The Scottish Business Resilience Centre (SBRC) is urging all organisations to ensure computer systems and devices are updated to mitigate the impact of a newly detected global vulnerability.
A free piece of software on the Apache open-source platform, reported the risk.
The software, called Log4j, is often used on applications and servers to record or log activity by developers and IT professionals,
Dubbed log4shell, the vulnerability could allow hackers and cybercriminals to send malicious code to Log4j – potentially resulting in irreparable harm to devices globally.
SBRC, which combines emergency services, businesses and the Scottish Government, has also published guidance on what log4shell is, what it can do and the steps individuals and organisations should take to mitigate the fallout.
There is no time to waste here; the SBRC is calling on all businesses to take action now to avoid potentially catastrophic results.”
Jude McCorry, chief executive, Scottish Business Resilience Centre.
In a year where the National Cyber Security Centre (NCSC) has reported more cyber incidents than ever before, SBRC is monitoring the situation and recommending immediate action from organisations, irrespective of sector.
As well as following this advice, businesses are being urged to download the SBRC app in order to further mitigate business and cyber risk.
This will ensure firms get the latest updates on Log4j as they come out.
The app is available to download from the Android and Apple app stores.
‘All organisations must consider themselves at risk’
SBRC chief executive Jude McCorry said: “While the impact of log4shell is yet undetermined, organisations could still be in the dark if they even use Log4j in their systems.
“All organisations must consider themselves at risk of this global vulnerability until it has been confirmed that they are not.
“There is no time to waste here; the SBRC is calling on all businesses to take action now to avoid potentially catastrophic results.”
‘Personal devices are also at risk’
Ms McCorry added: “It is not just work devices that are on the line – personal devices are also at risk and so must be part of the updating process.
“Acting now and looking into other services that are used, including third-party software, will help to provide peace of mind.
“Given the meteoric rise in cyber incidents this year, individuals and organisations must turn to trusted sources to keep up to date on credible threats to operations like this.
“The SBRC app provides push notifications within minutes of the insight being received, covering cyber threats with accurate guidance.”
Microsoft says on its website it has not identified any “exploitation of our enterprise services as a result of the Log4j vulnerability at this time”.
The software giant adds: “Our security teams have been analysing our products and services to understand where Apache Log4j might be in use.
“As our investigation continues, if we identify any impact to our services or action required by customers, we will provide additional communications.”
Incident response line
Organisations concerned they have been the victim of a log4shell can contact the SBRC incident response line on 01786 437 472.
SBRC is a non-profit organisation that exists to support and help protect Scottish businesses.
Its links to Police Scotland, the Scottish Fire and Rescue Service and Scottish Government gives it exclusive access to the latest information to advise citizens and businesses how to digitally interact in safety.
Log4Shell explained in simple terms
What is Log4j?
Log4j is a small piece of free software often used on apps and servers to record or log activity.
These logs can be used by developers and IT professionals to identify issues on apps and servers.
Logs are very important and so this means Log4j is very popular due to it being freely available and easy to set up.
What’s the problem?
A major vulnerability in Log4j has recently been discovered – dubbed log4shell.
It allows hackers and cybercriminals, with very little expertise, to send malicious code to Log4j that can do harmful things to the affected device.
This ranges from giving a hacker unwanted access to stealing sensitive data, and spreading the vulnerability to other devices on the same network.
How bad is it?
Many media outlets are reporting “the internet is on fire” over this vulnerability.
Whilst nothing is actually on fire, it is not an exaggeration to say this is one of the most serious and most dangerous vulnerabilities of the past decade.
Huge numbers of devices and services are affected, including many popular software applications and online service providers.
Am I affected?
It is difficult to determine the extent of who is affected by this vulnerability, so you should assume you are vulnerable until you have verified you are not.
Most of the apps people use on their phones and computers have a risk of being affected.
If you or your organisation has a website, there is also a high chance the webserver is affected.
What can I do?
The first thing you should do is make sure all updates are completed as soon as possible.
The best way to mitigate log4shell is to ensure any device that could potentially use log4j is running the latest version of the software.
Even if you are unsure if you have an app or service that uses log4j, doing updates routinely ensures the app or device has enhanced protection against cyber attacks.
Secondly, you should contact your IT provider and ask them to make sure all your devices and servers are up to date – especially servers that are used by your website.
If they are unsure about the vulnerability, you can direct them to technical notices from the SBRC and the NCSC.
Thirdly, check your third-party software and service providers for their advisories on the vulnerability.
Major vendors like Microsoft and Google have all released advisories on mitigating the damage from this vulnerability.
Video games vulnerable too
Finally, update personal devices. This vulnerability affects all devices, not just those used for work.
The vulnerability can even affect video games, so make sure any family members devices are updated.
For updates on the situation as it unfolds, download the SBRC app – available on iOS and Android – and check out SBRC’s website blog on the topic at www.sbrcentre.co.uk/log4shell-vulnerability