Information Technology

Brazil’s Ministry of Health has suffered a second cyberattack in less than a week, which has compromised various internal systems, including the platform that holds COVID-19 vaccination data.

ZDNet Recommends

Best security key 2021

While robust passwords go a long way to securing your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

The news emerged after a first major ransomware attack three days earlier, from which the department was still recovering. Confirming the second attack on Monday (13) evening, health minister Marcelo Queiroga said the latest event, which took place in the early hours of that same day, was smaller than the first attack. According to Queiroga, the department is working to recover the systems as soon as possible. However, he said the second attack means ConecteSUS, the platform that issues COVID-19 vaccine certificates, would not be back online today (14) as originally planned. Queiroga noted the attack had been unsuccessful and that no data had been compromised, but this second event “caused turmoil” and “got in the way” of bringing systems back online. The minister did not provide an estimate of when the impacted systems would be reestablished. The ministerial confirmation of the second cyberattack was preceded by a statement released by the Ministry of Health saying that Datasus, the department’s IT function, carried out a preventive systems maintenance exercise on Monday, meaning systems would be temporarily unavailable. The second attack meant civil servants had to be sent home on Monday since it was not possible to access the health ministry’s core systems, such as the platforms that generate reports relating to the COVID-19 pandemic. Also, last night, the Institutional Security Office (GSI) of the Brazilian government released a statement that confirmed new attacks against cloud-based systems run by government bodies had taken place. However, it did not specify which departments or services had been targeted. It added teams are being instructed to preserve evidence and that best practices around incident management are being followed.

In the first cyberattack, which became known on Friday (10), all websites under the Ministry of Health became unavailable. According to a message left by the Lapsus$ Group, which has claimed responsibility for the attack, some 50TB worth of data has been extracted from the MoH’s systems and subsequently deleted. Queiroga later said the department holds a backup for the supposedly accessed data in the cyberattack. According to the Federal Police, which is investigating the case, data on COVID-19 case notifications, as well as the broader national vaccination program, was compromised in the first attack, in addition to ConecteSUS. The National Data Protection Authority (ANPD) is also working on the case and has contacted the Institutional Security Office and the Federal Police to collaborate with the investigations. It also notified the Ministry of Health to provide clarifications on the case, as per Brazil’s general data protection rules. More

Top US government cybersecurity officials fear advanced hackers will have a field day with the Log4j vulnerability that’s likely present in hundreds of millions of devices.  Security experts are already seeing widespread scanning for the Log4j vulnerability (also dubbed ‘Log4Shell’) on internet-connected devices running vulnerable versions of Log4j version 2, which have been under attack since December 1, although the bug became common knowledge on December 9.  So far, Microsoft has seen attackers compromise machines to install coin miners, the Cobalt Strike pen-testing framework to enable credential theft and lateral movement, and exfiltration of data from compromised systems. LOG4J FLAW COVERAGE – WHAT YOU NEED TO KNOW NOW These attacks appear to be opportunistic cyber-criminal activity thanks to its ease of exploitation, but top officials at the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) fear “sophisticated actors” will also pounce on the bug soon.  “This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of CISA said in a call shared with CNN. Easterly has spent 20 years in various federal cybersecurity roles. “We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” she said. The call, with US critical infrastructure owners and operators, was first reported by CyberScoop.   Jay Gazlay of CISA’s vulnerability management office warned that hundreds of millions of devices are likely to be affected.

Log4J is a popular Java library for logging error messages in applications. It’s vulnerable to a critical flaw, tracked as CVE-2021-44228, that lets any remote attacker take control of another device on the internet, if it’s running Log4J versions 2.0 to 2.14.1. 

ZDNet Recommends

The remotely exploitable flaw is present in hundreds of major enterprise products, from the likes of Oracle, Cisco, RedHat, IBM, VMware and Splunk, and cloud features from Amazon Web Services and Microsoft Azure, as well as security appliances and developer tools. Google Cloud is investigating the impact of the Log4j bug on its products and services, and is working with VMware to deploy fixes to the Google Cloud VMware Engine. Google has updated WAF rules to defend against Log4j attacks.   The Apache Software Foundation has released version 2.15.0 to address the flaw, but product vendors still need to apply the fix in their products and then end-user customers need to update their devices once their vendor’s fix becomes available.           The flaw highlights known risks arising from software supply chains when a key piece of software is used within multiple products across multiple vendors and deployed by their customers around the world. LOG4J FLAW COVERAGE – HOW TO KEEP YOUR COMPANY SAFE It’s not a simple fix to address all vulnerable devices. As Sans Internet Storm Center notes: “There is no generic ‘log4j2′ patch to patch everything. In some cases, vendors including Log4j, need to patch their software to include the new version.” Rapid7 had a similar warning: “Organizations should be prepared for a continual stream of downstream advisories from third-party software producers who include Log4j among their dependencies.” SEE: Hackers are turning to this simple technique to install their malware on PCs Rapid7 itself has been investigating its products’ exposure to the Log4j bug and has deployed server-side fixes for several affected products.  Historically slow uptake of new security patches means attackers will likely have months if not years to find and exploit vulnerable devices, security experts warned this week.  The Log4j bug is internet-wide, prompting advisories from Australia, New Zealand, Canada, the UK, Sweden, Germany, Singapore, and elsewhere. Canada’s Revenue Agency took some services offline on Friday after learning of the flaw, according to CBC.   More

A ransomware attack has hit agencies and commissions within the Virginia legislature, according to a statement from the governor’s office to the Associated Press. Alena Yarmosky, spokesperson for Virginia Governor Ralph Northam, said the governor has been briefed on the attack, which currently affects Virginia’s Division of Legislative Automated Systems, the General Assembly’s IT agency. Yarmosky did not respond to requests for comment about the specifics of the attack. Legislative leaders in the state were emailed about the incident and told that hackers attacked the state systems on Friday. The website for the Division of Capitol Police was taken down by the attack and all of the internal systems for bill drafting or bill referrals were hit hard during the ransomware incident, according to The Associated Press. The Assembly’s voicemail system was down and many of the systems involved in budgeting were disrupted due to the attack. The Virginia Law Portal is also down because of the attack. The FBI and other law enforcement agencies are now involved. Cybersecurity firm Mandiant took to Twitter to confirm that they are assisting in response to the incident. Yarmosky told The Washington Post that the ransom note received by the agencies provided little information. Most of the organization’s servers were shut down to stop the spread of the ransomware. The Richmond Times-Dispatch reported that the attack began at the Department of Legislative Automated Systems on Sunday before spreading to “almost all legislative branch websites.” The only things spared were the Legislative Information System on the General Assembly site and the executive branch agencies.

In September, the Virginia Defense Force and the Virginia Department of Military Affairs revealed that they were impacted by a cyberattack in July. Ransomware groups have made millions from attacking local governments at the city, county and state level. Experts told The Washington Post in August that for 2020, at least 2,354 governments, healthcare facilities and schools across the US were hit with ransomware. Dozens of local governments have opted to pay ransomware actors to get their systems back. After being attacked by the Ryuk/Conti gang, Jackson County, Georgia; Riviera Beach, Florida; and LaPorte County, Indiana paid ransoms ranging from $130,000 to nearly $600,000.   More

A new data strategy was announced by the federal government on Tuesday morning, outlining a goal for Australia to have a modern, data-driven society by 2030. The data strategy, a first for Australia, will focus on initiatives based around maximising the value of data, trust and protection, and enabling data use. The strategy sits alongside an action plan that sets out those initiatives and their expected delivery timeframes up to 2025. At the end of 2025, the federal government will then update the data strategy to implement new initiatives up to 2030, said Stuart Robert, the Minister responsible for digital transformation. Robert said the strategy was developed in consultation with private, research, and not-for-profit sectors. “The data strategy is part of our commitment to deliver better services to all Australians, and it will power our national ambition to become a modern, data-driven society by 2030,” Robert said. In relation to the strategy’s focus of maximising the value of data, the government will look to create a new “front door” for accessing Australian government open data, communicating about data better, and implementing the Data Availability and Transparency Scheme. “Access to the right data and analytics can help government and private decision-makers tailor how they deliver these services. For example, Census data can not only be used to identify where services are needed, but also how to best tailor those services for the needs of Australians,” the strategy outlines.

Practically, this will entail transitioning the data.gov.au website to become the “one-stop shop” for all Australians interacting with Australian government data by the end of next year. On the trust and protection front, the strategy has called for the continued expansion of the consumer data right, as well as a review of the Privacy Act to see whether its enforcement mechanisms are fit for purposes in the digital age. The AU$40 million investment into extending the National Disability Data Asset announced last week also falls under the strategy’s scope. Other initiatives within the data strategy include measuring the data maturity of government agencies, developing guidance on embedding data professional roles within all parts of Australian government agencies, investigating new and enhanced data collection and reporting methods, and establishing a new International Data Policy function within the Australian Public Service. The national data strategy’s release comes a fortnight after the federal government updated its digital government strategy, which saw it place more emphasis on uplifting digital ecosystems and reusing technologies to deliver more value for money. When the digital government strategy refresh was announced, the federal government had been receiving backlash by a Senate committee for its lack of progress in auditing its IT capabilities, especially as it did not have a central data collection process related to IT expenditure across government.   Related Coverage More

For those unable to patch the Apache Log4Shell vulnerability, cybersecurity firm Cybereason has released what they called a “fix” for the 0-day exploit. Cybereason urged people to patch their systems as soon as possible, but for those who cannot update their systems or do so immediately, they have created a tool they are calling “Logout4shell.”

Log4j coverage

It is freely available on GitHub and Cybereason said it “is a relatively simple fix that requires only basic Java skills to implement.” “In short, the fix uses the vulnerability itself to set the flag that turns it off. Because the vulnerability is so easy to exploit and so ubiquitous—it’s one of the very few ways to close it in certain scenarios,” said Yonatan Striem-Amit, CTO of Cybereason. “You can permanently close the vulnerability by causing the server to save a configuration file, but that is a more difficult proposition. The simplest solution is to set up a server that will download and then run a class that changes the server’s configuration to not load things anymore.”The “vaccine” garnered a mixed response from experts, some of whom praised the company for stepping up while others said it wasn’t nearly enough to protect those affected by the vulnerability. Dr. Richard Ford, CTO of Praetorian, said the Log4j vulnerability can be subtle, and while it is sometimes revealed with simple scanning, it is also frequently found buried deep in customer infrastructure, where it can be trickier to trigger. “For this reason, I am concerned that some of the well-meaning responses I’ve seen from the industry can cause longer-term problems. In the case of Logout4Shell, it’s not always as trivial to exploit as entering a simple string into ‘a vulnerable field.’ Knowing which field is vulnerable can be tricky, and with many folks now filtering traffic en route knowing your string even reached the server intact is not trivial,” Ford explained.

“If we inadvertently give a customer the impression that just popping ${$jnfi… into a string is good enough, folks could end up with a false sense of security. In addition, generically patching a server could have unpleasant unintended consequences, and it’s up to customers to figure out what risks they can tolerate in a production system. Cybereason’s tool is an interesting approach, but would not recommend a customer solely rely on it.”Randori’s Aaron Portnoy said hot patching solutions such as this can be effective stop-gap mitigations, but this solution will only be effective for the lifetime of the Java Virtual Machine. “If the application or the system restart, the ‘vaccine’ would need to be re-applied. The best remediation is to upgrade the log4j2 library and apply default-deny firewall rules on outbound traffic for systems that may be susceptible,” Portnoy said. Bugcrowd CTO Casey Ellis noted that to run this without permission on someone else’s infrastructure “is almost certainly in violation of anti-hacking laws like the CFAA, which creates legal risk regardless of whether the intent is benevolent or malicious.” “While folks may be well-intentioned, it’s important for them to understand the legal risk it creates for them. It’s a similar technique to what the FBI and DOJ did earlier in the year to mitigate HAFNIUM web shells on Exchange servers, only the FBI had the legal blessing of the DOJ,” Ellis said. “Aside from that, I quite like the ‘chaotic good’ nature of this solution – especially given the chaos organizations are experiencing in finding all of the places that log4j might exist within their environment. The script basically takes the workaround first flagged by Marcus Hutchins which disables indexing and then uses the vulnerability itself to apply it. The fact that solutions like this are coming out so quickly is telling regarding the ubiquity of this vulnerability, the complexities of applying a proper patch, and the sheer number of ways that it can be exploited.”Ellis added that the tool’s effectiveness is limited because it does not work for versions prior to 2.10, requires a restart, and the exploit must fire properly in order to be effective. Even when it does run properly, it still leaves the vulnerable code in place, Ellis explained. Because of the complexity of regression testing Log4j, Ellis said he already heard from a number of organizations that are pursuing the workarounds contained in the Cybereason tool as their primary approach. He expects at least some to use the tool selectively and situationally but said it is critical to understand that this isn’t a solution – it’s a workaround with a number of limitations. “It has intriguing potential as a tool in the toolbox as organizations reduce log4j risk, and if it makes sense for them to use it, one of the primary reasons will be speed to risk reduction,” Ellis said.  More

Cybersecurity experts believe CVE-2021-44228, a remote code execution flaw in Log4j, will take months, if not years, to address due its ubiquity and ease of exploitation.

Log4j coverage

Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, said Log4Shell “now firmly belongs in the same conversation as Shellshock, Heartbleed, and EternalBlue.” “Attackers began by almost immediately leveraging the bug for illegal crypto mining, or using legitimate computing resources on the Internet to generate cryptocurrency for financial profit… Further exploitation appears to have pivoted towards theft of private information,” Povolny told ZDNet.”We fully expect to see an evolution of attacks.”Also: Log4j zero-day flaw: What you need to know and how to protect yourselfPovolny added that the vulnerability’s impact could be enormous because it is “wormable and could be built to spread itself.” Even with a patch available, there are dozens of versions of the vulnerable component.Due to the sheer number of observed attacks already, Povolny said it was “safe to assume many organizations have already been breached” and will need to take incident response measures. 

“We believe log4shell exploits will persist for months if not years to come, with a significant decrease over the next few days and weeks as patches are increasingly rolled out,” Povolny said.  Since December 9, Sophos senior threat researcher Sean Gallagher said the attacks using the vulnerability evolved from attempts to install coin miners — including the Kinsing miner botnet — to more sophisticated efforts.”The most recent intelligence suggest attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts. There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks,” Gallagher said. Paul Ducklin, principal research scientist at Sophos, added that technologies, including IPS, WAF, and intelligent network filtering, are all “helping to bring this global vulnerability under control.” “The very best response is perfectly clear: patch or mitigate your own systems right now,” Ducklin said. Dr. Richard Ford, CTO at Praetorian, explained that because exploiting the vulnerability often does not require authentication or special access, it has exposed an incredible array of systems. “There are even unconfirmed reports that simply changing your phone’s name to a particular string can exploit some online systems,” Ford said. Ford and his company’s engineers said it is “one of the largest exposures [they] have seen at internet scale.” Also: Log4j RCE activity began on December 1 as botnets started using vulnerabilityOther experts who spent the weekend watching the vulnerability said hackers got to work almost immediately in exploiting the flaw. Chris Evans, CISO at HackerOne, said they have gotten 692 reports about Log4j to 249 customer programs, noting that major companies like Apple, Amazon, Twitter, and Cloudflare have all confirmed that they were vulnerable. “This vulnerability is scary for a few reasons: Firstly, it’s really easy to exploit; all the attacker has to do is to paste some special text into various parts of an application and wait for results. Secondly, it’s hard to know what is and isn’t affected; the vulnerability is in a core library that is bundled with many other software packages, also making remediation more complicated. Thirdly, it’s likely that many of your third-party vendors are affected,” Evans said. Imperva CTO Kunal Anand said that since rolling out updated security rules more than 13 hours ago, the company observed more than 1.4 million attacks targeting CVE-2021-44228. “We’ve observed peaks reaching roughly 280K attacks per hour. As with other CVEs in its class, we expect to see this number grow, especially as new variants are created and discovered over the coming days and weeks,” Anand said.  More

HR management platform Kronos has been hit with a ransomware attack, revealing that information from many of its high-profile customers may have been accessed. UKG, Kronos’ parent company, said the vital service will be out for “several weeks” and urged customers to “evaluate and implement alternative business continuity protocols related to the affected UKG solutions.”  

In a statement to ZDNet, UKG said it “recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud,” which they said “houses solutions used by a limited number of our customers.” “We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services,” the company said.The statement comes hours after the company posted a message on the Kronos community message board, explaining that staff  noticed “unusual activity impacting UKG solutions using Kronos Private Cloud” on Saturday night. This private cloud houses data for UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions.”At this time, we are not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud,” Kronos’ executive vice president Bob Hughes wrote. The attack caused a stir online, with some cybersecurity experts reporting multiple messages from companies that could no longer process payroll as of Monday morning due to the outage. 

Other sources said the outage would cause them to miss payroll for this week — a harrowing idea considering how close Christmas is — while many are scrambling to find alternative solutions. Many organizations use Kronos to organize timesheets, meaning schedules for the next few weeks will be thrown into disarray by the outage. “Every time they call in for help, they get a different answer about what is going on,” the source said, adding that in one initial call, the Kronos representative did not even know a ransomware attack had occurred. Kronos’ work management software is used by dozens of major corporations, local governments, and enterprises, including: the City of Cleveland’s government, Tesla, Temple University, Winthrop University Hospital, Clemson University, and UK supermarket chain Sainsburys. The City of Cleveland sent out an urgent message on Monday, telling WKYC that UKG contacted them and other clients to tell them that the ransomware attack may have compromised employee information like names, addresses, social security numbers, and employee IDs.Ransomware expert Allan Liska criticized how the conversation about the attack is playing out online. “Some people on Twitter are blaming the small businesses, who are victims here, for not having a backup plan in place for payroll. I feel that’s crap; you are outsourcing your payroll to a company that is supposed to have contingency plans in place for you,” Liska said.The company would not answer questions about which ransomware group was behind the attack.  More

The Tracker Detect app after scanning for nearby AirTags and other Find My devices. 
Jason Cipriani/ZDNet

In a move aimed at increasing users’ privacy, Apple has released… an Android app? That’s right. Tracker Detect allows anyone with an Android phone or tablet to scan their nearby surroundings for rogue AirTags or other Find My-equipped tracking devices, as reported by CNET. The potential for AirTags and similar devices to be used to track and locate unsuspecting people raised privacy concerns when AirTags was first released. The small trackers rely on nearby Apple devices to anonymously crowdsource their location, making it possible for someone to place an AirTag in a car or bag and retain the ability to view its current location. AirTags will begin to beep every few minutes after they’ve been disconnected from the owner for an unspecified amount of time as a way to alert those nearby that the AirTag is present. Additionally, if your iPhone detects an unknown AirTag is traveling with you, it’ll alert you and walk you through identifying who it belongs to or disabling it. The latter protection is something that Android owners didn’t have access to until now. Once you install Tracker Detect from the Play Store you’re presented with a simple screen that gives you an option to scan nearby. The app will then look for any unknown devices and present you with the option to play a sound on the device, along with instructions for scanning the tag to see who it belongs to or removing the battery to disable it. While the app requires you to proactively scan for tracking devices, instead of passively scanning for devices in the background, it’s a step in the right direction for elevating privacy and tracking fears. The way the app currently works means that if constantly scanned in the background you’d constantly receive alerts for any nearby devices — something that could get rather annoying if you’re traveling through an airport and an alert for every AirTag in a nearby suitcase or backpack. If you’re an Android user, what do you think of Tracker Detect? Does it do enough? Or not enough? Let us know in the comments below.  More