Head of Cyber Incident Management
This month saw the identification of a significant computer software exposure in an Apache/Java open-source logging tool, Log4j2. The remote code execution (RCE) vulnerability — allowing attackers to remotely control computers — affects cloud servers and enterprise software across all industries. Without a fix, it gives outside parties the potential to access internal networks, creating the risk of loss or theft of data and implantation of ransomware or other malicious programmes.
A flaw in a commonly used Java logging library — Apache Log4j2 — was identified. This vulnerability is easily exploitable by permitting an unauthenticated RCE by a threat actor who could then gain full control of affected servers. Systems and services utilising certain versions of the tool may be impacted by the vulnerability. The flaw has been described as a “zero-day” — meaning hackers became aware of and had the opportunity to exploit it before the software developers Apache had published a viable patch or update.
The vulnerability impacts certain versions of Log4j2. It can affect any computing device, and is estimated to have potentially impacted over 3 billion systems globally. Cybersecurity analysts are reporting that threat actors are already actively scanning for the vulnerability as well as looking for ways to exploit it.
Clients should follow UK National Cyber Security Centre (NCSC) advice. The NCSC has issued useful guidance on managing the vulnerability that links to the patch and other tools. More technical detail on mitigation, scanning tools, and known vulnerabilities can be found at the GitHub repository curated by the Netherlands’ National Cyber Security Centre.
Below are key steps organisations can consider implementing as soon as possible.
It is widely anticipated that it is only a matter of time before threat actors will leverage the Log4j2 vulnerability to gain access to vulnerable organisations’ data and carry out malicious acts, such as ransomware attacks.
Accordingly, it is recommended that organisations running a possibly compromised version of Log4j2 should prepare as if a ransomware attack is imminent. It is advisable for them to back-up data in as close to real-time as possible, and to make sure that the backup is segmented from any live data. Endpoint solutions for detecting ransomware can be helpful in detecting and defeating threats. Lastly, it is worthwhile to be fully prepared to implement your organisation’s incident response plan.
It is advisable for organisations to assess whether:
If an organisation has cyber insurance and:
If an organisation does not have cyber insurance:
Finally, it is suggested that organisations record all actions taken to assess and manage the vulnerability. If vulnerability-related claims increase, an organisation may be asked by insurers to articulate, and possibly show evidence of, due diligence or remediation work during its next cyber insurance renewal. If a company is renewing its policy within the next 120 days, it may even be asked to confirm its remediation, regardless of any previous underwriter communications.
Zero-day exploits demonstrate the quick glide path for turning a sophisticated espionage operation into a widespread crime spree. Making matters worse, cyber threat actors are accelerating the time from when they compromise a network to when they launch an attack that leaves even less room for the margin of error.
Organisations are advised to apply a “defence-in-depth” approach that includes cybersecurity solutions coupled with threat intelligence, diligent patching of critical vulnerabilities, and regular data backup.
Overall, today’s landscape highlights the need for agile cyber risk management. Since cyber risk cannot be completely eliminated, having a well-constructed cyber insurance programme to address residual financial risk is widely regarded as essential.
For more information on Log4j2 and cyber risk in general, please contact your Marsh advisor or a member of the Marsh Cyber team listed below.
Head of Cyber Incident Management
Head of Cyber Claims Advocacy
Senior Product Development Specialist