Last week saw the identification of a significant vulnerability in an Apache / Java open-source logging tool, Log4j2. This is used with cloud servers and enterprise software across all industries. Without a fix, it grants outside parties access to internal networks risking loss of data, implantation of ransomware or other malicious programs, and theft.
A flaw in a commonly used Java logging library – Apache Log4j – was identified. This vulnerability is easily exploitable by permitting unauthenticated remote code execution, which can lead to threat actors gaining full control of affected servers. Systems and services utilizing certain versions of the tool may be impacted by the vulnerability.
As noted above, the vulnerabilities, also known as CVE-2021-44228 and CVE 2021-45046, may impact certain versions of Log4j2. Without a fix, it grants outside parties access to internal networks risking loss of data, implantation of ransomware or other malicious programs, and theft. It can affect any computing device and is estimated to have impacted over 3 billion systems globally. Threat actors are actively scanning for the vulnerability and looking for ways to exploit it.
Various National Cyber Security Centres in Europe have issued useful guidance on managing the vulnerability for organisations, as well as providing technical detail on mitigation, scanning tools and known vulnerabilities - for example:
It is recommended to follow and continuously monitor the afore mentioned sources for response and mitigation guidance, but below are some key steps to consider implementing as soon as possible:
Identify all external facing devices that run impacted versions of Log4j and upgrade them to the latest version as soon as possible.
If you have implementations of Log4j2 that cannot be patched, refer to the mitigation recommendations noted by Apache on their website here.
Investigate whether your systems have been compromised. If any remediation action is necessary, it is important to ensure that digital evidence for affected systems are preserved.
Insurer applications often require the policyholder at the application stage to confirm how quickly they patch critical software vulnerabilities once they are published. If there is a commitment to a particular time for implementation of patches, you may risk declinature of future claims following an incident that exploits this vulnerability if not patched quickly enough.
Currently, it is mainly observed that the vulnerability is being used by threat actors to get an initial foothold into the affected organizations’ IT systems. Such access may at a later stage be used by the criminals to continue the attack. Accordingly, it is recommended that organisations running a potentially compromised version of Log4j should also be preparing for the worst case – e.g. as if a ransomware attack is imminent. Companies should back-up data in as close to real time as possible, and make sure that the backup is segmented from live data. Endpoint solutions for detecting malicious events and code can be helpful in detecting and defeating threats. Lastly, be prepared to implement your organisation’s incident response plan.
Consider whether you have been impacted and whether you have cyber insurance to determine your next steps.
Zero-day exploits demonstrate the quick glide path for turning a sophisticated espionage operation into a widespread crime spree. Making matters worse, cyber threat actors are accelerating the time from when they compromise a network to when they launch an attack, which leaves even less room for the margin of error. Overall, today’s landscape highlights the need for agile cyber risk management. Marsh cyber risk advisors can help make your organization more resilient and better prepared for cyber threats.
Additionally, organizations should apply a defense-in-depth approach that includes cybersecurity solutions coupled with threat intelligence, diligent patching of critical vulnerabilities, and regular data backup. Finally, since cyber risk cannot be completely eliminated, having a well-constructed cyber insurance program to address residual financial risk is essential.
Marsh’s Cyber team is available to you at any time to provide best-in-class answers, service, and solutions for cyber incident response and management, cyber coverage review or placement, and cyber risk management planning and optimization. For more information, contact your Marsh representative or a member of the Marsh cyber team listed below.
Head of Cyber Incident Management – Continental Europe
Head of Cyber - Continental Europe
Cyber Risk Consulting Leader - Continental Europe - North
Cyber Risk Consulting Leader - Continental Europe - South
Head of Cyber Claims & Products – Continental Europe