Singapore holds emergency meetings with CII sectors for Log4j vulnerability
Singapore has held emergency meetings with critical information infrastructure (CII) sectors to prepare them for potential threats stemming from the Log4j vulnerability. The country’s cybersecurity agency has issued alerts on the Apache Java logging library flaw and is “closely monitoring” developments.
The first alert had gone out on Dec 14, with Singapore’s Cyber Security Agency (CSA) warning that the “critical vulnerability”, when exploited successfully, could allow attackers to gain full control of affected servers. It noted that there was only a short window to deploy mitigation measures and organisations should do so quickly.
It said alerts were sent out to CII sector leads and businesses, instructing them to immediately patch their systems to the latest version. The government agency also was working with these CII representatives to roll out mitigation measures.
Singapore’s cybersecurity bill covers 11 critical information infrastructure (CII) sectors, which enables the relevant local authorities to take proactive measures to protect these CIIs. The bill outlines a regulatory framework that formalises the duties of CII providers in securing systems under their responsibility, including before and after a cybersecurity incident had occurred. These 11 “essential services” sectors include water, healthcare, energy, banking and finance, and aviation.
No reports of Log4j-related breaches had been reported at the time when CSA issued its December 14 alert.
CSA on Friday issued another update, raising the alert on the security flaw. It noted that because Log4j was widely used by software developers, the vulnerability could have “very serious consequences”.
“The situation is evolving rapidly and there have already been numerous observations of ongoing attempts by threat actors to scan for and attack vulnerable systems,” the government agency said. “There have been two emergency meetings by CSA with all the CII sector leads to issue directions and technical details and heighten monitoring for unusual activities.”
A briefing session also was held on Friday with trade associations and chambers to highlight the severity of the Log4j vulnerability and urgency for all organisations, including small and midsize businesses (SMBs), to immediately deploy mitigation measures.
In its advisory on dealing with the library flaw, Singapore CERT cautioned that some previous stop-gap measures were no longer recommended as they were determined to be insufficient. These included configuring the system property to true or modifying the logging configuration to disable message lookups.
Users who were unable to upgrade to versions 2.16.0 or 2.12.2–or Java 8 and Java 7, respectively–should disable lookups by removing the jndiLookup class from the log4j-core jar file, SingCERT advised.
It added that users of products with Log4j should implement the latest patch, especially those using Apache Log4j with affected versions between 2.0 and 2.14.1. They also should beef up monitoring for unusual activities and review their system logs.
Software developers that tapped Log4j in their products should identify and develop patches for affected products as well as notify users of these products to prioritise the deployment of software updates.
CSA said it was in contact with other international agencies and computer emergency response teams (CERTs) of Asean member states, to share information on the latest developments on Log4j.
It urged organisations affected by the vulnerability to report to SingCERT should they uncover evidence of any compromise.
The US Cybersecurity and Infrastructure Security Agency on Friday also sent out an emergency directive, requiring federal civilian departments and agencies to immediately patch their internet-facing network assets for Apache Log4j vulnerabilities.