Following the news that the China-backed APT41 hacking group has compromised at least six US state governments by exploiting the Log4j vulnerability, cyber security experts commented below.
The news of China’s APT41 hacking group breaching U.S. state government networks tracks with the typical time lapse we see with zero-day vulnerabilities like Log4Shell. The Equifax breach, which was similar in nature, took around five months to clear the airwaves from the initial exploit. So, from a historical perspective this isn’t surprising: a high-spread, low-complex vulnerability equals a 100 percent chance of being used.
What is more surprising and even more concerning is our data shows that nearly 40% of Log4Shell downloads are still of vulnerable versions. Meaning there’s a high chance that other state and national governments — not just in the U.S. — will be breached in the coming months by bad actors. What I advise now is what I’ve advocated for a long time: urge your software vendors to create and continuously update a software bill of materials and invest in a tool that includes software composition analysis (SCA). SCA provides a look at all the components in a project and determines the potential risk. These tools should be automated to monitor components across the entire Software Development Lifecycle.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics