Canadian agency breached as hackers exploit new software bug

(Reuters) - Canada’s government said on Monday that it shut down its website for filing federal taxes after hackers broke into a web server at the nation’s statistics bureau last week by exploiting a newly disclosed software bug.

Statistics Canada, which said it stopped the intrusion before hackers stole any data, is the first high-profile organization to say it was hacked due to a new security bug in software known as Apache Struts 2. The software is commonly used in websites of governments, banks, retailers and other large organizations.

Other victims have not yet come forth, although security firms said they expect more attacks to surface after details on the easy-to-exploit vulnerability were posted on security forums and hacking websites last week.

Technicians at big corporations and government agencies around the world spent the weekend combing their networks for vulnerable software and patching it, said Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint.

He said the vulnerability was actively being exploited by hackers, but declined to provide details, citing client confidentiality.

The impact of the vulnerability surfaced in Canada late Friday when the federal government shut down the tax agency’s website to prevent attacks after it identified that it was running vulnerable software.

“We went after this one specifically because we recognized there was a specific and credible threat to certain government IT systems,” John Glowacki, a government security official, said at a press conference.

Glowacki said he that he understood some other countries “are actually having greater problems with this specific vulnerability,” but declined to identify the nations or discuss the problems.

The vulnerability surfaced last week when the Apache Software Foundation released an update to fix the bug, saying it could enable hackers to gain remote control of a web server.

That could allow them to steal data, secretly gain access to a victim’s network or shut down a website, said Chris Wysopal, chief technology officer with security software maker Veracode.

“This vulnerability is super easy to exploit,” Wysopal said. “You just point it to the web server and put in the command that you want to run.”

Reporting by Morgan Sharp, David Ljunggren and Jim Finkle; editing by Grant McCool and Phil Berlowitz