Security professionals will be dealing with the fallout from the Log4j bug for a long time to come, top officials for the Cybersecurity and Infrastructure Security Agency said Monday.
If left unpatched or otherwise unfixed, the major security flaw discovered a month ago in the Java-logging library Apache Log4j poses risks for huge swaths of the internet. The vulnerability in the widely used software could be exploited by cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack.
No US federal agencies have been compromised as a result of the vulnerability, CISA Director Jen Easterly told reporters on a call Monday. In addition, no major cyberattacks involving the bug have been reported in the US, though many attacks go unreported, she said.
Easterly said the sheer scope of the vulnerability, which affects tens of millions of internet-connected devices, makes it the worst she has seen in her career. It’s possible, she said, that attackers are biding their time, waiting for companies and others to lower their defenses before they attack.
“We do expect Log4Shell to be used in intrusions well into the future,” Easterly said, using the name for the bug in the Log4j software. She noted thein 2017, which compromised the personal information of nearly 150 million Americans, stemmed from a vulnerability in open-source software.
Most of the attempts to exploit the bug, so far, have been focused on low-levelor attempts to draw devices into , she said.
One of the first known attacks using the vulnerability involved the computer game Minecraft. Attackers were able to take over one of the world-building game’s servers before Microsoft, which owns Minecraft, patched the problem.
There have been big attacks elsewhere. Last last month, the Belgian Defense Ministry confirmed at its systems had been breached as a result of the bug.