Log4j attacks will expand, experts warn

Attacks based on a flaw in the widely used Log4j open-source library have continued in the week since the vulnerability was disclosed publicly. And cybersecurity experts warn there's no end in sight.

Why it matters: The problematic piece of code is used in hundreds of different pieces of enterprise software and networking gear, making it challenging for companies and governments to identify and patch all their affected systems.

Catch up quick: Government officials and security executives have been sounding the alarm over the issue, noting it likely affects hundreds of millions of systems and is easily exploited.

What's new: In an update on Tuesday, Sophos said the vast majority of attacks have come from China and Russia, with just one domain, associated with a Russian cryptocurrency mining organization, accounting for 11% of attacks.

• "What is certain is that we have not seen a significant reduction in exploit attempts since they peaked on December 15, and that these probes and exploits are coming from a globally distributed infrastructure," Sophos' Sean Gallagher said in a blog post.

Between the lines: There are hundreds of software and network products that remain vulnerable, Gallagher tells Axios, noting that some, but not all, have workarounds.

• "There’s still an extraordinarily large attack surface available, and we may not know its extent for weeks or months," Gallagher says.

Of note: The U.S. Cybersecurity and Infrastucture Agency has released an open-source scanner tool to help companies and agencies find Log4j instances within their systems.

The bottom line: "We keep saying that these events are a 'wake up call,' but all we have been doing is hitting the snooze button," says Mehul Revankar, a VP and security expert at Qualys.

• Revankar called the flaw "the single most vicious vulnerability" he has seen in two decades of work in cybersecurity.

Go deeper: 2021 was the year cybersecurity became everyone's problem