A new informational Log4J advisory has been issued by cybersecurity leaders from the US, Australia, Canada, New Zealand and the United Kingdom. The guide includes technical details, mitigations and resources to address known vulnerabilities in the Apache Log4j software library.
The project is a joint effort by the US' Cybersecurity and Infrastructure Security Agency (CISA), FBI and NSA, as well as the Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Secure Centre (NZ NCSC), and the United Kingdom's National Cyber Security Centre (NCSC-UK).
The organizations said they issued the advisory in response to "active, worldwide exploitation by numerous threat actors, including malicious cyber threat actors." Numerous groups from North Korea, Iran, Turkey and China have been seen exploiting the vulnerability alongside a slate of ransomware groups and cybercriminal organizations.
CISA Director Jen Easterly said Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world
"We implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks," Easterly said. "These vulnerabilities are the most severe that I've seen in my career, and it's imperative that we work together to keep our networks safe."
Cybersecurity company Sonatype has tracked the number of total Log4j downloads since the vulnerability was discovered on Dec. 10, also noting the number of vulnerable versions of Log4j being downloaded in the last hour. Even with the massive mobilization effort around the issue, 43% of the Log4j downloads in the last hour are of vulnerable versions.
SonatypeJessica Hunter, acting head of the Australian Cyber Security Centre, said malicious cyber actors are already scanning and exploiting some of the many thousands of vulnerable systems around the world, prompting the need for world governments to be proactive in their efforts to patch, partner and monitor.
The FBI's Bryan Vorndran urged organizations attacked through the vulnerability to contact them or CISA about the issue. CISA built a Log4J web page with information, guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services.
NSA cybersecurity director Rob Joyce said everyone should inventory their assets so they can stay on top of patches coming out.
"Start with internet exposed assets, but mitigate and update everything. Monitor and follow up. Malicious actors have been observed patching software they compromise to help retain control of the assets," Joyce said.
CISA ordered all federal civilian agencies to address the issue before Christmas and published an open sourced log4j-scanner derived from scanners created by other open source community members. The tool is intended to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
"We cannot stress enough how important it is for everyone to patch this vulnerability as soon as possible. We know that malicious actors are constantly scanning for a way into systems worldwide, using the Log4j vulnerability," said CERT NZ Director Rob Pope.
"It is only through collective actions that we can effectively address these types of attacks, which is why we're proud to be part of an international effort to keep organizations safe and secure."