Officials with the US Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that they have not seen the exploitation of Log4Shell result in significant intrusions since the vulnerability came to light in December.
CISA director Jen Easterly and executive assistant director for cybersecurity Eric Goldstein fielded questions from reporters during a briefing on Monday, telling attendees that outside of an attack on the Belgian Defense Ministry, they have not seen any damaging incidents that resulted directly from the exploitation of the Log4j vulnerability.
“At this time, we have not seen the use of Log4Shell resulting in significant intrusions. This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert. Everybody remembers the Equifax breach that was revealed in September of 2017 was a result of an open-source software vulnerability discovered in March of that year,” Easterly said.
“It may also be due in part to the urgent actions taken by defenders and many organizations to rapidly mitigate the most easily exploitable devices, such as those accessible directly from the internet,” Easterly added. “We do expect Log4Shell to be used in intrusions well into the future.”
Easterly added that they could not confirm multiple reports from cybersecurity companies that ransomware groups were leveraging the Log4j vulnerabilities for attacks.
Goldstein noted that even though they have not seen any significant attacks, there has been widespread scanning and exploitation of Log4Shell by cybercriminals who use it to install cryptomining software on victim computers or to capture victim computers for use in botnets.
He added that CISA has not seen any confirmed compromises related to federal agencies or critical infrastructure organizations. According to Goldstein, CISA is “not seeing destructive attacks or attacks attributed to advanced persistent threats.”
Easterly touted the agency’s efforts to deal with the Log4j crisis, explaining that their catalog of the more than 2,800 products affected by Log4j got hundreds of thousands of views and their Log4j scanner was downloaded nearly 4,000 times.
Even though CISA has not seen a confirmed attack resulting from Log4j, cybersecurity companies are reporting millions of attempts to exploit the vulnerability.
Cybersecurity firm NETSCOUT told ZDNet that the number of Log4j exploits it has blocked is approaching eight digits, and it recently blocked five million in a single day. ClearDATA founder Chris Bowen said his company has witnessed over 2.1 million security events specifically related to Log4j.
“Of those, roughly 268,000 are considered with high confidence to be valid threat events,” Bowen explained. “When combined with TOR metrics, this number increases to 365,247 attacks prevented before execution.”