More stories

    Australia's intelligence community dismisses concerns about proposed data-gathering powers

    Australia’s national intelligence agencies have dismissed concerns surrounding laws currently before Parliament that would provide them with expanded data-gathering powers in circumstances where an Australian person’s safety is at imminent risk. The Bill in question, if passed, would enable national intelligence agencies to undertake activities to produce intelligence where there is, or is likely to be, an imminent risk to the safety of an Australian person, such as from terrorist attacks or kidnappings. It would also allow these agencies to seek ministerial authorisation to produce intelligence on Australians involved with a listed terrorist organisation, rather than having to obtain multiple, concurrent authorisations to produce intelligence on individual Australian persons who are suspected of being involved with a listed terrorist organisation.

    Opposition to the Bill has primarily come from the Law Council of Australia (LCA), which told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) it was unsure whether the expanded powers would be proportionate to their operational objectives. In a submission to the PJCIS, which is responsible for scrutinising Australia’s intelligence powers, the LCA said there are no safeguards to prevent agency heads from using their intelligence-gathering powers on an Australian in situations where that person is not at imminent risk.

    “There is no requirement that the agency head must also assess the nature and degree of the imminent risk to the person’s safety, and be satisfied that it is sufficiently serious as to warrant the exercise of powers in the absence of a ministerial authorisation,” the LCA wrote in its submission to the committee. “For example, there is no requirement to be satisfied that there is a risk of death or serious harm to the person.”

    The LCA added it was also concerned about expanding the scope of a single ministerial authorisation so that it can enable intelligence-gathering on entire terrorist organisations, given the broad nature of such an authorisation. The council specifically noted the lack of an exhaustive list of what is deemed to be “involvement with a listed terrorist organisation”. “The Law Council notes that the concept of a person’s ‘involvement with’ a listed terrorist organisation has the potential to be extremely broad, covering both direct and indirect forms of engagement,” it said. “The Law Council suggests that consideration is given to placing more precise statutory parameters on the concept of ‘involvement with’ a listed terrorist organisation.”

    In response to these concerns, representatives from the Department of Home Affairs, the Australian Security Intelligence Organisation, the Australian Signals Directorate (ASD), and the Office of National Intelligence said these expanded powers would only be used in “niche circumstances”. “In an operational sense, when we kind of try to apply these new provisions to real-world situations what we’re trying to do is save minutes and possibly hours in operational circumstances where an Australian person has been kidnapped overseas,” ASD Director-General Rachel Noble said, when explaining the “imminent risk” powers. Noble said waiting for ministerial authorisations is not always possible in “imminent risk” situations, as overseas kidnappings and mass casualty events can often occur in the middle of the night.

    Addressing the LCA’s concern regarding ministerial authorisations potentially being too broad for gathering intelligence on listed terrorist organisations, a Home Affairs representative said the authorisations would only be used by intelligence agencies to investigate members of the class that directly participate in listed terrorist organisations. Home Affairs electronic surveillance assistant secretary Paul Pfitzner said authorisations for agencies to perform intelligence activities on a listed terrorist organisation would only allow them to investigate individuals who recruit others, provide and receive training, provide financial or other forms of support, and advocate on behalf of the organisation. “We don’t want to pretend that we’ll necessarily be able to capture every scenario, situation, or circumstance that might arise in the course of an intelligence agency undertaking their work and finding how people may or may not be involved with a particular terrorist organisation,” Home Affairs electronic surveillance first assistant secretary Andrew Warnes added.

    In terms of accountability, Pfitzner said all intelligence agencies that collect data about individuals in terrorist organisations through ministerial authorisations would have to keep a list of these identified individuals and provide reasons why they are classified as being part of those organisations.

    Meta blocks Russian state-media accounts in Ukraine

    Meta, formerly Facebook, has announced it has restricted access to several accounts, including some belonging to Russian state-media organisations, in Ukraine. “We have been in contact with the government of Ukraine. At their request, we have restricted access to several accounts in Ukraine, including those belonging to some Russian state media organisations,” Meta VP global affairs Nick Clegg wrote in a tweet. “We are also reviewing other government requests to restrict Russian state-controlled media.”

    The steps taken by the social media giant are in response to Russia’s invasion of Ukraine, which began four days ago. Meta added it has also established a special operations centre staffed by “experts” from across the company, including native Russian and Ukrainian speakers, to monitor its platform and respond to misinformation issues in real time. “We have teams of native Russian and Ukrainian content reviewers to help us review potentially violating content. We’re also using technology to help us scale the work of our content review teams and to prioritise what content those teams should be spending their time on, so we can take down more violating content before it goes viral,” Meta said.

    Additionally, the company outlined that it has introduced new security features to keep people in Ukraine safe. These include giving users a tool to lock their Facebook profile in one step, temporarily removing the ability to view and search the friends lists of Facebook accounts in Ukraine, rolling out notifications for screenshots, and activating the disappearing messages feature on Messenger. “View once media” has also been enabled on WhatsApp to allow users to send photos or videos that vanish after being seen, as well as “disappearing mode” to automatically erase all new chats after 24 hours. Russian state media have also been blocked from advertising and making money on its platform, the company said. “Our thoughts are with everyone affected by the war in Ukraine. We are taking extensive steps across our apps to help ensure the safety of our community and support the people who use our services — both in Ukraine and around the world,” Meta wrote in a post.

    Clegg also wrote on Twitter that Ukrainians have suggested that Meta remove access to Facebook and Instagram in Russia. However, he said: “People in Russia are using FB and IG to protest and organise against the war and as a source of independent information.” “The Russian government is already throttling our platform to prevent these activities. We believe turning off our services would silence important expression at a crucial time,” he said.

    Twitter said it has also taken similar steps, including pausing advertisements in Ukraine and Russia “to ensure critical public safety information is elevated and ads don’t detract from it”. Meanwhile, Twitch and OnlyFans have reportedly blocked all users from Russia from accessing their accounts, preventing those users from withdrawing money earned on their respective platforms, amid tougher sanctions being introduced against Russia.

    Singapore advises local firms to beef up cyberdefence amidst Ukraine conflict

    Singapore has issued an advisory note highlighting the need for local organisations to bolster their cyberdefence amidst the ongoing conflict between Ukraine and Russia. In particular, businesses should be on the lookout for possible ransomware attacks as such tactics are commonly used by threat actors. There were no immediate reports of any threats to local businesses related to the Ukraine conflict, but organisations here were urged to take “active steps” to beef up their cybersecurity posture, according to Cyber Security Agency of Singapore (CSA). The government agency noted that cyber attacks on Ukraine and developments in the conflict had fuelled warnings of increased cyber threats across the globe. Organisations in Singapore should increase their vigilance and strengthen their cyberdefences to safeguard against potential attacks, such as web defacement, distributed denial of service (DDoS), and ransomware. 
    In an advisory note issued Sunday, the Singapore Computer Emergency Response Team (SingCERT) pointed to the need to keep watch for ransomware attacks, which were among the most common attacks launched by threat actors. “Falling victim to such attacks will adversely impact the operations and business continuity of any organisation,” said SingCERT, which sits within CSA. It said Singapore businesses should carry out the necessary steps to secure their networks and review system logs to swiftly identify potential intrusions. These should include ensuring systems and applications are patched and updated to the latest version, disabling ports that are not essential for business purposes, and adopting strong access controls when using cloud services. In addition, system events should be properly logged to facilitate investigation of suspicious activity, while both inbound and outbound network traffic should be monitored for suspicious communications or data transmissions, SingCERT said. It added that organisations should also have incident response and business continuity plans in place. Any suspected compromise of corporate networks or evidence of such incidents should be reported to SingCERT.

    The Australian Cyber Security Centre (ACSC) this past week also issued an advisory note urging local organisations to adopt an “enhanced cybersecurity position” and boost their cybersecurity resilience in light of the heightened threat landscape. “There has been a historical pattern of cyber attacks against Ukraine that have had international consequences,” it said. “Malicious cyber activity could impact Australian organisations through unintended disruption or uncontained malicious cyber activities. While the ACSC is not aware of any current or specific threats to Australian organisations, adopting an enhanced cybersecurity posture and increased monitoring for threats will help to reduce the impacts to Australian organisations.”

    Also stressing the need for vigilance against ransomware attacks, the Australian agency advised local businesses to review and enhance detection, mitigation, and response measures. They should, amongst other things, ensure logging and detection systems in their environment are fully updated and functioning, and apply additional monitoring of their networks where required.

    The Ukraine government reportedly had sought volunteers from the nation’s hacker community to protect critical infrastructure and run cyber spying missions against Russia. Citing sources involved in the call to action, a Reuters report said requests for volunteers popped up on hacker forums on Thursday.

    This hotel is using technology in a truly creepy way (but some will like it)

    Can technology go too far in disturbing your peace?

    The trend is inevitable. And, as with so many trends, there’s pain too.

    Business owners have embraced technology as the elixir that offers speed and money-saving. Which has led to their permissiveness of its invasiveness running rampant.

    It’s not surveillance, many insist. It’s security. Meanwhile, their customers are left wondering who’s guarding the guardians.

    I wafted to this subject because of a tweet by a writer and drag queen. Joe Wadlington seemed excited that there was a new boutique hotel in the Castro district of San Francisco.

    But then he perused the rules perpetrated by the hotel’s management company, Kasa. It insists on quiet hours between 9 pm and 8 am. One person’s quiet is another person’s having a lovely time.

    So one section of Kasa’s rules offers: “Kasa apartments are proactively monitored for compliance with this noise policy.”

    Few enjoy the concept of proactive monitoring. It smacks of proactive snooping.

    Yet Kasa insists: “Decibel sensors notify the Company of sounds in the Kasa that exceed 75 decibels (dB). You hereby consent to the use of sound level monitoring.”

    I can hear you grunting at a minimum of 72 decibels. These people have sensors to monitor your every sound level? Isn’t that excessively, well, personal?

    And wait, how loud is 75 decibels? The University of Michigan tells me normal human conversation scores around 60. Office noise is a 70. And an average radio or vacuum cleaner scores a 75.

    You may, like me, find all this perplexing. Could it be that if you play the radio after 9 pm you’ll get a warning notice? And if you do it twice, you get a $500 fine or get kicked out of the hotel? (Them’s Kasa’s rules, you see.)

    For those who may not have visited the Castro district, it’s the home of the gay community and is a vibrant and sometimes loud place to be. The Bold Italic pointed out that if you claim your hotel is “community powered” — as the Hotel Castro does — its “current guest policies sit as an odious dichotomy to that very sentiment.”

    I fear some, though, may feel torn about the general principle.

    For many people, one of the more painful aspects of hotel existence is the prospect of thin walls and/or noisy people in adjacent hotel rooms. How many haven’t, at least once in their lives, called the front desk to complain about excessive noise coming from another guest — or, indeed, guests?

    If noise is being automatically monitored by technology, is this necessarily a bad thing?

    Then again, can technology really assess the true impact of noise? Is this better left to human judgment? And what if the people next door rather like the noise and even knock on their neighbor’s door to see if they can partake?

    Of course, many hotels are tending toward resisting human intervention because they’re resisting hiring humans. Indeed, as far as I can judge, the Hotel Castro has a virtual front desk.

    Ergo, once you’re in the grip of technological oversight, you’ll find it in places you don’t expect.

    Just as guests in Airbnbs these days have to ask whether the homeowner has an active camera system installed, so perhaps hotel guests may begin to ask questions about how they might be surveilled too.

    Sometimes, it’s hard to get a good night’s sleep, isn’t it? Or, as Wadlington put it: “I’m….so creeped out.”

    Zabbix vulnerabilities added to CISA catalog

    Two Zabbix vulnerabilities have been added to the US Cybersecurity and Infrastructure Security Agency’s catalog of known exploited vulnerabilities. Federal civilian agencies have until March 8 to patch CVE-2022-23131 and CVE-2022-23134 — a Zabbix Frontend authentication bypass vulnerability and a Zabbix Frontend improper access control vulnerability. Zabbix is a popular open-source monitoring platform. Patches for the issues were released in December.

    Zabbix explained that in the case of instances “where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified.” “Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default),” Zabbix said. “To remediate this vulnerability, apply the updates listed in the ‘Fixed Version’ section to appropriate products or if an immediate update is not possible, follow the presented below workarounds.”

    Zabbix credited SonarSource’s Thomas Chauchefoin for discovering and reporting the issue. SonarSource released its own blog post on the vulnerabilities, in which Chauchefoin goes into detail about the intricacies of the issue. He discovered it in November and noted that the initial patch proposed by Zabbix could be bypassed.

    BluBracket’s Casey Bisson explained that Zabbix is broadly used by businesses of all sizes to monitor servers and network equipment everywhere from data centers to branch offices. “A vulnerability that allows attackers past the authentication controls could give those attackers access to extensive details about the infrastructure,” Bisson said. “The details in Zabbix could reveal a map of sensitive company networks and equipment deep in company networks, including potentially vulnerable versions of software on that equipment. That information might be used to target further electronic attacks, social engineering, and spear phishing.”

    Vulcan Cyber’s Mike Parkin added that Zabbix has a user base distributed worldwide, with a large portion of it in Europe, spread across a range of verticals. Both the National Cyber Security Centre of the Netherlands and the Ukrainian Computer Emergency Response Team released notices about the issue in recent days. The Ukrainian notice says CVE-2022-23131 has a severity level of 9.1. Parkin noted that the attack surface is reduced because the target has to be in a non-default configuration, and the attacker needs to know a valid username. “Zabbix has included a workaround – disabling SAML authentication – and patches have been released, so it should be straightforward for affected organizations to mitigate this issue,” Parkin said.

    NVIDIA investigating cybersecurity incident

    NVIDIA has responded to reports that it was dealing with a wide-ranging cyberattack, telling ZDNet that it is in the process of investigating the cybersecurity incident. On Friday, British newspaper The Telegraph reported that the company had been facing two days of outages related to email systems and tools used by developers. “We are investigating an incident. Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time,” an NVIDIA spokesperson said on Friday. The spokesperson did not respond to follow-up questions about the scope of the attack and whether it was a ransomware incident.

    The chipmaker was recently embroiled in controversy over its attempt to purchase Arm for $40 billion. The deal fell apart earlier this month, with both sides of the deal citing “significant regulatory challenges” as the reason why. NVIDIA is the biggest chipmaker in the US and reported revenue of $7.64 billion in the last quarter.

    Anonymous hacktivists, ransomware groups get involved in Ukraine-Russia conflict

    Multiple ransomware groups and members of the hacktivist collective Anonymous announced this week that they are getting involved in the military conflict between Ukraine and Russia.

    On Thursday, members of Anonymous announced on Twitter that they would be launching attacks against the Russian government. The hacktivists defaced some local government websites in Russia and temporarily took down others, including the website of Russian news outlet RT. The group claimed on Friday that it would leak login credentials for the Russian Ministry of Defense website.

    The actions came hours after Yegor Aushev, co-founder of a Kyiv-based cybersecurity company, told Reuters that he was asked by a senior Ukrainian Defense Ministry official to publish a call for help within the hacking community. Aushev said the Defense Ministry was looking for both offensive and defensive cyber actors.

    Anonymous was not the only group to get involved in the conflict. On Friday, ransomware groups Conti and CoomingProject published messages saying they supported the Russian government.

    [Image: A message posted by members of the Conti ransomware group. Credit: Brett Callow]

    Conti said it was officially announcing full support for the Russian government, writing that “if anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.” Many experts interpreted the message as a response to an NBC story that came out on Thursday indicating US President Joe Biden has already been presented with several options for devastating cyberattacks on Russian infrastructure. The White House vociferously denied the report.

    Shortly after releasing the message, Conti revised it, softening the tone and its support for the Russian government. The updated statement said Conti would use its “full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.” “We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression,” the new Conti message said.

    The announcements came as Ukraine continued to face a barrage of DDoS incidents, phishing attacks and malware. CERT-UA said military personnel were being sent phishing messages and attributed the campaign to officers within the Belarus Ministry of Defense. Internet connectivity across the country continues to be intermittent, with Netblocks reporting outages in multiple cities.

    Experts were extremely wary of outside groups picking sides in the conflict and launching attacks on their behalf. The announcements further alarmed experts when NATO Secretary General Jens Stoltenberg said on Friday that “cyberattacks can trigger Article 5” of the NATO charter. Cybersecurity firm Sophos said the declarations from Conti and Anonymous “increase the risk for everyone, whether involved in this conflict or not.” “Vigilante attacks in either direction increase the fog of war and generate confusion and uncertainty for everyone,” Sophos said.

    Emsisoft threat analyst Brett Callow called the situation “unpredictable and volatile” but noted that Conti has made bold political claims in the past. “This is probably just bluster too [but] it would be a mistake to assume the threat is empty. If your company hasn’t already gone Shields Up, now is the time,” Callow said.

    Bugcrowd CTO Casey Ellis said one of his primary concerns with recent developments is the relative difficulty of attribution in cyberattacks, as well as the possibility of incorrect attribution or even an intentional false flag operation escalating the conflict internationally. Conti’s position statement is noteworthy in light of Russia’s recent crackdowns on cybercrime and ransomware because it signals that they are either acting independently, as the other groups seem to be, or possibly operating with the Kremlin’s blessing, Ellis explained.

    Digital Shadows’ Chris Morgan noted that their data shows Conti was the second most active ransomware group in 2021 by number of victims. Morgan said they attributed several attacks against critical national infrastructure to Conti, including attacks on the healthcare sector in the United States, New Zealand and Ireland. The Irish government released a report this week saying the Conti ransomware attack that hit it last year may cost more than $100 million to recover from. “Conti’s activities have also recently been bolstered by hiring the developers of the infamous Trickbot trojan, which has also enabled them to control the development of another malware, the BazarBackdoor, which the group now use as their primary initial access tool. Conti consistently redefine and develop their working processes and should be considered a resourceful and sophisticated adversary,” Morgan said.

    Recorded Future expert Allan Liska told ZDNet the threat from ransomware groups deciding to retaliate is real and should be a concern. “Given what a hot mess Conti is right now, I have trouble believing they can organize an office luncheon much less a focused retaliation. That being said, we know ransomware groups have more targets than they can hit right now and we know when Ryuk decided to retaliate against the US in 2020 they were easily able to do so,” Liska said. “More broadly speaking, whether it is ransomware groups, Anonymous, or Ukraine calling on ‘Cyber Patriots’ to assist, independent cyber activity is going to be part of any military action going forward. I am not saying it is a good idea, it is just the reality.”

    Others, like Flashpoint senior analyst Andras Toth-Czifra, said hacktivists getting involved in armed conflict is not a novel development, explaining that Anonymous has targeted governments before. But like Liska, Toth-Czifra said ransomware groups openly associating with the Russian government would be a “new and worrying development.” “So far, Flashpoint analysts have not observed significant patriotic pride in illicit communities about Russia’s aggression against Ukraine, which is in line with the response of the Russian public in general. The situation is different from the emergence of ‘patriotic hackers’ in the context of Russia’s 2008 war against Georgia: many Russian-speaking cybercriminals either live in Ukraine themselves or have Ukrainian associates or infrastructure,” Toth-Czifra explained. “But while the cyber underground has largely remained neutral so far, one shouldn’t forget that Ukraine has cooperated with Western law enforcement against ransomware gangs in recent years, which may influence the calculations of ransomware collectives. So far Flashpoint has seen another prolific ransomware gang (LockBit) suggesting that they would remain neutral.”

    On Friday the BBC reported on a Russian vigilante hacker group flooding Ukrainian government servers with DDoS attacks after work each day. One hacker admitted to emailing 20 bomb threats to schools, setting up an official Ukrainian government email address and hacking into the dashboard feeds of Ukrainian officials. The hacker openly boasted about the vigilante work they plan to take on in the future, which he said includes the use of ransomware.

    Allegro Solutions CEO Karen Walsh said the Conti declaration may also bring a measure of confusion to US companies with cyber insurance plans that have carve-outs for cyberattacks related to wars. “Depending on how the military legal experts classify Conti and any ransomware attacks perpetrated by cyber threat actors acting ‘on behalf of’ Russia, organizations may find that their cyber liability insurance doesn’t help them. In November, Lloyd’s Market Association published updates to their cyber liability policies that specifically address the war exclusion,” Walsh said. “Notably, these changes mentioned cyber operations carried out in the course of war. As part of risk mitigation, companies should begin reviewing their cyber liability insurance exclusions and make sure that they question their carriers about their position on this issue.”

    Swedish camera giant Axis still recovering from cyberattack

    Camera maker Axis said it is still struggling to deal with a cyberattack that hit its IT systems on February 20. In a message on its website, the Swedish camera giant said it got alerts from its cybersecurity and intrusion detection system on Sunday, before it shut down all public-facing services globally in the hope of limiting the impact of the attack. “Our ongoing investigation of the attack has come a long way but is not entirely finalized. So far, we have no indication that any customer and partner data whatsoever has been affected. As far as the investigation currently shows, we were able to stop the attack before it was completed, limiting the potential damage,” Axis said on Thursday. “Most prioritized external services have now been restored. Restoring the remaining services is our highest priority, together with doing it in a way that does not jeopardize security. The time of disconnected services and limited possibilities to communicate with Axis has been an unfortunate but necessary consequence. Our gradual entry into a post-attack normal is based on changes that help us avoid similar future situations.”

    The company announced the outages on Twitter but did not respond to requests for comment. On its status site on Friday afternoon, Axis said its Case Insight tool in the US and the Camera Station License System were dealing with partial outages. The Device Manager Extend device upgrades for OS and apps were dealing with a major outage as of Friday afternoon.

    Update: The time of disconnected services over the past few days has been an unfortunate but necessary consequence. Our gradual reentry is based on changes that help us avoid similar future situations. Thank you for your patience. Read the full statement: https://t.co/0osAZjRJji— Axis Communications (@AxisIPVideo) February 24, 2022

    Services are being restored gradually, the company said. Axis spokesman Chris Shanelaris told Bloomberg and SecurityInfoWatch.com that all public-facing internet services were disabled to protect the company’s systems. The attack was first reported by IPVM. Axis has not said whether it is a ransomware attack.