Civilian agencies have until Christmas Eve to use available patches for a critical exploit in widely used open source software, with the Cybersecurity and Infrastructure Security Agency spearheading federal efforts to respond to the evolving situation.
CISA added the “log4j” vulnerability to the Known Exploited Vulnerabilities Catalog on Dec. 10. The catalog was created under a Binding Operational Directive that gives agencies two weeks to address newly cataloged vulnerabilities.
Apache’s “Log4j” is a widely used open source software library. The vulnerability is “extremely concerning,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein said during a Tuesday evening call with reporters.
“The Log4j library is widely used in a variety of devices and products, both consumer and enterprise, across sectors and across functions,” he said. “Second, this particular vulnerability is extremely easy to exploit, and new ways to exploit it are being reported continuously over the last several days. And third, exploiting this vulnerability gives an adversary potentially deep access into a target network, possibly allowing them to exfiltrate information or cause other harmful attacks.”
No agencies are known to have been compromised to date, Goldstein said.
“But of course, we are on extraordinarily heightened vigilance to detect and mitigate any such events, if they do arise,” he added. “If one looks at the catalog of known impacted products that CISA has put online, these are products that are used by every major organization around the world.”
Goldstein said CISA’s Joint Cyber Defense Collaborative, a public-private collective, has established a “dedicated action group” to identify vulnerable products, understand adversary actions, and aggregate guidance on defensive measures.
CISA is also updating a list of affected products and devices through its website, and Goldstein said agencies should quickly use patches as they become available.
CISA is working with agencies to first focus on “identifying and rapidly remediating” Internet-facing instances of vulnerable products, before they turn their attention to registering all instances of such products and devices on their networks, Goldstein said.
CISA is providing its vulnerability scanning service to federal agencies, as well as state and local partners who want to use it as well.
“Agencies have taken this with the utmost seriousness, and have made extraordinary progress since Friday, in either patching or taking other mitigating actions to reduce their exposure,” Goldstein said.
Meanwhile, the National Security Agency’s Cybersecurity Collaboration Center is providing “expertise” to the defense industrial base on the Log4j vulnerability, according to an NSA spokeswoman.
“The CCC’s specific efforts are focused on detecting exploitation and informing mitigation strategies to the active and widespread critical remote code execution vulnerability,” the spokeswoman said. “Additionally, the CCC is actively engaged with the Joint Cyber Defensive Collaborative hosted at CISA to work with industry to characterize the threat and mitigate the vulnerability as quickly as possible.”
The ubiquity of products that rely on Log4J combined with the scale of the federal enterprise is likely to have agencies scrambling in the coming weeks, experts said.
“When you have something like this emerge, it’s all hands on deck,” Michael Daniel, president and chief executive of the Cyber Threat Alliance, said in an interview. Daniel served as White House cybersecurity coordinator during the Obama administration.
Katie Moussouris, founder and chief executive of Luta Security, said the exploit has yet to show up in ransomware packages, but she “absolutely anticipates it’s going to be.”
She said chief information officers and their teams are likely to be busy through the holidays. The situation became even more complicated when it was revealed that hackers could bypass the latest Java upgrade to still take advantage of the vulnerability.
“What I think the CIOs are probably doing now, is they’re going back over all of their inventory and assets, and applying additional mitigations to the hosts that they thought were safe,” Moussouris said. “So unfortunately, we are still at the height of the response effort right now.”
John Cofrancesco, vice president of business development at Fortress Information Security, said attackers are likely to target products from large, widely used companies first. But he said bigger companies will also be the first to put out patches for their products.
“The reality is, the majority of software that’s on the [Defense Department] networks, that’s on the federal networks, does not come from Microsoft, from Oracle,” he said. “It comes from a lot of smaller organizations that, frankly, can create just as much exposure as the big boys. And those companies being smaller in size, less adept to dealing with these type of fast patch actions, are just less likely to have solved this.”
In a Sunday evening statement, CISA Director Jen Easterly said the vulnerability also underscores the need for organizations to use a “Software Bill of Materials.” President Joe Biden’s cybersecurity executive order called on agencies to start using SBOMs as part of the acquisition process.
“A SBOM would provide end users with the transparency they require to know if their products rely on vulnerable software libraries,” Easterly said in the Sunday statement.
With CISA quarterbacking the federal response, Daniel said he expects National Cyber Director Chris Inglis will help drive the “after-action” reports and subsequent improvements that will need to be made across the federal enterprise.
“What did we learn from this? What did we do, and where do we still need to make improvements?” Daniel said. “And then how do we actually focus on having agencies actually make those improvements over time, so that the next time there’s a vulnerability that emerges — and there will be a next time — we can do even better.”