Just this past week, the Cybersecurity and Infrastructure Agency (CISA) issued a serious warning: a vulnerability in Log4j, a common utility that runs in the background of many software tools written in Java, might impact hundreds of millions of devices.
ABC News recently covered the announcement, citing a conference call where CISA Director Jenn Easterly sounded the alarm. During the call, she alerted both government officials and cybersecurity industry leaders.
“Basically, it’s an open door that could allow a bad actor in to either steal your data to launch a ransomware attack, you name it. It’s basically an open door to your system that allows an attacker in,” Rep. Jim Langevin, a Democratic Congressman from Rhode Island, told ABC News.
He is one of the founding members of the Cyberspace Solarium Commission and told the news network that Log4j could potentially “compromise an entire company’s system and their database, including customer records and data, on a more individual basis.”
“There’s no telling what the bad actors could do to carry out their ransomware attack or steal data, implant something onto a system,” Langevin added. “If Log4j is used let’s say on a utility could very easily in that, you know, in the in the middle of winter, go on to a compromise, a gas company’s website and shut down the gas pipeline, if you will. And so there could be people significant numbers of people that are without natural gas to heat their homes in the dead of winter. It could cause, obviously damage or loss of life, which is again all very disturbing.”
ZDNet reports that it could be very difficult for cybersecurity professionals even to assess whether a piece of Log4j code is part of their applications or poses a possible risk. In fact, many companies are still trying to determine whether their products are affected at all.
In a year of troubling cybersecurity news, the vulnerability is yet another headache for security teams.
Right now, the likes of IBM and Amazon Web Services are attempting to put software patches in place as a “stop gap to fix the vulnerability,” ABC News adds.
One thing needs to be made clear: so far, no federal government breaches tied to this vulnerability are known to have occurred.
Eric Goldstein, executive assistant director for CISA, added more context to underscore why this vulnerability is a major security concern.
“So, with SolarWinds, we had a targeted supply chain attack by a highly sophisticated but specific adversary intended to compromise specific organizations to achieve particular objectives,” Goldstein said in a call with reporters cited by ABC News. “What we have here is an extremely widespread easy to exploit and potentially highly damaging vulnerability that certainly could be utilized by adversaries to cause real harm.”