Stock Groups

U.S. cybersecurity officials see mainly low-impact attacks from logging flaw, so far -Breaking

by Mike Robinson

[ad_1]

© Reuters. In this September 24th, 2021 illustration, a representation of Bitcoin is shown on a keyboard surrounded by binary code. REUTERS/Dado Ruvic/Illustration/file photo

Joseph Menn

SAN FRANCISCO – A U.S.-based agency that is charged with defending the nation from hacking claims Tuesday that most attacks made using a newly disclosed flaw within open-source software have been minor. Some of these attackers are trying to steal computing power in order to mine cryptocurrency.

Officials at the Cybersecurity and Infrastructure Security Agency said they had not confirmed reports by multiple security companies of ransomware installations or attempts by other governments to steal secrets.

“We are not seeing widespread, highly sophisticated intrusion campaigns,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a call with reporters.

He warned that the threat will continue to grow and that the agency was working hard to gather reliable information about the types of software at risk.

He stated that it is possible for widespread vulnerabilities to routers and other consumer devices. The Department of Homeland Security’s unit was working with vendors in order to deploy the necessary patches.

Log4j is a commonly used logging tool. The flaw has been carried on by hundreds of other programs which rely upon it. The flaw can be easily exploited, Goldstein stated.

Even though the tool is patched since Dec. 6, most other programs must also implement it to prevent an attacker from gaining deep network access.

CISA recently gave power to all federal agencies and directed them to use patches when they became available.

Goldstein said there have been no reports of intrusions using the vulnerability in the government, but CISA expects “all manner of adversaries” to seek to exploit the flaw.

You can submit live code to the logging function, which will search for and then install it. Hackers may use this to access servers and gain more control.

Although the bug has been known for many years in Log4j, it was discovered recently by a Chinese researcher. Alibaba (NYSE:), and was reported to the volunteer group that maintains the program. The flaw was discovered by the Chinese security firm and exposed to the public before the Apache Software Foundation (NASDAQ:) could release the fix.

Goldstein said it was “concerning” any time a flaw is exploited before a patch is out. Recent Chinese laws require security personnel to report any flaws quickly to the government, sometimes before patch releases.

Disclaimer: Fusion MediaWe remind you that this site does not contain accurate or real-time data. CFDs are stocks, indexes or futures. The prices of Forex and CFDs are not supplied by exchanges. They are instead provided by market makers. As such, the prices might not reflect market values and could be incorrect. Fusion Media is not responsible for trading losses that may be incurred as a consequence of the use of this data.

Fusion MediaFusion Media and anyone associated with it will not assume any responsibility for losses or damages arising from the use of this information. This includes data including charts, buy/sell signal, and quotes. You should be aware of all the potential risks and expenses associated with trading in the financial market. It is among the most dangerous investment types.

[ad_2]