The Australian Cyber Security Centre and law enforcement agencies have launched “around the clock” monitoring of cyber attacks linked to the compromised Log4j Java-based software and stepped up high-level co-operation with US cyber security counterparts.

After the software vulnerability was publicly identified by Chinese company Alibaba on December 10, ACSC acting head Jess Hunter confirmed that cyber actors had already successfully breached Australian devices.

“In my experience, this is the most serious cyber risk Australia has faced. We consider the Log4j a cyber security ticking time bomb. The fact that it is so commonly used is what makes this a big deal,” Ms Hunter told The Australian.

“It’s a big deal for mums and dads who are opening presents on Christmas Day, all the way through to large corporations who are running a series of capabilities for their whole customer set. The vulnerability could affect every sector of the economy and it is so easily taken advantage of.

“Examples are in the Minecraft game … it’s as easy as typing one line of code into the public chat box and then your device is owned by malicious cyber actors.”

The ACSC and Assistant Defence Minister Andrew Hastie have ramped up calls for Australians to urgently patch not only their devices but also other software impacted by the cyber threat, including emails, cloud accounts and online games.

After US Cybersecurity and Infrastructure Security Agency chief Jen Easterly described the Log4j vulnerability as one of the “most serious” threats in her career, ACSC officials are in talks with local software developers and the private sector to fast-track unique security patches.

Ms Hunter said the ACSC had already seen a “wide impact including sophisticated cyber actors hunting for vulnerable Australian citizens who have not been patched against this flaw and in some cases have been successful in gaining access to those devices”.

“The vulnerability will be continued to be exploited, this is not the end of it. So after Christmas we will continue to be focused and alert on Log4j and, even after patching, the ACSC anticipates more vulnerabilities will be identified or exploited,” she said.

“This issue is not going away quickly. We are already seeing impacts across all of Australia and we anticipate the impact will be felt for many months to come. We cannot discount that … there will continue to be serious breaches many years down the track.”

Mr Hastie said malicious cyber adversaries were conducting “thousands of scans in search of the Log4j software vulnerability”.

“This is a serious vulnerability in affected systems, akin to leaving every door and window in your home unlocked on Christmas Eve. It is absolutely critical that Australian businesses and households patch their systems and networks urgently before going on holidays,” Mr Hastie said. “Not doing so will give our cyber adversaries an early Christmas present. Cyber criminals don’t take a holiday for the Christmas season. They are ruthless and opportunistic.”

Mr Hastie said if not fixed, cyber attackers could “break into an organisation’s systems, steal user passwords and login details, extract sensitive data and infect its networks with malicious software causing widespread business interruption”.

“This requires immediate action. I am calling on all Australian businesses and households to ensure their applications and products are patched and up to date, and to follow the ACSC advisories. Even after patching, organisations must continue to monitor to see if any attackers are still lurking in their systems,” he said.

Ms Hunter, the ACSC head of cyber threat intelligence and cyber security services, said she had asked companies creating cyber security patches to “reach out to every one of their Australian customers and make sure that their customers are alert to this and are taking action”.

“These are systems used everyday by millions of Australians. The best advice … take this seriously. When your device asks whether it needs to be updated or patched … don’t delay, patch now.”

“Check the vendor list, to see if the products in your family, in your business, in your corporation are on that list and are vulnerable.”

MORE: For a list of Log4j affected software go to https://github.com/cisagov/log4j-affected-db

Advice and mitigations are available for all Australian organisations at cyber.gov.au.

The ACSC National Hotline 1300 CYBER1 (1300 292 371) is able to provide assistance as required.

Geoff ChambersChief Political Correspondent

Geoff Chambers is The Australian’s Chief Political Correspondent. He was previously The Australian’s Canberra Bureau Chief and Queensland Bureau Chief. Before joining the national broadsheet he was News Editor at The Daily and Sunday Telegraphs and Head of News at the Gold Coast Bulletin. As a senior journalist and political reporter, he has covered budgets and elections across the nation and worked in the Queensland, NSW and Canberra press galleries. He has covered major international news stories for News Corp, including earthquakes, people smuggling, and hostage situations, and has written extensively on Islamic extremism, migration, Indo-Pacific and China relations, resources and trade.

@Chambersgc

Geoff Chambers

More related stories

Politics

‘We have leadership role on climate change’

Anthony Albanese says Australia is playing a ‘leadership role’ in preparing the Pacific for climate change as he arrived in Samoa for a meeting of Commonwealth leaders.

Read more

Politics

Middle East ceasefire would help my CPI war: Chalmers

Jim Chalmers will make an economic case for a ceasefire in the Middle East and open a new front in Labor’s push to end conflict in the region, warning an escalation in fighting ‘risks persistent inflation for the global middle class’.

Read more