The Cybersecurity and Infrastructure Security Agency (CISA) sent out an emergency directive on Friday, requiring federal civilian departments and agencies to immediately patch their internet-facing network assets for the Apache Log4j vulnerabilities. If they can't patch, they're required implement other appropriate mitigation measures.
CISA previously said federal civilian agencies would have until December 24 to address the issue, but it noted that the latest directive "is in response to the active exploitation by multiple threat actors of vulnerabilities found in the widely used Java-based logging package Log4j."
CISA Director Jen Easterly said they are urging organizations of all sizes to also assess their network security and adapt the mitigation measures outlined in the emergency directive.
If you are using a vulnerable product on your network, Easterly said you should consider your door wide open to any number of threats.
"The Log4j vulnerabilities pose an unacceptable risk to federal network security," Easterly explained. "CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk."
According to CISA, the directive was handed down because these vulnerabilities are currently being exploited by threat actors. CISA's investigations showed just how prevalent the affected software is in the federal enterprise.
CISA said there is a "high potential" for a compromise of agency information systems and expressed concern about the impact of a breach.
VMware head of cybersecurity strategy Tom Kellermann said the exploitation of the Log4j vulnerability allows for full control of the target system that is running Apache.
"So they have the capacity to just be on missions and spy on the activities of the users of the systems. They have the capacity to use that system to island-hop into other systems. They have the capacity to become disruptive. It really varies," said Kellermann, who served as a cybersecurity commissioner for the Obama administration.
"I would say that there is so much activity going on right now, that it'll probably weeks, if not months, before the true scope of this significant cybercrime wave for this vulnerability and the severity of its impact is discovered."
CISA created a dedicated webpage with Log4j mitigation guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services.
CISA added the Log4j vulnerability, alongside 12 others, to its Known Exploited Vulnerabilities Catalog. It created the list last month as a way to provide government organizations with a catalog of vulnerabilities organized by severity.
Using their honeypot network to attract attackers, cybersecurity firm Bitdefender found that their honeypots were attacked 36,000 times from Dec. 9 to Dec. 16. Half of all attacks used TOR to mask true country origin and were based on endpoint telemetry. The lead countries of origin for attacks were Germany at 34% and the US at 26%.
Bitdefender added that based on endpoint telemetry, the lead attack targets are the US at 48%, followed by the UK and Canada both at 8%.