Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said that although there has been no major cyberattacks linked to a flaw in the Log4j software code so far, the vulnerability could pose long-term risks to large and small organizations and networks used to operate critical infrastructure, The Wall Street Journal reported Monday.
“The scale and potential impact of this makes it incredibly serious,” Easterly said of the Log4j problem, which records activity in applications and computer networks.
She said the Log4j flaw had resulted in “widespread criminal activity” that included the installation on vulnerable devices of botnet code or software used for cryptocurrency mining.
CISA created a public catalog of products known to contain the vulnerability and Easterly said more than 2,800 cases of problems linked to Log4j in various commercial offerings have been submitted for inclusion in the catalog.
In December, Easterly announced that CISA added the Log4j flaw to its “catalog of known exploited vulnerabilities” to incite federal civilian agencies and partners to immediately patch or remediate the issue.
