The Cybersecurity and Infrastructure Security Agency (CISA) sent out an emergency?directive on Friday, requiring federal civilian departments and agencies?to?immediately?patch their internet-facing network?assets for the Apache Log4j vulnerabilities. If they can't patch, they're required implement other appropriate?mitigation measures.?

CISA previously said federal civilian agencies would have until December 24 to address the issue, but it noted that the latest directive "is in response to the active exploitation?by multiple threat actors of vulnerabilities found?in?the?widely used Java-based logging package Log4j."

more Log4j

• Log4j zero-day: How to protect yourself
• Apache releases new 2.17.0 patch
• Security firm discovers new attack vector
• 10 questions you need to be asking
• Governments release Log4j advisory
• So far, nearly half of corporate networks have been attacked
• US: Hundreds of millions of devices at risk

CISA Director Jen Easterly said they are urging organizations of all sizes to also assess their network security and adapt the mitigation measures outlined in the emergency directive. 

If you are using a vulnerable product on your network,?Easterly said you should consider your door wide open to?any number of threats. 

"The Log4j vulnerabilities pose an unacceptable risk to federal network security," Easterly explained.?"CISA has issued this emergency directive to drive federal civilian agencies to?take action?now?to?protect their networks, focusing first on internet-facing devices that?pose the greatest immediate risk."

According to CISA, the directive was handed down because these vulnerabilities are currently being exploited by threat actors. CISA's investigations showed just how prevalent the affected software is in the federal enterprise. 

CISA said there is a "high potential" for a compromise of agency information systems and expressed concern about the impact of a breach. 

VMware head of cybersecurity strategy Tom Kellermann said the exploitation of the Log4j vulnerability allows for full control of the target system that is running Apache. 

"So they have the capacity to just be on missions and spy on the activities of the users of the systems. They have the capacity to use that system to island-hop into other systems. They have the capacity to become disruptive. It really varies," said Kellermann, who served as a cybersecurity commissioner for the Obama administration.

"I would say that there is so much activity going on right now, that it'll probably weeks, if not months, before the true scope of this significant cybercrime wave for this vulnerability and the severity of its impact is discovered."

CISA created a dedicated webpage?with?Log4j mitigation guidance and?resources for network defenders, as well as a community-sourced?GitHub?repository?of affected devices and services. ?? 

CISA added the Log4j vulnerability, alongside 12 others, to its Known Exploited Vulnerabilities Catalog. It created the list last month as a way to provide government organizations with a catalog of vulnerabilities organized by severity.

Using their honeypot network to attract attackers, cybersecurity firm Bitdefender found that their honeypots were attacked 36,000 times from Dec. 9 to Dec. 16. Half of all attacks used TOR to mask true country origin and were based on endpoint telemetry. The lead countries of origin for attacks were Germany at 34% and the US at 26%. 

Bitdefender added that based on endpoint telemetry, the lead attack targets are the US at 48%, followed by the UK and Canada both at 8%.

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next