The Log4j vulnerability is a major threat because of the sheer number of dark corners of code in which it is hiding. Manually patching all of it is difficult and potentially expensive, but organizations are now being pressured to do so by the Federal Trade Commission (FTC). Legal action may be forthcoming for those that do not patch the issue out of their networks; the FTC has issued an alert that references the Equifax breach (which ended in a settlement of $700 million) as a precedent.
US government gets involved in Log4j campaign
The threats of legal action have been prompted by the threat level that Log4j presents. The Java logging tool is very commonly found in software packages, particularly open-source ones. The vulnerability is relatively simple to exploit, so much so that non-technical actors could potentially take advantage of it. Estimates have put three billion devices at risk globally.
Log4j's publisher, Apache, has since issued a patch that closes the vulnerability, but it cannot be pushed out centrally to all instances of the software. Administrators must manually update each instance in the wild to the newest version, and tracking them all down can be tricky.
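The tracking-down problem is the part a defender can automate: log4j-core ships as a Maven artifact with a pom.properties file that declares its version, and it is frequently bundled inside other archives (fat JARs, WARs, EARs) rather than sitting on disk on its own. The script below is an added example, not code from the article or from Apache: it walks a directory tree, opens every archive it finds, recurses into archives nested inside them, reads the declared log4j-core version, and flags anything below a minimum version the operator supplies. That minimum, the default "2.50.0", and the versions inside the sample archives built by build_sample_tree() are constructed placeholders; take the real floor from current Apache and CISA guidance.

```python
"""Inventory log4j-core on a filesystem, including archives nested inside other
archives, and flag instances below an operator-supplied minimum version.

Added example, not from the article or from Apache. The minimum version and the
sample archives are constructed placeholders, not guidance values.
"""
import io
import os
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Path Maven writes into every log4j-core artifact; the version line lives here.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); a trailing qualifier like '-rc1' is dropped."""
    core = text.strip().split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def _version_from_zip(zf: zipfile.ZipFile) -> Optional[str]:
    """Return the log4j-core version declared in pom.properties, if the file exists."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _walk_archive(zf: zipfile.ZipFile, path: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for this archive and every archive nested in it."""
    ver = _version_from_zip(zf)
    if ver:
        yield path, ver
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    # "!/" mirrors the jar: URL convention for nested entries
                    yield from _walk_archive(inner, f"{path}!/{name}")
            except zipfile.BadZipFile:
                continue  # entry named like an archive but not one; skip it


def find_log4j_core(root: str) -> List[Tuple[str, str]]:
    """Walk root and return every (location, version) where log4j-core was found."""
    found: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_EXTS):
                continue
            full = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(full) as zf:
                    found.extend(_walk_archive(zf, full))
            except zipfile.BadZipFile:
                continue
    return found


def below_minimum(found: List[Tuple[str, str]], minimum: str) -> List[Tuple[str, str]]:
    """Keep only the instances older than the operator-supplied minimum version."""
    floor = parse_version(minimum)
    return [(loc, v) for loc, v in found if parse_version(v) < floor]


def _pom_bytes(version: str) -> bytes:
    return (f"version={version}\ngroupId=org.apache.logging.log4j\n"
            f"artifactId=log4j-core\n").encode()


def build_sample_tree(base: str) -> None:
    """Constructed sample: a bare log4j-core jar plus a WAR bundling another copy."""
    with zipfile.ZipFile(os.path.join(base, "log4j-core-old.jar"), "w") as zf:
        zf.writestr(POM_PROPS, _pom_bytes("2.10.0"))      # constructed version
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, _pom_bytes("2.99.0"))      # constructed version
    with zipfile.ZipFile(os.path.join(base, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-bundled.jar", inner.getvalue())
        zf.writestr("WEB-INF/lib/other.jar", b"not a zip")  # exercises BadZipFile path


def demo(minimum: str = "2.50.0") -> dict:
    """Scan the constructed tree; the default minimum is a placeholder, not guidance."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = find_log4j_core(tmp)
        flagged = below_minimum(found, minimum)
        return {"found": len(found), "flagged": [v for _, v in flagged]}


if __name__ == "__main__":
    print(demo())
```

Run it against application and library directories on each host (or point find_log4j_core at a mounted image) and feed the flagged list into the patch tracker; the nested-archive walk is what catches the copies a plain file-name search misses.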
The FTC did not name specific penalties or actions in its January 4 alert, but did cite its previous actions against Equifax. The 2017 data breach of that company is thought to have exposed some 147 million records containing sensitive personal and financial information, and was traced back to a failure to patch a known vulnerability.
The FTC called for all organizations to take “reasonable steps” to take care of the Log4j issue, including following the current CISA guidance and informing any relevant third-party subsidiaries. The agency specified that failure to identify and patch Log4j instances could be considered a violation of the Federal Trade Commission Act (FTCA) and the Gramm-Leach-Bliley Act.
Amit Yoran, Tenable CEO, sees the threat of legal action as a necessary move to get the problem under control: “About time. Hallelujah! The FTC warning about potential legal repercussions for companies that fail to address the Log4j vulnerability is long overdue. Not addressing Log4j is worse than leaving your doors and windows unlocked and inviting an intruder in to raid your shelves, because it puts the data so many organizations collect on individuals at risk as well. Log4j in particular is the most significant vulnerability in history. Not addressing it proactively IS the definition of negligence! If the threat of government penalties shakes people out of their complacency, that’s a win for everyone. Now let’s get to it.”
Legal action threatened as Log4Shell attacks proliferate
The announcement follows a recent warning from Microsoft’s security team indicating that threat actors are taking full advantage of Log4j and that immediate patching is badly needed as even lower-skilled attackers pile in while the window is open.
Given the prevalence of Log4j (and the slow pace at which organizations sometimes go about patching), some security experts are expecting to see this attack pop up here and there for years to come. Most of the big names in tech and online services have issued press releases at this point indicating that they have either patched out Log4j or performed an investigation determining that they are not vulnerable to it. The prospect of legal action may be the only thing that can motivate those that have yet to get to it.
The laggards are expected to be smaller organizations with less of an IT budget and lower awareness of security issues, but many of these companies could be in the supply chain of larger and better-equipped firms. Some organizations are reluctant to patch without testing first, or without first watching what happens to other firms before deciding to roll out the patch, something that security experts stress is the wrong approach in this particular case.
While organizations may not want to take chances with legal action, it remains to be seen exactly how serious the FTC is on this issue. The agency has been widely panned on its enforcement of the Equifax case, allowing the company to settle on providing consumers with a year of free credit monitoring but also granting its request to delay this for four years. The Register notes that the agency did not require tests of Equifax’s security upgrades, subpoena any of its executives or force any of them to testify during its legal action against the credit monitoring firm.
Check Point Software reported at least 1.8 million attempts to exploit Log4j by late December, and it was targeted on more than 48% of corporate networks by early January. Attacks have tended to deliver botnet malware for the purposes of distributed denial of service (DDoS) and crypto mining, and one particular strain of malware that attacks financial institutions (called Dridex) has been seen in numerous incidents. Threat actors appear to be casting a wide net, attempting to compromise any and all devices possible while the vulnerability is still prevalent in the wild. Windows machines are most commonly targeted, but at least one very active group is focusing on Linux ransomware.
A recent estimate from Wiz indicates that 93% of all cloud environments are vulnerable to a Log4j attack, but at this point at least 45% of them have been patched. There have been few high-profile incidents involving the vulnerability as of yet; it has been tenuously connected to breaches of Ultimate Kronos Group and the Belgian Defense Ministry, but not yet confirmed. The biggest crypto platform in Vietnam, ONUS, was hit with ransomware in late December after what is thought to be a Log4j attack.