
Cyber Risk Experts Warn of Log4Shell’s Long-tail Risk

Complications stemming from the Log4j vulnerability will likely persist well into 2022, putting a new focus on cyber insurers’ ability to help their insureds quickly mitigate their risk.

The zero-day vulnerability, dubbed Log4Shell, affects a widely used Java software library called Log4j developed by the Apache Foundation. It can be exploited to allow attackers to gain control of a device or system, and it was first detected in early December 2021 on servers hosting the popular video game Minecraft.

During a CNBC interview, Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), called this the most serious vulnerability she had seen in her decades-long career. CISA joined with the FBI and other agencies in releasing guidance for organizations that may be affected.

“Sophisticated cyberthreat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems,” federal officials warned. “According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.”

Security researchers have emphasized that Log4Shell’s danger hinges on how ubiquitous the vulnerable software is. Researchers at Sophos have said that the Log4j library is embedded in almost every familiar internet service or application, including Twitter, Amazon, Microsoft and Minecraft.

“If security teams don’t quickly update their network’s security, threat actors can exploit the Apache Log4j logging library vulnerability to launch attacks that will persist years from now,” Chris Swagler of SpearTip said in a blog post.

“It will be particularly important to communicate to stakeholders that Log4j is a marathon and not a sprint. You’ll likely sound the ‘all clear’ multiple times before the situation really is ‘all clear,’” cybersecurity firm BreachQuest said in a statement.

With Log4Shell, it’s essential to understand the distinctions between systemic events and systemic vulnerabilities, according to Roger Francis, cyber claims director at CFC Underwriting.

Log4Shell is a systemic vulnerability: a widespread issue that creates the potential for a cyber incident to occur. There are thousands of vulnerabilities at any given moment, Francis noted, but a systemic event refers to an actual breach or attack affecting multiple organizations. For example, the ransomware attack against IT solutions provider Kaseya is considered a systemic event.

“There are going to be vulnerabilities and the potential for them to be exploited,” Francis said. “One of the small graces is there is a finite number of cybercriminals out there to chase them all down. This is going to be a long-tail systemic vulnerability.”

In the case of Log4Shell, there will be cyber gangs, system access brokers, and hackers at all levels looking to compromise as many systems as possible. Reports indicate hundreds of attempts to deploy malware, steal credentials or otherwise infiltrate systems.

“You can imagine this is a time to make hay,” said Francis. For the cyber risk and insurance world, it’s a time to offer meaningful, actionable insight to insureds.

The growing trend of continuous monitoring throughout the lifecycle of a cyber policy has come into play in a big way for the cyber risk market with the disclosure of Log4Shell. Francis said CFC has invested significant resources into reaching out to insureds with specific information and into scanning for vulnerabilities on the systems of insureds who have opted into the service. Log4Shell has some unique aspects that make it more challenging to detect, he added.

“The difference with this, you are unable to passively scan to see if the system is vulnerable,” Francis said. “More active testing is necessary, and CFC emphasized the need for explicit permission from insureds to perform the heightened scanning. Most customers find it ‘massively helpful.’ It’s another set of eyes to add to their own internal capabilities.”


© Zywave, Inc. All rights reserved.