2022-06-29

Border agency New Zealand Customs Service had to scramble its cyber security resources to respond to the Log4j Apache web server vulnerability.

While systems have now been patched, attempts to breach the agency continued, according to a report to Minister of Customs Meka Whaitiri.

A critical vulnerability notification was announced affecting Apache web services (Log4j) on 10 December 2021 for one of the most severe vulnerabilities security researchers had ever discovered, affecting millions of devices worldwide.

Customs staff worked 24 hours a day to assess the vulnerability in its systems and to apply patches and mitigations to those affected, the agency reported in its third quarterly performance report for 2022.

"Customs continues to actively monitor the Log4j critical vulnerability first announced on 10 December 2021," the service reported. "While the number of attempts made to access systems declined over January and February, we saw a sharp rise in March 2022."

New Zealand cyber security agency Cert NZ issued a notification about the vulnerability with multiple subsequent updates starting in December.

"The widely-used Java logging library, Log4j, has an unauthenticated remote code execution and denial of service vulnerability if a user-controlled string is logged," Cert said. "This could allow the attacker full control of the affected server or allow an attacker to conduct a denial of service attack."

Reports from online users showed that the vulnerability was being actively exploited in the wild and that proof-of-concept code had been published.

Systems affected by the remote code execution vulnerability included services that use the Java logging library, Apache Log4j, between and including versions 2.0 and 2.15.0. This included many applications and services written in Java.

For prevention, Cert NZ advised upgrading Log4j to the latest version, which requires Java 8 or greater, or otherwise using Apache Log4j 2.12.2.
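As an added illustration of the affected version range and fixed release named above (example code written for this page, not code from the article, Cert NZ or the Log4j project), a small Python inventory check that walks a directory tree and classifies log4j-core jars by their filename version; the directory layout and jar filenames it scans are assumptions.

```python
import os
import re
from typing import Iterator, Optional, Tuple

# Version range stated in the article: log4j-core 2.0 through 2.15.0 inclusive
# is affected; 2.12.2 is the fixed release for installations that cannot move
# to the latest version. Anything newer than 2.15.0 is treated as outside the
# affected range.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 15, 0)
FIXED_BACKPORT = (2, 12, 2)

# Matches names such as log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar
JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' or '2.0' into a comparable (major, minor, patch) tuple.
    Pre-release suffixes (e.g. '-beta9') are dropped by the regex, which is the
    conservative choice for a defender: a 2.0 pre-release is treated as 2.0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify_jar(filename: str) -> Optional[str]:
    """Return 'affected', 'fixed' or 'not-affected' for a log4j-core jar name,
    or None if the filename is not a log4j-core jar at all."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    v = parse_version(m.group(1))
    if v == FIXED_BACKPORT:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "not-affected"


def scan_tree(root: str) -> Iterator[Tuple[str, str]]:
    """Walk a directory tree and yield (path, status) for every log4j-core jar."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            status = classify_jar(name)
            if status is not None:
                yield os.path.join(dirpath, name), status


if __name__ == "__main__":
    import sys
    for path, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:13} {path}")
```

This only inspects filenames on disk, so copies of log4j-core bundled inside fat jars, WAR files or container images need a separate archive-aware check.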

Local open source specialist service provider Catalyst reported in December it was not aware of any of its systems or any hosted and managed for clients having been compromised.

"We have prioritised client systems according to their criticality and risk, and are patching them to mitigate the potential for the exploit," the company said.

Reporting to Parliament's Health Committee in March, Bay of Plenty District Health Board told a similar story.

Listing the Waikato DHB ransomware cyber event, a Kaseya VSA cyber event and the Log4j security vulnerability, the DHB reported that, while no impact had been felt, the spate of serious threats required "significant monitoring due to the level of targeted national threat".

"Appropriate preventative measures [were] reviewed and applied as needed," the DHB reported.

While most large organisations have addressed the Log4j threat, concerns persist. Last week, the Cybersecurity and Infrastructure Security Agency and United States Coast Guard Cyber Command released a joint advisory warning network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, continued to exploit Log4j in VMware Horizon and Unified Access Gateway (UAG) servers to obtain access to organisations that did not apply patches or workarounds.

"As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control," the agencies reported. "In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data."