Log4j is a utility found in cloud servers and enterprise software used by private companies, county, state and the federal governments, according to The Associated Press. It is ranked by law enforcement and information technology security officials as the worst computer vulnerability uncovered in years.
Unless found and fixed, it grants cyber criminals, foreign intelligence operatives and programming novices alike easy access to internal networks where they can steal valuable data, plant malware, erase information and perform other operations, the AP reported.
On Thursday, U.S. Indo-Pacific Command Public Affairs said it had not completed an assessment of Hawaii assets to determine whether the Department of Defense in Hawaii was experiencing any system, network, application or operational disruptions or intrusions due to Apache Log4j vulnerability.
INDOPACOM is also evaluating whether the recent global attack on Kronos cloud-based software—used by companies and governments to track work times, leave requests and workforce management—hit DOD operations.
The Kronos attack recently forced more than 8,000 employees at The Queen's Health Systems, 400 to 500 employees at the Honolulu Board of Water Supply, 250 employees at the city Emergency Medical Services division and 400 workers with the state Department of Health to instead use manual timekeeping and paycheck payroll operations.
Vincent Hoang, chief information security officer with the state Office of Enterprise Technology Services, said Thursday that state networks and systems did not appear affected by the Log4j vulnerability.
"At this point, we have not experienced any operational impacts from the current Log4j vulnerabilities. We continue to work closely with federal and industry partners who are providing guidance and assistance to address issues that may arise, " Hoang said.
Mark D. Wong, chief information officer and director of the city Department of Information Technology, said the city has a process for finding vulnerabilities.
First, workers review security support sites to find vulnerable applications and available patches. Sometimes the vendor or security community notifies the department directly, Wong said.
"Another way we look for potential problems is to scan all our servers for instances of files associated with vulnerability. Finally, we conduct an extensive network scan to probe for vulnerable applications. This approach works for a wide range of vulnerabilities, not just Log4j, " said Wong.
Members of the Chamber of Commerce of Hawaii and the Retail Merchants Association of Hawaii have not reported any impacts.
According to the Cybersecurity and Infrastructure Security Agency, Log4j is "very broadly used in a variety of consumer and enterprise services, websites, and applications."
The Federal Bureau of Investigation and CISA are looking for affected U.S. governmental bodies, companies and individuals who believe they were victims of the software vulnerability.
"If you feel your systems have been compromised as a result of the Log4j vulnerability or are seeking remediation, we encourage you to employ all," an FBI news release stated.
"If you think your organization has been compromised as a result of the Log4j vulnerability, visit to report to the FBI. Please include as much information as possible to assist the FBI and CISA in determining prioritization for victim outreach."
CISA and the Joint Cyber Defense Collaborative are responding to active, widespread exploitation of Apache's Log4j software library, versions 2.0-beta9 to 2.14.1, known as Log4Shell, according to a post Thursday on CISA's website.
Log4Shell was configured to spread ransomware and is also used by foreign intelligence services that team with like-minded hacking gangs to hammer U.S. operating networks and systems with an endless barrage of cyber attacks.
©2021 The Honolulu Star-Advertiser, Distributed by Tribune Content Agency, LLC.
