CISA Says No Federal Agencies Compromised in Log4Shell Attacks to Date
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says it’s currently not aware of any federal agencies suffering a breach as a result of Log4Shell attacks.
The agency told SecurityWeek that it does “not have any confirmed compromises of federal agencies” resulting from the recently disclosed Log4j vulnerability tracked as Log4Shell and CVE-2021-44228.
CISA last week issued emergency directive ED 22-02, which directs federal agencies to identify affected internet-exposed systems and address the flaw — either via patches, mitigations or removal of software — by December 23.
CVE-2021-44228 has been added to CISA’s catalog of known exploited vulnerabilities, which compels federal civilian agencies to take immediate action.
The binding operational directive BOD 22-01, which CISA issued in early November when it announced the catalog, instructs government agencies to quickly address actively exploited bugs.
Log4Shell has been exploited in attacks by profit-driven cybercriminals to deliver various types of malware, as well as by nation-state threat actors linked to China, Russia, Iran, North Korea and Turkey.
The Belgian military this week confirmed a breach resulting from Log4Shell exploitation, making it the first government organization to officially admit being hit by a Log4Shell attack.
Governments around the world have taken steps to mitigate the impact of Log4Shell. However, the Chinese government, which “encourages” researchers to inform it about the security holes they find, is reportedly unhappy with Alibaba, whose employees discovered the Log4j flaw.
The country’s Ministry of Industry and Information Technology (MIIT) said it will temporarily suspend its collaboration with Alibaba Cloud as a cyber threat intelligence partner due to the fact that the company did not inform the government first about the discovery of the vulnerability.