Log4j: Sen. Peters Revisits Incident Reporting LegislationRenews Talks on Bill After Convening Log4j Briefing With CISA, Chris Inglis
U.S. Sen. Gary Peters, D-Mich., who chairs the Homeland Security and Governmental Affairs Committee, said this week that he convened a virtual briefing with both the U.S. Cybersecurity and Infrastructure Security Agency and National Cyber Director Chris Inglis to discuss the Biden administration's efforts to mitigate the threat posed by the Log4j vulnerability.
See Also: Case Study: The Road to Zero Trust
The briefing prompted Peters to renew talks about requiring incident reporting, a legislative provision that fell off the annual defense spending bill in December after lawmakers failed to come to a consensus on the scope of the requirements. At the time, Peters intended to pick up negotiations in early 2022, hoping to pass the measure, which has received bipartisan support, as stand-alone legislation or to embed it in another must-pass spending package (see: Cyber Incident Reporting Mandate Excluded From Final NDAA).
The remote code execution vulnerability in the Java-based logging utility Log4j was first reported Dec. 9, after allegedly being detected by Alibaba's cloud security unit. It immediately put security teams on high alert heading into the holiday season.
In a statement on Wednesday, Peters said, "I convened a committee briefing with administration officials to get additional information on how this cybersecurity threat is affecting the federal government, critical infrastructure, and other entities, and what the administration has been doing to help remediate the issue."
The Michigan senator continued: "I was pleased to hear how our government has swiftly mobilized to respond to this threat - including by requiring federal agencies to secure their systems and by offering support to impacted organizations."
Taking to Twitter after the briefing, CISA Director Jen Easterly said, "Great to join my teammate @ncdinglis to brief @HSGAC on the #log4j vulnerability. We discussed what we're doing w/ #JCDC partners & the research community to mitigate this threat. Appreciate @SenGaryPeters & @senrobportman for hosting!"
Agency Progress and Incident Reporting
The Apache Software Foundation, the nonprofit that manages Apache's open-source projects, continues to push out semi-regular updates for the logging library - the latest being 2.17.1 - to address another, less-severe RCE vulnerability - CVE-2021-44832 - disclosed last week by the firm Checkmarx (see: Apache's Log4j Version 2.17.1 Addresses New Flaw).
CISA this week cited progress among "large" agencies that are patching or mitigating against the threat. And a spokesperson for CISA, which imposed a pre-Christmas deadline on agencies to remediate Log4j, tells ISMG: "While we are not at this time tracking any confirmed incidents impacting critical infrastructure directly related to Log4j, the federal government simply does not have the level of information it needs to definitively understand the breadth or nature of intrusions occurring as a result of this severe vulnerability."
An incident reporting bill, the spokesperson says, would ensure CISA receives timely information, enabling it to mitigate the effects of comparable vulnerabilities.
Peters said, "I remain concerned that we will likely never know the full scope and impacts of this widespread vulnerability, or the risk posed to critical infrastructure. Our federal government still lacks the necessary insight to understand the threat facing our nation, protect our networks, and impose consequences on malicious hackers."
Peters said he will continue pushing his bipartisan legislation that would require critical infrastructure companies to report a substantial attack within 72 hours or - when the victim pays a ransom - within 24 hours, so the government can better assess risk, prepare for national security impacts and coordinate responses.
Other CISA Updates
CISA's first Log4j alert was issued Dec. 11, when the agency added the flaw to its vulnerability catalog and required federal agencies to remediate it prior to Christmas. CISA later issued an emergency directive that trumped its first alert and required agencies to patch or mitigate "immediately" (see: CISA to Agencies: Patch Log4j Vulnerability 'Immediately').
In an event on Dec. 28 with Information Security Media Group's CyberEdBoard - a members-only community of security executives and thought leaders - Eric Goldstein, executive assistant director for cybersecurity at CISA, said, "We have seen a proof of concept of an exploit as small as 12 characters that can be triggered through a chat message, through a text message or through an email header" (see: CISA, Vendors Refine Scanners for Log4j Vulnerabilities).
Also, this week the U.K.'s National Health Service issued an advisory indicating that unknown attackers are actively targeting Log4j vulnerabilities in VMware Horizon servers in an effort to establish persistence. NHS Digital says the attack likely consists of a reconnaissance phase to "call back to malicious infrastructure." Attackers then retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service. From there, officials warn, attackers can carry out a number of malicious activities, such as data exfiltration, ransomware and more.
Microsoft, in an update to its Log4j guidance this week, said, generally, exploitation attempts and testing for vulnerable systems and devices remained "high" through late December (see: Microsoft: Log4j Exploit Attempts, Testing Remain Rampant).
And the U.S. Federal Trade Commission, the nation's top consumer protection agency, issued notice that organizations failing to mitigate against Log4j vulnerabilities may face legal action (see: FTC Threatens Action Against Orgs Failing to Mitigate Log4j).