Log4j Security Breach Incidents
Microsoft is warning consumers and security firms of continuing attempts by cyber adversaries and commodity attackers to take advantage of security vulnerabilities uncovered in the Log4j open-source logging framework. These vulnerabilities may allow attackers to deploy malware on vulnerable IT systems.
Microsoft released the following statement: “The Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe. This open-source component is widely used across many suppliers’ software and services. By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment. Customers are encouraged to utilize scripts and scanning tools to assess their risk and impact. Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities.”
The US Federal Trade Commission (FTC) has also warned that it will go after any US company that fails to protect its customers’ data against ongoing Log4j attacks.
The FTC said, “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” citing the Federal Trade Commission Act and the Gramm-Leach-Bliley Act.
Log4j Security Breach Warnings
The FTC recommends the following actions:
- Update your Log4j software package to the most current version
- Consult CISA guidance to mitigate any vulnerability
- Ensure that your company’s practices do not violate the law (the failure to identify and patch instances of this software may violate the FTC Act)
- Distribute the above information to third-party subsidiaries
If you have suffered a data breach or cyberattack due to negligent security, contact the Lyon Firm for a free case review. Our data privacy attorneys can assist you in protecting yourself and taking legal action.