Five Eyes security partners scramble to combat hackers exploiting software used by billions

Five Eyes security partners are scrambling to fight back against hackers exploiting software used by billions across the globe.

Five Eyes security partners are scrambling to fight back against hackers exploiting software used by billions across the globe, with the FBI and US National Security Agency working with tech companies, targeted businesses and Australian officials to avoid mass data breaches over Christmas.

With thousands of high-level, sophisticated hacking attempts using vulnerabilities in the Java-based Log4j software already detected, top US, British, Canadian, Australian and New Zealand cyber chiefs on Thursday released a joint statement warning companies to act immediately.

US Cybersecurity and Infrastructure Security Agency director Jen Easterly said “these vulnerabilities are the most severe that I’ve seen in my career, and it’s imperative that we work together to keep our networks safe”.

“Log4j vulnerabilities present a severe and ongoing threat to organisations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks,” Ms Easterly said.

“CISA is working shoulder-to-shoulder with our interagency, private sector, and international partners to understand the severe risks associated with Log4j vulnerabilities and provide actionable information for all organisations to promptly implement appropriate mitigations.”

FBI cyber division assistant director Bryan Vorndran said they were working with federal and international partners to stymie “malicious cyber activity and arm the public and private sector with information to better shield their systems”.

In an interview with The Australian this week, Australian Cyber Security Centre acting head Jessica Hunter said millions of Australians face a “cyber security ticking time bomb”, with children, parents and businesses under threat of being “hunted” by sophisticated cyber hackers.

In the joint statement, Ms Hunter said “malicious cyber actors are already scanning and exploiting some of the many thousands of vulnerable systems around the world. To address this threat we all need to be proactive in our efforts to patch, partner and monitor”.

NSA cyber security director Rob Joyce said “partnering to clearly define the problem, and how to mitigate, is critical to cut through the noise and arm responders with the proper information to act”.

“Given the severity of the Log4j vulnerabilities and the likelihood of increased exploitation, we strongly urge organisations to apply the mitigations recommended in our joint cybersecurity advisory,” Mr Joyce said.

The Log4j software affects more than 100,000 devices, software products, cloud accounts, email servers and online gaming apps, among them products from all major tech companies, including Microsoft, Apple, Cisco, IBM and Amazon. Parents have been warned that devices and apps purchased ahead of Christmas must be immediately updated.

The cyber chiefs described the situation as “evolving” and said “every executive and leader is strongly encouraged to ensure their business, organisation, or government agency is taking appropriate action to mitigate these Log4j vulnerabilities”.

Cyber attackers can access the “heart of devices” after entering via the Log4j vulnerability, stealing user passwords, login details and sensitive data. Assistant Defence Minister Andrew Hastie said hackers could also infect networks with malicious software causing “widespread business interruption”.

MORE: For a list of Log4j affected software go to https://github.com/cisagov/log4j-affected-db

Advice and mitigations are available for all Australian organisations at cyber.gov.au.

The ACSC National Hotline 1300 CYBER1 (1300 292 371) is able to provide assistance as required.

Original URL: https://www.theaustralian.com.au/nation/politics/five-eyes-security-partners-scramble-to-combat-hackers-exploiting-software-used-by-billions/news-story/639e5baefef9d2dcd1fc99cdf41c6b21