Five Eyes nations warn of cyber threats from Apache vulnerability

Federal agencies in the United States, as well as top cybersecurity agencies in the other countries that make up the Five Eyes intelligence alliance, warned Wednesday that hackers are “actively exploiting” a recently uncovered vulnerability in Apache logging library log4j.

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the top cybersecurity agencies in Australia, Canada, New Zealand and the United Kingdom outlined their concerns about the vulnerability in a joint alert published Wednesday. 

“Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021- 45105 in vulnerable systems,” the agencies wrote in the alert, referring to multiple vulnerabilities in Apache’s log4j software library. “According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.”

The vulnerability, uncovered earlier this month, has quickly snowballed into one of the most widespread cybersecurity vulnerabilities in recent years, with security professionals scrambling to deploy patches for a software that underlies the majority of organizations around the world. 

Security groups reported last week that nations including China and Iran were exploiting the vulnerability, with organizations including the Belgian Ministry of Defense being hacked through the exploit. 

“These vulnerabilities, especially Log4Shell, are severe,” the agencies warned. “These vulnerabilities are likely to be exploited over an extended period.”

CISA in particular has taken action, with the agency last week putting out an emergency directive ordering federal agencies to immediately investigate and patch against the vulnerability, and creating a team through its Joint Cyber Defense Collaborative to address the issue. 

Homeland Security Secretary Alejandro Mayorkas said Tuesday the recently announced Hack DHS bug bounty program would be extended to include incentives for vetted cybersecurity professionals to hunt through some external DHS systems for log4j-related vulnerabilities. 

CISA Director Jen Easterly last week underscored the threat from the vulnerability, which may take years to fully patch across all systems.

“CISA estimates that hundreds of millions of devices in use around the world are potentially susceptible to the log4j vulnerability,” Easterly said in a statement provided to The Hill last week. “We know malicious actors are actively exploiting this vulnerability in the wild.”