By Joseph Menn
SANFRANCISCO – The U.S. agency charged with defending the country against hacking said on Tuesday the majority of attacks it has seen using a recently disclosed flaw in widely used open-source software were minor, with many of them seeking to hijack computing power to mine cryptocurrency.
Officials at the Cybersecurity and Infrastructure Security Agency said they had not confirmed reports by multiple security companies of ransomware installations or attempts by other governments to steal secrets.
“We are not seeing widespread, highly sophisticated intrusion campaigns,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a call with reporters.
But he warned the threat would continue to evolve and the agency was still working to assemble reliable information on what types of software were subject to the attacks.
He said it was possible widespread consumer devices such as routers were vulnerable and his unit within the Department of Homeland Security was working with vendors to have them deploy fixes where needed.
The flaw was found in a common logging tool, known as Log4j, and it is carried forward by at least hundreds of other programs that rely on the tool. Goldstein said the flaw is easy to exploit.
Although a patch in the tool has been available since Dec. 6, many of those other programs also have to implement the patch to ensure an attacker cannot get deep network access.
Under recently granted powers, CISA has directed all federal agencies to install patches as they become available.
Goldstein said there have been no reports of intrusions using the vulnerability in the government, but CISA expects “all manner of adversaries” to seek to exploit the flaw.
The logging function allows users to submit live code referring to an outside repository, which the program will then seek out and install. Hackers can use that to take control of the servers, which may have access to other machines with more valuable data or network powers.
Though the flaw has existed in the free Log4j program for years, it was recently discovered by a researcher at Chinese tech company Alibaba and reported to the group of volunteers who maintain the program. Open discussion within the Chinese security company was detected and some exploitation of the flaw began before the Apache Software Foundation could issue the patch.
Goldstein said it was “concerning” any time a flaw is exploited before a patch is out. Under recent Chinese regulations, some security professionals must report their findings to the government quickly, often before patches are ready.