FTC to Go After Companies that Ignore Log4j

Companies that fail to protect consumer data from Log4J attacks are at risk of facing Equifax-esque legal action and fines, the FTC warned.

The Federal Trade Commission (FTC) will muster its legal muscle to pursue companies and vendors that fail to protect consumer data from the risks of the Log4j vulnerabilities, it warned on Tuesday.

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” according to the warning.

Those companies that bungle consumer data, leaving vulnerabilities unpatched and thus opening the door to exploits and the resulting possible “loss or breach of personal information, financial loss and other irreversible harms,” are risking consequences tied to weighty laws that have resulted in fat fines, the FTC said.

Infosec Insiders Newsletter

It mentioned, among others, the Federal Trade Commission Act  and the Gramm-Leach-Bliley Act. The FTC Act, the commission’s primary statute, enables it to seek monetary redress and other relief for conduct injurious to consumers. Gramm-Leach-Bliley requires financial institutions to safeguard sensitive data.

“ It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,” the FTC urged.

The FTC means it: Its warning included a reference to the complaints against Equifax, which agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, and all fifty states over its infamous 2017 data leak (consumers’ reaction at the time: Make it hurt more).

According to the Equifax complaint, its  failure to patch a known vulnerability “irreversibly exposed the personal information of 147 million consumers.” Expect more of the same if your company fails to protect consumer data from exposure as a result of Log4Shell or whatever similar, known vulnerabilities crop up, it said.

The FTC advised companies to use guidance from the Cybersecurity and Infrastructure Security Agency (CISA) to check if they’re using Apache’s Log4j logging library, which is at the heart of the cluster of vulnerabilities known as Log4Shell.

Companies that find that they are using Log4j should do the following, CISA recommended:

  • Update your Log4j software package to the most current version.
  • Consult CISA guidance to mitigate this vulnerability.
  • Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
  • Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.

On Dec. 17, CISA issued an emergency directive mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Log4j vulnerabilities by Thursday, Dec. 23. Federal agencies were given five more days – until Dec. 28 – to report Log4Shell-affected products, including vendor and app names and versions, along with what actions have been taken – e.g. updated, mitigated, removed from agency network – to block exploitation attempts.

CISA provides a dedicated page for the Log4Shell flaws with patching information and has released a Log4j scanner to hunt down potentially vulnerable web services.

The Log4j Fire Rages Unabated

The initial flaw – CVE-2021-44228 – was discovered on Dec. 9 and came under attack within hours. As of Dec. 15, more than 1.8 million attacks, against half of all corporate networks, using at least 70 distinct malware families, had already been launched to exploit what became a trio of bugs:

  1. The Log4Shell remote-code execution (RCE) bug that spawned even nastier mutations and which led to …
  2. The potential for denial-of-service (DoS) in Apache’s initial patch. Plus, there was …
  3. A third bug, a DoS flaw similar to Log4Shell in that it also affected the logging library. It differed in that it concerned Context Map lookups, not the Java Naming and Directory Interface (JNDI) lookups to an LDAP server involved in CVE-2021-44228: lookups that allow attackers to execute any code that’s returned in the Log4Shell vulnerability.

At this point, the Conti ransomware gang has had a full attack chain in place for weeks.

In a Monday update, Microsoft said that the end of December brought no relief: The company observed state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through month’s end. “Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,” Microsoft security researchers warned.

“Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” the researchers said.

Hunting Down Log4j

One of the most challenging aspects of responding to the Log4j vulnerability is simply identifying the devices in an organization where Log4j is used. The word “ubiquitous” has applied since the get-go.

“Since it is a cross-platform, widely used software library, there is incredible diversity in where and how it is deployed: it can be an application package installed by itself, bundled with another application package as just another file on disk or embedded in another application with no visible artifact,” J.J. Guy, co-founder and CEO at Sevco Security, told Threatpost on Wednesday.

He added, “Even worse, it is used in everything from cloud-managed services to server applications and even fixed-function, embedded devices. That internet-connected toaster is very likely vulnerable to Log4Shell.”

We’re just in the middle of the triage phase now, Guy said, where basic tools like systems-management or software-management tools to check for the file on disk can provide initial triage.

One question: What’s the inventory of equipment that still needs to be triaged?

“For organizational leaders, such as the board, CEO, CIO or CISO, to have confidence in those triage results requires they report not only the machines that have been triaged but also how many are pending triage,” Guy remarked. “Reporting the ‘pending triage’ statistic requires a complete asset inventory, including which machines have been successfully triaged.”

He called this “one of the larger hidden challenges” in every organization’s response, given that so few have a comprehensive asset inventory, “despite the fact it has been a top requirement in every security compliance program for decades.”

Image courtesy of Quince Media. Licensing details.

Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.

Suggested articles