What the Log4Shell vulnerability means for companies

This month saw the identification of a significant computer software exposure in an Apache/Java open-source logging tool, Log4j2. Marsh provides insight on how organisations can respond.

This month saw the identification of a significant computer software exposure in an Apache/Java open-source logging tool, Log4j2. The remote code execution (RCE) vulnerability — allowing attackers to remotely control computers — affects cloud servers and enterprise software across all industries. Without a fix, it gives outside parties the potential to access internal networks, creating the risk of loss or theft of data and implantation of ransomware or other malicious programmes.

What happened?

A flaw in a commonly used Java logging library — Apache Log4j2 — was identified. The vulnerability is easy to exploit: it permits unauthenticated RCE, after which a threat actor could gain full control of affected servers. Systems and services utilising certain versions of the tool may be impacted by the vulnerability. The flaw has been described as a “zero-day” — meaning hackers became aware of it, and had the opportunity to exploit it, before the software developers Apache had published a viable patch or update.

What is the impact?

The vulnerability impacts certain versions of Log4j2. It can affect any computing device, and is estimated to have potentially impacted over 3 billion systems globally. Cybersecurity analysts are reporting that threat actors are already actively scanning for the vulnerability as well as looking for ways to exploit it.

How can organisations respond?

Clients should follow UK National Cyber Security Centre (NCSC) advice. The NCSC has issued useful guidance on managing the vulnerability that links to the patch and other tools. More technical detail on mitigation, scanning tools, and known vulnerabilities can be found at the GitHub repository curated by the Netherlands’ National Cyber Security Centre.

Below are key steps organisations can consider implementing as soon as possible.

Actions for IT security teams and chief information security officers

  1. Use open-source scanning tools to check systems against a current list of vulnerable software (see the above links).
  2. Use tools (listed in the materials above) to determine if a system has been compromised.
  3. Patch all implementations of Log4j to the latest version.
  4. Ensure network security technology is actively blocking all known indicators for the vulnerability and that endpoint detection and response (EDR) technology is running on all servers.
  5. Monitor log files. Suspicious logs could represent scanning activity, which may be an early indicator that a system has been compromised.
  6. Ensure any third-party application that could be affected is kept updated to the latest version. Press for written confirmation, as soon as possible, from all service providers with access to networks or data that this vulnerability has been patched. The Apache software in question is often embedded in third-party programmes that can only be updated by their owners. This means a company could be at risk if its service providers do not patch.
  7. Vendors of any potentially affected software are advised to communicate with customers to enable them to apply mitigations or install updates where they are available.
  8. If there are implementations of Log4j2 that cannot be patched, it is necessary to refer to the mitigation recommendations already noted.
  9. If any remediation action is necessary, such as patching and rebooting, it is important to ensure that digital evidence for potentially affected systems is preserved.
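As an added example in support of steps 1 and 3 (not Marsh's or Apache's code), the following Python script inventories Log4j 2 core jars under a directory tree, including copies embedded in WAR and fat-jar archives, and flags any below a chosen fixed version. It assumes release jars carry the version in their file name; FIXED_FLOOR is a placeholder to be replaced with the fixed version given in the NCSC guidance linked above, and the sample tree it scans is constructed inline.

```python
"""Inventory Log4j 2 core jars under a tree (steps 1 and 3). Assumes release jars are
named log4j-core-<version>.jar, possibly embedded in WARs; FIXED_FLOOR is a placeholder."""
import os
import re
import tempfile
import zipfile
from typing import List, Tuple

FIXED_FLOOR = "2.99.0"  # placeholder: take the real value from the NCSC guidance
CORE_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def nested_core_jars(path: str) -> List[str]:
    """Names of log4j-core jars embedded inside an archive (e.g. WEB-INF/lib)."""
    try:
        with zipfile.ZipFile(path) as z:
            return [n for n in z.namelist() if CORE_RE.search(n)]
    except zipfile.BadZipFile:
        return []  # not a zip container, or corrupt: nothing to inspect

def scan(root: str, min_fixed: str) -> List[Tuple[str, str, bool]]:
    """Return (location, version, needs_patch) for every log4j-core jar found."""
    floor = parse_version(min_fixed)
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if m := CORE_RE.search(f):  # a bare log4j-core jar on disk
                hits.append((full, m.group(1), parse_version(m.group(1)) < floor))
            if f.endswith((".jar", ".war", ".ear", ".zip")):  # embedded copies
                for inner in nested_core_jars(full):
                    ver = CORE_RE.search(inner).group(1)
                    hits.append((full + "!" + inner, ver, parse_version(ver) < floor))
    return hits

def build_sample_tree(root: str) -> None:
    """Constructed sample data: an old bare jar and a WAR embedding a newer one."""
    os.makedirs(os.path.join(root, "lib"))
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.99.0.jar", b"")
        z.writestr("WEB-INF/lib/log4j-api-2.99.0.jar", b"")  # api jar: not reported

def demo() -> List[Tuple[str, str, bool]]:
    """Scan the constructed tree; locations are reported relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = scan(root, FIXED_FLOOR)
    return sorted((os.path.relpath(loc, root), ver, bad) for loc, ver, bad in hits)
```

Archives nested more than one level deep (a jar inside a jar inside a WAR) are not opened recursively; extend nested_core_jars if your deployments package that way.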

Ransomware attack preparations

It is widely anticipated that it is only a matter of time before threat actors will leverage the Log4j2 vulnerability to gain access to vulnerable organisations’ data and carry out malicious acts, such as ransomware attacks.

Accordingly, it is recommended that organisations running a possibly compromised version of Log4j2 should prepare as if a ransomware attack is imminent. It is advisable for them to back-up data in as close to real-time as possible, and to make sure that the backup is segmented from any live data. Endpoint solutions for detecting ransomware can be helpful in detecting and defeating threats. Lastly, it is worthwhile to be fully prepared to implement your organisation’s incident response plan.

Insurance considerations

It is advisable for organisations to assess:

  1. whether the Log4j2 vulnerability has resulted in any kind of unauthorised access to their computer systems (that is, a security breach); and
  2. what the next steps are, and whether they have cyber insurance.

If an organisation has cyber insurance and:

  • Suspects or has identified a security breach, it should notify its insurer promptly, in accordance with the terms and conditions of its policy.
  • Has not identified a security breach and has no reason to suspect one has occurred, there may not be any obligation to notify the insurer; however, it should check the terms and conditions of its policy.

If an organisation does not have cyber insurance:

  • But suspects or has identified a security breach, it is advisable to follow best practice as recommended by the NCSC. Marsh can provide guidance and recommendations regarding resources to assist a full investigation and response.

Finally, it is suggested that organisations record all actions taken to assess and manage the vulnerability. If vulnerability-related claims increase, an organisation may be asked by insurers to articulate, and possibly show evidence of, due diligence or remediation work during its next cyber insurance renewal. If a company is renewing its policy within the next 120 days, it may even be asked to confirm its remediation, regardless of any previous underwriter communications.

What does this mean moving forward?

Zero-day exploits demonstrate how quickly a sophisticated espionage operation can turn into a widespread crime spree. Making matters worse, cyber threat actors are shortening the time between compromising a network and launching an attack, which leaves defenders even less margin for error.

Organisations are advised to apply a “defence-in-depth” approach that includes cybersecurity solutions coupled with threat intelligence, diligent patching of critical vulnerabilities, and regular data backup.

Overall, today’s landscape highlights the need for agile cyber risk management. Since cyber risk cannot be completely eliminated, having a well-constructed cyber insurance programme to address residual financial risk is widely regarded as essential.

For more information on Log4j2 and cyber risk in general, please contact your Marsh advisor or a member of the Marsh Cyber team listed below.

Meet the Marsh UK Cyber Team

Helen Nuttall, Head of Cyber Incident Management

Patrick Cannon, Head of Cyber Claims Advocacy

Neal Pal, Senior Product Development Specialist