While a “significant” Log4j-based attack on critical infrastructure systems has yet to be seen, a panel established by the Department of Homeland Security (DHS) is warning that the “endemic vulnerability” will continue to plague organizations for years to come as exploitation evolves.
The prediction comes as part of a 52-page report dissecting the exploitation, mitigation efforts and systemic security challenges of the ecosystem surrounding the Apache Log4j flaw in the more than six months since its public disclosure. The report is the first one released by the Cyber Safety Review Board (CSRB), a panel of private and public sector industry leaders that was tasked by the DHS in February with identifying key lessons learned, and developing non-binding recommendations based on those lessons, from significant cybersecurity events.
After reviewing publicly available material and talking to developers, end users and defenders from 40 separate organizations, the CSRB highlighted what went “right” and “wrong” in the days leading up to, and following, the disclosure of the Log4j flaw. Both the Apache Software Foundation (ASF) and the ecosystem recognized the criticality of the flaw and urgency of patches during the time of disclosure, with vendors and government organizations quickly coming out with guidance and tools, the board found. However, the process of updating vulnerable software has been strenuous, time-consuming and costly for impacted organizations. At the same time, security risks continue to exist across the open-source software ecosystem, mainly stemming from tight resources.
“To reduce recurrence of the introduction of vulnerabilities like Log4j, it is essential that public and private sector stakeholders create centralized resourcing and security assistance structures that can support the open source community going forward,” according to the report, released this week. “The Board predicts that, given the ubiquity of Log4j, vulnerable versions will remain in systems for the next decade, and we will see exploitation evolve to effectively take advantage of the weaknesses.”
The flaw was first reported on Nov. 24, 2021 by a security engineer from the People’s Republic of China (PRC)-based Alibaba Cloud Security team. While ASF was still working on a fix, another PRC-based cybersecurity company, BoundaryX, disclosed the flaw on WeChat before ASF had made a public update available. There had been speculation that the PRC or another country may have exploited the flaw before it was disclosed, but in its review of Log4j-based attacks the board found no evidence that threat actors from the PRC, Iran, North Korea or Russia had exploited the flaw prior to its Dec. 9, 2021 disclosure date. The earliest known exploitation of the flaw occurred on Dec. 1, 2021, but that activity was linked to limited in-the-wild exploit testing by Alibaba.