],” said CISA director Jen Easterly at a press briefing Monday morning, referring to a zero-day vulnerability in a widely-used Java logging framework that was publicly announced one month ago. “Over the past several weeks we have seen widespread exploitation of Log4Shell by criminal actors who use it to install cryptomining software on victim computers or to capture victim computers for use in botnets.”

“At this time we have not seen the use of Log4Shell resulting in significant intrusions,” she added. “This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their access until network defenders are on lower alert.”

Such a scenario was seen in 2017, when credit-reporting giant Equifax was compromised in a high-profile breach several months after an exploit was discovered in the open-source Apache Struts web application framework. The company’s failure to patch the bug resulted in the compromise of information related to more than 100 million consumers.

Eric Goldstein, CISA’s executive assistant director for cybersecurity, echoed Easterly’s assessment and said that—despite the widespread nature of the vulnerability and its ease of use—there have not yet been serious incidents related to government computer systems.

“We are not seeing confirmed compromises of federal agencies, including critical infrastructure,” he said. “We’re seeing widespread scanning by malicious actors, we’re seeing some prevalence of what we would call low level activities like installation of cryptomining malware, but we’re not seeing destructive attacks or attacks attributed to advanced persistent threats.”

Goldstein added that there would be a "long tail remediation” because of how widespread the issue is — CISA estimates that hundreds of millions of devices are impacted.Easterly said CISA is aware of reports of attacks affecting foreign government agencies, including the Belgian Defense Ministry, as well as reports from cybersecurity firms that  nation-state adversaries are developing attacks using Log4Shell, but said CISA cannot independently confirm those reports at this time.