Five Eyes intelligence agencies are warning of a rapidly evolving cyber storm that could hit everyone from gamers to big and small businesses, hospitals, transport and power systems.
“This is an evolving situation, and new vulnerabilities are being discovered,” the Australian, United States, United Kingdom, Canadian and New Zealand agencies have warned in an alert.
“The ACSC has observed malicious cyber actors using this vulnerability to target and compromise systems globally and in Australia,” the Australian Cyber Security Centre told AAP on Friday.
The joint alert issued out of the US said the vulnerabilities, especially Log4Shell, are “severe”.
The Log4Shell vulnerability affects software used by millions of Australians, often unknowingly, on their home and work computers, phones, apps, online games or when saving data in the cloud.
Microsoft says state-backed hackers from China, Iran, North Korea and Turkey are using the weakness to deploy malicious software, or malware, including ransomware.
Belgium’s defence department was breached this week, via a computer with internet access, the ministry said in a statement.
Cyber security firm ESET said it had blocked hundreds of thousands of attack attempts, mostly in the US and UK, but warned nearly 180 countries were in the firing line.
Australia was number seven in the top 20 countries with the most exploit attempts, as of December 20.
The bug is in a software component that logs information so developers or IT support staff can see what is happening in a program. The component is used by millions of computers worldwide running online services.
Cyber criminals can use the weakness to gain access, deploy ransomware and install back doors for future access.
“It makes everyone a possible target from ransomware attacks,” technology expert Shane Day at Australian cyber security firm Unify Solutions said.
“It’s not the kind of Christmas present anyone wants to receive and could make for a very unhappy New Year.”
The UK’s cyber agency said Log4Shell was potentially the most severe computer vulnerability in years.
Fixing the bug is likely to take weeks, or months for larger organisations.
“If attackers gain full control of a vulnerable device, they can conduct cyber espionage, steal sensitive data, install ransomware, or otherwise sabotage a company’s IT systems,” ESET security expert Ondrej Kubovic said.
Popular gaming platform Minecraft was one of the first to be breached in early December, with hackers entering malicious text into a game chat that allowed them to take control of players’ devices.
The game has been updated to fix the problem, but people using unofficial versions remain vulnerable.
Advice for companies includes checking whether key suppliers, including software suppliers or third parties with remote admin access, understand the severity of the threat.
The ACSC declined to identify specific Australian companies or sectors that have already been hit.
The joint alert detailed the steps that organisations with IT and/or cloud assets should take to reduce the risk to themselves and clients.
TIPS FOR CYBER SAFETY:
- Identify assets affected by Log4Shell and other Log4j-related vulnerabilities.
- Upgrade Log4j assets and affected products to the latest version as soon as patches are available.
- Initiate hunt and incident response procedures to detect possible exploitation.
- Remain alert to software updates and use them.