Officials at the Cybersecurity and Infrastructure Security Agency said they had not confirmed reports by multiple security companies of ransomware installations or attempts by other governments to steal secrets.
“We are not seeing widespread, highly sophisticated intrusion campaigns,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a call with reporters.
But he warned the threat would continue to evolve and the agency was still working to assemble reliable information on what types of software were subject to the attacks.
He said it was possible widespread consumer devices such as routers were vulnerable and his unit within the Department of Homeland Security was working with vendors to have them deploy fixes where needed.
The flaw was found in a common logging tool, known as Log4j, and it is carried forward by at least hundreds of other programmes that rely on the tool. Goldstein said the flaw is easy to exploit.
Although a patch in the tool has been available since December 6, many of those other programmes also have to implement the patch to ensure an attacker cannot get deep network access.
Under recently granted powers, CISA has directed all federal agencies to install patches as they become available.
Goldstein said there have been no reports of intrusions using the vulnerability in the government, but CISA expects “all manner of adversaries” to seek to exploit the flaw.
The logging function allows users to submit live code referring to an outside repository, which the programme will then seek out and install. Hackers can use that to take control of the servers, which may have access to other machines with more valuable data or network powers.
Though the flaw has existed in the free Log4j programme for years, it was recently discovered by a researcher at Chinese tech company Alibaba and reported to the group of volunteers who maintain the programme. Open discussion within the Chinese security company was detected and some exploitation of the flaw began before the Apache Software Foundation could issue the patch.
Goldstein said it was “concerning” any time a flaw is exploited before a patch is out. Under recent Chinese regulations, some security professionals must report their findings to the government quickly, often before patches are ready.
© Thomson Reuters 2021