Watchdog raises alert level on software flaw, holds emergency meetings

Singapore's national cyber-security watchdog yesterday raised the alert level on the highly critical Log4j software security flaw that has been declared code red by experts and governments globally.

Hackers are rushing to exploit the bug in the widely used software that cyber-security experts called one of the worst in years.

The Cyber Security Agency of Singapore (CSA) said that it held two emergency meetings this week with all government agencies overseeing the country's 11 critical information infrastructure (CII) sectors, such as water, energy as well as banking and finance.

The affected free and open source Apache Log4j software is popularly used for logging and keeping track of changes in many applications, ranging from social media to banking.

The flaw could let hackers easily take full control of computer systems, allowing them to steal data, lock up digital files with ransomware, make fraudulent bank transfers and more.

The bug is so easy to exploit that adding a line of code is enough.

CSA worked with the agencies to issue directions and technical details to CII sector organisations on the bug, such as patching their systems and taking immediate steps to minimise abuse.

The agencies are monitoring any unusual activities more closely.

Trade associations and chambers were also briefed by CSA yesterday morning "to underscore the seriousness of the vulnerability and urgency of implementing mitigation measures for all businesses and small and medium-sized enterprises", the agency added.

The United States Cybersecurity and Infrastructure Security Agency on Monday warned that hundreds of millions of devices are likely to be affected. Its director Jen Easterly said the flaw "is one of the most serious I've seen in my entire career, if not the most serious".

CSA said "it is estimated that most, if not all, businesses and organisations have some applications or software using Log4j".

Yesterday, Minister for Communications and Information Josephine Teo said on Facebook that CSA and the Government Technology Agency are checking and patching the country's government systems thoroughly.

But time could be running out.

CSA said that "the situation is evolving rapidly and there have already been numerous observations of ongoing attempts by threat actors to scan for and attack vulnerable systems".

Active scans of CII systems for the flaw in Singapore have been detected but, for now, CSA has not received any reports of breaches related to the vulnerability.

"Most of these probing attempts were stopped at the secured boundary between the Internet-facing and private sections of company networks," said the agency.

Cyber-security firm Acronis said that on Dec 10, the day CSA first alerted the public on the flaw, there were single-digit attempts to exploit the security loophole in Singapore and globally. But this surged 300 times over the weekend.

"While the situation is serious, there are always proactive steps we can take," said Mrs Teo. "I urge CII owners, business leaders or developers to identify the potential risks in your systems and close these gaps quickly.

"Stay vigilant for unusual activity in your networks and systems."

Mr C.K. Chim, cyber-security firm Cybereason's field chief security officer for the Asia-Pacific region, said that what makes the software bug so severe "is that organisations are not even aware that Log4j is part of their network that needs to be secured".

He added that patching affected software takes time and that for some systems, this may not be possible immediately, if at all.

He advised firms to upgrade their software to new versions as soon as possible. "Maintaining good security hygiene, such as timely detection, will minimise potential business disruption in the event of successful exploitation," he said.

A version of this article appeared in the print edition of The Straits Times on December 18, 2021, with the headline Watchdog raises alert level on software flaw, holds emergency meetings.