FTC warns businesses to step up mitigation efforts to protect consumers
Microsoft this week offered Windows and Azure users updated guidance on mitigation strategies to contend with the Log4J vulnerability, first reported in December.
The exploit, known colloquially as Log4Shell and also as LogJam, was first noticed in the hugely popular game Minecraft. The zero-day exploit gives attackers full control over affected systems.
While Log4J patching began immediately, resolving the problem is a dog’s breakfast, because Log4J is a logging component embedded inside countless other applications. The vulnerability potentially affects any system using Log4J, whether in the cloud or on the desktop.
“This open-source component is widely used across many suppliers’ software and services,” said Microsoft. “By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.”
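The point Microsoft makes here, that a vulnerable Log4J can sit several layers deep inside software a customer never chose, is why a package-manager query is not enough. The added example below (not from Microsoft or the article) walks an archive recursively, finds every embedded log4j-core by its Maven metadata, and triages it; the sample WAR is constructed in memory, and the fixed-version baseline 2.17.1 is an assumption to adjust against current vendor guidance.

```python
import io
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # real jar layout
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # real jar layout
FIXED_VERSION = (2, 17, 1)  # assumed baseline; adjust to current vendor guidance

def _parse_version(pom_properties: str):
    """Read 'version=2.14.1' from pom.properties into a comparable tuple of ints."""
    m = re.search(r"^version=(\d+(?:\.\d+)*)", pom_properties, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version, has_jndi_lookup: bool) -> str:
    """Triage: patched, mitigated (JndiLookup class removed from the jar), or vulnerable."""
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "patched"
    return "vulnerable" if has_jndi_lookup else "mitigated"

def scan_archive(data: bytes, path: str):
    """Recursively walk an in-memory archive, yielding (path, version, status) per log4j-core."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip-based archive, nothing to inspect
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = _parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        yield (path, version, classify(version, JNDI_CLASS in names))
    for name in sorted(names):  # descend into nested jars (fat jars, WEB-INF/lib, ...)
        if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
            yield from scan_archive(zf.read(name), f"{path}!/{name}")

def _make_jar(version: str) -> bytes:
    """Constructed stand-in for a log4j-core jar: metadata only, no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        zf.writestr(JNDI_CLASS, b"placeholder")
    return buf.getvalue()

def build_sample_war() -> bytes:
    """Constructed app.war: an outdated log4j-core buried in WEB-INF/lib next to a current one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _make_jar("2.14.1"))
        zf.writestr("WEB-INF/lib/helper.jar", _make_jar("2.17.1"))
    return buf.getvalue()
```

Running `list(scan_archive(open(path, "rb").read(), path))` over each deployed JAR, WAR or EAR gives the inventory that a vendor-supplied "we don't use Log4J" statement cannot.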
A newer version of Log4J resolves the issue, but countless systems that have not yet been updated remain vulnerable to exploitation. Microsoft said it has seen bad actors waste no time in leveraging this recently discovered security flaw. What’s more, national security is at risk.
“Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,” said the company.
Microsoft said exploitation attempts and testing remained high through the end of December. The company expects Log4J exploits to be a regular part of the bad hacker’s toolkit from here on out.
“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations may not realize their environments may already be compromised. Microsoft recommends that customers do additional review of devices where vulnerable installations are discovered,” said the company.
FTC to US businesses: Fix this flaw, or else
The U.S. Federal Trade Commission (FTC) on Tuesday issued a warning to American businesses to get their acts together on Log4J, or face expensive consequences.
“It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,” said the FTC.
The FTC then raised the specter of its 2019 settlement with credit reporting bureau Equifax as a warning against inaction. The company paid $700 million to settle suits filed by the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. A 2017 Equifax data breach exposed the personal data of 147 million people.
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” said the agency.