S'pore firms warned to quickly fix Log4j software security hole that world experts call worst in years

Public and private sector organisations are expected to be affected. PHOTO: REUTERS

SINGAPORE - Organisations should take swift action to patch a "critical vulnerability" in a widely used software that could allow hackers to take full control of computer systems, the Cyber Security Agency of Singapore (CSA) said on Tuesday (Dec 14).

The bug has been scored the maximum of 10 in terms of severity of computer system vulnerabilities.

Immediate action needs to be taken because "we only have a short window" to put in place measures to limit any abuse of the flaw, CSA warned.

The flaw, which affects a wide range of applications from social media and gaming to online shopping and banking, is likely to affect hundreds of millions of devices, the United States' national cyber-security agency said on Monday, adding that it could be one of the worst in years.

The affected Apache Log4j is a free, open source software that is popularly used to log and keep track of activities and changes in software applications, including system errors and messages from users.

Public and private sector organisations are expected to be affected.

Cyber-security experts warned that the flaw can be easily exploited by adding just a line of code.

This could allow cybercrooks to, among other things, abuse the vulnerability to steal and delete data, hijack a company's e-mail system to send phishing messages to other firms, and make fraudulent bank transfers.

Among the services and sites known to be vulnerable at some point include Apple's iCloud online back-up service, Valve's Steam online game store and Microsoft's Minecraft online game. Other firms reportedly at risk include Amazon, Baidu, Google, Tencent and Twitter.

While CSA has not received any report of breaches related to the vulnerability for now, it is closely monitoring the situation and working with critical information infrastructure businesses to put in place measures to address the bug immediately.

The Monetary Authority of Singapore, the country’s financial sector regulator, said that it is also providing recommendations to help financial institutions prevent and detect any exploitation of the vulnerability.

“Financial institutions that are using the affected software versions are expected to take appropriate and prompt actions to address the vulnerability,” it added.

Organisations here affected by the vulnerability are urged to report to the agency’s Singapore Computer Emergency Response Team if there is evidence their systems have been compromised.

CSA's urgent call to action follows an initial alert it sent out last Friday.

It also comes after US Cybersecurity and Infrastructure Security Agency (Cisa) director Jen Easterly said the flaw, also called Log4Shell or LogJam, "is one of the most serious I've seen in my entire career, if not the most serious", reported cyber-security news site CyberScoop.

Last Saturday, Germany's cyber-security watchdog BSI issued the highest red alert warning on the security hole, saying it posed an "extremely critical threat" to Web servers.

Apple and several companies have reportedly taken steps to patch the security hole, as was the case for iCloud, or alert customers on steps they can take to minimise the damage from the bug, which is what firms such as cloud computing giant VMware did.

Some businesses in Singapore also said they are on high alert and have taken steps to patch the flaw and investigate the impact of the bug.

For instance, local bank UOB said that it has implemented appropriate protection measures and will continue to monitor developments closely.

In the case of iCloud, files stored in it are encrypted and hackers are unlikely to be able to make sense of the content even if they break into the system.

But Mr Kevin Reed, chief information security officer of cyber-security firm Acronis, said that one way the flaw, if unpatched, could still be abused is to delete people's photos stored in iCloud.

Mr C.K. Chim, cyber-security firm Cybereason’s field chief security officer for the Asia-Pacific region, said that what makes the software bug so severe “is that organisations are not even aware that Log4j is part of their network that needs to be secured”.

For example, when employees upload or share confidential information on Web applications, they are exposing the data to this vulnerability unknowingly, he said.

In many cases, such as with bank apps, Mr Reed said “there are no steps consumers can take to prevent this vulnerability from happening”.

And if businesses do not step up to plug the Log4j issue in the coming days, “it will significantly affect consumers”, he said.

Cyber criminals appear to be rushing to find potential victims they can attack using the flaw.

"We are aware of botnets using this vulnerability to compromise computers at scale," said Mr Reed, referring to "zombie" devices linked to the Internet and infected with malware that allows hackers to control them and launch cyber attacks.

"Right now, the Internet is on fire. It's crazy - there are thousands and thousands of exploitation attacks happening every second," he added.

Mr Reed said that the number of attempts by hackers to exploit the flaw is rising exponentially.

Globally and in Singapore, his firm detected exploitation attempts in the single digits last Friday. But over the weekend, this spiked by 300 times.

"Normally, exploits do not grow as fast as that - this is on the scale of WannaCry," he said.

The WannaCry ransomware in 2017 struck many global systems and crippled hospitals in England and Scotland, government agencies in China and Russia, railway operations in Germany and car production facilities in France.

For now, because there are so many attack attempts, it is difficult to figure out if there are specific sectors being targeted, Mr Reed said.

But the worst is yet to come and time is running out, with companies reportedly scrambling to patch the flaw.

"Because (Log4j) is everywhere and easy to exploit, we will see a lot of exploitation in the coming days, weeks, and maybe months," said Mr Reed.

Join ST's Telegram channel and get the latest breaking news delivered to you.