If you've had an extended holiday break, or have simply not been checking your email or the news, maybe, just maybe, there's a chance you haven't heard of Apache's Log4j vulnerability that was discovered in the middle of December.
But if you're like most of us, you learned about it early on and heeded the warnings of Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), who called these vulnerabilities "the most severe that I've seen in my career."
So severe that security firm Check Point reported 40% of corporate networks worldwide were coming under attack, specifically due to this vulnerability.
And if that wasn't enough to capture your attention, the United States Federal Trade Commission (FTC) recently issued a warning to organizations that if Log4j is left unpatched, legal action will be taken.
Log4j poses severe risks to organizations
A statement from the FTC makes clear the importance of patching the Log4j vulnerability.
It says that when vulnerabilities like this are discovered and exploited by threat actors, organizations risk a loss or breach of personal information, financial loss, and other irreversible harms.
Organizations that rely on Log4j must act now or face legal consequences. But what specific legal consequences?
The FTC uses one of the most infamous breaches as an example, the Equifax incident.
Equifax failed to patch a known vulnerability that exposed the personal information of 147 million consumers. As a result, the company agreed to pay $700 million to settle actions by the Federal Trade Commission, the Consumer Financial Protection Bureau, and all 50 U.S. states.
With regard to the Log4j vulnerability, here is what the FTC said:
"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future."
Microsoft: Log4j exploits still on the rise
While the FTC has stated that it's pretty much now or never to patch Log4j, Microsoft recently said that exploits of the vulnerability continue to be a prevalent issue.
The Microsoft Threat Intelligence Center discusses these exploits:
"Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks.
Organizations may not realize their environments may already be compromised. Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered. At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments.
Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance."
Follow the SecureWorld News page for updates on the situation.