Critical vulnerability blowing up the internet

Dec 13, 2021

The federal government is warning public and private sector organizations to be on guard against a “critical internet vulnerability” which could be exploited by organized crime, spies and other “bad actors.”

The move comes after a number of government departments, including the Canada Revenue Agency (CRA), took some services offline over the weekend in order to assess the threat posed by the open-source Java-language utility used to log website users’ activity.

The free software developed by the Maryland-based Apache Software Foundation was first released in 1995 and now is used by an estimated two-thirds of web servers worldwide. As the latest threat began to evolve and spread, the ASF released an updated version Dec. 9 which it said should address the problem.

When the CRA confirmed Dec. 11 that it had suspended online tax services, it said the decision was precautionary and “that services will be available as soon as possible.” It also said there was no indication that its systems had been compromised or that there had been unauthorized access to taxpayers’ information.

The Canadian Centre for Cyber Security (CCCS), an arm of the Communications Security Establishment which falls within Defence Minister Anita Anand’s mandate, had already issued a Security Advisory as agencies around the world raced to address what was acknowledged to be one of the worst computer vulnerabilities discovered in years.

Anand said in a statement that the government has systems and tools in place to monitor, detect and investigate potential threats and she reiterated that the CRA and other unnamed departments had taken services offline for the time being and that there was “no indication” the problem had been exploited on government servers.

“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer at Cloudflare, a California-based web infrastructure and security company. Adam Meyers, senior vice president of intelligence at CrowdStrike, a cybersecurity company also based in California, said “the internet’s on fire” and that the software “has been fully weaponized . . . by all kinds of people scrambling to exploit it.”

Ken Pole