Log4j could be the most serious security threat ever seen, CISA head warns

News
By
last updated

Handling it will take a sustained effort, experts are saying

Representational image of data security
(Image credit: Kingston)

Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned the recently-revealed Log4j vulnerability was “one of the most serious” she’s seen in her entire career, “if not the most serious”.

“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” Easterly explained. 

Adding to the conversation was Jay Gazlay, of CISA’s vulnerability office, who said that “hundreds of millions of” endpoints were likely to be affected by the flaw.

Log4j threat

CISA is part of the US Department of Homeland Security, and is currently building a website for all affected parties to educate themselve, but also to “counter active disinformation”. 

To ensure organizations are safe from this flaw, a “sustained effort” will be needed, Gazlay added:  “There’s no single action that fixes this issue,” he added, before saying that this is not a problem that’s going to disappear in a fortnight. 

Besides patching up as soon as possible, companies should make sure all hands are on deck over the holidays. 

Numerous exploits

Earlier this month, a new zero-day vulnerability in the popular Java logging framework Log4j was discovered with huge destructive potential. It’s tracked as CVE-2021-44228, and allows malicious actors to run virtually any code. The skills required to take advantage of the flaw are very low, experts have warned, urging everyone to patch Log4j as fast as they can.

The flaw is being compared to the 2017 issue which led to the Equifax hack, leading to the personal data of almost 150 million people being exposed.

Organizations using Log4j in their software should upgrade it to the latest 2.15 version immediately which is available from Maven Central.

So far, experts have discovered multiple use cases for the vulnerability: to install malware, cryptominers, to add the devices to the Mirai and Muhstik botnets, to drop Cobalt Strike beacons, to scan for information disclosure, or for lateral movement throughout the affected network.

It’s yet to be used in a supply chain attack, though. 

You might also want to check out our list of the best firewalls today

Via: Cyberscoop

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
CISA tells agencies to patch BeyondTrust bug now
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
Representational image depecting cybersecurity protection
CISA says Oracle and Mitel have critical security flaws being exploited
Best free Linux firewalls
Fortinet warns a critical vulnerability in its systems could let attackers breach company networks
The best free firewall
Palo Alto warns another major firewall hack has been detected
Latest in Security
healthcare
Software bug meant NHS information was potentially “vulnerable to hackers”
A hacker wearing a hoodie sitting at a computer, his face hidden.
Experts warn this critical PHP vulnerability could be set to become a global problem
botnet
YouTubers targeted by blackmail campaign to promote malware on their channels
A close-up of a phone screen showing the Telegram, Signal and WhatsApp apps
Agentic AI has “profound” issues with security and privacy, Signal President says
botnet
Another top security camera maker is seeing devices hijacked into botnet
Bluetooth
Top Bluetooth chip security flaw could put a billion devices at risk worldwide
Latest in News
Apple's Craig Federighi demonstrates the iPhone Mirroring feature of macOS Sequoia at the Worldwide Developers Conference (WWDC) 2024.
Report: iOS 19 and macOS 16 could mark their biggest design overhaul in years – and we have one request
Google Gemini Calendar
Gemini is coming to Google Calendar, here’s how it will work and how to try it now
Lego Mario Kart – Mario & Standard Kart set on a shelf.
Lego just celebrated Mario Day in the best way possible, with an incredible Mario Kart set that's up for preorder now
TCL QM7K TV on orange background
TCL’s big, bright new mid-range mini-LED TVs have built-in Bang & Olufsen sound
Apple iPhone 16e
Which affordable phone wins the mid-range race: the iPhone 16e, Nothing 3a, or Samsung Galaxy A56? Our latest podcast tells all
An image of a Jackbox Games Party Pack
Jackbox games is coming to smart TVs in mid-2025, and I can’t wait to be reunited with one of my favorite party video games
More about security
botnet

YouTubers targeted by blackmail campaign to promote malware on their channels
A hacker wearing a hoodie sitting at a computer, his face hidden.

Experts warn this critical PHP vulnerability could be set to become a global problem
Half man, half AI.

Three key AI considerations for engineering leaders
See more latest
Most Popular
Vodafone logo outside a store in Sydney
Vodafone employees could lose bonuses if they’re not in office 8 days per month
An image of a Jackbox Games Party Pack
Jackbox games is coming to smart TVs in mid-2025, and I can’t wait to be reunited with one of my favorite party video games
Google Gemini Calendar
Gemini is coming to Google Calendar, here’s how it will work and how to try it now
Ryzen AI Max+ 395
Race to launch most powerful AI mini PC ever heats up as GMKTec confirms Ryzen AI Max+ 395 product for May 2025
Apple iPhone 16e
Which affordable phone wins the mid-range race: the iPhone 16e, Nothing 3a, or Samsung Galaxy A56? Our latest podcast tells all
Apple's Craig Federighi demonstrates the iPhone Mirroring feature of macOS Sequoia at the Worldwide Developers Conference (WWDC) 2024.
Report: iOS 19 and macOS 16 could mark their biggest design overhaul in years – and we have one request
Whirlwind I Computer
Happy birthday, Director! The first operating system in the world turns 70 today
Lego Mario Kart – Mario & Standard Kart set on a shelf.
Lego just celebrated Mario Day in the best way possible, with an incredible Mario Kart set that's up for preorder now
Tesla Model 3
Tesla's EV sales are plummeting – as used Model Y and Model 3 prices crash to bargain levels
TCL QM7K TV on orange background
TCL’s big, bright new mid-range mini-LED TVs have built-in Bang & Olufsen sound