After facilitating countless breaches, operational disruptions, and millions of dollars in losses over the past few years, it's no secret that ransomware is the top threat to watch out for when it comes to data security. Cyber criminals aren’t expected to pull back in 2022, and a new vulnerability discovered in a widely used software program last month has governments and corporations on high alert.But what exactly is the Log4Shell vulnerability, and how should legal teams prepare for a breach? Let’s take a look at this emerging threat, the damage it has done so far, and why it’s important for legal professionals to understand from a contract management perspective.
What Is Log4shell?
Log4Shell refers to a vulnerability that impacts the Java version of Log4j, an open-source library tool distributed and maintained by the Apache Software Foundation (ASF). Log4j is a framework utilized by numerous organizations across industries to collect and record information, most commonly the activity of users as it relates to a specific computer or application. The software has multiple use cases, runs on almost all modern platforms, including Windows and Mac OS, and is critical to the ability of many commercial software developers to log errors and diagnose operational inefficiencies.
Log4Shell is considered uniquely troubling for two key reasons.
First, the ease with which cyber criminals can exploit the vulnerability is astounding; as long as a hacker knows that a system is using the Java version of Log4j, they can gain access and begin manipulating the code without even needing to enter a password.
Secondly, what cyber criminals can do once a system is breached appears to be only limited by their imagination; a hacker can use Log4Shell to steal personal information, manipulate the behavior and functionality of a specific device, install malware, and yes, seize total control of a system and/or its resources in order to execute a ransomware attack.
Who Has Been Affected?
The first exploitations of Log4Shell were discovered on the Java version of the popular online gaming platform, Minecraft, but additional reports of the vulnerability being leveraged in higher-stakes environments have surfaced since the bug was made public. According to Romanian cybersecurity company, Bitdefender, Log4Shell is being used to install unauthorized cryptocurrency mining software. Additionally, while it has not yet been named as an official cause, a recent ransomware attack on a major HR company and payroll provider, Kronos, has many wondering if Log4Shell exploitation might have played a significant role. The most alarming revelation, at least in the eyes of the U.S. government, has been scanning activity that cybersecurity firms and Microsoft have traced back to potentially state-influenced hackers in China and Iran.
As ASF volunteers and cybersecurity experts attempt to patch up issues with the Log4j program, exploitations are expected to evolve and become increasingly widespread. Cybersecurity company Akamai, as reported by the Wall Street Journal, claims to track around 10 million attempted exploitations every hour in the U.S., with the most frequent targets being retail, technology, and financial services organizations.
How Can Legal Teams Respond?
First and foremost, ensure adequate preventative measures at the organizational level, which means patching up the Log4Shell vulnerability wherever it exists within your software stack. Official recommendations have been published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft has released a resource containing mitigation guidance related to its own products and services.
Secondly, legal teams need to review all existing contracts as quickly as possible to understand their obligations in the event of a breach, which may also mean reviewing their contract management processes and adopting more efficient solutions wherever necessary. If an attack has already occurred, impacted vendors and consumers need to be notified in a timely manner. Legal teams should be leveraging automation tools to speed up this notification process.
Legal teams must be aware of the situation and do their best to prepare for a potential attack. Don’t panic; if you need to update your contract management processes, contact LinkSquares today.