Early Prime Day Deals Roe v. Wade Overturned Surface Laptop Go 2 Review 4th of July Sales M2 MacBook Pro Deals Healthy Meal Delivery Best TVs for Every Budget Noise-Canceling Earbuds Dip to $100

CISA director: We'll be dealing with Log4j for a long time

The bug's impact will be massive, requiring lots of tech to be patched or locked down.

gettyimages-1322884631
CISA Director Jen Easterly says the Log4j security flaw is the worst she has seen in her career.
Getty

Security professionals will be dealing with the fallout from the Log4j bug for a long time to come, top officials for the Cybersecurity and Infrastructure Security Agency said Monday.

If left unpatched or otherwise unfixed, the major security flaw discovered a month ago in the Java-logging library Apache Log4j poses risks for huge swaths of the internet. The vulnerability in the widely used software could be exploited by cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack.

No US federal agencies have been compromised as a result of the vulnerability, CISA Director Jen Easterly told reporters on a call Monday. In addition, no major cyberattacks involving the bug have been reported in the US, though many attacks go unreported, she said. 

Easterly said the sheer scope of the vulnerability, which affects tens of millions of internet-connected devices, makes it the worst she has seen in her career. It's possible, she said, that attackers are biding their time, waiting for companies and others to lower their defenses before they attack. 

"We do expect Log4Shell to be used in intrusions well into the future," Easterly said, using the name for the bug in the Log4j software. She noted the Equifax data breach in 2017, which compromised the personal information of nearly 150 million Americans, stemmed from a vulnerability in open-source software.

Most of the attempts to exploit the bug, so far, have been focused on low-level crypto mining or attempts to draw devices into botnets, she said.

One of the first known attacks using the vulnerability involved the computer game Minecraft. Attackers were able to take over one of the world-building game's servers before Microsoft, which owns Minecraft, patched the problem.

There have been big attacks elsewhere. Last last month, the Belgian Defense Ministry confirmed at its systems had been breached as a result of the bug.