The Canadian government was forced to pull the plug on its website for filing federal taxes after it became clear that cybercriminals had broken into the statistics bureau last week. The hack was reportedly made possible by a newly-disclosed bug in the software.
Statistics Canada says the good news is that the intrusion was stopped before any data when out the door.
The bad news is this is the first major hack attributable to a bug in Apache Struts 2 — software that is often used on government, bank and retail websites. Or, at least, this is the first known hack — various security firms believe more of these are coming because the exploit in Apache Strut 2 is easy to tap into and widely publicly known since word of it started appearing on security and hacking websites last week.
Techs are now working double-time to patch that hole around the world, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, told Reuters.
He said the vulnerability was actively being exploited by hackers, though offered no additional details.
The vulnerability was first found a week ago when the Apache Software Foundation released an update to fix the bug, saying it could enable hackers to gain remote control of a web server. Once the server is controlled via the bug, hackers can steal data, access the victim’s website or just crash the site entirely.
“This vulnerability is super easy to exploit,” Chris Wysopal, chief technology officer with security software maker Veracode, said. “You just point it to the web server and put in the command that you want to run.”