FTC Warns Companies to Protect User Data from Log4j Attacks

Colin Thierry

The US Federal Trade Commission (FTC) warned in an announcement on Tuesday that it will go after any US company that fails to secure its users’ data against ongoing Log4j attacks.

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the US government agency said in the announcement.

“The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

The FTC advised companies to follow the Cybersecurity and Infrastructure Security Agency’s (CISA) guidance on fixing the Log4j flaws. The agency also recommended that companies update their Log4j software package to the most current version and take corrective action to ensure that their practices do not violate the law (namely the FTC Act).

Finally, the FTC advised companies to distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable to Log4j attacks.

The warning follows a December emergency directive issued by CISA that ordered US Federal Civilian Executive Branch agencies to patch the Log4j bug by Dec. 23.

Additionally, federal agencies were given until Dec. 28 to report Log4Shell-impacted products in their environment. This included app and vendor names, the apps’ versions, and the actions taken to block attempted attacks.

CISA also provides a page on its website dedicated to Log4Shell flaws with patching information and has since launched a Log4j scanner to identify vulnerable Java-based apps.

Together with Five Eyes cybersecurity agencies and other US federal agencies, CISA issued a joint advisory on Dec. 22 with advice for addressing and fixing prominent Log4j security flaws.

“Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,” Microsoft security researchers warned on Jan. 3.

“Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” the researchers added.

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.