Security professionals will be dealing with the fallout from the Log4j bug for a long time to come, top officials for the Cybersecurity and Infrastructure Security Agency said Monday. CNET reports: If left unpatched or otherwise unfixed, the major security flaw discovered a month ago in the Java-logging library Apache Log4j poses risks for huge swaths of the internet. The vulnerability in the widely used software could be exploited by cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack. No US federal agencies have been compromised as a result of the vulnerability, CISA Director Jen Easterly told reporters on a call Monday. In addition, no major cyberattacks involving the bug have been reported in the US, though many attacks go unreported, she said.
Easterly said the sheer scope of the vulnerability, which affects tens of millions of internet-connected devices, makes it the worst she has seen in her career. It’s possible, she said, that attackers are biding their time, waiting for companies and others to lower their defenses before they attack. “We do expect Log4Shell to be used in intrusions well into the future,” Easterly said, using the name for the bug in the Log4j software. She noted the Equifax data breach in 2017, which compromised the personal information of nearly 150 million Americans, stemmed from a vulnerability in open-source software. Most of the attempts to exploit the bug, so far, have been focused on low-level crypto mining or attempts to draw devices into botnets, she said.