FTC warns companies to secure consumer data from Log4J attacks

The US Federal Trade Commission (FTC) has warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks.

"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the US government agency said.

"The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act.

"It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."

The FTC advises companies to follow CISA's guidance on mitigating the Log4j flaws and:

  • Update your Log4j software package to the most current version found here: https://logging.apache.org/log4j/2.x/security.html
  • Consult CISA guidance to mitigate this vulnerability.
  • Ensure remedial steps are taken to ensure that your company's practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
  • Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.
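The "identify and patch instances of this software" step is the part most teams have to automate; as an added example written for this page (not code from the FTC, CISA or the Log4j project), the Python helper below walks a directory tree, reads the version out of each log4j-core jar's manifest, and reports which of the three advisory CVEs that version is still exposed to. It assumes the 2.13+ release line; the 2.12.x and 2.3.x backport releases are not modelled, and the sample jars it builds are constructed test data.

```python
import os
import re
import tempfile
import zipfile

# First Log4j 2.x release fixing each CVE named in the joint advisory.
# Assumes the 2.13+ line; the 2.12.x and 2.3.x backport releases are not modelled.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}

def parse_version(text):
    """Turn '2.14.1' (or 'log4j-core-2.14.1.jar') into (2, 14, 1); None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def unfixed_cves(version):
    """CVEs that the given log4j-core version has not been patched for."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]

def jar_version(path):
    """Read Implementation-Version from the jar manifest, else parse the filename."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") \
            if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return parse_version(m.group(1)) if m else parse_version(os.path.basename(path))

def scan(root):
    """Walk root; map every log4j-core jar path to the CVEs it is still exposed to."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                findings[path] = unfixed_cves(version) if version else ["version unknown"]
    return findings

def build_sample_root():
    """Constructed sample data: a temp dir holding one vulnerable and one patched jar."""
    root = tempfile.mkdtemp()
    for ver in ("2.14.1", "2.17.1"):
        with zipfile.ZipFile(os.path.join(root, f"log4j-core-{ver}.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
    return root
```

Running `scan("/opt")` (or any application root) yields a dict of jar paths to outstanding CVEs; an empty list means the jar is at or past 2.17.0. It only sees jars on disk, so log4j-core bundled inside fat jars or WAR files still needs a separate pass.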

Under active exploitation since early December

The warning follows an emergency directive issued by CISA that ordered US Federal Civilian Executive Branch agencies to patch the actively exploited Log4Shell bug by December 23.

Federal agencies were also given five more days until December 28 to report Log4Shell-impacted products in their environments, including app and vendor names, the apps' versions, as well as the actions taken to block attack attempts.

CISA provides a dedicated page for the Log4Shell flaws with patching information and has released a Log4j scanner to find vulnerable Java-based apps.

Together with Five Eyes cybersecurity agencies and other US federal agencies, CISA also issued a joint advisory with mitigation advice for addressing the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j security flaws.

"Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities," Microsoft security researchers warned on Monday.

"Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks."
