FTC warns legal action against companies who fail to mitigate Log4Shell
The US Federal Trade Commission said on Tuesday that it intends to start legal actions and sue companies who leak consumer data by not patching applications vulnerable to the Log4Shell vulnerability.
"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the agency said in a press release yesterday.
The agency said that laws like the Federal Trade Commission Act and the Gramm Leach Bliley Act allow it to take actions against companies that ignore their duties to their own consumers.
This wouldn't be the first time the FTC would be taking legal action against companies that fail to patch security flaws. The most known of these cases would be the FTC's lawsuit against Equifax, the US credit monitoring service that leaked the data of more than 147 million Americans after failing to patch an Apache Struts server back in 2017.
Equifax settled the FTC lawsuit and agreed to pay $700 million to affected consumers.
With the Log4j library being widely used across the software ecosystem, the FTC anticipates that companies will take a lackadaisical approach to patching apps affected by the Log4Shell flaw, and lead to a wave of security breaches that expose US consumer data, which is a reasonable assumption to make.
Microsoft: Log4Shell attacks remain high
The FTC's warning of possible legal actions comes a day after Microsoft updated a blog post on the Log4Shell vulnerability to add that almost a month after its disclosure, attacks leveraging this bug have remained at high levels.
"Exploitation attempts and testing have remained high during the last weeks of December," Microsoft said on Monday.
"We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations may not realize their environments may already be compromised," it added.
"At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance," Microsoft also said.
The OS maker said it observed Log4Shell attacks originating from the infrastructure of sophisticated adversaries like nation-state threat groups and commodity attackers alike.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.