More stories

  • Mesh network + control tower = cheap autonomy

    Seoul Robotics
    A 3D perception company specializing in novel solutions for robotics is reimagining autonomy. The trick? Take the sensing burden off individual units and place it in the surrounding infrastructure. Infrastructure-to-vehicle communication isn’t a new concept, though its widespread adoption on public roads has been hamstrung by the difficulties of coordinating the technology rollout and the underlying costs of such a scheme. Seoul Robotics is rolling out a practical testbed specifically targeting enterprise logistics. The company’s Level 5 Control Tower guides vehicles autonomously through a proprietary mesh network of computers without having to place any sensors on an individual vehicle. It could be the quickest route to Level 5 autonomy and a foundation for future autonomous public transit. “Level 5 mobility has been proven to be more challenging to achieve than expected – until now. Level 5 Control Tower has massive potential to fuel autonomous mobility, and we are thrilled to continue expanding upon the implementation of this technology with BMW and other partners,” says HanBin Lee, CEO of Seoul Robotics. “Ultimately, these systems will be deployed in additional public and business settings, powering aspects of our everyday lives, such as autonomously navigated parking and public transit. With the Level 5 Control Tower, this future is closer and more accessible than ever.” The barriers to L5 autonomy are substantial: It’s cost-prohibitive, has questionable safety, and lacks intelligence because vehicles currently cannot fully perceive and anticipate obstacles, nor can they communicate with one another. Seoul Robotics hopes to solve this challenge by creating a system of software, sensors, and processors that take in the environment, communicating with other sensors and the 4/5G systems that come standard on vehicles today to navigate them without requiring a human.
The concept, autonomy through infrastructure, is made possible in Seoul Robotics’ new rollout by the Level 5 Control Tower, the brain of the system. This system makes the last-mile logistics process safer and more efficient because it can better capture the full environment and move hundreds of vehicles simultaneously, reducing costs and mitigating accidents. And beyond contained business settings, which is the first deployment, the vision is that these systems could be deployed in everyday applications, from autonomously navigated parking to public transit and beyond. The announcement of this new technology comes at the same time Seoul Robotics is entering a collaboration with BMW to automate fleet logistics at their manufacturing facility. The deployment uses hundreds of connected LiDAR sensors and leverages the Level 5 Control Tower system so that vehicles are autonomously guided from the factory floor to a parking facility, where they are housed before moving to dealerships.

    This is a good reminder that full autonomy will creep into the market, making inroads at the edges in easily automated use cases rather than bursting onto the scene in full public view. Seoul Robotics plans to showcase the Level 5 Control Tower at CES, provided the show moves ahead as scheduled and isn’t canceled due to heightened concerns about COVID-19.

  • Log4j flaw attack levels remain high, Microsoft warns

    Microsoft has warned Windows and Azure customers to remain vigilant after observing state-sponsored and cyber-criminal attackers probing systems for the Log4j ‘Log4Shell’ flaw through December. Disclosed by the Apache Software Foundation on December 9, Log4Shell will likely take years to remediate because of how widely the error-logging software component is used in applications and services. Microsoft warns that customers might not be aware of how widespread the Log4j issue is in their environment. Over the past month, Microsoft has released numerous updates, including to its Defender security software, to help customers identify the issue as attackers stepped up scanning activity. “Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC) said in a January 3 update. Microsoft said customers should “assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments.” Hence, it’s encouraging customers to utilize scripts and scanning tools to assess their risk and impact. “Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,” Microsoft added.

    The flaw likely left some security teams without much of a break over Christmas and prompted warnings from the UK’s NCSC to beware of burnout among staff responsible for remediation. Just ahead of New Year’s Day, Microsoft rolled out a new Log4j dashboard for threat and vulnerability management in the Microsoft 365 Defender portal for Windows 10 and 11, Windows Server, and Linux systems. This system aims to help customers find and fix files, software and devices affected by Log4j vulnerabilities. CISA and CrowdStrike also released Log4j scanners ahead of Christmas. CISA officials believe hundreds of millions of devices are affected by Log4j. Meanwhile, major tech vendors such as Cisco and VMware continue to release patches for affected products. The Log4Shell vulnerabilities now include the original CVE-2021-44228 and four related flaws, the latest of which was CVE-2021-44832. However, it was only a moderate-severity issue addressed in the Log4j version 2.17.1 update on December 28. The Apache Software Foundation has details about each of the Log4j vulnerabilities in its advisory covering CVE-2021-44228, CVE-2021-45105, and CVE-2021-45046.

  • Labrador “Retriever” robot for those with chronic pain

    Labrador Systems
    A new personal robot takes a page from the massive proliferation of enterprise materials handling robots over the past few years. The Retriever from developer Labrador Systems is like a sleek version of the autonomous mobile robots (AMRs) that are now commonplace in logistics centers and manufacturing. After several years of, frankly, ridiculous personal robotic humanoids and mobile robot assistants that amount to very expensive Alexas on wheels, this kind of practical consumer unit is a welcome evolution of existing successful commercial platforms. To put a finer point on it, here’s a robot that some users might actually have a use for. “There’s a significant portion of our society that’s massively underserved,” says Labrador Systems CEO Mike Dooley. “When pain or other health issues start interfering with your ability to move yourself or other things, even short distances can have a major impact on your independence, quality of life and overall health. The Retriever is meant to help physically bridge some of that gap and empower individuals to be more active and do more on their own.” The system works via touch screen, voice, or through a mobile app. Like a personal assistant, you can set the robot to respond to certain programmed reminders, which it does by delivering prescribed objects at the right time. The system is self-driving and guides itself through homes using a proprietary navigation system that fuses algorithms from Augmented Reality with robotics to create 3D maps of the home. Robotics technology in general has plummeted in cost, in large part thanks to the leaps and bounds in machine vision and AI, which enable robots to operate at high levels using essentially consumer grade electronics and sensors. The company is also working with care providers such as senior living communities, occupational therapists and home health providers to explore ways the Retriever can support their mission.
The company, which is backed by SOSV/HAX, Amazon Alexa Fund, iRobot and the National Science Foundation, has had its robots deployed and operating autonomously in pilot users’ homes since February 2021. “This is the first time we’ve seen this class of robot developed for the home; until now this level of functionality has been confined to warehouses and other commercial environments,” says Paul Willard, Partner at Grep VC. “We’re impressed with how the team is enabling robotics and navigation systems to run on low-cost consumer grade electronics to provide more independence for millions of individuals.”

    Labrador recently announced that it has raised an additional $3.1M in Seed Funding. Amazon’s Alexa Fund and iRobot Ventures co-led the round, with SOSV returning and new investors, including Grep VC, joining in.

  • Cyberattack against UK Ministry of Defence training academy revealed

    A retired military officer has disclosed a cyberattack that struck the UK Ministry of Defence (MoD) academy and had a “significant” impact on the organization. 

    Air Marshal Edward Stringer, an officer in charge at the time, told Sky News that the cyberattack was discovered in March 2021. According to the retired officer, “unusual activity” was detected by IT outsourcer Serco, but originally it was thought that this may have been due to some form of IT error rather than something malicious. The Defence Academy of the United Kingdom was the target. The organization is responsible for teaching and training thousands of military personnel, MoD employees, wider government figures, and overseas students. Courses on offer relate to topics including security, strategy, languages, and information warfare. While full attribution is not available as to who was responsible, the publication reports that China or Russia was “possibly” involved. Iran and North Korea were also floated as potential sources of the cyberattack. “It could be any of those or it could just be someone trying to find a vulnerability for a ransomware attack that was just, you know, a genuine criminal organization,” Stringer said.

    As academy staff worked to keep courses running, management was concerned that the reason behind the attack may not have been to disrupt the educational system – but rather, the academy could have been used as a “backdoor” to target the wider MoD. This prospect had severe ramifications and could have had potential consequences for national security. Stringer added that despite these concerns, there appears to be no evidence of breaches beyond the Defence Academy. An investigation has been launched and the National Cyber Security Centre (NCSC) is aware of the cyberattack. During the interview, Stringer said the cyberattack was “significant, but then manageable” – and further prompted the academic institution to ramp up its security posture and network resiliency after accounting for the “operational cost” of dealing with the incident. As of now, the IT infrastructure is still being rebuilt and the Defence Academy is set to launch a new website in the future. An MoD spokesperson told Sky News: “In March 2021 we were made aware of an incident impacting the Defence Academy IT infrastructure. We took swift action and there was no impact on the wider Ministry of Defence IT network. Teaching at the Defence Academy has continued.”

  • Parliamentary security committee review backs the operation of controversial TOLA Act

    The controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 has received the backing of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its review of the laws. The TOLA Act, passed three years ago, was criticised heavily when it first became law as it gave intelligence and law enforcement agencies powers to request or demand assistance from communications providers to access encrypted communications. Since its passing, the most public display of these powers has been Operation Ironside, which AFP commissioner Reece Kershaw last year labelled as the Australian Federal Police’s (AFP) “most significant operation in policing history”. In the PJCIS’ review [PDF] of the legislation, it supported the powers enacted in the laws but recommended additional safeguards and oversight mechanisms aimed at providing the public with confidence the legislation would be used proportionally and for its intended purpose. “Agencies have made the case that these powers remain necessary to combat serious national security threats, and some of the worst fears held by industry at the time of passage have not been realised,” committee chair and Liberal Senator James Paterson said. Among those recommended safeguards are that any law enforcement requests cannot result in any persons being detained, as well as more authorisation checks prior to the issuance of notices and warrants through the TOLA Act.
These recommended checks include a requirement for the Director-General of Security, who is currently the Australian Security Intelligence Organisation’s (ASIO) head Mike Burgess, to be satisfied with the reasonableness and proportionality of a voluntary assistance request prior to its issuance, external authorisation from the Attorney-General or issuing authority for any concealment activities in relation to executing computer access warrants, and ASIO retaining and requiring written reasons whenever a voluntary assistance request is made.

    The committee has also called for the federal government, in consultation with relevant stakeholders, to develop a prescribed set of requirements for information that must be included in technical assistance requests. “These are intrusive powers that must be robustly overseen to ensure they are used appropriately, and there are improvements that can be made to the oversight framework which the committee has recommended,” Paterson said. The PJCIS also wants more reviews of the laws, such as a periodic survey in three years’ time to ascertain ongoing economic impacts of the TOLA Act legislation on Australia’s IT industry and a review of the concepts of “serious offence”, “relevant offence”, and others contained in the Act. The committee explained in the review that it hopes the ongoing reviews would address the concerns raised by industry bodies about the impact of the various notices and requests contained in the TOLA Act. It also recommended that ASIO brief the PJCIS on the acts or things implemented as part of any compulsory assistance order to facilitate and assist the ongoing review and oversight of the legislation. Another recommendation put forth by the PJCIS is for the Inspector-General of Intelligence to receive expanded functions so it can oversee the intelligence functions of the Australian Federal Police.
Speaking to the concerns that the TOLA Act is potentially incompatible with the US CLOUD Act, the committee also said it was satisfied with the co-existence of the two laws as the US Department of Justice said it had no issues with the TOLA Act being in operation. The confirmation came shortly after Australia and the United States entered into a landmark CLOUD Act agreement in December, which gave Australia’s law enforcement agencies the ability to issue orders directly on US-based service providers, compelling them to provide communications data for the purposes of combatting serious crime, and vice versa.

  • Senate committee wants foreign interference social media reporting rules by next Australian election

    An Australian Senate Committee at the end of last year recommended that a government entity be specifically delegated with the responsibility of keeping social media platforms and other government entities accountable in preventing cyber-enabled foreign interference. In an interim report [PDF], the Select Committee on Foreign Interference through Social Media said it made this recommendation as there is currently not a single body dedicated to performing this accountability function. The committee said the need for such an entity would continue to grow in importance as the use of cyber-enabled techniques to interfere in foreign elections and referendums has increased significantly in recent years. In making this finding, the committee considered submissions that said current trends indicated espionage and foreign interference would supplant terrorism as Australia’s principal security concern over the next five years. Another factor in making this recommendation was that there is currently no specific body responsible for combatting COVID-19 misinformation and disinformation. Alarmingly, the committee also wrote in its interim report that the Department of Home Affairs — the supposed policy lead for addressing foreign interference on social media — testified it was not aware which platforms were supposed to report foreign interference attempts. Social media companies also told the committee similar things, saying they have experienced confusion when trying to decipher how and who to report to when it comes to foreign interference residing on their platforms. “Given the impending Federal Election, it is imperative that the government establish clear policies and procedures for social media platforms to refer potential foreign interference for consideration by the relevant government departments or entities,” the report said.

    As such, in addition to appointing a government entity to be accountable for cyber-enabled foreign interference, the committee has also recommended that the federal government establish clear requirements and pathways for social media platforms to report suspected foreign interference, including disinformation and coordinated inauthentic behaviour, and other offensive and harmful content. It also recommended that agency remits, powers, and resourcing arrangements regarding these reporting requirements be formalised. The committee also called for more transparency regarding the extent of government’s awareness about online disinformation and misinformation. To address the lack of transparency, the committee has made the recommendation for the Australian Communications and Media Authority (ACMA) and the Election Integrity Assurance Taskforce (EIAT) to publicly release their findings and responsibilities in relation to foreign interference through social media platforms. Currently, ACMA files a report to government about the Australian Code of Practice on Disinformation and Misinformation, which covers the adequacy of digital platforms’ measures and the broader impacts of misinformation in Australia, but that information is not available for public viewing. Meanwhile, there is “no certainty” around the responsibilities and powers of EIAT members, which the committee warned could create vulnerabilities in Australia’s institutional arrangements that malign foreign actors could exploit. “Although the members can articulate their qualifications to be on the [EIAT] (for example, the Department of Communications is an expert on the social media platforms), there is no certainty about what their responsibilities and powers are, let alone the powers of others.
The taskforce is governed by terms of reference that have been kept secret to this committee and the public at large,” the committee wrote in the interim report. The interim report comes on the heels of Australia announcing various initiatives in recent months to address issues residing in social media platforms and cyber. In December alone, Australia announced the Online Safety Youth Advisory Council, passed “Magnitsky-style” and Critical Infrastructure cyber attack laws, and proposed anti-trolling laws. Meanwhile, in October, the federal government released an exposure draft for what it has labelled an Online Privacy Bill to make it mandatory for social media organisations to verify users’ age. Another senate committee recently received an update regarding the Online Privacy Bill during Budget Estimates, with Australia’s information commissioner saying it would receive AU$25 million of funding across three years to facilitate timely responses to privacy complaints as part of work on the aforementioned Bill.

  • NSWEC finds iVote system failure may have impacted three local election outcomes

    New South Wales’ electoral commissioner has revealed the iVote system failure during the state’s local elections last month may have materially impacted the councillor elections in Kempsey, Singleton, and the City of Shellharbour. During those elections last month, an unknown number of voters were unable to cast a vote due to the state’s iVote online voting system suffering a failure for a portion of the voting period. In the immediate aftermath, the NSW Electoral Commission (NSWEC) attributed the iVote online voting system failure to a higher-than-expected elector load, with around 650,000 people using the system during the local elections last month. “Almost triple the number of voters have used iVote at these elections than any previous election,” NSWEC said. Since then, an NSWEC investigation into the system failure has concluded that there is a possibility that, if all individuals who registered to use iVote on election day had been able to vote, a different outcome might have occurred. On a technical level, people were unable to cast their vote due to iVote not issuing them with the necessary security credential before the close of voting on election day, which is a prerequisite for accessing the voting component of the system, the NSWEC explained. To address the risk of ongoing ambiguity about the materiality of the iVote issue for these elections, as well as to support the integrity of the electoral system more generally, the electoral commissioner will submit an application to the Supreme Court in the coming weeks for a declaration about the validity of the election results in these three elections.

    The election declaration, if approved, will mean the currently elected councillors for the impacted councils will serve in the interim. The declaration will not be a determination that these three elections are valid more generally, however, the electoral commissioner noted. The electoral commissioner said he wanted to apply for the declaration as these elections have already been deferred twice due to the COVID-19 pandemic and it may be practically impossible to hold fresh elections until the middle of 2022. Dr Vanessa Teague, a cryptographer with a particular interest in privacy and election security, has repeatedly warned of the flaws within the iVote system. “Every serious investigation of iVote found serious problems,” Teague tweeted last month in light of the most recent iVote failure. Starting in 2015, she and her colleagues found numerous flaws in iVote, problems that NSWEC has often downplayed.

  • Data breach: Broward Health warns 1.3 million patients, staff of 'medical identity theft'

    This weekend, the Broward Health hospital system notified more than 1.3 million patients and staff members that their personal information was involved in a data breach that started on October 15. 

    In a statement on Saturday, the Florida hospital system said that in addition to names, addresses and phone numbers, Social Security numbers, bank account information and medical history data was included in the breach. Insurance account information, driver’s license numbers, email addresses and treatments received were also included. The hospital system said it waited months to notify victims because the Department of Justice told them to hold off on sending out breach notification letters. “On October 15, 2021, an intruder gained entry to the Broward Health network through the office of a third-party medical provider permitted to access the system to provide healthcare services. Broward Health discovered the intrusion on October 19, 2021, and promptly contained the incident, notified the FBI and the Department of Justice (DOJ), required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation,” the hospital explained. “Broward Health also engaged an experienced data review specialist to conduct an extensive analysis of the data to determine what was impacted, which determined some patient and employee personal information may have been impacted. The DOJ requested the Broward Health briefly delay this notification to ensure that the notification does not compromise the ongoing law enforcement investigation.” The hospital system did not say how many people were involved, but in their submission to the Maine Attorney General’s office, they said 1,357,879 people were affected. The hospital is offering 24 months of identity theft protection services and has implemented multifactor authentication for all users of its systems and “minimum-security requirements for devices not managed by Broward Health Information Technology with access to its network.”

    The notice warned that people who had their information exposed are now vulnerable to medical identity theft, which is when someone uses a person’s name and information to get medical services or fraudulently bill for medical services. The hospital urged those affected to monitor their benefits statements and financial accounts. Joseph Carson, chief security scientist at ThycoticCentrify, said countries where healthcare is extremely expensive are the leading targets for cybercriminals to steal and monetize personal health information. In many instances, personal health information is much more valuable than stolen credit card information, Carson added, noting that it can be sold for up to $500 or more on the dark web because it can easily be abused for fake medical claims, fake prescriptions or fake identities. “Personal health information can also be used for extortion or blackmail targeting victims who do not want sensitive information disclosed or even to abuse insurance claims and tax refunds,” Carson said. “Unfortunately, for medical records, you cannot change your medical history. Once stolen or disclosed, it is public knowledge, whereas a credit card you can change and get back on track quickly.”