More stories


    'We are building one of the most modern networks in the world'. How Vodafone Australia changed its 5G plans after the Huawei ban

    At the start of August 2018, Vodafone Australia was running services from 2G to 4G on a network that relied heavily on Huawei. Besides the core of its network, Huawei was everywhere else, and the telco relied on the Chinese vendor for its radio network and transmission network. Everything from a mobile device up to the data centre used a single vendor.

    Given such reliance and the existing relationship, the telco intended to use Huawei when it began the move to offering 5G services. All that changed by the end of that month, however, as the situation had become untenable in the face of a government ban on Huawei and ZTE for supplying 5G services in Australia. In its reasoning, Canberra said vendors who were subject to “extrajudicial directions from a foreign government” would conflict with local laws, and carriers might not be able to protect their networks properly. For Vodafone Australia, that meant a rethink was needed. “We definitely didn’t expect the ban to come the way that it came. For example, if you look at the situation that they have in Europe — like in the UK, for example, they use Huawei — they have like seven years to vacate and they can still use Huawei on 5G on a limited number of sites. There is kind of a transition plan that has been created there,” formerly Vodafone Australia and now TPG Telecom general manager for wireless and transmission networks Yago Lopez tells ZDNet. “In Australia, probably we didn’t expect at the time, the outcome to be as black and white as it was. We’ve just got to accept what the guidance of the government is and get on with that.”

    Lopez says that, since the ruling had little guidance, the mobile carrier needed to consider what its next steps would be. Key in its thinking was how it would handle the existing Huawei network. “You still have a network with Huawei with five million customers that you need to maintain the best experience possible. So you need to find a way to keep investing on Huawei until you get an alternative, and then how to transition from your investment in Huawei into the new vendor in a seamless way,” Lopez says. “[Because] it does not make any sense to stop maintaining the Huawei network where you have all your customers because then when you build a new network, you don’t have customers left.”

    For Vodafone, this meant the Huawei network needed to have some final upgrades performed, as it was planning to start fresh with 5G. In the end, the telco would select Nokia for radios and management, and Ericsson would supply its new virtualised core. According to Lopez, the ban gave the company, now known as TPG Telecom, the chance to reset and remove a lot of the legacy issues it had carried. The downside is that it is set to cost well over AU$1 billion across the six years of the build, once TPG tallies up the full cost.

    “[It’s] more expensive because you need to start from scratch, but then you have benefits of [starting] from scratch. So we are not taking an old platform and upgrading just on the edges to make it 5G-ready. What we are doing is … every site that we swap from Huawei to Nokia, every piece of equipment that we put is new, brand new, and every piece of equipment that we put in is 5G-ready,” he says. “Then in the future, we want to move spectrum that we use today from 3G or 4G into 5G, we can do remotely; we can be very, very agile in the way that we manage our assets.”

    “But on the technical side, we are building one of the most modern networks in the world, right now — so our engineers are happy.”

    With the new network, Vodafone Australia can switch from 4G to 5G as needed, and move between LTE, 5G non-standalone, and 5G standalone in software. The shift has been no small task. Last year, the telco put in over one million hours of work just on the radio side of its network, with Nokia having to scale up to handle TPG Telecom, Lopez says. Building a new network while keeping an existing one in place meant Vodafone Australia customers saw a lag of around 18 months compared to its competition for 5G, particularly the incumbent with an existing Ericsson network that could be easily upgraded. Optus also had to deal with the Huawei ban, but it chose not to talk to ZDNet for this story.

    Throughout this period, Vodafone Hutchison Australia and TPG also had to deal with a protracted merger, announced days after the Huawei ban was imposed, that took just shy of two years to complete. At the time, TPG was beginning to deploy small cell sites in Australian cities, but that plan was abandoned at the start of 2019, with the blame for that decision and the subsequent AU$230 million accounting hit laid at the feet of the ban. While TPG could not bring a functioning mobile network to the merger, it brought spectrum and its fibre network that Vodafone was already paying to use. This approach allowed the merged entity to have end-to-end control of its mobile network and, thanks to weathering the case brought against it by the Australian Competition and Consumer Commission to prevent the merger, Lopez says the company has since moved its mentality to one described as a “very good vibe [and] lots of can-do attitude”.

    “You have a rollout plan, and that rollout plan is hundreds of millions of dollars that are going in one direction … You have something you have been doing in the same process for seven years … and then overnight you need to think, ‘Okay, I need to keep this alive but I need to stop everything I’m doing. I need to press the reset button and then I need to start to build something new’.

    “It’s a challenge technically, but also a challenge on the mentality of the company … because [it’s] easiest sometimes just to say, ‘Look, let’s think that is not happening. Let’s keep doing the way we do.’ But we would be in a very bad, a much worse situation right now.”

    Another change in mentality has been shifting from a single vendor to handling multiple ones on the user-facing side. Now that TPG’s 5G network is up and running, the telco is in trials with Samsung to use commodity hardware for a 5G virtualised radio network, and another area it is looking towards, along with its parent companies Vodafone Group and Hutchison, is Open RAN. In at least one way, the ban has been a blessing in disguise for the telco. “Technically, we are one of the most advanced networks in the world,” Lopez says. “Financially, obviously, there is a lot of extra cost that we have to [pay] upfront right now, which obviously, as a company, we would have preferred not to, but again, we accept the ruling of the government.”

    Lopez says something the telco would like to see is a program similar to the one in the United States that helps some of the nation’s smaller mobile carriers get funds to help make a transition out of the Huawei ecosystem. “We are still kind of waiting for the Australian government to take that path and help us to carry this burden,” Lopez says.


    Microsoft: We've switched off this 'critical' MSIX protocol handler but we're working to bring it back

    Microsoft has disabled a Windows App Installer feature after its December Patch Tuesday disclosure that it was being actively exploited to install unwanted apps. The flaw was bad news for Windows domains, with Microsoft confirming that attackers were using this vulnerability to install specially crafted packages and spread the Emotet/Trickbot/Bazaloader malware families. The Windows AppX Installer is a Windows 10 feature that allows users to install .appx packages.

    In a blogpost explaining why it’s switched off the ms-appinstaller protocol for the MSIX Windows app package format, Microsoft says that an attacker can use that protocol to “spoof App Installer to install a package that the user did not intend to install”. For now, it appears Microsoft hasn’t fully addressed the vulnerability detailed in its December advisory for CVE-2021-43890. With the protocol disabled, admins could see the download size for some app packages grow, and it creates a block for enterprises that distribute apps directly from a web page versus, say, the Microsoft Store.

    “We are actively working to address this vulnerability,” Microsoft says in a blogpost. “For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages.”

    As Microsoft explains, MSIX brings a “modern packaging experience” to legacy Windows apps. “The MSIX package format preserves the functionality of existing app packages and/or install files in addition to enabling new, modern packaging and deployment features to Win32, WPF, and Windows Forms apps,” Microsoft notes.

    Microsoft has also updated its page for installing Windows 10 apps from a web page to reflect ms-appinstaller being disabled. Microsoft has a few workarounds in mind until it is able to re-enable the protocol, including “looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations.” But it notes: “We recognize that this feature is critical for many enterprise organizations. We are taking the time to conduct thorough testing to ensure that re-enabling the protocol can be done in a secure manner.”


    Ransomware gangs are changing their tactics. That could prove very expensive for some victims

    The cost and risk of executing ransomware attacks is going up, making it harder for cyber criminals to carry them out, which could lead to a decline in the number of overall ransomware attacks. But that could mean some ransomware victims end up paying a heavier price.

    Ransomware is still running rampant, with several major incidents in the last week alone, but according to analysis by cybersecurity company Coveware, there are signs that recent changes could reduce the total number of ransomware attacks. But while the number of attacks could fall, there’s the possibility that the ransom demands made by successful ransomware groups could rise.

    The Biden administration’s executive orders across US government agencies, the Colonial Pipeline attack bringing ransomware to the forefront of CEOs’ minds, and moves by cyber insurance providers to require improved cybersecurity protocols before a policy is taken out or renewed are all developments that are likely to have improved the cybersecurity of enterprises, making them more robust against attacks.

    But it’s the rise in arrests relating to involvement in ransomware attacks which is cited as the biggest change to the ransomware landscape, with the arrest of several suspected REvil ransomware affiliates in Russia described as the most notable. According to analysis by Coveware, this move has increased the risk profile of being involved with ransomware attacks, and thus decreases the pool of cyber criminals, because some will decide the potential for being arrested and extradited isn’t worth the risk – to the extent that some are quitting.

    “The cost and risk of executing ransomware attacks are up, and if this trend continues, we expect to see the aggregate volume of attacks begin to decrease,” said researchers. However, while a decrease in the number of attacks would be a positive overall, it could potentially come with an unwelcome side effect – the cost of ransom demands going up, particularly for less high-profile victims.

    According to Coveware, the average ransom payment during the final three months of 2021 was $322,168, more than double the figure of the previous quarter. This rise comes following what researchers describe as a “tactical shift” towards targeting companies which are large enough to pay significant ransom amounts but are small enough that the attackers don’t have to spend a lot of time and effort on preparing and launching the attack. Researchers warn that this shift in tactics is likely to continue, citing an interview with a LockBit ransomware affiliate as detailing the mindset behind the change. “You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies,” they said.


    FBI: Watch out for LockBit 2.0 ransomware, here's how to reduce the risk to your network

    The Federal Bureau of Investigation (FBI) has published a fresh warning about LockBit 2.0, recommending that companies enable multi-factor authentication (MFA) and use strong, unique passwords for all admin and high-value accounts to thwart the strain of ransomware that is used by one of the busiest attack groups on the internet today. MFA is vital to protecting against compromised user and admin passwords, but Microsoft has found that 78% of organizations using Azure Active Directory don’t enable MFA.

    LockBit 2.0 targets Windows PCs and now Linux servers too via bugs in VMware’s ESXi virtual machines, and has hit tech consulting and services giant Accenture and France’s Ministry of Justice among others. LockBit’s operators use any method available to compromise a network, as long as it works. These include, but are not limited to, buying access to an already compromised network from “access brokers”, exploiting unpatched software bugs, and even paying for insider access, as well as using exploits for previously unknown zero-day flaws, according to the FBI’s report.

    The group’s techniques continue to evolve. The FBI says LockBit’s operators have started advertising for insiders at a target company to help them establish initial access into the network. Insiders were promised a cut of the proceeds from a successful attack. A month earlier it began automatically encrypting devices across Windows domains by abusing group policies in Active Directory. After compromising a network, LockBit uses penetration-testing tools like Mimikatz to escalate privileges and multiple tools to exfiltrate data (to threaten victims with a leak if they don’t pay) before encrypting files. LockBit always leaves a ransom note with instructions for how to obtain the decryption key.

    Like other Russia-based ransomware operations, LockBit 2.0 determines the system and user language settings and excludes an organisation from attack if the languages are one of 13 Eastern European languages. The FBI lists the language codes in LockBit 2.0 as at February 2022 – such as 2092 for Azeri/Cyrillic and 1067 for Armenian – that cause it not to activate. “If an Eastern European language is detected, the program exits without infection,” the FBI notes.

    LockBit 2.0 identifies and collects an infected device’s hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. It then attempts to encrypt data saved to any local or remote device but skips files associated with core system functions, according to the FBI. After this, it deletes itself from the disk and creates persistence at startup.

    Besides requiring strong, unique passwords and MFA for webmail, VPNs and accounts for critical systems, the FBI also recommends a series of mitigations, including keeping operating systems and software up to date and removing unnecessary access to administrative shares. It also recommends using a host-based firewall and enabling “protected files” in Windows, referring to Microsoft’s controlled folder access. It also recommends that companies segment their networks, investigate any abnormal activity, implement time-based access for accounts set at the admin level and higher, disable command-line and scripting activities and permissions, and, of course, maintain offline backups of data.


    Microsoft: These hackers are targeting emergency response and security organizations in Ukraine

    Microsoft has detailed recent hacking activity of cyber actors, most likely aligned with the Russian Federal Security Service (FSB), who have targeted Ukrainian government, security agencies and aid organizations. Microsoft says the hacking group, which it calls Actinium, has “targeted or compromised accounts” at Ukrainian emergency response organizations since October. Actinium hackers also targeted organizations that would coordinate international and humanitarian aid to Ukraine, it says in a new report.

    “Since October 2021, Actinium has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis,” Microsoft said.

    The Security Service of Ukraine (SSU), which heads up Ukraine’s counter-intelligence efforts, calls the group Armageddon. SSU has traced the group’s earliest activity to at least 2014 and says it focuses on intelligence gathering in Crimea, largely through phishing and malware. Armageddon is known for crude but brazen cyberattacks aimed at gathering intel from Ukraine security, defense and law enforcement agencies. Microsoft prioritized its report on Actinium’s recent activity as concerns mount over Russia’s apparent preparations to invade Ukraine.

    While perhaps not that sophisticated or stealthy, the group’s tactics are constantly evolving and do prioritize anti-malware evasion, according to Microsoft. It uses a range of targeted “spear-phishing” emails that employ remote document templates and remote macro scripts to infect only selected targets while minimizing the chance of detection by attachment-scanning anti-malware systems.

    “Delivery using remote template injection ensures that malicious content is only loaded when required (for example, when the user opens the document),” says Microsoft’s Threat Intelligence Center (MSTIC). “This helps attackers to evade static detections, for example, by systems that scan attachments for malicious content. Having the malicious macro hosted remotely also allows an attacker to control when and how the malicious component is delivered, further evading detection by preventing automated systems from obtaining and analyzing the malicious component.”

    The group also employs ‘web bugs’ that allow the sender to track when a message has been opened and rendered. Lure documents include ones impersonating the World Health Organization containing updates about COVID-19. The phishing attachments contain a payload that executes secondary payloads on a compromised device. It uses a range of ‘staging’ scripts such as heavily obfuscated VBScripts, obfuscated PowerShell commands, self-extracting archives, and LNK files, backed up by curiously named scheduled tasks in scripts to maintain persistence. Over a one-month period, Microsoft saw Actinium using over 25 unique domains and over 80 unique IP addresses to support payload staging and its command and control (C2) infrastructure, indicating they often modify their infrastructure to frustrate investigations. Most of its DNS records for the domains also change once a day, with the domains registered through the legitimate company registrar REG.RU.

    Microsoft confirmed it has observed the group using Pterodo malware to gain interactive access to target networks. In some cases, it also used the legitimate UltraVNC program for interactive connections to a target. Actinium’s other key piece of malware is QuietSieve, used for exfiltration of data from the compromised host, and to receive and execute a remote payload from the operator. Microsoft notes that Actinium rapidly develops a range of payloads with lightweight capabilities via obfuscated scripts that are used to deploy more advanced malware at a later stage. Agile development of these scripts, which Microsoft describes as “fast-moving targets with a high degree of variance”, helps evade antivirus detection. Examples of these downloaders include DinoTrain, DilongTrash, Obfuberry, PowerPunch, DessertDown, and Obfumerry.

    US, European and UK cybersecurity officials urged all organizations to shore up defenses following Microsoft’s warning in January that it had discovered destructive wiper malware on several Ukraine systems.
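As an added example, not code from Microsoft or from this article, the following Python check looks for the remote template injection described above: it opens a .docx as the zip package it is and flags an attachedTemplate relationship whose target is an external http(s) URL. The sample documents it builds are constructed in memory with a placeholder host (example.invalid), so it runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type that ties a Word document to an attached (.dotm) template,
# as defined in the OOXML (ECMA-376) package format.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes: bytes) -> list:
    """Return the remote URLs a .docx declares as its attached template.

    Remote template injection points this relationship at a web server, with
    TargetMode="External", so the macro-bearing template is only fetched when
    the document is opened. A benign file has no such part, or points at a
    local path such as Normal.dotm, so an http(s) target is the signal.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return found
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            external = rel.get("TargetMode", "Internal") == "External"
            if external and target.lower().startswith(("http://", "https://")):
                found.append(target)
    return found


def build_docx(template_target=None, external=False) -> bytes:
    """Build a minimal constructed .docx for exercising the check.

    Assumption: only the parts the detector reads are included; Word would
    want more, but the package layout and relationship syntax are the real ones.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?><Types xmlns='
            '"http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", "<document/>")  # stub body
        zf.writestr("word/settings.xml", "<settings/>")  # stub settings part
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            zf.writestr(
                SETTINGS_RELS,
                '<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}"{mode}/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a plain document, one with a local template, and one
    # whose template is fetched from a placeholder remote host.
    samples = {
        "plain.docx": build_docx(),
        "local-template.docx": build_docx("Normal.dotm"),
        "remote-template.docx": build_docx(
            "http://example.invalid/template.dotm", external=True),
    }
    for name, data in samples.items():
        hits = remote_templates(data)
        verdict = "SUSPICIOUS remote template" if hits else "no remote template"
        print(f"{name}: {verdict} {hits}")
```

The same relationship check can be applied to .dotm and .docm packages, which use the identical settings.xml.rels part.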


    Modified AirTags pose major privacy concerns, especially for Android users

    Apple AirTags are great. Attach one to an item you want to keep track of, and that’s then one less thing to worry about. I love AirTags. But they can be abused. Or, more specifically, they can be used to abuse people.

    AirTags are small and can easily be tucked into a bag, coat pocket, or car by people with bad intentions. And Apple knows this. Apple has taken a few steps to keep users safe. iPhones running the latest iOS software will warn users if a tag that’s not registered to them is traveling with them. Tags will occasionally emit a weak beep. There’s an app that Android users can download to scan for errant tags that they might have “acquired” from others (this app is far from being great, however, in my experience). But now there’s another threat facing people: third-party modified AirTags. And no, I won’t be providing links.

    I’ve come across a range of ways AirTags have been modified, from the speaker being disabled to AirTags being dismantled and put into different cases. Some of the modified AirTags look deceptively like regular AirTags, while others look nothing like them.

    First off, let me say that I don’t believe that modifying an AirTag is wrong, and I can see reasons why people might want an AirTag in a different shape or with the speaker disabled. But these create an increased risk of surreptitious tracking for people. AirTags that don’t beep — and let’s be honest that the beep from an AirTag is pretty weak at best — will go unnoticed by Android users not actively scanning for them. Without the beep, it might be challenging for even iPhone users to find them.

    I believe that Apple needs to do more to protect users. Here are some steps the company could take:

    • Make AirTags harder to modify, perhaps by filling them with epoxy or building them with tamper-proofing in mind.
    • Work with Google to bring comprehensive tag tracking to both iOS and Android (much like both companies worked together to build a COVID framework for contact tracing).
    • Introduce a way for users to report tags that might be being misused. How do you prevent this feature from being misused? That will require some thought.

    Bottom line, Apple and the rest of Big Tech need to do better. How simple it is to plant an AirTag on someone, how difficult they can be to find, how poor the Android app is, and how easy they are to modify are just the beginning of things that need to be addressed.

    What should you do if you find a tag tracking you? My advice would be to remove the battery and decide whether you’re going to go to the police or not. With the battery out, the tag is harmless; it gives you some time to think about what you want to do next. And if you’re someone planning to use an AirTag or similar device to track someone, be aware that you could be breaking any number of laws.


    PJCIS concerned TSSR's 'do your best' requirements are not enough anymore

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is looking to formalise the relationship between government and the nation’s telco providers as it says reliance on the current voluntary processes is insufficient. As it currently stands, under the Telecommunications Sector Security Reforms (TSSR), carriers need to “do their best” to protect their networks from unauthorised access or interference for the purpose of security, with carriers to notify the government of any changes to their services, systems, or equipment that could have a “material adverse effect” on their ability to comply with this duty.

    Although the committee said in its report that the highly regulated telcos are in a better position to handle security obligations from the critical infrastructure framework, formalisation was needed. “The regulatory concept of providers ‘doing their best’ to secure their networks in the national interest has served the Telco Act and the TSSR up until now, but the committee cannot be assured that a reliance on industry alone to counter threats is sustainable, nor that the Telco Act as a whole can continue to uphold the security requirements for the industry,” the report said.

    The main result of the TSSR thus far has been the banning of Huawei from 5G deployments in Australia, which the committee said showed the government was able to step in when needed but only occurred when a threat was “overwhelmingly evident”.

    “In considering the evidence provided, the committee formed the view that, in many instances, the onus was on industry to carry the burden of information sharing and communication with government — in part due to the TSSR regime’s inherent reliance on voluntary engagement. While there are certainly circumstances of these arrangements being adequate, it is the committee’s view that it is insufficient to rely on voluntary practices, and dialogue, notifications, threat and information sharing between industry and government should be formalised,” it said.

    To boost these efforts, the PJCIS has recommended the Department of Infrastructure, Transport, Regional Development and Communications work with the Cyber and Infrastructure Security Centre within Home Affairs to determine “industry best practice risk identification, management, and mitigation”.

    In an attempt to prevent telcos from having different interpretations of when notifications are needed — as demonstrated by Optus making up over half of all notifications — the committee wants a telecommunications security working group created that consists of representatives from the Communications department, Home Affairs, the telcos, the Australian Security Intelligence Organisation, and the Australian Signals Directorate. “This working group could set agreed standards and best practice principles to inform the work of the Cyber and Infrastructure Security Centre’s advice and resources,” the committee said. “The Committee recommends that the working group … be tasked with scoping agreed carrier licence conditions, service provider rules, and codes and standards for security of networks and systems.

    “These can then be used to guide the resources to be produced by that group and inform directions or information gathering powers exercisable by the Minister for Home Affairs under the existing provisions of Part 14 of the Telecommunications Act 1997.”

    The working group would also be consulted on any duplicate obligations that arise from the interaction of TSSR and the amended Security of Critical Infrastructure Act 2018 (SOCI Act) prior to any activation of obligations. “If agreed, and once activated, the duplicated obligations or other mechanisms in Part 14 of the Telecommunications Act 1997 should be repealed, or deactivated by relevant mechanisms, so as to avoid regulatory duplication on telecommunications entities,” the report said.

    In its report, the committee said that, as it conducted its review, it became clear the review had “significant crossovers” with the critical infrastructure review that was simultaneously taking place. “Calls for repeal of the TSSR or deactivation of duplicated obligations are reasonable from those affected, but the committee does not want to recommend repeal of any mechanisms that are in place and working to secure telecommunications in Australia. The importance of the sector to the nation is too strong to act in such a way without full consideration,” it said. “The committee trusts the assertions from government that any potential SOCI obligations will only be ‘switched on’ if the existing TSSR obligations are assessed as being unsuitable. However, the committee believes that this decision should be made in consultation with the potentially affected entities and is recommending that that occur through the working group.”

    Additionally, the committee recommended the Telco Act be amended to state that security is an object of the Act, and a “dedicated telecommunications security threat sharing forum” be created to allow ASIO and ASD to brief the telcos on threats to “the maximum classified level possible”. Although Huawei filed a submission to the review claiming Australia was isolating itself from “world’s best technology and innovation”, the Chinese tech giant declined an invitation to appear before the committee.


    FCC gets $5.6 billion in requests to access $1.9 billion pot for ripping out Huawei and ZTE

    The US Federal Communications Commission (FCC) said on Friday it has seen a “robust” response to its Secure and Trusted Communications Networks Reimbursement Program. Under the program, carriers that have under 10 million customers as well as some schools, libraries, and healthcare providers are able to access funds to rip out and replace network equipment and services from Huawei and ZTE, if they provide broadband services. For the purpose of the program, equipment would need to be capable of speeds above 200kbps in either direction. The fund was established with a pot of $1.9 billion, but the FCC has received requests amounting to $5.6 billion.

    “We’ve received over 181 applications from carriers who have developed plans to remove and replace equipment in their networks that pose a national security threat,” FCC chair Jessica Rosenworcel told Congress. “While we have more work to do to review these applications, I look forward to working with Congress to ensure that there is enough funding available for this program to advance Congress’s security goals and ensure that the US will continue to lead the way on 5G security.”

    Previously, the FCC said that in cases involving older networks, replacing like-for-like may not be possible, and instances such as ripping out an older mobile network to be replaced by LTE or 5G-ready equipment would be allowed. Those receiving the funds will not be able to replace microwave backhaul or fixed wireless links with fibre links, however. Additionally, applicants would be able to claim vendor travel expenses and salary costs of internal employees dedicated purely to the replacement program.

    The fund was first proposed in 2019, with the FCC officially designating Huawei and ZTE as national security threats in July 2020. Last month, the FCC removed the ability for China Unicom to operate in the US for national security reasons. “[China Unicom] is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight,” the commission said.