
US cybersecurity officials find attacks from logging bug mostly low-impact, so far


The US agency responsible for protecting the country against hacking said on Tuesday that the majority of attacks it has seen using a recently disclosed vulnerability in widely used open source software have been small, with many of them seeking to usurp computing power to mine cryptocurrencies.

Officials at the Cybersecurity and Infrastructure Security Agency (CISA) said they have not confirmed reports by multiple security companies of ransomware installations or of theft efforts by other governments.

Eric Goldstein, executive assistant director of cybersecurity at CISA, said in a call with reporters: “We don’t see widespread and very sophisticated intrusion campaigns.”

But he warned the threat would continue to evolve and that the agency was still working to gather reliable information on what types of software were the subject of attacks.

He said it’s possible that common consumer devices like routers are vulnerable, and his unit in the Department of Homeland Security is working with vendors to have them deploy fixes as needed.

The vulnerability was found in a popular logging tool called Log4j, and it is carried by at least hundreds of other programs that rely on the tool. Goldstein said the vulnerability is very easy to exploit.

Although a patch for the tool has been available since December 6, many other programs must also apply the patch to ensure that attackers can’t get deep into networks.

Under recently granted authority, CISA directed all federal agencies to install patches as they become available.

Goldstein said there have been no reports of intrusions using the vulnerability in government, but CISA expects “all manner of adversaries” to find ways to exploit the vulnerability.

The logging tool allows a user to submit code that directly references an external repository, which the program then looks up and installs. Hackers can use that to take control of servers, which can in turn be used to gain access to other machines with more valuable data or network power.

Although the vulnerability has existed in the free Log4j program for many years, it was recently discovered by a researcher at Chinese technology company Alibaba and reported to the group of volunteers who maintain the program. Open discussion within the Chinese security company was discovered, and several exploits of the vulnerability began before the Apache Software Foundation could release a patch.

Goldstein said it is “concerned” whenever a vulnerability is exploited before a patch is released. Under recent Chinese regulations, some security professionals must quickly report their findings to the government, often before patches are ready.

© Thomson Reuters 2021

