CISA to Agencies: Patch Log4j Vulnerability 'Immediately'
Key Senate Leaders Also Renew Talks on Incident Reporting Requirements
In an emergency directive issued on Friday regarding the explosive Apache Log4j vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency has required federal civilian departments and agencies to immediately patch their systems or implement appropriate mitigation measures. CISA previously gave agencies until Dec. 24 to patch against Log4j exploits via its Known Exploited Vulnerabilities Catalog.
CISA officials say the agency's Emergency Directive 22-02 will be updated with additional mitigation actions. The agency has already created a central landing page with technical details and patch information on its site and added a GitHub repository of affected devices and services.
The nation's operational agency for cybersecurity says the directive responds to "active exploitation" of the Java-based logging package Log4j by "multiple threat actors." CISA officials say they have been "working with partners in the public and private sectors to identify vulnerable products, raise awareness, and encourage all potentially affected organizations to take immediate action."
CISA Director Jen Easterly says about the latest directive, "The Log4j vulnerabilities pose an unacceptable risk to federal network security. CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks.
"CISA also strongly urges every organization large and small to follow the federal government's lead and take similar steps to assess their network security and adapt the mitigation measures. ... If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats."
Log4j - APT Activity
Cybersecurity experts continue to warn that nation-state attackers appear to be abusing or testing the Log4j vulnerability, with criminal groups targeting the flaw to drop malicious code - from ransomware to cryptomining software and more - and access brokers reportedly harvesting credentials for sale to other cybercriminals (see: Nation-State Attackers Wielding Log4j Against Targets).
On Thursday, John Graham-Cumming, CTO of web infrastructure provider Cloudflare, said the company was tracking more than 100,000 attempts to scan for, or exploit, Log4j per minute.
Experts at cybersecurity firms CrowdStrike and Mandiant have also warned that they have seen Chinese and Iranian APT groups targeting the vulnerability, tracked as CVE-2021-44228. And Wednesday, Microsoft reported related APT activity from actors affiliated with North Korea and Turkey.
Microsoft says that Iranian APT group Charming Kitten, aka Phosphorus and TA453, is "acquiring and making modifications" to the Log4j exploit. The Chinese APT groups Hafnium, aka APT31, and APT40, which have been connected to earlier attacks against Microsoft Exchange servers, are also using the exploit to identify new targets, Microsoft says.
Push for Incident Reporting
Officials on Capitol Hill also continue to stress the severity of the Log4j flaw - and are now citing it as a way to revamp talks on mandatory incident reporting, a provision nixed at the eleventh hour during congressional negotiations on the must-pass defense spending bill (see: Cyber Incident Reporting Mandate Excluded From Final NDAA).
In a statement provided to Information Security Media Group, Sen. Gary Peters, D-Mich., chairman of the Senate Homeland Security and Governmental Affairs Committee, says, "Newly discovered vulnerabilities in the Log4j software that could have far-ranging and severe impacts are just the latest example of why Congress must urgently pass my bipartisan bill to ensure critical infrastructure is reporting to CISA when they are hit by a substantial cyberattack or when they pay a ransom."
In a statement provided to ISMG, Easterly says, "CISA estimates that hundreds of millions of devices around the world are potentially susceptible to the Log4j vulnerability. We know malicious actors are actively exploiting [it] in the wild. ... The federal government simply does not have the level of information it needs to definitively understand the breadth or nature of intrusions occurring as a result of this severe vulnerability.
"A cybersecurity incident reporting law would ensure CISA and our partners receive timely information about successful exploitation of critical infrastructure networks quickly after they are discovered, enabling us to help victims mitigate the effects, stop the spread to additional victims, and better track the size, scope, and scale of any adversary campaigns to exploit widespread vulnerabilities like Log4j."
Some security experts, however, urge lawmakers to be careful when issuing requirements in response to specific vulnerabilities.
Jake Williams, a former member of the National Security Agency's elite hacking team and co-founder and CTO of the security firm BreachQuest, tells ISMG, "While Log4j is consuming the news cycle, it might seem like a good time to push additional reporting requirements. But policymakers should ensure that they don't inadvertently cause operational issues by mandating reporting."
The bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2021, first introduced in October, would require critical infrastructure organizations to report to CISA within 72 hours if they experience a substantial cybersecurity incident, and report within 24 hours of making a ransom payment to criminal gangs.
In a statement provided to ISMG, Senate Homeland Security Committee Ranking Member Rob Portman, R-Ohio, says: "CISA Director Jen Easterly has told me that with the discovery of the Log4j vulnerability, enacting my bipartisan cyber incident reporting bill is more urgent than ever. This vulnerability is widespread and I am concerned that many adversaries - like Russia, China, and cybercriminals - will exploit it without our knowledge.
"We cannot allow that to happen. We must pass the [bipartisan bill] to provide the needed visibility so that, as a nation, we can fully detect, coordinate, and defend against cyberattacks from foreign governments and criminal organizations. I am very disappointed it was not included in the NDAA and will be working to get it passed as soon as possible."
With Congress set to adjourn for the holidays, it is likely lawmakers will have to pick up these efforts in 2022, when they may again attempt to attach them to must-pass legislation.
Last week, an amendment to the National Defense Authorization Act for 2022 that housed Peters and Portman's incident reporting provisions stalled when Sen. Rick Scott, R-Fla., introduced a competing amendment limiting the scope of the reporting requirements. The lawmakers reportedly later came to an agreement on the verbiage, though the congressional deadline had passed.
In a statement, Sen. Mark Warner, D-Va., chairman of the Senate Intelligence Committee, says, "Our ability to respond to cyber incidents and minimize the damage from threat actors is critically dependent on the speed with which we can identify breaches. This is especially true in cases - like Log4j - where vulnerabilities are systemic and widespread, can be exploited by a varying set of threat actors, and can impact hundreds of millions of devices in short order. ... Rapid identification is paramount ... which is why many of us ... believe it is so urgent that we pass incident reporting legislation now."
Rep. Jim Langevin, D-R.I., chairman of the House Armed Services Committee's Subcommittee on Cyber, Innovative Technologies, and Information Systems, also tells ISMG, "When serious, widespread vulnerabilities like Log4j arise, the federal government must be aware of how and where malicious actors are using these vulnerabilities. ... We need more information about the cyber incidents affecting our critical infrastructure, so we can respond more quickly and shore up our defenses.
"Log4j and vulnerabilities like it should encourage Congress to pass robust incident reporting legislation as soon as possible - we simply don't have time to waste."
[Update: Dec. 17, 6 p.m.]: This article has been updated to include commentary from Rep. Jim Langevin, D-R.I.