At the beginning of December, the Apache Software Foundation dropped a bombshell when it disclosed a zero-day vulnerability in popular Java logging package Log4j. With affected devices numbering over a hundred million, the Log4j vulnerability is so severe that Cybersecurity Infrastructure Security Agency (CISA) director Jen Easterly called it “one of the most serious I’ve seen in my entire career, if not the most serious.”
Although patches for the vulnerability have since been issued, businesses are still being affected into the first weeks of 2022 – a trend that will likely continue throughout the year. Consequently, the Federal Trade Commission (FTC) has issued a warning that organizations may be subject to legal penalties if they do not act to protect their customers.
Like similar incidents in the past, the Log4j vulnerability shows how the software supply chain can be leveraged by malicious actors to compromise thousands of businesses. With the threat of a lawsuit hanging over their heads, it should also serve as a sobering wake-up call for organizations to take their third-party code seriously and control their digital assets.
A Christmas Surprise
Disclosure of the Log4j vulnerability (CVE-2021-44228 – also known as ‘Log4Shell’) came on December 9th, prompting a frenzy of action leading up to the holiday season. Microsoft warned Minecraft players that Java-based versions of the game were affected, and web-hosting company Cloudflare revealed that attackers had been exploiting Log4j as early as December 1st.
A week after the issue came to light, CISA issued an emergency directive to government agencies, requiring them to address the issue by Christmas Eve. Shortly afterwards, it also published guidelines to help organizations determine whether they were affected – but this turns out to be more complicated than it seems, and understanding why shows how serious the Log4j vulnerability really is.
Log4j: A Needle in a Haystack
As a common and open-source software component, Log4j can be found across hundreds of millions of devices, including web servers and consumer hardware. It is buried in the code of enterprise software, cloud applications, mobile apps and more. This has made it difficult for organizations to know whether they are impacted by Log4j in the first place, and even more difficult to correct the problem.
Malicious actors have wasted no time taking advantage of this situation: since December, millions of Log4j-directed attacks have been detected every hour. As a remote code execution exploit, Log4Shell has enabled cyber actors to install ransomware, steal sensitive data, and jump from server to server.
Like other cybersecurity incidents of a similar magnitude, the potential impact of Log4j on consumers is devastating, potentially leading to breaches of personal information, identity theft and financial fraud. Furthermore – with foreign actors jumping on the exploit – it also represents a serious risk to national security.
All of this explains why the FTC has taken a hard and uncompromising stance towards organizations who fail to act.
FTC Joins the Chat
On January 4th, the FTC issued a warning via its website, stating: “it is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.” Moreover, the agency made it clear that this warning applies not only to Log4j, but also to “similar known vulnerabilities in the future.”
As grounds for legal action, the FTC cited the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, using the Equifax settlement to illustrate what can happen when an organization ignores known cybersecurity vulnerabilities.
In 2017, consumer credit reporting agency Equifax failed to patch an Apache Struts vulnerability, leading to an attack that compromised the data of 147 million consumers. In 2019, Equifax was forced to pay a $700 million settlement following a lawsuit from the FTC, proving that the agency’s warnings have teeth.
Ultimately – despite the difficulties involved with tracking down and rectifying Log4j vulnerabilities – the FTC is holding organizations accountable for taking the following actions:
- Follow CISA’s guidelines for identifying Log4j vulnerabilities within IT infrastructure
- Update any software containing Log4j to the most recent version
- Take steps to mitigate the vulnerability. Where patching is impossible (for example, software that no longer receives updates), that may mean switching to an alternative.
- Distribute information about the vulnerability to third parties and consumers who may be vulnerable.
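One way to start on the first two of those steps is an inventory scan of the file system. The following is an added example, not code from CISA, the FTC or the page's author: a small Python scanner that opens Java archives, descends into jars bundled inside WARs, EARs and shaded jars (the "needle in a haystack" problem described above), and flags log4j-core copies older than 2.15.0 that still ship the JndiLookup class. The 2.15.0 cut-off and the marker class are the scanner's own assumptions, and the sample archive it inspects is constructed in memory.

```python
import io
import re
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # present in affected 2.x builds
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIRST_FIXED = (2, 15, 0)  # first 2.x fix for CVE-2021-44228; older-Java backport branches not modelled
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(pom_text):
    """Extract (major, minor, patch) from a Maven pom.properties body."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_archive(data, path):
    """Report every log4j-core copy in an archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip container (or corrupt): nothing to inspect
    names, findings = set(zf.namelist()), []
    if POM_PROPS in names:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        has_jndi = JNDI_CLASS in names
        findings.append({"path": path, "version": version, "jndi_lookup": has_jndi,
                         "vulnerable": has_jndi and version is not None and version < FIRST_FIXED})
    for name in names:  # shaded jars, WARs and EARs bundle libraries one level down
        if name.lower().endswith(ARCHIVE_EXT):
            findings.extend(inspect_archive(zf.read(name), f"{path}!/{name}"))
    return findings

def scan_tree(root):
    """Walk a directory tree and inspect every Java archive found in it."""
    return [f for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVE_EXT
            for f in inspect_archive(p.read_bytes(), str(p))]

def build_archive(entries):
    """Constructed zip bytes from {name: bytes|str}; test data, not the real library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    inner = build_archive({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    war = build_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": inner})
    print(inspect_archive(war, "app.war"))  # the nested copy is reported as vulnerable
```

A copy whose JndiLookup class has been removed is reported but not flagged, so the output doubles as a record of where the mitigation has already been applied.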
Controlling Your Third Parties
The Log4j vulnerability is likely to be remembered as the single greatest cybersecurity threat to emerge in 2021, and some predict that it will continue to affect businesses for years to come. However, it is not totally unique, and similar vulnerabilities are likely to occur in the future.
With the FTC threatening legal action against businesses who don’t protect their customers, it is also setting a significant precedent: organizations are responsible for cybersecurity flaws that affect their users, whether those flaws originated from a third-party software provider or from their own products.
In 2022, it has never been more important for businesses to understand the code deployed throughout their consumer-facing products, what it does, and who provides it. In the face of Log4Shell and similar threats, businesses should invest in Digital Vendor Risk Management to:
- Identify and document all code executing across their digital environment, with vendor attribution, domains, and more
- Analyze and classify code for relevance and contribution to website functionality
- Connect with partners to share policies and request information regarding functionality