Singapore urges ‘vigilance’ over critical software bug
Singapore’s Cyber Security Agency (CSA) has raised the country’s alertness level on the Log4j software flaw, joining a growing list of governments and industry experts to sound the alarm over the critical vulnerability.
The CSA said on Friday that it had held two emergency meetings over the past week with government agencies in charge of the country’s 11 critical information infrastructure (CII) sectors, including telecommunications, transport, banking, and finance.
In a Facebook post, Minister for Communications and Information Josephine Teo said both the CSA and the Government Technology Agency were patching official systems “thoroughly,” but warned CII firms to “stay vigilant” as the flaw’s “ease of attack” makes it “too attractive for bad actors.”
Noting that the “situation is evolving rapidly,” the CSA said it had detected “ongoing attempts by threat actors” to “scan and attack vulnerable systems.” The agency added that it had not received reports of breaches relating to the bug, which stems from the Apache Software Foundation’s widely used open-source Java logging utility, Log4j.
Described by the security company Tenable as the “single biggest, most critical vulnerability of the last decade,” the flaw allows hackers to easily overpower systems running the tool and mount ransomware attacks by stealing, deleting, and locking data. Some estimates have pegged the number of attacks that have exploited the bug over the past week at more than 1.2 million.
Several US government officials and agencies have issued warnings about the bug’s seriousness. Homeland Security Secretary Alejandro Mayorkas reportedly told the German Marshall Fund of the US on Thursday that the problem was “uppermost in our action plans.”
“The challenge it presents is its prevalence, because they attacked a software that is omnipresent, and then there’s a vulnerability that has been exposed and others can jump in in the exploitation of that vulnerability and really multiply the harm.”
Meanwhile, a senior Biden administration official revealed that a number of federal government systems have been affected by the flaw. Speaking to Bloomberg Television on Thursday, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said she expects the number of systems affected by the vulnerability “to grow.” The US Patent and Trademark Office was thought to be among those affected.