Following the news that the China-backed APT41 hacking group has compromised at least six US state governments by exploiting the Log4j vulnerability, cyber security experts commented below.

Brian Fox
Brian Fox , CTO and co-founder
Industry Leader
March 9, 2022 12:07 pm

The news of China’s APT41 hacking group breaching U.S. state government networks tracks with the typical time lapse we see with zero-day vulnerabilities like Log4Shell. The Equifax breach, which was similar in nature, took around five months to clear the airwaves from the initial exploit. So, from a historical perspective, this isn’t surprising: a high-spread, low-complexity vulnerability equals a 100 percent chance of being used.

What is more surprising and even more concerning is that our data shows nearly 40% of Log4Shell downloads are still of vulnerable versions, meaning there’s a high chance that other state and national governments — not just in the U.S. — will be breached in the coming months by bad actors. What I advise now is what I’ve advocated for a long time: urge your software vendors to create and continuously update a software bill of materials and invest in a tool that includes software composition analysis (SCA). SCA provides a look at all the components in a project and determines the potential risk. These tools should be automated to monitor components across the entire Software Development Lifecycle.

Last edited 8 months ago by Brian Fox
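The SBOM-plus-SCA workflow the comment recommends, reduced to its core check, as an added example that is not part of the original article or of any vendor's product: read a software bill of materials, compare each component's version against an advisory list, and report anything inside a known-affected range. The SBOM here is a constructed document in a minimal CycloneDX-style JSON layout, and the advisory table is inline sample data; its single entry uses the Log4Shell identifier CVE-2021-44228 with the affected range Apache published for it (2.0-beta9 up to and including 2.14.1, first fixed in 2.15.0), but a real scanner would pull current data from a vulnerability feed rather than hard-code it, since later log4j releases addressed follow-on issues. The version parser is a deliberately small one for `major.minor.patch[-qualifier]` strings and is this example's own, not a library API.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample SBOM (minimal CycloneDX-style layout, not a real BOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "com.example", "name": "widget-lib", "version": "1.3.0"},
    ],
})

# Constructed advisory table for the example. The bounds for CVE-2021-44228
# follow Apache's advisory (affected from 2.0-beta9, fixed in 2.15.0); a
# production scanner must take these from a maintained vulnerability feed.
ADVISORIES: List[Dict[str, str]] = [
    {
        "group": "org.apache.logging.log4j",
        "name": "log4j-core",
        "introduced": "2.0-beta9",
        "fixed": "2.15.0",
        "id": "CVE-2021-44228",
    },
]


def parse_version(v: str) -> Tuple:
    """Turn 'major.minor.patch[-qualifier]' into a comparable tuple.

    Numeric parts are padded to three places; a pre-release qualifier such as
    'beta9' or 'rc1' sorts *before* the plain release of the same number.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    qualifier = m.group(2)
    tail = (0, qualifier) if qualifier else (1, "")
    return nums + tail


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (half-open range, as advisories state it)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan_sbom(sbom_json: str) -> List[Tuple[str, str, str, str]]:
    """Return (coordinates, version, advisory id, first fixed version) for each hit."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in ADVISORIES:
            if (comp.get("group"), comp.get("name")) != (adv["group"], adv["name"]):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                coords = f"{comp['group']}:{comp['name']}"
                findings.append((coords, comp["version"], adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    # Run the scan over the constructed SBOM and print one line per finding.
    for coords, version, adv_id, fixed in scan_sbom(SAMPLE_SBOM):
        print(f"{coords}@{version}: {adv_id}, upgrade to >= {fixed}")
```

Wiring this into the pipeline is what makes it "automated across the SDLC": regenerate the SBOM on every build, run the scan against a freshly pulled advisory feed, and fail the build on any finding, so a vulnerable component is caught at the point it enters rather than months later.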
Information Security Buzz