A number of government departments have taken some services offline as a preventative measure following the discovery of a software flaw that Defence Minister Anita Anand says “has the potential to be used by bad actors.”
Groups using the popular Apache Log4j system should “pay attention to this critical, internet vulnerability affecting organizations across the globe,” Anand said in a statement.
“Given the critical nature of this vulnerability and reports of active exploitation, we are urging Canadian organizations of all types to follow the recommended guidance,” she said, adding any incidents should be reported to the Canadian Centre for Cyber Security, part of the Communications Security Establishment.
On Friday the Canada Revenue Agency took some services offline as a precaution after it learned of a global security vulnerability. It says there is no indication its systems have been compromised or that there was any unauthorized access to taxpayer information.
Quebec shut down nearly 4,000 government sites
Over the weekend, Quebec shut down close to 4,000 government websites out of precaution, including those related to health, education and public administration.
Éric Caire, Quebec’s minister for government digital transformation, said Sunday there is no indication the government was the victim of a successful cyber attack.
“Out of an abundance of caution, some departments have taken their services offline while any potential vulnerabilities are assessed and mitigated,” said Anand.
“At this point, we have no indication these vulnerabilities have been exploited on government servers.”
‘People are scrambling to patch’
The vulnerability — located in open-source software used to run websites and other web services — has been described as one of the worst computer vulnerabilities discovered in years.
Unless it’s patched, it allows hackers to run their own code, meaning they could steal valuable data and unleash malware.
“The internet’s on fire right now,” Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike, told The Associated Press.
“People are scrambling to patch,” he said, “and all kinds of people scrambling to exploit it.”