U.S. cybersecurity officials are still sounding an alarm about the so-called Log4j software vulnerability more than a month after it was first discovered, warning some criminals and nation state adversaries may be waiting to make use of their newfound access to critical systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Monday that the vulnerability, also known as Log4shell, has been subject to widespread exploitation by criminals over the past several weeks, but that more serious and damaging attacking could still be in the works.
“We do expect Log4Shell to be used in intrusions well into the future,” CISA Director Jen Easterly told reporters during a phone briefing, adding, “at this time we have not seen the use of Log4shell resulting in significant intrusions.”
“This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert,” she said.
The vulnerability in the open-source software produced by the U.S.-based Apache Software Foundation, was first discovered in late November by the Chinese tech giant Alibaba. The first warnings to the public went out in early December.
Cybersecurity officials and experts initially described the flaw in the software as perhaps the worst vulnerability ever discovered, noting the software’s widespread use – in at least 2,800 products used by both private companies and governments around the world.
CISA on Monday said the vulnerability has impacted hundreds of millions of devices around the world, with many software vendors racing to issue security patches to their customers.
So far, U.S. agencies appear to be unscathed.