
    Various Japanese government entities had data stolen in cyber attack: Report

    Data from various Japanese government entities has reportedly been stolen by hackers who gained access to Fujitsu’s ProjectWEB platform. Fujitsu’s software-as-a-service platform has since been taken down, and the Japanese tech giant is currently investigating the scope of the attacks, Japan’s public broadcaster NHK said in a report. Among the impacted government entities are the Ministry of Land, Infrastructure, Transport, and Tourism; the Cabinet Secretariat; and Narita Airport. The land, infrastructure and transport ministry reportedly had at least 76,000 email addresses of its employees and business partners leaked, along with data on the ministry’s internal mail and internet settings. Meanwhile, the Cabinet Secretariat’s cybersecurity centre reportedly had data on the centre’s information system stolen from several of its offices. Narita Airport air traffic control data was also stolen, the report said, which has prompted the Cabinet Secretariat’s national cybersecurity centre to issue alerts about the use of the Fujitsu software. In the past three weeks alone, one of the US’ largest pipeline operators and healthcare institutions across Canada, New Zealand, and Ireland have faced cyber attacks.


    Singtel continues downward trend across 2021 fiscal year

    Singaporean telco Singtel has continued to see its balance sheet contract as it reported decreases across the board for the full year to the end of March. Revenue for the telco was down 5% from SG$16.5 billion to SG$15.6 billion, earnings before interest, taxation, depreciation, and amortisation (EBITDA) dropped by 16% to SG$3.8 billion, and net profit halved to SG$554 million. All of these numbers were also down in the last financial year, dramatically so in some cases. For net profit, the telco reported SG$3.1 billion in fiscal 2019, SG$2.5 billion higher than this year’s number.

    “This year’s results are disappointing given unprecedented headwinds from COVID-19 and ongoing structural challenges,” CEO Yuen Kuan Moon said. “NCS and our data centre services proved to be bright spots, showing strong growth as enterprises rushed to digitalise and transform their businesses. We will be capitalising on this mass digitalisation with plans for a strategic reset to drive recovery and growth.”

    One of the few positive areas for Singtel was the contribution from its regional associates, up 4% to SG$1.7 billion; however, all the gains were posted by Bharti Airtel, which reversed last year’s SG$403 million loss into a profit of SG$23 million. Telkomsel was down 22% to SG$915 million, AIS dropped 8.5% to SG$334 million, Intouch saw its contribution fall 7.4% to SG$94 million, and Globe experienced a 15.6% decline to SG$346 million.

    Singtel’s consumer business in Singapore reported a revenue drop of 14% to SG$1.8 billion, and said during the second half it had seen reduced roaming, prepaid mobile, and voice revenue, while on the other hand it had higher handset sales as consumers upgraded to 5G devices. EBITDA was down 17% to SG$627 million.

    The enterprise segment reported revenue dropping 1.4% to SG$5.94 billion and EBITDA falling 5% to SG$1.51 billion. Managed services grew 9.7% to SG$1.95 billion, revenue for business application services jumped 5% to SG$592 million, and communications engineering saw sales increase 5% to SG$153 million. Headed in the other direction were all carriage services — mobile, equipment sales, data, and fixed voice — which collectively were down 10% to SG$2.68 billion. Cybersecurity was down very slightly to SG$564 million.

    Broken out by unit, NCS saw revenue increase 6.2% to SG$2.3 billion and EBITDA grow 13% to SG$330 million, while Trustwave saw revenue steady at SG$393 million and EBITDA improve 92% to a SG$61 million loss. Along with Amobee, which posted revenue down 17.6% to SG$664 million and EBITDA shrinking 85% to SG$4 million, Trustwave is now facing a strategic review.

    “The exceptional items in the second half year included non-cash impairment charges of SG$589 million ($438 million) and SG$336 million for the intangible assets and goodwill of Amobee and Global Cyber Security Business respectively,” the telco said. “The ongoing industry and operational challenges and COVID-19 pandemic have resulted in underperformance of their business plans and impacted the recoverable values of these businesses. Singtel has commenced a strategic review to consider options for these businesses in order to sharpen the group’s focus and ensure that these assets are positioned for growth.”

    As well as the review, NCS will be taking on Trustwave’s technology services, as NCS is slated to become a “key growth driver”.

    “With its public-sector focus, NCS has been a consistent revenue growth engine for the Group over the years,” Yuen said. “It makes a lot of sense to develop this growth engine by casting its net further afield into the enterprise sector and markets outside Singapore where we have presence and synergies. There will be no letting up in the e-government side of the business, but this is a major turning point for NCS.”

    As for Singtel’s Australian arm, Optus walked away from the full year to March 31 a little battered and bruised. The company saw declines across the board and, thanks to a number of exceptional items, recorded an AU$208 million net loss for the year, a drop of AU$610 million.

    “With the completion of the NBN rollout in Australia and the subsequent migration of customers, Optus has undertaken a comprehensive review of its network assets and recorded non-cash impairment charges of AU$197 million due mainly to its legacy fixed access networks that will no longer be used,” the company said. Optus added it also had an AU$98 million item against its payroll review that saw thousands of its current and former workers potentially having underpaid superannuation.

    Optus is set to spend AU$1.5 billion in capital expenditure over its next financial year, while the rest of the Singtel group will spend SG$800 million.


    Network impairment and payroll review turn slim profit into AU$208m net loss for Optus

    Singapore-owned Australian telco Optus has walked away from the full year to March 31 a little battered and bruised. The company saw declines across the board and, thanks to a number of exceptional items, recorded an AU$208 million net loss for the year, a drop of AU$610 million. Revenue was down 7% to AU$8.32 billion, earnings before interest, tax, depreciation, and amortisation (EBITDA) fell by a quarter to AU$2 billion, and underlying net profit dropped 98% to AU$8 million. The underlying profit turned into an AU$208 million net loss once AU$216 million of exceptional items were taken into account.

    “With the completion of the NBN rollout in Australia and the subsequent migration of customers, Optus has undertaken a comprehensive review of its network assets and recorded non-cash impairment charges of AU$197 million due mainly to its legacy fixed access networks that will no longer be used,” the company said. Optus added it also had an AU$98 million item against its payroll review that saw thousands of its current and former workers potentially having underpaid superannuation. “Optus has also undertaken a programme to review its staff compensation and has recorded an exceptional charge of AU$98 million relating to staff payroll adjustments, professional fees as well as remediation of Optus’ systems and processes,” it said.

    Beyond the exceptional items, Optus said the revenue reductions were due to COVID-19, lower payments from NBN for transferring customers coupled with shrinking margins on NBN connections, and lower equipment sales.

    “This has been a challenging year with COVID-19 and structural NBN impacts affecting the whole industry,” Optus CEO Kelly Bayer Rosmarin said. “However, Optus continued to prioritise keeping Australians connected, ensuring our teams were safe and employed, and investing in our network, customer service, and digital experiences.”

    Giving an update on its plans to sell off its tower business, the company said it finished restructuring the towers into Australia Tower Network and began the sale process in April. Optus will be taking bids in June, and will look to wrap up the divestiture of up to 70% of the business during the second half of 2021. Australia Tower Network has 3,212 towers under its remit, 565 committed builds, and a current tenancy ratio on its towers of 1.6.

    For its enterprise segment, revenue was up 2.3% to AU$1.23 billion. Managed services saw sales grow 7.3% to AU$448 million, cybersecurity increased 19% to AU$120 million, and mobile service revenue increased 9.3% to AU$173 million. Headed in the other direction, equipment sales plunged 21% to AU$61 million, data and internet dropped 5.6% to AU$237 million, and fixed voice declined 3% to AU$194 million. EBITDA for the enterprise division increased 21% to AU$116 million.

    For the consumer division, revenue was down 8.6% to AU$7.1 billion for the full year, and EBITDA dropped 26% to AU$1.88 billion. Optus saw its number of prepaid plans drop 12% to 2.97 million, while postpaid plans fell 1% to 5.77 million. Average revenue per user in prepaid grew 2% to AU$19 a month, while postpaid was steady at AU$37. The total number of customers on Optus Sport grew during the year from 821,000 to 870,000.

    The company is set to spend AU$1.5 billion in capital expenditure over its next financial year, while the rest of the Singtel group will spend SG$800 million. Overall for Singtel, revenue was down 5.4% during the year to SG$15.6 billion, and EBITDA fell 15.6% to SG$3.8 billion.

    On Wednesday, Optus said it has completed a 5G standalone call using a handset from Oppo and network equipment from Ericsson. “The success of this technology milestone is a leap towards full deployment of Optus’ 5G standalone architecture nationwide, and we are already working on enabling 5G standalone voice calls using Voice over New Radio,” Optus managing director of networks Lambo Kanagaratnam said. “As we evolve our network, 5G standalone will enable future opportunities, including on-premise 5G and end-to-end network slicing allowing personalisation and control for our customers.”


    Colonial Pipeline attack used to justify Australia's Critical Infrastructure Bill

    The Department of Home Affairs has said the recent ransomware attack earlier this month targeting the operator of the Colonial Pipeline in the United States was a “timely reminder” of why Australia’s Critical Infrastructure reforms are “so important”. Among other things, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 would allow government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. Tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with these “last resort” powers.

    “In the absence of these measures, we will remain vulnerable in an increasingly hostile threat environment for our critical infrastructure,” Home Affairs secretary Mike Pezzullo told Senate Estimates on Monday. “You saw the pipeline attack … transnational criminal groups are holding whole economic sectors effectively to ransom — we’re seeing this with hospital systems, we’re seeing it with vaccine data, and we’re seeing it with healthcare providers. Typically, the criminals will chase opportunity, in the knowledge that it’s likely to achieve a benefit.”

    In justifying the passage of the legislation, the secretary said it makes “good business sense” to have common platforms and connected systems so that, in an example of an electricity grid going down, plant operators and others can remotely dial in to see how machinery is performing. “For all of those reasons — and I could keep adding more layers of explanation — the government has seen fit to propose to the parliament that the current regime known as the Security of Critical Infrastructure Act be significantly overhauled to add additional layers of mitigation,” he said. “Should the Parliament see fit to pass this legislation — and, hopefully, as the government has proposed, by 30 June — we can enliven these obligations from 1 July.”

    Failing to pass the legislation, Pezzullo said, would leave Australia “perilous”. As part of the 2021-22 Budget, the government earmarked AU$42.4 million over two years to improve security arrangements for critical infrastructure assets, including those designated as systems of national significance, in accordance with the yet-to-be-passed Bill, and to assist critical infrastructure owners and operators to respond to significant cyber attacks. Pezzullo said the bulk of the money is for staffing resources. “There’s also some infrastructure mapping software and tools that we’re looking to put in place to understand the interdependencies of infrastructure,” he added. “It’s to assist us in designing what are called the rules under the legislation.”

    Department representatives later confirmed the funding would be spread across three components: staffing expenses, supply costs, and capital. Staffing costs represent AU$21.4 million of the AU$42.4 million, and that is for 59 staff in 2021-22, and 83 in 2022-23. Supply costs are flagged as AU$14.9 million in 2021-22 and AU$6.1 million in 2022-23. Meanwhile, AU$1.1 million in 2021-22 and AU$1 million in 2022-23 are classed as “capital”, in particular for an investment in the current regulatory management system to expand its capability and scope.

    Mandatory ransomware reporting under consideration

    Pezzullo was asked if the government has considered the merits of a mandatory reporting requirement for any sort of cyber extortion or ransomware. “It’s currently considering that matter, as an extension of the cybersecurity strategy that was released last year … there was a specific commitment to put in place a national strategy to combat cybercrime, as an element of that,” Pezzullo said, pointing to the lacklustre Commonwealth cybersecurity strategy that was released in August. “Obviously, that work was well advanced. We’ve had a change of minister since that time. I have flagged with the minister that that will be one of the issues. I haven’t yet given her advice on that question. It is something on which I wish to consult with the Director-General of the Australian Signals Directorate, given the close working partnership that we necessarily need to have.”

    Pezzullo said he was also in the process of consulting with law enforcement and other colleagues due to the need to “balance the burden of reporting and the efficacy of reporting as against the value of that reporting”. “My inclination — I will not state it as an opinion — is that it’s likely that a regime of that character will be proposed, but there’s still some stakeholder engagement to undertake,” he said. “I don’t want to presume or preempt government policy. I think most advanced economies are at a point where, through some means, whether it’s mandatory reporting combined with the sorts of other measures that I’ve already described, a much more active defence posture will be required, simply because of the prevalence of the attacks, which I can state in those general terms.”

    Too much independence with government cloud use

    Elsewhere on Monday, Pezzullo declared there is too much “independence” when it comes to the usage of cloud services across the government. Each government entity, in effect, contracts out its own cloud services, but in accordance with the Information Security Manual, the Secure Cloud Strategy, and the Data Hosting Strategy. “This is too much independence,” Pezzullo said. “The government has recently moved in that direction. So Minister Robert, who retains responsibility for digital services, has directed, through the promulgation of a data hosting policy framework and strategy, that departments are to consolidate their data hosting arrangements.”

    Internally, Michael Milford, group manager of technology and major capability within Home Affairs, said the department doesn’t have a heavy cloud presence “yet”. “Unlike most departments, we haven’t historically been a cloud department, but we do have a number of cloud services, primarily with a few of the systems we have been putting in place recently,” he said. “I don’t have the exact data on each of those, but there is Microsoft Azure Cloud, and others. We do have a number, generally speaking, in scale they are small. We clearly get DTA’s guidance on those that are appropriate.”

    It is currently a requirement to have data stored in Australia, but historically that hasn’t always been the case. “We are in transition,” Milford said in response to being asked where Home Affairs’ data was located. “We are moving the data, or attempting to ensure that the data is 100% verified as being in Australia.”


    New algorithms show accuracy, reliability in gauging unconsciousness under general anesthesia

    Anesthetic drugs act on the brain, but most anesthesiologists rely on heart rate, respiratory rate, and movement to infer whether surgery patients remain unconscious to the desired degree. In a new study, a research team based at MIT and Massachusetts General Hospital shows that a straightforward artificial intelligence approach, attuned to the kind of anesthetic being used, can yield algorithms that assess unconsciousness in patients based on brain activity with high accuracy and reliability.

    “One of the things that is foremost in the minds of anesthesiologists is ‘Do I have somebody who is lying in front of me who may be conscious and I don’t realize it?’ Being able to reliably maintain unconsciousness in a patient during surgery is fundamental to what we do,” says senior author Emery N. Brown, the Edward Hood Taplin Professor in The Picower Institute for Learning and Memory and the Institute for Medical Engineering and Science at MIT, and an anesthesiologist at MGH. “This is an important step forward.”

    More than providing a good readout of unconsciousness, Brown adds, the new algorithms offer the potential to allow anesthesiologists to maintain it at the desired level while using less drug than they might administer when depending on less direct, accurate, and reliable indicators. That can improve patients’ post-operative outcomes, for instance by reducing delirium.

    “We may always have to be a little bit ‘overboard,’” says Brown, who is also a professor at Harvard Medical School. “But can we do it with sufficient accuracy so that we are not dosing people more than is needed?”

    Used to drive an infusion pump, for instance, algorithms could help anesthesiologists precisely throttle drug delivery to optimize a patient’s state and the doses they are receiving.

    Artificial intelligence, real-world testing

    To develop the technology to do so, postdocs John Abel and Marcus Badgeley led the study, published in PLOS ONE, in which they trained machine learning algorithms on a remarkable dataset the lab gathered back in 2013. In that study, 10 healthy volunteers in their 20s underwent anesthesia with the commonly used drug propofol. As the dose was methodically raised using computer-controlled delivery, the volunteers were asked to respond to a simple request until they couldn’t anymore. Then, as the dose was later lowered and they were brought back to consciousness, they became able to respond again. All the while, neural rhythms reflecting their brain activity were recorded with electroencephalogram (EEG) electrodes, providing a direct, real-time link between measured brain activity and exhibited unconsciousness.

    In the new work, Abel, Badgeley, and the team trained versions of their AI algorithms, based on different underlying statistical methods, on more than 33,000 2-second-long snippets of EEG recordings from seven of the volunteers. This way the algorithms could “learn” the difference between EEG readings predictive of consciousness and unconsciousness under propofol. Then the researchers tested the algorithms in three ways.

    First, they checked whether their three most promising algorithms accurately predicted unconsciousness when applied to EEG activity recorded from the other three volunteers of the 2013 study. They did.

    Then they used the algorithms to analyze EEG recorded from 27 real surgery patients who received propofol for general anesthesia. Even though the algorithms were now being applied to data gathered from a “noisier” real-world surgical setting where the rhythms were also being measured with different equipment, the algorithms still distinguished unconsciousness with higher accuracy than other studies have shown. The authors even highlight one case in which the algorithms were able to detect a patient’s decreasing level of unconsciousness several minutes before the actual attending anesthesiologist did, meaning that if it had been in use during the surgery itself, it could have provided an accurate and helpful early warning.

    As a third test, the team applied the algorithms to EEG recordings from 17 surgery patients who were anesthetized with sevoflurane. Though sevoflurane is different from propofol and is inhaled rather than infused, it works in a similar manner, by binding to the same GABA-A receptors on the same key types of brain cells. The team’s algorithms again performed with high, though somewhat reduced, accuracy, suggesting that their ability to classify unconsciousness carried over reliably to another anesthetic drug that works in a similar way.

    The ability to predict unconsciousness across different drugs with the same mechanism of action is key, the authors said. One of the main flaws with current EEG-based systems for monitoring consciousness, they said, is that they don’t distinguish among drug classes, even though different categories of anesthesia drugs work in very different ways, producing distinct EEG patterns. They also don’t adequately account for known age differences in brain response to anesthesia. These limitations on their accuracy have also limited their clinical use.

    In the new study, while the algorithms trained on 20-somethings applied well to cohorts of surgery patients whose average age skewed significantly older and varied more widely, the authors acknowledge that they want to train algorithms distinctly for use with children or seniors. They can also train new algorithms to apply specifically for other kinds of drugs with different mechanisms of action. Altogether, a suite of well-trained and attuned algorithms could provide high accuracy that accounts for patient age and the drug in use.

    Abel says the team’s approach of framing the problem as a matter of predicting consciousness via EEG for a specific class of drugs made the machine learning approach very simple to implement and extend.

    “This is a proof of concept showing that now we can go and say let’s look at an older population or let’s look at a different kind of drug,” he says. “Doing this is simple if you set it up the right way.”

    The resulting algorithms aren’t even computationally demanding. The authors noted that for a given 2 seconds of EEG data, the algorithms could make an accurate prediction of consciousness in less than a tenth of a second running on just a standard MacBook Pro computer.

    The lab is already building on the findings to refine the algorithms further, Brown says. He says he also wants to expand testing to hundreds more cases to further confirm their performance, and also to determine whether wider distinctions may begin to emerge among the different underlying statistical models the team employed.

    In addition to Brown, Abel and Badgeley, the paper’s other authors are Benyamin Meschede-Krasa, Gabriel Schamberg, Indie Garwood, Kimaya Lecamwasam, Sourish Chakravarty, David Zhou, Matthew Keating, and Patrick Purdon.

    Funding for the study came from the National Institutes of Health, The JPB Foundation, A Guggenheim Fellowship for Applied Mathematics, and Massachusetts General Hospital.


    This weird memory chip vulnerability is even worse than we realised

    Google has detailed its work discovering a new Rowhammer vulnerability dubbed “Half-Double”, which evolves the style of attack on DRAM memory first reported in 2014 and suggests the Rowhammer problem won’t go away soon.

    The Rowhammer attack is unusual because it aims to cause “bit flips” by rapidly and repeatedly accessing data in one memory row on a RAM chip, creating an electrical disturbance that changes data stored at other addresses in an adjacent memory row on the chip. The attacking memory rows are called “aggressors” and the rows where bit flips occur are called “victim rows”. Over the years since the first Rowhammer attack was discovered, researchers have demonstrated numerous ways to use the technique to alter data stored on RAM modules, including DDR3 and DDR4 generations. While initially limited to scenarios where an attacker had physical access to the target, researchers eventually showed a Rowhammer attack could be carried out remotely over the web, and used the technique to gain control of Linux VMs in the cloud.

    As Google Project Zero (GPZ) researchers explained in 2015, Rowhammer attacks work because DRAM cells are gradually becoming smaller and closer together. Miniaturization and the ability to pack in more memory capacity have made it harder to prevent DRAM cells from interacting electrically with each other. “Accessing one location in memory can disturb neighboring locations, causing charge to leak into or out of neighboring cells. With enough accesses, this can change a cell’s value from 1 to 0 or vice versa,” GPZ researchers explained of bit flips.

    Half-Double, which Google details in a PDF on GitHub, “capitalizes on the worsening physics of some of the newer DRAM chips to alter the contents of memory,” Google researchers explain in a new blogpost.

    The style of attack is comparable to the speculative execution attacks on CPUs (Spectre and Meltdown), but instead focuses on design vulnerabilities in DRAM. The consequences can be pretty nasty if the attacker successfully exploits these design issues. “As an electrical coupling phenomenon within the silicon itself, Rowhammer allows the potential bypass of hardware and software memory protection policies. This can allow untrusted code to break out of its sandbox and take full control of the system,” write Google’s research team, which includes Salman Qazi, Yoongu Kim, Nicolas Boichat, Eric Shiu, and Mattias Nissler. Kim, now a software engineer at Google, was one of the researchers who reported the first Rowhammer vulnerability.

    Half-Double expands the original Rowhammer attack, which could cause bit flips at a distance of one DRAM row. Half-Double shows the aggressor rows can cause bit flips on more distant victim rows. “With Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength,” the team notes. “Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B. Based on our experiments, accesses to B have a non-linear gating effect, in which they appear to “transport” the Rowhammer effect of A onto C.”

    Half-Double is interesting because it’s a property of the underlying silicon substrate, and suggests the increasing density of cells means Rowhammer vulnerabilities will live on. The researchers add that Half-Double also differs from the TRRespass attack on DDR4 RAM detailed in 2020, which relied on reverse engineering to undermine some of the Rowhammer mitigations that DRAM vendors had implemented to prevent these attacks in DDR4.

    “This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable,” the researchers note. Google additionally has been working with the semiconductor engineering trade organization JEDEC to search for mitigations to Rowhammer.


    Ransomware: Dramatic increase in attacks is causing harm on a significant scale

    A dramatic increase in the number of ransomware attacks and their severity is causing harm on a significant scale, the UK’s National Crime Agency (NCA) has warned. The NCA’s annual National Strategic Assessment (NSA) of Serious and Organised Crime details how the overall threat from cyber crime has increased over the last year, with more severe and high-profile attacks against victims. Ransomware attacks in particular have grown in frequency and impact over the course of the last year, to such an extent that they rank alongside other major crimes “causing harm to our citizens and communities on a significant scale,” warns the report.

    One of the things which has made ransomware much more dangerous is the increase in attacks which don’t just encrypt networks and demand a ransom paid in Bitcoin or other cryptocurrency in exchange for the decryption, but also see cyber criminals steal sensitive information from the victim organisation, which the crooks threaten to publish if their extortion demands aren’t met, potentially putting employees and members of the public at risk of additional fraud. According to the NCA report, over half of ransomware attacks now deploy this double extortion technique.

    In addition to this, ransom demands are rising, often reaching millions of pounds, and the increased severity of attacks is reflected by the impacts on businesses and other organisations, which aren’t able to provide public services after falling victim to ransomware.

    The paper details the ransomware attack against Redcar and Cleveland Borough Council in February 2020 as an example of how cyber crime can have consequences for society. As a result of the ransomware attack, the local authority was briefly unable to deliver frontline services, including functions around vulnerable children and adult care. The attack encrypted data relating to school admissions, delaying the placement process for students. The NCA worked with the National Cyber Security Centre (NCSC), law enforcement and local authorities in order to help restore services.

    Since then, the cyber threat has increased as criminals have exploited the Covid-19 pandemic and the rise of remote working as a means of gaining access to networks, via phishing attacks or breaching cloud services, Remote Desktop Protocol services and VPNs. “The increase in home working has increased risks to individuals and businesses,” says the report. Universities and schools have become regular targets for ransomware attacks, while organisations including the Scottish Environment Protection Agency (SEPA) and UK Research and Innovation (UKRI) have become high-profile victims of ransomware attacks against UK targets this year.

    But despite the increasing threat of ransomware and the scale of the damage that can be done, it’s possible to take steps to avoid falling victim to it in the first place. The NCA recommends organisations keep software up to date by applying patches, in order to prevent cyber criminals from exploiting known vulnerabilities to gain access to the network. Organisations should also ensure that staff are using strong, unique passwords in order to prevent them being breached in brute-force attacks, and two-factor authentication should be applied where possible to provide an extra barrier to cyber criminals should they successfully crack an account. It’s also recommended that organisations back up important data to an external hard drive or to cloud-based storage, so that if the worst happens and they are hit by a ransomware attack, data can be recovered without paying cyber criminals for the decryption key.

    Bluetooth bugs open the door for attackers to impersonate devices

    Threat actors could exploit vulnerabilities in the Bluetooth Core and Mesh specifications to impersonate devices during pairing, paving the way to man-in-the-middle (MITM) attacks. 

    The vulnerabilities, discovered by researchers at the Agence nationale de la sécurité des systèmes d’information (ANSSI) and disclosed on Monday, allow for “impersonation attacks and AuthValue disclosures”, according to a Carnegie Mellon University CERT Coordination Center advisory.

    Bluetooth Core and Mesh are separate specifications, suitable respectively for low-energy and Internet of Things (IoT) devices and for many-to-many (m:m) device communication in large-scale networks.

    The vulnerabilities are as follows:

    CVE-2020-26558: A vulnerability in the Passkey Entry protocol, used during Secure Simple Pairing (SSP), Secure Connections (SC) and LE Secure Connections (LESC) in Bluetooth Core (v2.1 to 5.2). An attacker could send crafted responses during pairing to determine each bit of the randomly generated Passkey, leading to impersonation.

    CVE-2020-26555: Another vulnerability in Bluetooth Core (v1.0B through 5.2): the BR/EDR PIN Pairing procedure can also be abused for impersonation. Attackers could spoof the Bluetooth device address of a target device, reflect encrypted nonces and complete BR/EDR PIN-code pairing without knowing the PIN code. This attack requires a malicious device to be in wireless range.

    CVE-2020-26560: Affecting Bluetooth Mesh (v1.0, 1.0.1), this vulnerability could allow attackers to spoof a device being provisioned by sending crafted responses that appear to prove possession of the AuthValue. This may give them access to a valid NetKey and AppKey. The attacker’s device needs to be in wireless range of a Mesh Provisioner.

    CVE-2020-26557: Affecting Bluetooth Mesh (v1.0, 1.0.1), the Mesh Provisioning protocol could allow attackers to brute-force a fixed AuthValue, or one that is “selected predictably or with low entropy”, leading to MITM attacks on future provisioning attempts.

    CVE-2020-26556: If the AuthValue can be identified during provisioning, the Bluetooth Mesh authentication protocol (v1.0, 1.0.1) is vulnerable and may be abused to obtain a NetKey. However, the researchers note that attackers must identify the AuthValue before a session timeout.

    CVE-2020-26559: The Mesh Provisioning procedure used by Bluetooth Mesh (v1.0, 1.0.1) allows an attacker who takes part in provisioning, but does not have access to the AuthValue, to identify the AuthValue without the need for a brute-force attack.

    “Even when a randomly generated AuthValue with a full 128-bits of entropy is used, an attacker acquiring the provisioner’s public key, provisioning confirmation value, and provisioning random value, and providing its public key for use in the provisioning procedure, will be able to compute the AuthValue directly,” the advisory reads.

    The researchers also identified a potential vulnerability in Bluetooth Core relating to LE Legacy Pairing in versions 4.0 to 5.2, which could allow an attacker-controlled device to perform pairing without knowledge of the temporary keys (TK).

    The Android Open Source Project, Cisco, Cradlepoint, Intel, Microchip Technology and Red Hat are cited as vendors with software vulnerable, in some form or another, to the disclosed vulnerabilities.
The Android Open Source Project said: “Android has assessed this issue as High severity for Android OS and will be issuing a patch for this vulnerability in an upcoming Android security bulletin.”

Cisco said: “Cisco has investigated the impact of the aforementioned Bluetooth Specification vulnerabilities and is currently waiting for all the individual product development teams to provide software fixes to address them.”

Microchip Technology is also working on patches. Red Hat, Cradlepoint and Intel did not issue statements to the team ahead of public disclosure.

The Bluetooth Special Interest Group (SIG), which develops the global Bluetooth standards, has also published separate security advisories.

To mitigate the risk of exploitation, updates from operating system vendors should be applied as soon as they are made available.

The research follows a separate Bluetooth-related security issue disclosed in September 2020 by Purdue University academics. Dubbed the Bluetooth Low Energy Spoofing Attack (BLESA), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol, which is used when only limited battery power is available.

ZDNet has reached out to Red Hat, Cradlepoint and Intel, and we will update when we hear back.