Cyber insurance carriers and media platforms are reporting on a dangerous zero-day vulnerability (i.e., a previously undetected software flaw) that was recently discovered in the popular Java logging library Apache Log4j.
The vulnerability has been actively exploited and scanned for by malicious actors since its discovery late last week. Threat actors are taking advantage of it to install ransomware and cryptocurrency-mining software, and additional post-exploitation activities could follow.
If you are using a vulnerable version of the software (versions between 2.0 and 2.14.1), you should immediately do the following:
- Identify all internet-facing devices running Log4j and upgrade them to version 2.15.0.
- Identify all third-party software you run that uses Log4j. Investigate whether patches are available from the vendor or apply the vendor’s mitigation recommendations immediately.
- If you cannot patch, then block the Java Naming and Directory Interface (JNDI) from making requests to untrusted servers.
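One way to carry out the identification steps above, as an added example that is not part of the original notice: a Python scan that opens every .jar, .war and .ear under a directory, including archives nested inside them, and reports each copy of log4j-core with its version. It assumes the 2.0 to 2.14.1 range is inclusive and that the jar still carries its Maven `pom.properties`; a finding whose version is `None` needs manual review.

```python
import io
import os
import re
import zipfile

# Range stated in the notice above (treated as inclusive: an assumption).
LOW, HIGH = (2, 0, 0), (2, 14, 1)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable 3-tuple, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_affected(version):
    """True only when the version is known and inside the stated range."""
    return version is not None and LOW <= version <= HIGH

def inspect_archive(data, label, findings):
    """Record log4j-core copies in one archive, descending into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real archive; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:
            version = None  # stays None when the jar was repackaged without its POM
            if POM in names:
                for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
            findings.append((label, version, is_affected(version), JNDI in names))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)

def scan(root):
    """Walk root and return (path, version, affected, has_jndi_lookup) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings
```

Call `scan()` on each application or install directory and treat every finding marked affected, or with an unknown version, as a candidate for upgrade or vendor follow-up.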
To help you respond, you may need to seek the counsel of your IT function leader.
If you have any indication that your system has been compromised, reach out to your insurance broker or cyber insurance carrier immediately to prevent losing the opportunity to submit a claim due to late reporting.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.