Written by Tim Starks
Jan 10, 2022 | CYBERSCOOP
Federal officials cautioned Monday that, while the widespread Log4j vulnerability hasn’t led to any major known intrusions in the U.S., there could be a “lag” between when the flaw became known, and when attackers exploit it.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly said that there were months between the discovery of the vulnerability that led to the 2017 Equifax breach, which exposed the personal information of nearly 150 million Americans, and word of the breach itself, invoking one of the most notable hacks in history.
“We do expect Log4j to be used in intrusions well into the future,” Easterly said on a call with reporters. “There may be a lag between when this vulnerability is being used and when it is being actively deployed.”
Apache Struts, an open-source tool, was at the center of the Equifax breach, and Apache’s Log4j is a ubiquitous open-source logging tool. Easterly said that CISA, a division of the Homeland Security Department, has catalogued Log4j’s presence in more than 2,800 distinct commercial products. That means it’s likely present in hundreds of millions of tech assets, she said.
Further, exploiting the so-called Log4Shell vulnerability