By John Stapleton: Michael West Media.

Australian governments and businesses have been warned they face their greatest hacking threat yet, Apache Log4j. John Stapleton reports on Australian Cyber Security Centre warnings of possible widespread systems failure.

There has always been a dystopian theory that in historical terms the internet was just a prelude to another Dark Age, that the remarkable connectivity we now all enjoy was little more than an illusion which could not last. The internet was so vast, complex and infested with bad actors it would inevitably collapse.

That is the era we are now entering. Whether it is old age pensions or car registration, Australians and their governments rely utterly on computers, and as developments over the past month have illustrated, these systems are extremely vulnerable.

The devil child of the moment, if you want to call it that, is the very technically named Log4j computer vulnerability, which has left governments and corporations world wide open to attack and scrambling to patch, or repair, their systems. It is being called the biggest cyber security breach in history.

With the news bandwidth consumed by Omicron and the public immured to cyber scare stories, the scale of the recent Log4j story and the implications it has for the secure operation of government services and infrastructure is only just becoming more broadly understood. 

A worse worse-case-scenario

News of the threat, a flaw in a ubiquitous piece of software called Apache Log4j, spread like wildfire through the industry after it became public knowledge on 10 December.

In a worst case scenario, the flaw could, for example, lead to the collapse of the Centrelink payment system. Such an eventuality, now regarded as a real possibility, would lead to social chaos across the country within weeks as millions of welfare recipients already living on the breadline struggled to feed themselves and their children. 

From Defence to Health, these types of disaster scenarios are now beginning to fester in the minds of security experts. 

There are widespread calls for change, from the urgency with which Australia’s public service mandarins deal with cyber security issues right through to a line by line review of dated or out of service software still in use.

Alarmingly, the flaw allows hackers to remotely take over entire computer systems.

A large menu of targets

Of particular concern in the Australian context is the use by government departments of out of date or unsupported software which may make systems impossible to patch. 

“Logging is a fundamental feature of most software, which makes Log4j very widespread,” writes Professor Santiago Torres-Arias at America’s Purdue University. “Hackers have a large menu of targets to choose from: home users, service providers, source code developers and even security researchers. 

“A large number of hackers are already trying to abuse Log4Shell. These range from groups trying to mine bitcoin to hackers associated with China and North Korea trying to gain access to sensitive information from their geopolitical rivals.”

Security experts say entire departments and organisations could already have been infiltrated without security experts being able to identify the intruders. 

Australia’s vulnerability

The Australian Cyber Security Centre has issued a series of updates calling on all organisations in the country to check for vulnerabilities immediately.

Their public warning read in part: “The ACSC is aware of widespread scanning and reconnaissance activity against Australian organisations by malicious actors to identify the Log4j vulnerability. The ACSC has observed successful exploitation of the Log4j vulnerability and the compromise of systems and networks within Australia and globally, across all sectors of the economy.

“The ACSC is also aware of reporting that malicious cyber actors have patched Log4j on systems after exploitation and compromise to avoid detection by security teams.”

In technical terms the ACSC notes: “An observed string substitution obfuscation technique which seeks to obscure exploitation of the remote code execution vulnerability can cause an infinite recursion resulting in a denial of service condition in versions of Log4j between 2.8.0 and 2.16.0.”

In plain English, a malicious actor can remotely throw a software system totally out of kilter; for instance bringing a payroll system to a complete standstill.

That would leave almost as many unhappy public servants as welfare recipients. 

There are many questions over whether vulnerabilities persist in the Australian government’s cyber systems.

Researcher at UNSW Professor Salil Kanhere puts it thus: “Software systems and web services are so complex, and so layered with dozens of stacked levels of abstraction, code running on code on code, that it could take months for all these services to update. It will likely take a long time, potentially even years till we can fully eliminate the effects of this vulnerability.

“Organisations need to understand that even if they have secured their infrastructure from exploitation against the Log4j vulnerability, it is highly possible and perhaps likely that many of these components were silently breached, and effectively hidden. 

“It is thus imperative that organisations undertake extensive monitoring and assessment of their systems. It is important to be super vigilant. 

“Attempts to leverage this vulnerability by malicious entities remain very high.”

While there have been initial patches made on vulnerable government systems, attack vectors may well remain open or have already been breached. 

Experts fear a reliance on out of date or inadequately supported software means some government systems remain vulnerable.

The crisis comes after a long history in Australia of a clunky or plain difficult relationship between government bureaucrats and the IT industry generally. 

Audit audit audit

While much happens beneath the surface, a recent widely reported and for the government embarrassing example of the use of outdated software was the Australian Defence Department still using Microsoft Windows XP long after it was out of support and therefore not being upgraded with security patches.

The slow moving nature of Australian bureaucracy and their traditionally fraught relationship with the IT industry makes securing these systems fraught with even more difficulty. 

Industry experts can call all they like for the use of the latest software with constant updates, but these calls can fall on very stony ground.

The central issue in terms of the threat to government departments comes in its use in enterprise software; that is system wide software. These have many components and are not just written by the one vendor. This is the difficulty where Apache software is used as sub components and therefore patches are issued by the vendor which will include the Apache updates, but on their own cycle. This leaves a window of vulnerability until the patching is completed.

IT expert George Fong said there was only one solution to the current situation exposed by Log4K: “Audit, audit, audit.”

He is also calling for a complete transformation in the way government’s approach cyber security.

“Change is more often than not driven by a major and sometimes catastrophic failure rather than longer term transitional planning.

“In terms of the overall structure of governance over systems in the Federal Government, I’d be concerned, not just in respect of Log4j but generally in terms of the levels of audit and risk management. Many different departments, many different systems, many different administrative and governance structures.

“The Australian Government has long had a problem listening to industry, whether on metadata retention, encryption, or many other issues. They would do well to change this culture.”

Don’t forget to change your password

Laurie Patton, former Chief Executive of Internet Australia, said:  “This government, in particular, refuses to accept advice from industry. The most glaring case is the NBN, where a host of broadband experts told it that using the old run-down Telstra copper network would be a disaster, as it has been.

“More recently there’s the COVIDSafe app. Within hours of its release a number of cryptographers had reverse-engineered it and found fundamental flaws. In a rare move Apple and Google came up with a solution but the Health Minister has simply ignored industry calls to fix the app.”

Experts uniformly warn that while Apache Log4j is getting all the attention right now, other threats could become equally pressing. 

The security of the systems we have come to rely on so utterly are at risk. During the Covid era the Australian government has placed itself front and centre of every citizen’s life; and yet at no other time in history has its ability to deliver been more at risk.

As Professor Kenhare notes: “The original attack possessed severe risk to millions of consumer products, enterprise software and web applications. While many organisations have proactively applied the provided updates and patches, it is very likely that a non-trivial fraction are yet to be fully updated. So far, attackers have exploited the flaw to install crypto-miners on vulnerable systems, steal system credentials, burrow deeper within compromised networks, and steal data. But there is potential for other exploits that are not yet known.”

A spokesperson said while it would not provide details the Australian Cyber Security Centre was aware of malicious cyber actors conducting reconnaissance scans in Australia, and compromising Australian networks through the critical Log4j vulnerability.

Their latest advisory, issued on 7 January, is aimed at Company Directors and Boards. It warns: “Australian organisations are being targeted and compromised. A large number of Australian organisations use products or services which use the Log4j library. The vulnerability is a serious business risk and has the potential to significantly disrupt business operations, incur significant incident response costs, damage your organisation’s brand and reputation, and depending on the response of the Board, may be a cause of shareholder or regulatory action.”

The Defence Minister Peter Dutton has been approached for comment. 

The question remains: Just how vulnerable are the Australian government systems. Have they already been breached?

John Stapleton worked as a staff reporter on The Sydney Morning Herald and The Australian for more than 20 years. His books include Thailand: Deadly Destination and Terror in Australia: Workers’ Paradise Lost. Currently edits A Sense of Place Magazine.