U.S. cybersecurity officials see mainly low-impact attacks from logging flaw, so far

© Reuters. Bitcoin cryptocurrency representation is pictured on a keyboard in front of binary code in this illustration taken September 24, 2021. REUTERS/Dado Ruvic/Illustration/file photo

By Joseph Menn

SAN FRANCISCO (Reuters) – The U.S. agency charged with defending the country against hacking said on Tuesday the majority of attacks it has seen using a recently disclosed flaw in widely used open-source software were minor, with many of them seeking to hijack computing power to mine cryptocurrency.

Officials at the Cybersecurity and Infrastructure Security Agency said they had not confirmed reports by multiple security companies of ransomware installations or attempts by other governments to steal secrets.

“We are not seeing widespread, highly sophisticated intrusion campaigns,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a call with reporters.

But he warned the threat would continue to evolve and the agency was still working to assemble reliable information on what types of software were subject to the attacks.

He said it was possible widespread consumer devices such as routers were vulnerable and his unit within the Department of Homeland Security was working with vendors to have them deploy fixes where needed.

The flaw was found in a common logging tool, known as Log4j, and it is carried forward by at least hundreds of other programs that rely on the tool. Goldstein said the flaw is easy to exploit.

Although a patch in the tool has been available since Dec. 6, many of those other programs also have to implement the patch to ensure an attacker cannot get deep network access.

Under recently granted powers, CISA has directed all federal agencies to install patches as they become available.

Goldstein said there have been no reports of intrusions using the vulnerability in the government, but CISA expects “all manner of adversaries” to seek to exploit the flaw.

The logging function allows users to submit live code referring to an outside repository, which the program will then seek out and install. Hackers can use that to take control of the servers, which may have access to other machines with more valuable data or network powers.

Though the flaw has existed in the free Log4j program for years, it was recently discovered by a researcher at Chinese tech company Alibaba (NYSE:) and reported to the group of volunteers who maintain the program. Open discussion within the Chinese security company was detected and some exploitation of the flaw began before the Apache (NASDAQ:) Software Foundation could issue the patch.

Goldstein said it was “concerning” any time a flaw is exploited before a patch is out. Under recent Chinese regulations, some security professionals must report their findings to the government quickly, often before patches are ready.

Disclaimer: Fusion Media would like to remind you that the data contained in this website is not necessarily real-time nor accurate. All CFDs (stocks, indexes, futures) and Forex prices are not provided by exchanges but rather by market makers, and so prices may not be accurate and may differ from the actual market price, meaning prices are indicative and not appropriate for trading purposes. Therefore Fusion Media doesn`t bear any responsibility for any trading losses you might incur as a result of using this data.

Fusion Media or anyone involved with Fusion Media will not accept any liability for loss or damage as a result of reliance on the information including data, quotes, charts and buy/sell signals contained within this website. Please be fully informed regarding the risks and costs associated with trading the financial markets, it is one of the riskiest investment forms possible.

Read More

Leave a Reply