Intelligence agencies are warning of a cyber storm that could affect everyone from gamers to big and small businesses, hospitals, transport and power systems.
“This is an evolving situation, and new vulnerabilities are being discovered,” the Australian, United States, United Kingdom, Canadian and New Zealand agencies have warned in a joint alert.
“These vulnerabilities, especially Log4Shell, are severe,” the Five Eyes partners said.
The Log4Shell software vulnerability affects the Log4j Java logging software used by millions of Australians, often unknowingly, on their computers, phones, apps and online games.
Cyber security firm ESET said it had blocked hundreds of thousands of attack attempts, mostly in the US and UK, but warned nearly 180 countries were in the firing line.
Australia was number seven in the top 20 countries with the most exploit attempts, as of December 20.
The bug involves a software component that logs information so developers or IT support staff can look at what’s happening in the program, and it’s used by millions of computers worldwide running online services.
“It makes everyone a possible target for ransomware attacks,” technology expert Shane Day at Australian cyber security firm Unify Solutions said.
“It’s not the kind of Christmas present anyone wants to receive and could make for a very unhappy New Year.”
When a vulnerable system is breached, cyber criminals can install ransomware and back doors for future access.
Acting head of the Australian Cyber Security Centre Jessica Hunter said malicious cyber actors are already scanning and exploiting many thousands of vulnerable systems around the world, including in Australia.
The UK’s cyber agency said Log4Shell was potentially the most severe computer vulnerability in years.
Fixing the bug is likely to take weeks, or months for larger organisations.
“If attackers gain full control of a vulnerable device, they can conduct cyber espionage, steal sensitive data, install ransomware, or otherwise sabotage a company’s IT systems,” ESET security expert Ondrej Kubovic said.
Popular gaming platform Minecraft was one of the first to be breached in early December, with hackers entering malicious text into a game chat that allowed them to take control of players’ devices.
The game has been updated to fix the problem, but people using unofficial versions remain vulnerable.
Advice for companies that are at risk includes checking whether key suppliers, including a third party with remote admin access, understand the severity of the threat.
The joint alert detailed the steps that organisations with IT and/or cloud assets should take to reduce the risk to themselves and clients.
TIPS FOR CYBER SAFETY
* Identify assets affected by Log4Shell and other Log4j-related vulnerabilities.
* Upgrade Log4j assets and affected products to the latest version as soon as patches are available.
* Initiate hunt and incident response procedures to detect possible exploitation.
* Remain alert to software updates and use them.