What the Log4Shell vulnerability means for companies

This month saw the identification of a significant computer software exposure in an Apache/Java open-source logging tool, Log4j2. Marsh provides insight on how organisations can respond.

Last week saw the identification of a significant vulnerability in an Apache/Java open-source logging tool, Log4j2. This is used with cloud servers and enterprise software across all industries. Without a fix, it grants outside parties access to internal networks, risking loss of data, implantation of ransomware or other malicious programs, and theft.

What happened?

A flaw in a commonly used Java logging library, Apache Log4j, was identified. The vulnerability is easily exploitable and permits unauthenticated remote code execution, which can lead to threat actors gaining full control of affected servers. Systems and services using certain versions of the tool may be impacted by the vulnerability.

What is the impact?

As noted above, the vulnerabilities, also known as CVE-2021-44228 and CVE-2021-45046, may impact certain versions of Log4j2. Without a fix, they grant outside parties access to internal networks, risking loss of data, implantation of ransomware or other malicious programs, and theft. The flaw can affect any computing device and is estimated to have impacted over 3 billion systems globally. Threat actors are actively scanning for the vulnerability and looking for ways to exploit it.

Various National Cyber Security Centres in Europe have issued useful guidance on managing the vulnerability for organisations, as well as providing technical detail on mitigation, scanning tools and known vulnerabilities - for example:

How can companies respond?

It is recommended to follow and continuously monitor the aforementioned sources for response and mitigation guidance, but below are some key steps to consider implementing as soon as possible:

  1. Use open-source scanning tools to check a current list of vulnerable software. See above links for more detail.
  2. There are a number of tools that can be used to determine if a system has potentially been compromised. See above links for more detail.
  3. Update all implementations of log4j to the latest version as soon as possible.
  4. Ensure network security technology is actively blocking all known indicators of compromise in relation to the vulnerability and that endpoint detection and response (EDR) technology is running on all servers.
  5. Monitor log files. Suspicious log entries could represent scanning activity, which may be an early indicator of compromise of the system.
  6. The Apache software in question is often embedded in third-party programs, which can only be updated by their owners. This means that you could be at risk if your service providers do not patch. You should therefore ensure that any third-party applications that might be affected are kept updated to the latest version, and press for written confirmation as soon as possible from all service providers with access to your networks or data that this vulnerability has been patched.
  7. If you are a vendor of any potentially affected software, you should communicate with customers to enable them to apply mitigations or install updates where they are available.

For the CISO / IT Security Team:

Device discovery and patching

Identify all external facing devices that run impacted versions of Log4j and upgrade them to the latest version as soon as possible.

If you have implementations of Log4j2 that cannot be patched, refer to the mitigation recommendations noted by Apache on their website here.
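One way to carry out the inventory called for in steps 1, 3 and 6 above and in the device discovery here, as an added example that is not Marsh's or Apache's code: a Python scan that walks a directory tree, recognises log4j-core archives (including copies bundled inside a vendor WAR) by the JndiLookup class they contain, reads the version from the manifest and flags every copy below a minimum fixed version. It assumes the Implementation-Version manifest header; the minimum fixed version is a parameter to be taken from Apache's advisory, and the sample archives and their version strings are constructed for the demonstration.

```python
import io, re, tempfile, zipfile
from pathlib import Path

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# log4j-core ships the JndiLookup plugin; its presence identifies the library even in renamed jars.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)

def parse_version(text):
    # '2.14.1' -> (2, 14, 1); non-numeric parts (e.g. 'beta9') are treated as -1
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", text))

def inspect_archive(data, label, findings):
    """Look for log4j-core inside archive bytes, recursing into nested jar/war/ear/zip entries."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # a file with an archive extension that is not a valid zip cannot be inspected
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if MARKER in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
            m = VERSION_RE.search(manifest)
            findings.append((label, m.group(1) if m else "unknown"))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)

def scan_tree(root, min_fixed):
    """Return (location, version, needs_update) for every log4j-core found below root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            inspect_archive(path.read_bytes(), str(path), findings)
    # an unreadable version is treated as needing attention, not as safe
    return [(loc, ver, ver == "unknown" or parse_version(ver) < parse_version(min_fixed)) for loc, ver in findings]

def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def fake_core_jar(version):
    """Constructed stand-in for log4j-core: a manifest plus an empty marker entry, no real bytecode."""
    return make_zip({"META-INF/MANIFEST.MF": f"Manifest-Version: 1.0\nImplementation-Version: {version}\n", MARKER: b""})

def demo(min_fixed="2.17.1"):
    """Constructed sample tree: one stale copy on disk, one patched copy bundled inside a vendor WAR."""
    root = Path(tempfile.mkdtemp())
    (root / "log4j-core.jar").write_bytes(fake_core_jar("2.14.1"))
    (root / "vendor-app.war").write_bytes(make_zip({"WEB-INF/lib/vendor-logging.jar": fake_core_jar(min_fixed)}))
    return [(loc[len(str(root)):], ver, flag) for loc, ver, flag in scan_tree(root, min_fixed)]
```

Run `scan_tree("/path/to/server", "<minimum fixed version from Apache>")` against a real host; the nested label (`app.war!WEB-INF/lib/x.jar`) tells you which vendor package to chase for a patch.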

Investigate whether your systems have been compromised. If any remediation action is necessary, it is important to ensure that digital evidence for affected systems is preserved.

Insurer applications often require the policyholder at the application stage to confirm how quickly they patch critical software vulnerabilities once they are published. If there is a commitment to a particular time for implementation of patches, you may risk declinature of future claims following an incident that exploits this vulnerability if it is not patched quickly enough.

Prepare for severe attacks

Currently, the vulnerability is mainly observed being used by threat actors to get an initial foothold into the affected organisations' IT systems. Such access may at a later stage be used by the criminals to continue the attack. Accordingly, it is recommended that organisations running a potentially compromised version of Log4j should also be preparing for the worst case, e.g. as if a ransomware attack is imminent. Companies should back up data in as close to real time as possible, and make sure that the backup is segmented from live data. Endpoint solutions for detecting malicious events and code can be helpful in detecting and defeating threats. Lastly, be prepared to implement your organisation's incident response plan.

For the Risk Manager:

Consider whether you have been impacted and whether you have cyber insurance to determine your next steps.

  • If your organization has been impacted and you have cyber insurance, you should notice your carrier promptly. Marsh can assist you with this.
  • Cyber insurance typically covers costs for investigating and responding to cyber incidents. Upon notification an initial triage will be conducted by the appointed incident response manager (IRM). The IRM will then determine whether panel response vendors – such as IT forensics services – should be engaged.
    Note: if your organisation has not been impacted, there is no need to notify your cyber insurer.
  • If your company has been impacted but you do not have a cyber insurance policy, the Marsh Cyber Incident Management team can provide guidance and recommendations regarding resources to assist your full investigation and response.
  • If you are unsure whether your organization has been impacted or breached and you want to make a clear determination, we suggest you follow the best practices detailed above and notice your insurer of a circumstance which could give rise to a claim under the policy. Marsh can assist you with this.
  • Finally, if you have an upcoming cyber insurance renewal, be prepared to answer questions pertaining to this vulnerability. Further details will be provided by your Marsh broker in due course.

What does this mean moving forward?

Zero-day exploits demonstrate the quick glide path for turning a sophisticated espionage operation into a widespread crime spree. Making matters worse, cyber threat actors are accelerating the time from when they compromise a network to when they launch an attack, which leaves even less margin for error. Overall, today's landscape highlights the need for agile cyber risk management. Marsh cyber risk advisors can help make your organization more resilient and better prepared for cyber threats.

Additionally, organizations should apply a defense-in-depth approach that includes cybersecurity solutions coupled with threat intelligence, diligent patching of critical vulnerabilities, and regular data backup. Finally, since cyber risk cannot be completely eliminated, having a well-constructed cyber insurance program to address residual financial risk is essential.

Marsh Can Help:

Marsh’s Cyber team is available to you at any time to provide best-in-class answers, service, and solutions for cyber incident response and management, cyber coverage review or placement, and cyber risk management planning and optimization. For more information, contact your Marsh representative or a member of the Marsh cyber team listed below.

Florian.Saettler@marsh.com
Head of Cyber Incident Management – Continental Europe

Jean.BayonDeLaTour@marsh.com
Head of Cyber - Continental Europe

Gregory.vandenTop@marsh.com
Cyber Risk Consulting Leader - Continental Europe - North

Nelia.Argaz@marsh.com
Cyber Risk Consulting Leader - Continental Europe - South

Pablo.Constenla@marsh.com
Head of Cyber Claims & Products – Continental Europe