The Log4j threat: What banks need to know
On December 10, 2021, a critical vulnerability in the popular Apache logging library Log4j was announced. The latest vulnerability is the most serious in decades, according to U.S. Homeland Security’s top cybersecurity official.
From Google and Amazon to the systems used by banks, militaries and hospitals, Log4j is used by thousands of applications, services and devices. The vulnerability presents a massive opportunity for remote adversaries to easily seize control of an affected system, steal information, and/or plant malicious software.
Here at Micah, we do not directly use Java technologies, so we are not impacted by this vulnerability. Learn more about how we’re responding.
What can banks do?
“The Log4j vulnerability is the most serious vulnerability I have seen in my decades-long career. Everyone should assume they’re exposed and vulnerable.”
The best action banks can take is to ensure every enterprise app is updated to the most recent version across all devices. As developers release patches to fix issues, downloading these quickly is critical.
It is possible that bad actors have already gotten access to your environment, and you may not know it. Periodic audits will no longer suffice – IT teams must continuously monitor the state of security.
Phishing emails and text messages are common ways that hackers exploit the vulnerability. Remind employees to be watchful for messages attempting to trick you into clicking a link, opening an attachment, or providing sensitive information.
If your bank uses old technology that no longer gets updated, consider replacing it altogether or making sure it is no longer connected to the Internet.
CISA has published an ongoing mitigation guide and maintains a list of affected software and patches as fixes become available.
Unfortunately, the Log4j threat is expected to linger well into 2022. There is no single solution that will fix the issue. Simply identifying affected systems is a challenge, as Log4j is often buried in layers of other software systems.
Micah will be posting critical updates as they become available at micah-group.com/log4j.
Additional Resources
Apache Log4j Vulnerability Guidance (CISA Resource Page)
CISA Insights: Preparing For and Mitigating Potential Cyber Threats (Dec. 15, 2021)
FBI Statement on Log4j Vulnerability (Dec. 15, 2021)
White House Letter: Protecting Against Malicious Cyber Activity before the Holidays (Dec. 16, 2021)
Apache Log4j 2.15.0 Announcement (Dec. 2021)