The Federal Trade Commission (FTC) has issued a warning saying it will pursue legal action against any US company found to have put consumer data at risk by not properly mitigating Log4Shell.
The FTC said in its alert that Log4Shell poses a severe risk to millions of consumer products and enterprise applications, adding that there is a significant risk of data loss in a data breach made possible through the vulnerability, tracked as CVE-2021-44228.
"The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act," said the FTC. "It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."
Equifax's infamous data breach was referenced by the FTC in its warning to all US businesses, saying it failed to patch a known vulnerability, lost data belonging to 147 million people, and paid $700 million (£517 million) to settle the actions by the FTC and Consumer Finance Protection Bureau.
"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," it said.
The FTC encouraged businesses to follow guidance issued by the US Cybersecurity and Infrastructure Security Agency:
- Update your Log4j software package to the most current version found here
- Consult CISA guidance to mitigate this vulnerability.
- Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
- Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.
Log4Shell is the exploitable vulnerability in the widely used log4j library, discovered in December, and is still under active exploitation from cyber attackers. The volume of ongoing attack attempts has prompted great concern from the cyber security community about how impactful a successful attack could be.
Microsoft updated its blog on Log4Shell earlier this week echoing the concerns of the wider industry about the scale of attacks leveraging the vulnerability in log4j. The company said the vulnerability presents a "complex and high-risk situation for companies across the globe".
RELATED RESOURCE
The security flaw is so widespread in applications and services that it's difficult to understand how vulnerable any given environment actually is. Microsoft advised customers to run scripts and scanning tools to assess their exposure.
"Exploitation attempts and testing have remained high during the last weeks of December," said Microsoft. "We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organisations may not realise their environments may already be compromised.
"Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered," it added. "At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance."
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
"Thinly spread": Questions raised over UK government’s latest cyber funding schemeThe funding will go towards bolstering cyber skills, though some industry experts have questioned the size of the price tag
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
