The US Federal Trade Commission (FTC) has sent a stark warning to companies that hold consumer data in the light of recent attacks exploiting a vulnerability inside Log4J, a java logging framework used by millions of devices and systems worldwide.
Discovered just a few weeks ago, the vulnerability – called Log4Shell – garnered swathes of media attention after being dubbed the worst software flaw “possibly in the history of modern computing” by outlets and security experts alike.
With the FTC planning to pursue companies that fail to provide adequate protection to consumers, it is of paramount importance, for the sake of both customer and company, that security provisions are updated.
Fining Thoughtless Companies
The FTC has made it clear that it will use the full force of the law to ensure that as little consumer data as possible is deleted or stolen via attacks exploiting the Log4J vulnerability.
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future”. – Federal Trade Commission.
Companies that do not do so are likely to face multi-million-dollar fines and possibly other legal action, the agency says, referencing its $700 million settlement with Equifax in 2019 in case anyone was thinking of calling its bluff.
The regulatory body also set out four steps to take for those using the Log4J software library:
- Update your Log4j software package to the most current version found here: https://logging.apache.org/log4j/2.x/security.html
- Consult CISA guidance to mitigate this vulnerability.
- Ensure remedial steps are taken so that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
- Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.
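The first and third of those steps (identify every instance of the library, then patch it) assume you know where Log4J actually lives on your hosts. As an added illustration, not code from the article, the FTC or the Apache project, here is a small inventory script that walks a directory tree, opens jar/war/ear archives (descending into jars nested inside wars) and reports the log4j-core version recorded in each copy's Maven metadata. The MIN_SAFE_VERSION threshold is an assumption for the demo; take the real figure from the Apache security page linked above. The sample tree the demo() function builds is constructed for the example.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Lowest log4j-core version treated as patched. ASSUMPTION for this example:
# set it from the Apache security page the FTC guidance points at.
MIN_SAFE_VERSION = (2, 17, 1)

# Maven metadata shipped inside log4j-core jars; it carries the version string.
POM_PROPS_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties: str):
    """Return (major, minor, patch) from a pom.properties body, or None if absent."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            nums = []
            for part in line.split("=", 1)[1].strip().split(".")[:3]:
                m = re.match(r"\d+", part)  # tolerate suffixes such as "-rc1"
                if not m:
                    break
                nums.append(int(m.group()))
            while len(nums) < 3:
                nums.append(0)
            return tuple(nums)
    return None


def scan_archive_bytes(data: bytes, location: str, findings: list) -> None:
    """Inspect one archive held in memory, descending into nested jars/wars."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with archive:
        for name in archive.namelist():
            if POM_PROPS_RE.search(name):
                version = parse_version(archive.read(name).decode("utf-8", "replace"))
                findings.append({
                    "location": location,
                    "version": version,
                    # an unreadable version is reported as needing attention
                    "vulnerable": version is None or version < MIN_SAFE_VERSION,
                })
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive_bytes(archive.read(name), f"{location}!{name}", findings)


def scan_tree(root) -> list:
    """Walk a directory and return every log4j-core copy found, sorted by location."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive_bytes(path.read_bytes(), str(path), findings)
    return sorted(findings, key=lambda f: f["location"])


def make_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct demo input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> list:
    """Constructed sample tree: one old log4j-core nested in a war, one patched jar."""
    pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    old_jar = make_archive({pom: b"groupId=org.apache.logging.log4j\nversion=2.14.1\n"})
    new_jar = make_archive({pom: b"groupId=org.apache.logging.log4j\nversion=2.17.1\n"})
    root = Path(tempfile.mkdtemp())
    (root / "app.war").write_bytes(
        make_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": old_jar}))
    (root / "lib").mkdir()
    (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(new_jar)
    return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        flag = "VULNERABLE" if finding["vulnerable"] else "ok"
        print(f"{flag:10} {finding['version']} {finding['location']}")
```

Run it with `python scan.py` to see the constructed sample, or call `scan_tree("/opt")` against a real application directory. Two limitations worth knowing before trusting the output: shaded or "fat" jars that repackage Log4J classes without the Maven pom.properties entry are not detected, and copies of the older Log4J 1.x line use a different metadata path and are skipped. A hit at or above the threshold still tells you the host ran Log4J at some point, so it belongs on the list of devices Microsoft recommends reviewing further.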
Prior to its warning to the private sector, last month the government ordered that all Federal Civilian Executive Branch agencies (such as the Department of Agriculture and the Department of Defense) take steps to mitigate the threat posed by Log4Shell.
What is the Log4J Vulnerability?
In short, Log4Shell is a vulnerability in Log4J, an open-source logging library maintained by the Apache Software Foundation. It’s a zero-day vulnerability, which means hackers were taking advantage of it long before it was identified as a problem.
Log4Shell allows for remote code execution, which makes it quite dangerous: malicious strings of data just need to be processed by the vulnerable component of Log4J, and then there’s little limit to what a threat actor can do.
“The Log4J vulnerabilities represent a complex and high-risk situation for companies across the globe. This open-source component is widely used across many suppliers’ software and services”. – Microsoft 365 Defender Threat Intelligence Team.
Microsoft’s Security Team also explained on Monday that “By nature of Log4J being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment”.
What Should I do if my Business Uses Log4J?
Well, the chances are that you do use it, at least somewhere in your systems. If this is the case, the optimal action to take at this moment is to follow the FTC guidance, both for the sake of your clients and your company, and consult the CISA guidance referenced in the FTC’s instructions.
If your business’s security provisions don’t fill you with confidence, this might be the time to think about an audit and subsequent upgrade. After all, as Microsoft says, “organizations may not realize their environments may already be compromised”, and customers should conduct an “additional review of devices where vulnerable installations are discovered.”
Importantly, the latest, most reliable antivirus software your company’s budget can accommodate – and in turn, the latest version of that software – will ensure you’ll be able to remove any malware that may have been inserted into your device via the exploit.