(Australian Associated Press)
The COVID-19 virus is affecting every aspect of our lives, and now a second bug is on the loose.
Hospitals and businesses with people working on the go or remotely are on the frontline, and this time the virus is digital.
The swelling Australian Immunisation Register and the Medicare and Pharmaceutical Benefits Scheme portals all needed an urgent upgrade over the Christmas break.
So far, they are winning the battle against intruders.
“We’re not aware of any data being exposed by third party vendors and we continue to actively work with developers to transition,” Services Australia general manager Hank Jongen told AAP.
But a first pass by experts scanning for intrusion may not be enough to protect against malicious attacks.
As well as being a “real and present danger”, intruders are nesting deep inside software systems and could lurk there for years, cyber detectives warn.
Cyber threats are on the rise as our lives and livelihoods increasingly go online, but the so-called Log4j vulnerability is particularly noxious.
The vulnerability in a software component affects the Log4j Java system used by millions of Australians, often unknowingly, on their work and home computers, phones, and seemingly secure apps.
Microsoft recommends ongoing reviews and scans for fresh bouts of malicious code and messaging.
“Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance,” Microsoft says.
The United States announced last week it would sue companies that don’t protect themselves against the bug and its variants.
Australia would likely do the same if laws here allowed such decisive action.
The US Federal Trade Commission (FTC) says the vulnerability is being widely exploited by a growing set of attackers, posing a severe risk to millions of consumer products, enterprise software and web applications.
China-based groups Hafnium and Aquatic Panda rapidly went on the attack a few days after the first flaw was disclosed in December, as did hackers based in Iran, experts say.
“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms,” the FTC warned in a blog post.
The US Cybersecurity and Infrastructure Security Agency warns no single action can fix the issue.
Under US law there is a duty to act, and that includes Australian organisations operating in the United States.
The FTC says it intends to use its “full legal authority” to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.
When credit firm Equifax failed to patch a known vulnerability and exposed the personal information of 147 million consumers, it had to pay a settlement of $US700 million ($A974 million).
Back home, Services Australia is responsible for the data of millions of Australians but is linked to hospitals, aged care homes and other service providers whose systems must be flexible but are often fragile.
Remote access software for applications and data, including the MobileIron products used in Australia and elsewhere, has proved to be an easy entry point for intruders.
The Australian Industry Group has warned that a large number of apps may be vulnerable, affecting individuals, businesses and business supply chains.
“A hole in their defences could allow malicious actors to create malicious ‘logs’ which could take control of computer systems and data,” Ai Group says.
The United Kingdom, United States, Canada and New Zealand are also tackling the bug and its variants.
“The Log4Shell vulnerability within MobileIron products is being actively targeted and exploited,” the UK’s National Health Service has warned.
Organisations and software developers, including Java’s Apache and MobileIron, have acted swiftly.
Apple’s iCloud, the game distribution platform Steam and Minecraft have also patched up holes.
Australia’s Employment Minister Stuart Robert has encouraged all businesses to take the issue seriously.
“It is a serious virus, serious piece of malware,” he says.
“I’ve been encouraging all businesses at a degree of urgency to ensure their servers, especially their web servers and any of their remote access through MobileIron are appropriately patched, and they should be doing it now.”
Australian companies, universities and all aspects of government have been warned to, at the very least, take basic steps to scan and upgrade software to protect themselves.
Microsoft says it has observed many attackers adding these vulnerabilities to their existing malware kits and tactics, from cryptocurrency miners to hands-on-keyboard attacks.
“Organisations may not realise their environments may already be compromised,” the firm says.
“At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments.”
Many of Australia’s health and aged care service providers make claims on taxpayer funds using ageing business to government (B2G) software and were warned to respond, but they may have missed the memo.
“We recommend that you transition your customers to web services as soon as possible,” Services Australia said in a note to developers in late December.
“The agency is committed to moving away from ageing adaptor technology for online claiming as soon as possible.
“This has become increasingly urgent in light of the emerging global Java vulnerability.”
The agency already blocks about 14 million suspicious emails every month and constantly needs to undertake security reviews, upgrades and patches to fix bugs, a federal parliamentary committee heard last year.
Services Australia is now working closely with the Australian Cyber Security Centre on the evolving threat.
“Services Australia will continue to implement mitigation and detection recommendations as advised by the ACSC,” Mr Jongen said.
“The ACSC are working with all vendors to ensure that Log4j vulnerabilities are identified and mitigated.”