Aussies in hospitals and businesses, and those working on the go or remotely, are now on the frontline in the fight against a global digital bug.
The swelling of the Australian Immunisation Register and the Medicare and Pharmaceutical Benefits Scheme portals required an urgent upgrade over the Christmas break.
Fortunately, there have been no reports of any leaked data from the portals.
“We’re not aware of any data being exposed by third party vendors and we continue to actively work with developers to transition,” Services Australia general manager Hank Jongen said.
However, scanning for intrusions may not be enough against malicious attacks. Cyber detectives have warned that intruders may be nesting and lurking deep inside software systems for years.
Due to the vulnerability in the Log4j Java software component, millions of Australians are unknowingly left exposed to cyber attacks on their computers, phones, and seemingly secure apps.
Because of this, Microsoft recommends ongoing reviews and scans for fresh bouts of malicious code and messaging, as many software products and services are heavily impacted by the vulnerability.
The US Federal Trade Commission (FTC) said that the digital bug is being widely exploited by a growing set of attackers, such as China-based groups Hafnium and Aquatic Panda, and Iran-based hackers.
“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms,” the FTC warned.
The FTC says it intends to use its “full legal authority” to pursue companies, including Australian organisations operating in the US, that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.
Meanwhile, the Australian Industry Group has warned that a large number of apps may be vulnerable, as remote access software for apps and data has proved to be an easy entry point for intruders, affecting individuals, businesses and business supply chains.
“A hole in their defences could allow malicious actors to create malicious ‘logs’ which could take control of computer systems and data,” AI Group said.
While the UK, US, Canada and New Zealand tackle the digital bug and its variants, Minister of Employment Stuart Robert has encouraged all Aussie businesses to take the issue seriously.
“It is a serious virus, serious piece of malware,” he said.
“I’ve been encouraging all businesses at a degree of urgency to ensure their servers, especially their web servers and any of their remote access through MobileIron are appropriately patched, and they should be doing it now.”
Australian companies, universities and all aspects of government have been told to take basic steps to scan and upgrade their software to protect themselves.
“We recommend that you transition your customers to web services as soon as possible,” Services Australia said in a note to developers in late December.
“The agency is committed to moving away from ageing adaptor technology for online claiming as soon as possible. This has become increasingly urgent in light of the emerging global Java vulnerability.”
Services Australia already blocks about 14 million suspicious emails every month. However, a federal parliamentary committee hearing last year revealed that the agency constantly needs to undertake security reviews, upgrades and patches to fix bugs.
Services Australia is now working closely with the Australian Cyber Security Centre on the evolving threat.
“Services Australia will continue to implement mitigation and detection recommendations as advised by the ACSC,” Manager Jongen said.
“The ACSC is working with all vendors to ensure that Log4j vulnerabilities are identified and mitigated.”
This article was first published on Public Spectrum
Eliza Sayon is an experienced writer who specialises in corporate and government communications. She is the content producer for Public Spectrum, an online knowledge-based platform for and about the Australian public sector.