Companies Facing FTC Legal Action Over Log4j Breaches

The U.S. Federal Trade Commission (FTC) intends to use its "full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of the Log4j vulnerability," the commission warned on Tuesday.

The Apache Software Foundation's (ASF) Log4j is a widely used open-source Java logging library. A critical remote code execution (RCE) vulnerability (CVE-2021-44228) in that library, known as Log4Shell, was disclosed by cybersecurity experts in mid-December. Widely used in Apache Web servers, it can be attacked remotely simply by sending a crafted text string to a server.

A general public alarm about widespread ongoing Log4Shell attacks was raised in mid-December.

Security researchers at CrowdStrike have been seeing Log4Shell exploits being used to deliver malware payloads such as crypto-miners and backdoors, with suspected nation-state actors also entering the fray.

The FTC's announcement, though, solely focused on the disclosure of consumer information as a problem it'll oversee.

The FTC may prosecute such data breaches if the Log4j vulnerability was used. Here's how the FTC couched its warning to companies:

When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act, and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.

In that context, the FTC mentioned the Equifax exposure of consumer credit information, where the credit bureau company agreed to pay "$700 million" after the exposure of 147 million records. That settlement was deemed to be the largest of its kind at the time, per a 2019 Reuters story, but still deemed inadequate by its critics. Consumers had to document their costs due to the breach and file claims to get compensated.

It's not clear if the $700 million was actually paid by Equifax, or if it was just a floating estimate, depending on filed claims. In some cases, Equifax just offered free credit reports to the victims, but most people didn't volunteer their credit information to Equifax in the first place. The FTC, which could regulate such companies, noted in its Equifax settlement description that "you cannot opt out of this data collection" by companies like Equifax. Given such conditions, similar data breaches are likely to happen again.

The FTC directed companies to follow the Log4j guidance published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It recommends conducting discovery of Log4j Java library use, detecting indicators of compromise, monitoring for odd Internet traffic patterns, and updating the Log4j software.

Advice from CISA on conducting scans for the Log4j vulnerability can be found at this GitHub page.

Attackers that successfully leverage the Log4j vulnerability can "steal information, launch ransomware, or conduct other malicious activity," CISA noted.

In a Dec. 28 update to its guidance, CISA noted that organizations should upgrade to the latest Log4j release, which varies based on which version of Java is used.

Here's that description:

(Updated December 28, 2021) Organizations are urged to upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6), and review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance.

The Apache Software Foundation's earlier release of Log4j version 2.15.0 was an intended fix for the vulnerability, but it was deemed inadequate, as noted at the foundation's Log4j security page:

While Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default, there are ways to bypass this, and users should not rely on this.
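As an added example (not code from the article, CISA, the FTC or the Log4j project), here is the discovery-and-version step in Python: it walks a directory for JAR files, reads the log4j-core version from the JAR's Maven metadata, recurses into JARs nested inside fat application archives, and compares each version against the branch-specific fixed releases named in the CISA update above (2.17.1, 2.12.4, 2.3.2), so that the inadequate 2.15.0 is flagged. The tree it scans is constructed in memory with fake metadata, and the pom.properties path is the Maven convention assumed here.

```python
import io, re, tempfile, zipfile
from pathlib import Path
# Patched releases per branch, from the CISA guidance quoted in the article:
# 2.17.1 (Java 8), 2.12.4 (Java 7), 2.3.2 (Java 6). Keyed by minor version.
PATCHED = {17: (2, 17, 1), 12: (2, 12, 4), 3: (2, 3, 2)}
# Assumed Maven metadata path inside a log4j-core JAR (standard Maven convention).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
def is_patched(ver):
    """True only if ver is at or past the fixed release of its own 2.x branch."""
    if ver[0] != 2:
        return False
    fixed = PATCHED.get(ver[1], PATCHED[17])  # 2.15.0 / 2.16.0 compare to 2.17.1
    return ver >= fixed
def log4j_core_version(zf):
    """log4j-core version from the JAR's Maven metadata as an int tuple, or None."""
    if POM in zf.namelist():
        m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", zf.read(POM).decode(), re.M)
        return tuple(map(int, m.groups())) if m else None
def scan_jar(zf, origin, findings):
    """Record log4j-core in this JAR, then recurse into JARs bundled inside it."""
    ver = log4j_core_version(zf)
    if ver:
        findings.append((origin, ".".join(map(str, ver)), is_patched(ver)))
    for name in zf.namelist():
        if name.endswith(".jar"):  # uber/Spring Boot JARs nest dependencies whole
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                scan_jar(inner, f"{origin}!{name}", findings)
def scan_tree(root):
    """Walk root for *.jar files; each finding is (origin, version, patched)."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        with zipfile.ZipFile(path) as zf:
            scan_jar(zf, path.relative_to(root).as_posix(), findings)
    return findings
def fake_jar(entries):
    """Constructed fixture helper: an in-memory JAR holding only the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
def run_demo():
    """Build a constructed tree (fake metadata, not real Log4j binaries) and scan it."""
    core = lambda v: fake_jar({POM: f"version={v}\nartifactId=log4j-core\n"})
    with tempfile.TemporaryDirectory() as root:
        Path(root, "lib").mkdir()
        Path(root, "lib/log4j-core-2.15.0.jar").write_bytes(core("2.15.0"))
        Path(root, "lib/log4j-core-2.12.4.jar").write_bytes(core("2.12.4"))
        nested = fake_jar({"BOOT-INF/lib/log4j-core-2.17.1.jar": core("2.17.1")})
        Path(root, "app.jar").write_bytes(nested)  # fat JAR with a patched nested copy
        return scan_tree(root)
```

Point `scan_tree()` at a real deployment directory to get the same (origin, version, patched) triples; a `False` in the third field marks a copy that CISA's guidance says must be upgraded.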

Log4j is "a ubiquitous piece of software," the FTC noted. Many organizations likely are affected. CISA has compiled a list of the affected software using Log4j, which can be accessed via a link at the end of this GitHub page.


About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.