Singapore Govt raises alert level on critical Log4j software bug, holds 2 emergency meetings

SINGAPORE - The Republic's national cyber-security watchdog on Friday (Dec 17) raised the alert level on the highly critical Log4j software security flaw that has been declared code red by experts and governments globally.

Hackers are rushing to exploit the bug in the widely used software that cyber-security experts called one of the worst in years.

The Cyber Security Agency of Singapore (CSA) said that it has held two emergency meetings this week with all government agencies overseeing the country's 11 critical information infrastructure (CII) sectors, including telecommunications, transport, as well as banking and finance.

The affected free and open source Apache Log4j software is popularly used for logging and keeping track of changes in many applications, ranging from social media and gaming to online shopping and banking.

The flaw is so serious that it could let hackers easily take full control of computer systems, allowing them to steal and delete data, lock up digital files with ransomware until the crooks are paid, make fraudulent bank transfers and more.

The bug is also so easy to exploit that just adding a line of code is enough, something experts said amateur cyber criminals could pull off.

CSA worked with the agencies to issue directions and technical details to CII sector organisations on the bug, such as patching their systems and taking immediate steps to minimise abuse of the exploit.

The agencies are also monitoring any unusual activities more closely.

Trade associations and chambers were also briefed by CSA on Friday morning "to underscore the seriousness of the vulnerability and urgency of implementing mitigation measures for all businesses and small- and medium-sized enterprises", the agency added.

The United States Cybersecurity and Infrastructure Security Agency on Monday warned that hundreds of millions of devices are likely to be affected. Its director Jen Easterly said the flaw "is one of the most serious I've seen in my entire career, if not the most serious".

While it is challenging to determine the exact impact on organisations due to the pervasive use of the affected software, CSA said, "it is estimated that most, if not all businesses and organisations, have some applications or software using Log4j".

On Friday, Minister for Communications and Information Josephine Teo said on Facebook that CSA and the Government Technology Agency of Singapore are checking and patching the country's government systems thoroughly.

"All businesses must act to quickly safeguard themselves," she added.

Time could be running out.

CSA said that "the situation is evolving rapidly and there have already been numerous observations of ongoing attempts by threat actors to scan for and attack vulnerable systems".

Active scans of CII systems for the flaw in Singapore have been detected but, for now, CSA has not received any reports of breaches related to the vulnerability.

"Most of these probing attempts were stopped at their network perimeters, the secured boundary between the Internet-facing and private sections of company networks," said the agency.

Cyber-security firm Acronis said that last Friday (Dec 10), the day CSA first alerted the public on the flaw, there were single-digit attempts to exploit the security hole in Singapore and globally. But this surged 300 times at the weekend.

"While the situation is serious, there are always proactive steps we can take," said Mrs Teo. "I urge CII owners, business leaders or developers to identify the potential risks in your systems and close these gaps quickly. Stay vigilant for unusual activity in your networks and systems."

CSA advised organisations to patch their systems with the latest updates immediately, especially if they use affected versions of Log4j.

They should also figure out if Log4j is used in other instances in their system and do more to monitor for suspicious activities.

Developers that use Log4j in their products should identify, mitigate and develop patches for affected products, as well as inform their clients that the products have the vulnerability and need to be updated.

But fixing the bug is not so easy.

Many major technology firms - such as Cisco Systems, IBM, VMware and Splunk - still have multiple software products used by customers that are affected and still lack available patches as at Thursday, Reuters reported.

Mr C.K. Chim, cyber-security firm Cybereason's field chief security officer for the Asia-Pacific region, said that what makes the software bug so severe "is that organisations are not even aware that Log4j is part of their network that needs to be secured".

For example, when employees upload or share confidential information on Web applications, they are exposing the data to this vulnerability unknowingly, he said.

Mr Chim added that patching affected software takes time and that for some systems, this may not be possible immediately, if at all.

He advised companies to upgrade their software to new versions as soon as possible.

"Maintaining good security hygiene, such as timely detection, will minimise potential business disruption in the event of successful exploitation," he said.
