More stories


    Log4j flaw: 10 questions you need to be asking

    The UK National Cyber Security Centre (NCSC) is urging company boards to start asking key questions about how prepared they are to mitigate and remediate the widespread, critical Log4Shell flaw in Log4j, the Java-based application logging component. NCSC calls Log4Shell “potentially the most severe computer vulnerability in years” and has called on company boards to treat this bug with urgency. It stresses that Log4j, the library affected by Log4Shell, is a software component rather than a standalone piece of software, which means it will be much more complicated to patch. Log4Shell is bad news today and will likely lurk in enterprise systems for years despite major efforts from the US government, big tech and open-source contributors to address flaws in the original Log4j version 2 project, its implementation in major software products, and its deployment in hundreds of millions of enterprise applications, servers and internet-facing devices.

    There are ongoing efforts via the Apache Foundation to patch the core Log4j project, as well as downstream efforts by IBM, Cisco, Oracle, VMware and others to patch products containing vulnerable versions of the Log4j component. Google has also released tools to prevent developers from using vulnerable Log4j versions in new builds of open-source software. And the US government has ordered all federal agencies to patch or mitigate Log4Shell by Christmas.

    The urgency is justified. State-sponsored hackers have started scoping out the bug for potential future attacks, according to Microsoft and Google, while cyber criminals are figuring out how to profit from it. Meanwhile, the Belgian Ministry of Defense confirmed an attack on its network using the Log4j bug.

    Key challenges NCSC outlines include organizations finding out what services use Log4j; identifying which of these services an organization uses; and then finding out whether those services are vulnerable. CISA has already required all US federal agencies to enumerate any external-facing devices with Log4j installed. That’s no small task, especially given the number of affected products from Cisco, IBM, Oracle and VMware. Because of the component’s widespread use in other products, CISA estimates hundreds of millions of devices worldwide are exposed.

    “How concerned should boards be?” NCSC asks.

    Very, unless a business can afford disruptions to its operations from ransomware. While Microsoft has not found instances of the more dangerous human-operated ransomware using the vulnerability, it has seen Iranian threat actors tooling up to use it for ransomware attacks. NCSC has posed 10 questions for boards worried about the flaw:

    • Who is leading on our response?
    • What is our plan?
    • How will we know if we’re being attacked and can we respond?
    • What percentage visibility of our software/servers do we have?
    • How are we addressing shadow IT/appliances?
    • Do we know if key providers are covering themselves?
    • Does anyone in our organisation develop Java code?
    • How will people report issues they find to us?
    • When did we last check our business continuity plans and crisis response?
    • How are we preventing teams from burning out?

    Boards should also consider Log4Shell’s impact if the business needs to disclose that personal data was affected, as well as any costs linked to incident response and recovery, and damage to reputation. “Managing this risk requires strong leadership, with senior managers working in concert with technical teams to initially understand their organisation’s exposure, and then to take appropriate actions.”

    NCSC says Log4Shell warrants organizations creating a “tiger team” of core staff, including a leader, to address the threat. Boards should also ask “what’s our plan?” and understand how Log4j issues will be remedied. Boards should understand this will take weeks or months to remediate, not days.

    Boards should know how the company is prepared to respond to a Log4Shell attack if and when it happens, and whether the company can detect such an attack if it were to take place. NCSC stresses that boards should understand what visibility their teams have of vulnerable software and servers, including IT assets that are centrally managed and unmanaged.

    The software supply chain is another key consideration. NCSC recommends organizations have an “open and honest conversation” with software-as-a-service suppliers that may also be trying to get a grip on which of their products are affected. Java is a hugely popular programming language in enterprise IT that’s used by an estimated 12 million developers worldwide. “Java developers may have legitimately used Log4j, so it’s important to ensure that any software written is not vulnerable,” NCSC notes. As it has previously noted, Log4j version 2 (Log4j2) ships with popular Apache frameworks including Struts2, Solr, Druid, Flink, and Swift.

    Finally, after two years of supporting remote work during the pandemic, a year of professional ransomware attacks and state-sponsored attacks on the software supply chain, and the critical Exchange Server zero-day vulnerabilities, NCSC is warning that some cybersecurity teams could suffer burnout during Log4Shell remediation. This is a board-level concern. “Remediating this issue is likely to take weeks, or months for larger organisations. The combination of an ever evolving situation (and the potential for severe impacts) can lead to burnout in defenders, if they’re not supported by leadership,” NCSC stressed.


    Police found 225 million stolen passwords hidden on a hacked cloud server. Is yours one of them?

    The UK National Crime Agency (NCA) and National Cyber Crime Unit (NCCU) have discovered a cache of 225 million stolen emails and passwords and handed them to HaveIBeenPwned (HIBP), the free service for tracking credentials stolen and/or leaked through past data breaches. The 225 million new passwords become part of HIBP’s existing body of 613 million passwords in the Pwned Passwords set, which offers website operators a hash of each password so they can ensure users don’t reuse them when creating a new account. Individuals can use HIBP’s Pwned Passwords page to see whether their passwords have been leaked in previous breaches.


    The service helps organizations meet NIST’s recommendation that users should be prevented from using any password that was previously exposed in a breach. That requirement aims to address the increasing use of “credential stuffing”, where criminals test large lists of leaked and commonly used username and password combinations against various online accounts. The technique has been used to compromise 50,000 online bank accounts since 2017, the FBI warned last year, and works because many people still use the same password to protect multiple accounts; if any of the accounts protected with the shared password is breached, the person’s other accounts become vulnerable to credential stuffing. The technique became a problem a decade ago after billions of credentials were leaked online following major data breaches, giving attackers huge credential data sets to test against accounts of varying importance, ranging from online game accounts to bank accounts and employee accounts. NCA and NCCU came across the cache of stolen credentials at a compromised but unnamed cloud storage facility.

    “During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility,” the NCA said in a statement to HIBP. “Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown. The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other 3rd parties to commit further fraud or cyber offences.”

    The NCA told the BBC that last year, working with UK police, it identified that there had been a compromise of a UK organisation’s cloud storage facility, leading to over 40,000 files being uploaded to its servers by cyber criminals. Among these files was the collection of compromised emails and passwords.

    NCA handed the compromised passwords to HIBP’s operator, Troy Hunt, who verified NCCU’s findings that the passwords were not in the existing Pwned Passwords data set. New passwords included in the cache, he said, included: flamingo228Alexei200591177700123Testsaganesq

    “The NCCU’s Mitigation@Scale team conducted a comparison of the compromised data against the HIBP password repository to identify any previously unseen passwords now in the public domain,” NCA said.

    Organisations can download the hashed data set in SHA-1 format in a compressed 17.2GB file. It’s the first version to include a regularly updated list of compromised credentials that law enforcement, such as the FBI, discover during investigations. Hunt stressed the passwords supplied to HIBP by the FBI and NCA are not for his service but for the community, since the data set can be used by anyone to meet NIST’s recommendations to mitigate credential stuffing.

    “Today’s release brings the total Pwned Passwords count to 847,223,402, a 38% increase over the last version. More significantly, if we take the prevalence counts into consideration that’s 5,579,399,834 occurrences of a compromised password represented in this corpus,” explains Hunt.


    Cybersecurity company identifies months-long attack on US federal commission

    The United States Commission on International Religious Freedom (USCIRF) has been hit with a cyberattack, according to cybersecurity firm Avast. Avast did not identify the federal agency affected, but The Record was able to determine it was the USCIRF. The Cybersecurity and Infrastructure Security Agency (CISA) declined to comment on the attack and said all requests for more information should go to USCIRF. USCIRF did not respond to requests for comment. Created in 1998, USCIRF describes itself as a US federal government commission that monitors the right to freedom of religion or belief abroad. “USCIRF uses international standards to monitor religious freedom violations globally, and makes policy recommendations to the President, the Secretary of State, and Congress,” the organization said on its website. In Avast’s report, the company said attackers were able to compromise systems on USCIRF’s network in a way that “enabled them to run code as the operating system and capture any network traffic traveling to and from the infected system.” The report notes that there is evidence that the attack was carried out in multiple stages and may have involved “some form of data gathering and exfiltration of network traffic.”

    “Further because this could have given total visibility of the network and complete control of an infected system it is further reasonable speculation that this could be the first step in a multi-stage attack to penetrate this, or other networks more deeply in a classic APT-type operation,” Avast said. “That said, we have no way to know for sure the size and scope of this attack beyond what we’ve seen. The lack of responsiveness is unprecedented and cause for concern. Other government and non-government agencies focused on international rights should use the IoCs we are providing to check their networks to see if they may be impacted by this attack as well.”

    Avast said the attack has been going on for months, yet USCIRF and CISA refused to engage with the company when notified. Avast says it tried multiple channels over the course of months to help resolve the issue but was ignored after initial communications. “The attempts to resolve this issue included repeated direct follow up outreach attempts to the organization. We also used other standard channels for reporting security issues directly to affected organizations and standard channels the United States Government has in place to receive reports like this,” Avast explained. “In these conversations and outreach we have received no follow up or information on whether the issues we reported have been resolved and no further information was shared with us. Because of the lack of discernible action or response, we are now releasing our findings to the community so they can be aware of this threat and take measures to protect their customers and the community.”

    An Avast spokesperson told ZDNet that after the report was published, the company was contacted by CISA. The company acknowledged that its analysis was based on two files it observed in the attack and noted that without more information from USCIRF, it was hard to know who the attackers are, what their motive is and the potential impact of the attack.

    The Avast spokesperson said that with the ability to intercept and possibly exfiltrate all local network traffic from USCIRF, the backdoor “had the potential to give the attackers total visibility of the network including information exchanged with other agencies, or international governmental or non governmental organizations, and complete control of the agencies’ system.” “Fixing the issue therefore is essential, however since the agency didn’t respond to us, we can’t tell whether the issues we reported have been resolved,” the spokesperson said. “Taken altogether, this attack could have given total visibility of the network and complete control of a system and thus could be used as the first step in a multi-stage attack to penetrate this, or other networks more deeply.”

    It has been about one year since the SolarWinds attack, in which hackers working for the Russian government spent months inside the systems of multiple US government agencies, including the Justice Department, Treasury Department, Department of Homeland Security, State Department and Department of Energy.


    Belgian Defense Ministry confirms cyberattack through Log4j exploitation

    The Belgian Ministry of Defense has confirmed a cyberattack on its networks that involved the Log4j vulnerability. In a statement, the Defense Ministry said it discovered an attack on its internet-connected computer network on Thursday. It did not say whether it was a ransomware attack but explained that “quarantine measures” were quickly put in place to “contain the infected elements.”


    “Priority was given to the operability of the network. Monitoring will continue. Throughout the weekend, our teams were mobilized to contain the problem, continue our operations and alert our partners,” the Defense Ministry said. “This attack follows the exploitation of the Log4j vulnerability, which was made public last week and for which IT specialists around the world are jumping into the breach. The Ministry of Defense will not provide any further information at this stage.”

    Multiple reports from companies like Google and Microsoft have indicated that government hacking groups around the world are leveraging the Log4j vulnerability in attacks. According to Microsoft, state-sponsored hackers from China, Turkey, Iran and North Korea have started testing, exploiting and using the Log4j bug to deploy a variety of malware, including ransomware. A number of reports have noted that since the vulnerability was discovered nearly two weeks ago, cybercriminal groups have sought not only to use it to gain a foothold in networks but to sell that access to others, including governments. Governments around the world have urged agencies and organizations to patch their systems or put mitigations in place in order to avoid attacks and breaches. The US Cybersecurity and Infrastructure Security Agency ordered all federal civilian agencies to patch systems before Christmas, and Singapore held emergency meetings with critical information infrastructure sectors to prepare them for potential Log4j-related threats.

    Centre for Cybersecurity Belgium spokesperson Katrien Eggers told ZDNet that it too sent out a warning to Belgian companies about the Apache Log4j software issue, writing that any organization that had not already taken action should “expect major problems in the coming days and weeks.” “Because this software is so widely distributed, it is difficult to estimate how the discovered vulnerability will be exploited and on what scale,” the Centre for Cybersecurity Belgium said, adding that any affected organizations should contact it. “It goes without saying that this is a dangerous situation.”


    Cybersecurity company ZeroFox acquires IDX, merges with L&F to create $1.4 billion entity

    SaaS cybersecurity company ZeroFox said on Monday that it has completed a deal to acquire digital privacy protection platform IDX and merge with special purpose acquisition company L&F Acquisition Corp. to create a new entity with an expected equity value of approximately $1.4 billion. The company will be renamed ZeroFox Holdings once the deal goes through and will trade under the ticker symbol “ZFOX.” The companies expect the deal to close in the first half of 2022. Monarch Alternative Capital LP and several other firms are also investing $170 million in the deal to merge the companies.

    James Foster, chairman and CEO of ZeroFox, said the transaction allows the company to create “the industry’s first publicly traded company that is focused on providing an enterprise external cybersecurity SaaS platform.” “We intend to leverage this growth capital to continue investing in our artificial intelligence capabilities, scaling our go-to-market efforts, and expanding our world-class team,” Foster said. The company was founded in 2013 and now has customers in more than 50 countries. Foster told ZDNet that the merger is the company’s best path forward in the current market environment because it provides all the benefits that come from an IPO and being traded on the New York Stock Exchange, without requiring it to go through a traditional IPO process, which he called “restrictive, time-consuming, costly and uncertain.”

    “Becoming a publicly traded company is the logical next step to supporting our development and accelerating our growth. This new source of capital will provide greater financial flexibility, in addition to the necessary scale and resources to effectively execute against our go-to-market strategy,” Foster explained, adding that IDX is “the nation’s largest provider of data breach response services.” “The combined SaaS business will have over 650 employees and serve approximately 1,700 customers including five of the Fortune Top 10 and the largest companies in media, technology, retail, and energy. Collectively, over 90% of our revenues will be recurring platform subscriptions. The platform will process billions of data elements and protect tens of millions of digital assets around the world.” IDX CEO Tom Kelly said the deal with ZeroFox is the result of a long-standing partnership between the two companies. Adam Gerchen, CEO of LNFA and a new ZeroFox board member, noted that the company is aiming to get a slice of the $51 billion external cybersecurity and digital protection market.



    After ransomware attack, global logistics firm Hellmann warns of scam calls and mail

    German logistics giant Hellmann has warned its customers and partners to be on the lookout for fraudulent calls and mail after the company was hit with a ransomware attack two weeks ago. In an update about the cyberattack, which initially forced it to sever all connections to its central data center, the company said business operations are back up and running but the “number of so-called fraudulent calls and mails has generally increased.” “The forensic investigation has meanwhile confirmed that data was extracted from our servers before our systems were taken offline on December 9. We are currently investigating what type of data was extracted and will proactively provide further information as soon as possible. We are in regular contact with relevant government authorities,” Hellmann said.

    “Whilst communication with Hellmann staff via email and telephone remains safe (inbound and outbound), please make sure that you are actually communicating with a Hellmann employee and beware of fraudulent mails/calls from suspicious sources, in particular regarding payment transfers, change bank account details or the like.”

    When news of the attack first broke on December 9, the company said the shutdown was having a “material impact” on its business operations. The German company operates in 173 countries, running logistics for a range of air and sea freight as well as rail and road transportation services. Air Cargo News, which first reported the attack, said the company had revenue of nearly $3 billion last year.

    BleepingComputer reported last week that ransomware group RansomEXX has claimed responsibility for the attack. After negotiations with Hellmann fell apart, the group published 70.64 GB of stolen documents on its leak site, including business agreements, intra-company emails, and more, the outlet explained. It added that the leaks explained the increase in scam calls.

    In February, the criminal group that deploys the RansomEXX ransomware was caught abusing vulnerabilities in the VMware ESXi product, allowing it to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives. The group was also identified by the FBI in November as one of the ransomware groups that use “significant financial events” as leverage during their attacks. “Ransomware groups are using events like mergers and acquisitions to target companies and force them into paying ransoms,” the FBI said. “A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network indicating an interest in the victim’s current and near-future stock share price. These keywords included 10-q, 10-sb, n-csr, nasdaq, marketwired, and newswire.”


    $30 million stolen from Grim Finance, audit firm blames new hire for vulnerability

    DeFi protocol Grim Finance said about $30 million was stolen this weekend by hackers exploiting a vulnerability in its platform. In a statement posted to Twitter on Saturday, Grim Finance said “an advanced attack” was taking place and initially paused all vaults to prevent further attacks.

    “The exploit was found in the vault contract so all of the vaults and deposited funds are currently at risk,” the company explained on Saturday night. “We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers.”

    Solidity Finance, a DeFi auditing firm, released an apology for missing the vulnerability that led to the incident. It audited Grim Finance just four months ago. The company said the cause of the issue was “the ability of users to input arbitrary addresses and have them called within the depositFor function.” “Via reentrancy, the issue allowed users to falsely increase their shares in Grim’s vaults and subsequently withdraw more than they had deposited,” Solidity Finance wrote on its website before linking to a longer Twitter thread in which it said a new analyst missed the vulnerability while the firm’s CTO was on vacation. “This audit was performed by an analyst who was new to the team… unfortunately this issue was not caught in our peer review process.”

    The thread goes on to explain the technical details of the attack and said the code that was exploited was present in multiple vaults, resulting in a loss of funds across the platform’s vaults. Some DeFi security experts noted that having a before-after pattern without a reentrancy guard “is a big no-no.” RugDoc.io explained that a “before-after pattern is a section of code that checks the vault balance before and after your deposit to figure out how much was actually received by the vault.” “This helps with transfer-tax tokens where the amount sent does not equal the amount received. However, what happens if we can do a second deposit while the first deposit is still ongoing?” RugDoc.io wrote, adding that Grim Finance did not have a “reentrancy guard on a pattern that absolutely needs it” and gave users more privilege than necessary.

    Solidity Finance said it regularly recommends fixing this issue but it “slipped through” the firm’s process while it was “overwhelmed and onboarding new analysts in August.” The firm has scanned all of its earlier audits and confirmed that Grim Finance had the only codebase where the vulnerability was present. Of the 900 audits it has done, Grim becomes the second exploit it has missed, according to its records.

    The attack on Grim Finance adds to a whirlwind year for DeFi hacks. Last week, more than $77 million was stolen from AscendEX. Days before that, blockchain gaming company Vulcan Forged said around $140 million had been stolen from its users. Crypto trading platform BitMart suffered a devastating attack that caused about $200 million in losses. Just last month, cybercriminals stole about $120 million from DeFi platform Badger. Other attacks in 2021 include thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September. In May, about $200 million was stolen from the PancakeBunny platform. The Record and Comparitech keep running tallies of cyberattacks on cryptocurrency platforms, noting recent attacks on Liquid, EasyFi, bZx, and many other platforms.


    Ruled by algorithms, gig workers remain powerless against automated decision-making

    Gig workers are being denied access to their personal data outright and are unable to challenge the outcome of automated decision-making systems
    “Weakly enforced” data protection laws have resulted in “woefully inadequate levels of transparency” around the use of algorithmic surveillance and decision-making systems in the gig economy, according to a report. A study published by the Worker Info Exchange (WIE), a campaign group advocating workers’ rights to the data held on them by employers, warned that gig workers were being subjected to unfair profiling and discrimination by automated systems that aimed to “maintain exploitative power” over them. The report, titled Managed by Bots: Data-Driven Exploitation in the Gig Economy, found that gig workers were routinely denied access to personal data held on them by companies that use machine-learning tools to allocate work and manage employees.


    WIE also accused platform employers of withholding performance and surveillance data “behind the label of anti-fraud prevention” and exploiting current data protection laws to “rubber-stamp unfair machine-made decisions”, leaving gig workers powerless to challenge them. Platform companies are operating in a space where they believe they can make the rules, said Bama Athreya, Fellow at the Open Society Foundations. “Unfortunately, this isn’t a game; virtual realities have harsh consequences for gig workers in real life.” WIE’s report comes on the back of growing concerns about the prevalence of algorithmic surveillance and decision-making technologies in the workplace, particularly since the start of the COVID pandemic.

    A November 2021 study by workers’ union Prospect found that a third of employees reported being subjected to some form of monitoring by their employers. Electronic monitoring and surveillance systems were also the subject of a report by the European Commission’s Joint Research Council (JRC), which warned of significant “psycho-social risks” to gig workers who were routinely subjected to automated decision-making and surveillance. Kirstie Ball, the University of St Andrews professor who authored the report, said excessive and intrusive monitoring also threatened to erode employer-employee relationships unless workers were granted greater insight into how their data was used and human agents played a greater role in overseeing machine-made decisions.

    WIE’s report said platform companies often used legal loopholes to excuse them from meeting certain employer obligations or paying tax or national insurance contributions. This has allowed many of these companies to become industry disruptors by enabling them to “rapidly scale and build competitive advantage from an excess supply of unpaid and underpaid workers who wait for work, while depressing their own wages.” Potential changes to the UK’s compliance with Europe’s General Data Protection Regulation (GDPR), which would give employers more discretion over how they respond to data access requests and lessen their obligation to prepare data protection impact assessments around the processing of sensitive data, also present “a hammer-blow” to gig workers’ employment rights. “In the UK, these already weak digital rights for workers will be fatally compromised if the government’s proposals on GDPR divergence are passed into law,” said the report. “All of these problems are aggravated by the failure of platforms to respect the digital rights of workers. Our report shows woefully inadequate levels of transparency about the extent of algorithmic management and automated decision making workers are subject to in the gig economy.”

    Getting their cases through the courts presents another challenge to gig workers, the report said. As a result, wider recognition of the issues presented by the gig economy, specifically at government level, is lacking. “Even where worker rights have been asserted, such as in the UK, there has been no wider enforcement by the government. This leaves workers with few alternatives to litigation, if they have the resources to do so,” the report said. “That is why workers must improve their bargaining power through organising and collective action. The ability of workers therefore to access and pool their data is a powerful force in organising yet to be properly tapped.”
