Apache Log4j Vulnerability in Java Applications May Pose Risk to Confidential Company and Personal Information

By: Kathie McDonald-McClure

On December 11, 2021, the United States Cybersecurity & Infrastructure Security Agency (CISA), issued a Statement regarding what it called a “critical vulnerability affecting products containing the log4j software library”.  This Statement emphasizes that end users are reliant on their vendors to inform them about the vulnerabilities and to develop patches to protect against the vulnerabilities.   Separately, CISA established a webpage for Apache Log4j Vulnerability Guidance that CISA is continually updating to impart further guidance and vendor information as they become available.  End users should be on the lookout for critical patches from their vendors.

According to the CISA Guidance, the Log4j vulnerability is being widely exploited by a growing set of malicious actors to steal information, launch ransomware attacks, or conduct other malicious activity such as taking over a company server to mine cryptocurrency.  At least 10 major technology vendors have issued statements that one or more of their products have been affected by the Log4j vulnerability: Cisco, IBM, VMware, Amazon Web Services (AWS), Fortinet, Broadcom, ConnectWise, HCL Connections, N-Able, and Okta.[1] On December 15, 2021, the Microsoft 365 Defender Threat Intelligence Team reported that a new family of ransomware, called Khonsari, is being deployed via the Log4j vulnerability on non-Microsoft hosted servers.

Most alarming is a report by cybersecurity researchers at Check Point that from December 10, 2021, when the vulnerability was announced, through December 16, 2021, bad actors had attempted to exploit the Log4j vulnerability on more than 48% of corporate networks worldwide.  The Check Point report contains a bar graph illustrating the percentage of organizations impacted by industry sector.  As of this writing, Education and Research topped the list at 59.9%. Following close behind are: Internet and Managed Service Providers (ISPs/MSPs), Computer System Integrators (SI) and Software/Hardware resellers (VAR) at 57.4; Finance and Banking at 53%, Government and Military at 40.2%, Healthcare at 49.6% and Insurance and Legal at 49.3%  The Check Point graphs reflect these industries as being impacted as well: Manufacturing, Consultant, Communications, Software/Hardware vendors, Utilities, Hospitality, Transportation and Retail/Wholesale.

KRONOS Payroll Ransomware Attack Could be Linked to Log4J, Implicating Potential Data Breach Notification Obligations to Affected Employees

UKG, a company that provides payroll support services known as KRONOS for many U.S. companies, notified its customers on December 12, 2021, that the KRONOS Private Cloud had been attacked by ransomware.  As of its December 16, 2021 update, UKG was still investigating whether the attack was linked to the Log4j vulnerability.  The company stated:

LG4j Update

Log4j is a Java-based logging tool that is directly embedded in popular software applications across many industries. As soon as the Log4j vulnerability was recently publicly reported, we initiated rapid patching processes across UKG and our subsidiaries, as well as active monitoring of our software supply chain for any advisories of third-party software that may be impacted by this vulnerability. We are currently investigating whether or not there is any relationship between the recent Kronos Private Cloud security incident and the Log4j vulnerability. 

The affected KRONOS products include Workforce Central, TeleStaff, Healthcare Extensions and Banking Scheduling Solutions. UKG reports that these KRONOS Private Cloud solutions may be unavailable for “several weeks.” 

In addition to the immediate payroll issues, if the ransomware attack compromises employee personal information, then it may trigger a data breach notification obligation for employers impacted by the KRONOS attack under state breach notification laws.  Companies impacted by a payroll vendor’s data security incident should quickly assess the types of personal identifiers stored on the vendor’s impacted servers, and also pull together a list of states in which its employees reside. With a list of the types of personal information and the states where employees reside, Wyatt lawyers with experience in data privacy and security matters can readily assist in assessing the company’s potential notification obligation. 

For a fuller discussion of potential data breach notification obligations triggered by the KRONOS incident, see our additional article, KRONOS Payroll Ransomware Attack Implicates Potential Data Breach Notification Obligations.

If you need additional information, please contact:

Kathie McDonald-McClure, Partner

Phone: 502.562.7526 

Email: kmcclure@wyattfirm.com

Margaret Young Levi, Counsel

Phone: 859.288.7469

Email: mlevi@wyattfirm.com

[1] Thanks to the reporting of C.J. Fairfield at CRN for tracking and reporting on these Log4j security announcements by major technology vendors.

One thought on “Apache Log4j Vulnerability in Java Applications May Pose Risk to Confidential Company and Personal Information

Comments are closed.