FTC warns businesses that failure to address critical vulnerability could result in legal action
On Dec. 9, the Apache Software Foundation issued a Log4j security alert that a vulnerability (CVE-2021-44228), aka Log4Shell, allows unauthenticated users to remotely execute or update software code on multiple applications via web requests. On a scale of severity, the NIST has graded the Log4Shell vulnerability as 10/10 (critical).
Shortly after on January 4, the FTC issued a bulletin warning of immediate legal action if companies fail to protect consumers against the Log4j “or similar known vulnerabilities.”
The security loophole is believed to be so widespread that it is said to affect more than three billion devices that use Java. Industry leaders like Microsoft, Twitter, iCloud, Amazon, Google Cloud and others are all reportedly affected by Log4Shell.
For security teams around the world, combating Log4Shell can seem extremely overwhelming. Below are some guidelines and recommendations that can help you get started:
The internet is about to start killing people, and the government regulates things that kill people
1). Fine-tune WAF (Web Application Firewall) Rules
WAF or Web Application Firewall, helps protect web applications by monitoring and filtering internet traffic. If one doesn’t have a WAF in place, it’s probably time they did and if they already have one, it’s important that it be tuned properly so that it can block any such exploits. In all likelihood, the WAF provider is already updating new rules automatically so make sure you accept them. Blocking every potential malicious signature might be cumbersome and tedious, however; ensure you continue to iteratively monitor and fine-tune over the next few months to address all emerging exploit techniques. Ever since the announcement happened, opportunistic attackers have made more than a million attempts to exploit Log4Shell and will continue to do so in the coming months and years.
2). Execute a Detailed Audit of Every Application, System and Website
Start the new year with a comprehensive audit of every application, every system, every website that is internet-facing. This also includes carrying out an extensive review of cloud-based services. Prioritize your infrastructure – be extra cautious to applications, software code and databases that contain sensitive data like credentials, customer details, intellectual property, etc. Ensure all applications are running the most updated software patches as any loophole can be easily exploited by this vulnerability.
If possible, try and get your infrastructure reviewed and pen-tested by an external third-party as this will provide an independent and unbiased opinion on your current security posture. Remember that software patching can only prevent future attempts to exploit this vulnerability; if attackers have already leveraged it prior to patching, they are already lurking around your network waiting for the right opportunity to strike.
This is another reason why an immediate and comprehensive audit is needed.
3). Review and Assess Vendor and Third-party Risks
In response to the vulnerability, software vendors around the globe have been announcing patches and fixes that plug this security loophole. It’s important that organizations pay particular attention to these updates and apply fixes in a timely manner.
It’s important to catalog and compare vendors that have issued a patch versus those that have not. In case a vendor hasn’t issued one, it’s probably a good idea to contact them and confirm whether they have been impacted or not. In addition to software vendors, remember to contact your key suppliers, business partners and affiliates to ensure they have conducted appropriate due diligence in safeguarding their own infrastructure and supply chains from Log4Shell.
4). Validate and Protect Users
One of the first things security teams must do is to raise the awareness of the security issues surrounding Log4j. Ensure employees (especially remote users) are alert and raise a red flag when something is amiss or not performing right. Implement the Principle of Least Privilege by granting minimum or restricted access to users as this can significantly minimize risk and lower the possibility of lateral movement. In addition to this, enabling multi-factor authentication (via a second device) can go a long way in preventing attackers from leveraging compromised credentials.
5). Remain Vigilant
Experts believe the worst is yet to come and it may take months or even years for a full cleanup of the Log4Shell. The Log4j application is so ubiquitous that attackers are likely to exploit it for the foreseeable future. Not to forget, patches aren’t always fully watertight. For example, Apache researchers discovered that their first patch was “incomplete” and had to release a second patch. It’s important that businesses remain vigilant for such updates and be on guard for any changes in their threat landscape.
It’s no surprise that the aftershocks of the Log4Shell quake will continue in the new year but eventually we’ll get through it. However, it would be ill-advised if we don’t start gearing up for the next security catastrophe today.
fraudster who tricked and threatened thousands of Spanish-speaking immigrants into paying for educational products has been sentenced to 110 months in prison in the United States.
Peruvian national and call center owner Henrry Adrian Milla Campuzano was part of a conspiracy to defraud victims using false statements and the threat of deportation or legal action in a non-existent “minor crimes court.”
Milla Campuzano, a 37-year-old resident of Lima, owned and operated two call centers in Peru, the Latinos en Accion and Accion Latino. He admitted that from April 2011 until his arrest in July 2019, he and his employees contacted victims via phone and falsely claimed to be lawyers, court officials, federal agents, and minor crimes court representatives.
Victims were erroneously informed that they were required to accept and pay for English-language courses and other educational products that were never delivered.
The conspirators didn’t stop at targeting the victims, but also contacted their family members and friends and fraudulently threatened them with legal consequences if they did not make payments.
Threats used against the victims included court proceedings, negative marks on their credit reports, imprisonment, and immigration consequences.
Milla Campuzano is the sixth individual to plead guilty to involvement in this conspiracy and to receive a lengthy prison term. He and four co-defendants were extradited to the Southern District of Florida in October 2020.
Jerson Renteria was sentenced to 100 months in prison, and Fernan Huerta, Omar Cuzcano, and Evelyng Milla were each sentenced to serve 90 months in prison.
California resident Angel Armando Adrianzen, who teamed up with the call centers in Peru to run the telemarketing scam, was sentenced in May to serve 121 months in prison followed by fifteen years’ supervised release.
Two additional defendants in the case – Carlos Espinoza Huerta and Josmell Espinoza Huerta – were extradited from Peru to the United States on June 25 and are due to be tried in Florida in February.
Acting US Attorney Juan Antonio Gonzalez for the Southern District of Florida said: “We will continue to bring American justice to transnational criminals who use fear tactics and intimidation to steal money from immigrants, seniors and others who live in this country.”