Feds scramble to assess security flaw that threatens hundreds of millions of devices – POLITICO

The Biden administration remains “deeply concerned” about what Goldstein called “an extremely widespread, easy to exploit, and potentially highly damaging vulnerability that certainly could be utilized by adversaries to cause real harm.”

Federal scramble: The code, in a type of Apache logging software called Log4j, is so pervasive that government agencies are almost certainly using “many” products that contain it, Goldstein said. CISA has given agencies until Dec. 24 to apply patches produced by the makers of affected software.

“Agencies have taken this with the utmost seriousness and have made extraordinary progress” in applying patches and other mitigating measures since the vulnerability’s disclosure late last week, Goldstein said.

Vast array of targets: CISA currently estimates that “hundreds of millions” of devices are running software that uses the vulnerable code, Goldstein said, but that number is likely to grow as more software makers report their use of the code.

No major attacks yet: So far, Goldstein said, most of the attacks on vulnerable companies worldwide have involved cyber criminals seeking to deploy software that mines cryptocurrency on infected computers. CISA has not yet seen any “highly sophisticated” attacks by advanced, state-backed hackers, he said.

CISA also hasn’t seen any impact on the nation’s infrastructure, and Goldstein said that critical infrastructure companies have so far been able to mitigate the vulnerability “without a material impact to their critical functions or services.”

A call for help: CISA is building a catalog of software that contains the vulnerability code, but Goldstein said the agency needs the public’s help in filling in the gaps. “One of our really important lines of effort here is ensuring that we have a complete and comprehensive list of impacted products,” he said.

What’s next: CISA expects the number of hackers exploiting the vulnerability to grow as more of them assess its value to their operations, Goldstein said. The agency is also worried about how the flaw might impact home electronics and internet-of-things devices, because consumers may not be following security guidance as much as many businesses are.
