Cybersecurity official warns software vulnerability could affect 'hundreds of millions of devices'
CISA first warned about the vulnerability over the weekend.
The Cybersecurity and Infrastructure Agency (CISA) on Tuesday warned that the Log4j vulnerability could impact hundreds of millions of devices, according to a top government official.
The vulnerability is linked to a commonly used piece of software called Log4j, a utility that runs in the background of many commonly used software applications.
CISA convened a conference call on the vulnerability, according to a CISA official.
On the call, CISA Director Jenn Easterly told industry and government officials the vulnerability will be widespread and CISA officials stated hundreds of millions of devices are likely affected and can be exploited by a broad range of threat actors, according to that official.
Members of Congress and private businesses are also sounding the alarm about the vulnerability.
"Basically, it's an open door that could allow a bad actor in to either steal your data to launch a ransomware attack, you name it. It's basically an open door to your system that allows an attacker in," Rep. Jim Langevin, a Rhode Island Democrat, told ABC News.
Langevin, one of the founding members of the Cyberspace Solarium Commission, said this vulnerability could be a problem for companies, as it could "compromise an entire company's system and their database, including customer records and data, on a more individual basis."
Cybersecurity giant Mandiant said it is already seeing Chinese government actors exploit the vulnerability.
Companies like Amazon Web Services and IBM are working to issue patches in their software as a stop gap to fix the vulnerability.
Langevin said the seriousness of the vulnerability cannot be overstated.
"There's no telling what the bad actors could do to carry out their ransomware attack or steal data, implant something onto a system," Langevin said. “If Log4j is used let’s say on a utility could very easily in that, you know, in the in the middle of winter, go on to a compromise, a gas company's website and shut down the gas pipeline, if you will. And so there could be people significant numbers of people that are without natural gas to heat their homes in the dead of winter. It could cause, obviously damage or loss of life, which is again all very disturbing."
In a call with reporters Tuesday night, Eric Goldstein, the executive assistant director for CISA, said since the vulnerability was announced, the agency has seen "low level" activity but nothing that raises heightened concern.
There are currently no federal government breaches tied to this software vulnerability, he said.
To the average consumer, Goldstein said, there has been no impact but stresses companies take this vulnerability "very, very seriously."
Goldstein said this issue is much different from the SolarWinds hack.
"So, with SolarWinds, we had a targeted supply chain attack by a highly sophisticated but specific adversary intended to compromise specific organizations to achieve particular objectives. What we have here is an extremely widespread easy to exploit and potentially highly damaging vulnerability that certainly could be utilized by adversaries to cause real harm," Goldstein said.
"At this point in time, we are not seeing widespread, highly sophisticated damaging intrusion campaigns, but certainly we are deeply concerned about the prospects of adversaries using this vulnerability to cause real harm and even impacting national critical functions, which is why we have such a sense of urgency at CISA and across the cybersecurity community to drive urgent mitigation and adoption of controls wherever we can," he said.