More stories


    Huawei CFO and detained Canadians return home following wrap up of extradition charges

    Huawei CFO Meng Wanzhou's extradition case wrapped up over the weekend, ending a near three-year saga that saw her under house arrest for almost the entire period. On the same day, two Canadians who had been detained in China for more than 1,000 days were released and returned to Canada.

    Meng was allowed to return to China after reaching a deferred prosecution agreement with United States prosecutors in which she admitted to misleading a global financial institution. "In entering into the deferred prosecution agreement, Meng has taken responsibility for her principal role in perpetrating a scheme to defraud a global financial institution," Eastern District of New York Acting United States Attorney Nicole Boeckmann said in a statement. "Her admissions in the statement of facts confirm that, while acting as the chief financial officer for Huawei, Meng made multiple material misrepresentations to a senior executive of a financial institution regarding Huawei's business operations in Iran in an effort to preserve Huawei's banking relationship with the financial institution."

    The admission entails agreeing to a four-page statement of facts accepting that she knowingly made false statements to financial institutions.

    In January 2019, the United States government unsealed a pair of indictments: the first against Huawei and Meng, and the second alleging that Huawei conspired to steal intellectual property from T-Mobile and subsequently obstructed justice. The indictment against Meng accused her of misrepresenting Huawei's ownership and control of Iranian affiliate Skycom to banks in order to launder money through the international banking system, in breach of United Nations, United States, and European Union sanctions. Meng was detained and arrested by Canadian authorities on the United States' behalf shortly before the charges were unsealed.

    Having made those allegations, the United States sought to extradite Meng to face the charges there, which led to an extradition battle in Canada over whether Canadian authorities should hand her over. Throughout the extradition proceedings, Meng was released on bail and placed under house arrest in Vancouver. Meanwhile, the Chinese government detained two Canadian citizens, Michael Kovrig and Michael Spavor, shortly after Meng's arrest, accusing them of spying and stealing state secrets.

    By entering into the agreement, Meng admitted only to misleading a global financial institution; she did not plead guilty to the fraud charges brought against her. Huawei said in a statement that it was happy to see "Meng Wanzhou returning home safely to be reunited with her family". In the same statement, the company continued to deny the United States' allegations and said it would keep defending itself in court, as the indictments against the company are still ongoing. China's Foreign Ministry spokesperson Hua Chunying said the allegations were "political persecution against a Chinese citizen and its aim is to suppress Chinese high-tech companies", according to a Chinese state media outlet.

    Meng and the two Canadians arrived back in their respective countries on Saturday, with Canadian Prime Minister Justin Trudeau posting pictures of Kovrig and Spavor's return on Twitter. "Welcome home, Michael Kovrig and Michael Spavor. You've shown incredible strength, resilience, and perseverance. Know that Canadians across the country will continue to be here for you, just as they have been," he tweeted.

    Huawei looking to fill $40 billion hole in revenue from handset business

    Speaking on Friday, Huawei rotating chair Eric Xu said other areas of the business have not compensated for the revenue lost since the company was added to the US Entity List in 2019. When a company is on the Entity List, US companies are banned from transferring technology to it unless they have received licence approval from the US government.

    In its latest yearly financial results, Huawei posted a net profit of 64.6 billion yuan, but its growth in markets outside China ground to a halt. The company sold off its Honor business at the end of 2020 and has been focusing on increasing the use of 5G in areas such as mining.

    "Other areas [are] certainly not [going to] compensate for the revenue loss of the handset business. Not just in one year; even those revenues throughout 10 years combined cannot compensate for the decline in revenue," Xu said through an interpreter. "It will take a rather long time for us to compensate for the $30-40 billion loss applying 5G and other technologies to other industry sectors."


    Mastercard and DTA to scope out digital ID service for age verification

    Mastercard and the Digital Transformation Agency (DTA) are working together to see how the former's digital identity service could enable Australians to digitally verify their age and identity.

    As part of the collaboration, Mastercard said it would work with the DTA to examine a series of private sector-led pilots and the impact its digital verification service could have on retailer and consumer experiences and expectations online.

    "Australians are increasingly expecting no disruptions between their online and physical lives, and identity is an area that must keep pace with those expectations. Public-private pilots have the potential to make it easier to use these verified identities securely, everywhere they travel," Mastercard Australasia division president Richard Wormald said.

    Last year, Mastercard announced the quiet expansion of the trial of its digital identification service, following the successful completion of phase one with partners Deakin University and Australia Post. Announced in December, the three parties kicked off two trials: the first covering identity verification for student registration and digital exams at Deakin's Burwood and Geelong campuses in Victoria, and the second integrating Mastercard's digital ID solution with the one the postal service has been building.

    The pilot saw students create a digital identity in Australia Post's Digital ID app and use it to gain access to Deakin University's exam portal. Mastercard said its ID service orchestrated the sharing of verified identity data between the two parties, sending over its network only the specific personal information required to permit entry. The three organisations later expanded the trial to verify students taking exams online.

    The second phase of the trial built on work to integrate the Mastercard and Australia Post services, connecting with other third-party platforms to "extend the value and use of the service" to more providers and partner organisations in Mastercard's ID network. A partnership with Optus was launched around the same time; under that trial, Optus customers could use Mastercard's ID service to prove their identity online and in-store.

    "Connecting with trusted third-party digital identity platforms is key to scaling digital identity more broadly. Without interoperability, it's very hard to build beyond local deployments," Wormald said. "This is why Mastercard continues to collaborate with like-minded organisations, giving citizens new ways to verify their identity without having to hand over any physical documents or surplus information."

    Mastercard also announced that it has applied for accreditation under the Trusted Digital Identity Framework (TDIF), which sets out the operating model for digital identity in Australia. If accreditation is granted, Mastercard said consumers would be able to create a reusable digital identity from official identity documents such as passports and driving licences, with the digital identity data protected by encryption and facial biometrics.

    In June, the Australian government published a consultation paper on digital identity indicating that legislation would enter Parliament later this year to allow non-government entities to provide digital identification services to Australians. The TDIF rules currently bind only Australian government entities, not states and territories or the private sector, which is why legislation is required. The proposed Digital Identity legislation aims to put privacy safeguards in place, such as limiting access to biometric information, but it will allow users to consent to their biometric information being accessed for fraud or security investigations.


    New iPhone 13? Don't forget to update!

    Just got a new iPhone 13 and the new-phone smell is still on it? It may be new, but that doesn't mean it doesn't need updating. Yes, it's running iOS 15, but not the latest iOS 15 release; the update treadmill starts on day one.

    According to Apple, "[t]his update provides important security updates and fixes an issue where widgets may revert to their default settings after restoring from a backup." So it's already time to update your brand new iPhone 13. Given that this is not only a bug fix but also contains security updates, I'd recommend installing it as soon as possible.


    FBI decision to withhold Kaseya ransomware decryption keys stirs debate

    This week, The Washington Post reported that the FBI had the decryption keys for victims of the widespread Kaseya ransomware attack in July, yet did not share them for three weeks. Hundreds of organizations were affected by the Kaseya attack, including dozens of hospitals, schools, businesses and even a supermarket chain in Sweden. Washington Post reporters Ellen Nakashima and Rachel Lerman wrote that the FBI obtained the keys by accessing the servers of REvil, the Russia-based criminal gang behind the attack.

    Kaseya attack

    REvil demanded a $70 million ransom from Kaseya, and thousands of dollars from individual victims, before going dark and shutting down significant parts of its infrastructure shortly after the attack. The group has since returned, but many organizations are still recovering from the wide-ranging July 4 attack.

    Despite the large number of victims, the FBI did not share the decryption keys, holding on to them while it prepared an operation against REvil's infrastructure. According to The Washington Post, the FBI did not want to tip off REvil's operators by handing out the keys, and it also judged that "the harm was not as severe as initially feared". The planned operation never happened because REvil disappeared, officials told the newspaper. The FBI eventually shared the keys with Kaseya on July 21, weeks after the attack. Multiple victims told The Washington Post about the millions they lost and the significant damage the attack caused.

    Another law enforcement source eventually shared the keys with Bitdefender, which released a universal decryptor earlier this month for all victims infected before July 13, 2021. More than 265 REvil victims have used the decryptor, a Bitdefender representative told The Washington Post.

    During his testimony before Congress on Tuesday, FBI Director Christopher Wray attributed the delay to other law enforcement agencies and allies who, he said, asked the FBI not to disseminate the keys. He said he was limited in what he could share because the investigation is still ongoing. "We make the decisions as a group, not unilaterally. These are complex…decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world. There's a lot of engineering that's required to develop a tool," Wray told Congress.

    The revelation caused considerable debate among security experts, many of whom defended the FBI's decision even though it left victims struggling to recover for weeks. Critical Insight CISO Mike Hamilton, who dealt with a particularly thorny situation in which a Kaseya victim was left in the lurch after paying a ransom right before REvil disappeared, said being careful about disclosing methods is a staple of the law enforcement and intelligence communities.

    "There is a 'tell' though, that we've confirmed ourselves. The FBI is quoted as saying that the damage wasn't as bad as they thought and that provided some time to work with. This is because the event wasn't a typical stealth infiltration, followed by pivoting through the network to find the key resources and backups. From all indications the only servers that were encrypted by the ransomware were the ones with the Kaseya agent installed; this was a smash-and-grab attack," Hamilton said. "If you had it deployed on a single server used to display the cafeteria menu, you could rebuild quickly and forget the whole thing happened. The fact that the world wasn't really on fire, again, created time to dig further into the organization, likely for the ultimate purpose of identifying individual criminals. Those organizations that WERE hit hard had the agent deployed on on-premises domain controllers, Exchange servers, customer billing systems, etc."

    Sean Nikkel, senior threat intel analyst at Digital Shadows, said the FBI may have judged the need to prevent or shut down REvil's operations as outweighing the need to help a smaller group of companies struggling with a single attack. Given REvil's escalating scale of attacks and extortion demands, a fast-moving situation requiring an equally fast response likely pre-empted a more measured response to the Kaseya victims, Nikkel explained, adding that it is easy to judge the decision now that more information is available, but that it must have been a tough call at the time.

    "Quietly reaching out directly to victims may have been a prudent step, but attackers seeing victims decrypting files or dropping out of negotiations en masse may have revealed the FBI's ploy for countermeasures," Nikkel told ZDNet. "Attackers then may have taken down infrastructure or otherwise changed tactics. There's also the problem of the anonymous soundbite about decryption making its way into public media, which could also tip off attackers. Criminal groups pay attention to security news as much as researchers do, often with their own social media presence." Nikkel suggested that a better approach might have been to open backchannel communications with the incident response firms involved to coordinate resources and response, though he noted that the FBI may already have done this.

    BreachQuest CTO Jake Williams called the situation a classic case of an intelligence gain/loss assessment. Like Nikkel, he said it's easy for people to play "Monday morning quarterback" and blame the FBI after the fact for not releasing the keys. But Williams noted that the direct financial damage was almost certainly more widespread than the FBI believed when it withheld the key to protect its operation. "On the other hand, releasing the key solves an immediate need without addressing the larger issue of disrupting future ransomware operations. On balance, I do think the FBI made the wrong decision in withholding the key," Williams said. "However, I also have the convenience of saying this now, after the situation played itself out. Given a similar situation again, I believe the FBI will release the keys unless a disruption operation is imminent (hours to days away). Because organizations aren't required to report ransomware attacks, the FBI lacked the full context required to make the best decision in this case. I expect this will be used as a case study to justify reporting requirements."

    John Bambenek, principal threat hunter at Netenrich, said critics need to remember that, first and foremost, the FBI is a law enforcement agency that will always act in a way that optimizes law enforcement outcomes. "While it may be frustrating for businesses that could have been helped sooner, law enforcement takes time and sometimes things don't work out as planned," Bambenek said. "The long term benefit of successful law enforcement operations is more important than individual ransomware victims."


    We're still making terrible choices with passwords, even though we know better

    Most people are still picking bad passwords, probably because they rely on more web services than ever. LastPass, a password management software vendor, found in a study of the psychology of password behaviour that many people still reuse passwords across accounts. That's bad because an attacker who obtains the credentials for one account can then break into every other account protected by the same password, and that is only one of the many risks that come with poor password choices for online accounts.


    LastPass found that while 92% of the 3,750 people surveyed know that reusing a password is a risk, 65% still reuse passwords across accounts. It also found that 45% of respondents had not changed their passwords in the last year, even after being affected by a data breach. Attitudes towards passwords vary by application: while 68% of respondents would create stronger passwords for financial accounts, only 32% said they would create strong passwords for work-related accounts. Most users create passwords built from personal information that may be publicly available, such as a birthday or home address, the company said, noting that only 8% of respondents said a strong password "should not have ties to personal information."

    With so many accounts to remember, it's perhaps no surprise that too many people pick one password and use it everywhere. Most people also don't know about password spraying, where attackers try a small number of common passwords against a large number of accounts, staying under per-account lockout thresholds, and eventually get into a few of them. Cybercriminals use password spraying, as do state-sponsored hackers, because it works and it's cheap. The company advises that people use "nonsensical phrases peppered with numbers and symbols as opposed to individual words to make your passwords longer, stronger, and easier to remember while also making them more difficult for hackers to crack."

    This advice lines up with the UK National Cyber Security Centre's (NCSC) recommendation that people build a password from three random words. The agency also reckons that people who don't want to use password manager software can safely write a password down on paper, because paper is offline. Microsoft, meanwhile, is trying to make the world passwordless by giving users the option to remove the password from their accounts altogether, relying on standards such as FIDO2 and on Windows Hello biometric authentication tied to the device's hardware. Two-factor authentication also boosts protection, because an attacker then needs more than just a password to access a service. But even with steps forward like these, an awful lot of services are still secured by a password alone, which means choosing one wisely still matters.



    This ransomware-dropping malware has swapped phishing for a sneaky new attack route

    ZLoader malware, a tool often used to deliver ransomware, is now being spread through malicious Google ads, according to Microsoft. The malware is a key part of the cybercrime ecosystem and recently popped up on the radar of both Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA).


    CISA yesterday warned that ZLoader was being used to distribute Conti ransomware, whose operation pays its ransomware distributors a wage rather than a commission for new infections. ZLoader is a banking trojan that uses web injection to steal cookies, passwords and other sensitive information, but it is also used to deliver ransomware, provides attackers with backdoor capabilities and can install other forms of malware, according to security company SentinelOne. According to Microsoft, ZLoader operators are buying Google keyword ads to distribute various malware strains, including Ryuk ransomware. The techniques aren't new, but using Google ads to push links to malicious domains is notable because billions of people use Google.

    "While analyzing ZLoader campaigns in early September, we observed a notable shift in delivery method: from the traditional email campaigns to the abuse of online ad platforms. Attackers purchased ads pointing to websites that host malware posing as legitimate installers," Microsoft said. "The campaign abused Google Ads. While Microsoft 365 Defender protects customers by blocking malicious sites, behavior, payloads, we responsibly reported findings to Google. Activity related to this threat reduced in the last few days, but we continue to monitor as it evolves," it added.

    The attackers also registered a fraudulent company in order to cryptographically sign the malicious files, which claim to install a legitimate Java-based app but instead deliver ZLoader, giving the attackers access to affected devices. A valid code signature helps the installers evade anti-malware systems.

    Microsoft highlights the maturity of the business ecosystem ZLoader operates within. "The operators of this campaign can then sell this access to other attackers, who can use it for their own objectives, such as deploying Cobalt Strike or even ransomware," it notes. According to SentinelOne, this campaign primarily targets customers of Australian and German banks. The malware also has the capability to disable all Windows 10 Defender anti-malware modules.

    (Source: Microsoft Security Intelligence, @MsftSecIntel, on Twitter, September 23, 2021.)

    Microsoft says the attackers buy ads against Google search keywords; the ads redirect victims to a compromised domain, which then bounces them to an attacker-owned domain for the download. Once running, the malware uses PowerShell to disable security settings and products such as Windows Defender, and on some machines the Cobalt Strike penetration testing kit is downloaded. That access, Microsoft warned, is what the operators can then sell on to other attackers for their own objectives, including ransomware deployment.
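    The Defender-tampering step is one of the more reliable places to catch this chain, because the PowerShell it needs is distinctive. The Python below is an added example written for this page, not Microsoft's or SentinelOne's detection logic and not ZLoader's actual commands: it scans constructed PowerShell script-block lines for the real Defender cmdlets and switches an attacker would use to turn protection off (`Set-MpPreference -Disable…`, `Add-MpPreference -Exclusion…`, stopping `WinDefend`), and it also unwraps `-EncodedCommand` payloads (base64 over UTF-16LE), since a loader that hides the command that way would otherwise slip past a plain string match. The sample lines are constructed for the example.

```python
"""Flag PowerShell that disables or carves exclusions out of Microsoft
Defender, including when the command is hidden behind -EncodedCommand.

The cmdlet and parameter names are real Defender cmdlets; the sample
script-block lines below are constructed for this example.
"""
import base64
import re

# Indicators a hunter would look for.  Matched case-insensitively because
# PowerShell is case-insensitive and loaders vary the casing deliberately.
TAMPER_PATTERNS = {
    "realtime_off": r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)",
    "ioav_off": r"Set-MpPreference\b.*-DisableIOAVProtection\s+(\$true|1)",
    "behavior_off": r"Set-MpPreference\b.*-DisableBehaviorMonitoring\s+(\$true|1)",
    "script_scan_off": r"Set-MpPreference\b.*-DisableScriptScanning\s+(\$true|1)",
    "exclusion_added": r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b",
    "service_stop": r"(Stop-Service|sc(\.exe)?\s+stop)\s+.*WinDefend",
}
_COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in TAMPER_PATTERNS.items()}

# powershell.exe accepts -e, -ec, -enc or -EncodedCommand for the same switch.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command,
    otherwise None.  PowerShell expects base64 of UTF-16LE text."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: nothing to unwrap


def defender_tamper_indicators(text):
    """Sorted names of TAMPER_PATTERNS that match the text or, if the text is
    an encoded command line, its decoded payload."""
    candidates = [text]
    decoded = decode_encoded_command(text)
    if decoded:
        candidates.append(decoded)
    hits = set()
    for t in candidates:
        for name, rx in _COMPILED.items():
            if rx.search(t):
                hits.add(name)
    return sorted(hits)


def scan_script_blocks(lines):
    """Return [(line_number, indicators)] for every line with a hit."""
    findings = []
    for i, line in enumerate(lines, 1):
        hits = defender_tamper_indicators(line)
        if hits:
            findings.append((i, hits))
    return findings


def _encode(ps):
    """Build an -EncodedCommand payload the way PowerShell expects it
    (used only to construct the sample below)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed sample script-block lines: one benign query, one plain tamper,
# one tamper hidden behind -enc, one unrelated command.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true",
    "powershell.exe -nop -w hidden -enc "
    + _encode("Add-MpPreference -ExclusionPath 'C:\\ProgramData\\java'"),
    "Get-ChildItem C:\\Windows\\Temp",
]


if __name__ == "__main__":
    for line_no, hits in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(line_no, hits)
```

    Reading `Get-MpPreference` is deliberately not flagged: querying the state is routine, changing it is the signal. In a real deployment the input would be PowerShell script-block logging (event 4104) or command-line auditing, and the patterns would be one input to a broader rule rather than a verdict on their own.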


    FBI arrests 75-year-old for allegedly placing pipe bombs outside phone, carrier stores

    A 75-year-old has been arrested by the Federal Bureau of Investigation (FBI) for allegedly placing pipe bombs outside mobile phone and carrier stores. 

    According to the US Department of Justice (DoJ), a Whittemore, Michigan resident named John Douglas Allen was arrested on Wednesday in connection with homemade bombs left outside stores in Cheboygan and Sault Ste Marie. The affidavit claims that on September 15, Allen placed a USPS box outside an AT&T store before placing another USPS box outside a Verizon outlet. The boxes, taped up and with wires protruding from them, were seized and examined by the FBI laboratory's explosives unit, which determined they were pipe bombs.

    "Based on video footage taken from the cell phone stores and other nearby businesses, as well as an exhaustive investigation by law enforcement, agents were able to determine that Allen was the person who allegedly left the packages outside of the stores," the DoJ said.

    Alongside the explosives, letters were also left at cell towers, described by prosecutors as being contained within "polka dot envelopes", that allegedly contained threats against telecommunications firms. As reported by The Washington Post, court documents say the letters were signed as from the "Coalition for Moral Telecommunication" and addressed to "AT&T, Verizon and all other Carriers."

    The letter, which allegedly sets out the motive behind the packages and mail, read: "All telecommunication containing immoral content must be stopped. This includes cursing, the transmission of pornography, and all manner of indecent communication." The letters also reportedly demanded $5 million. According to the affidavit, Allen admitted responsibility for the scheme, saying there was no coalition and that he was "dissatisfied" with "immoral content" being spread.

    Allen faces charges of extortion and attempted damage or destruction of buildings used in interstate commerce. If convicted, the 75-year-old faces up to 20 years in prison on the extortion charge, and at least five years and up to 20 years on the destruction charge.


    Taiwan's bid to enter CPTPP meets firm opposition from China

    Taiwan has applied to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), a week after China submitted its own application. The CPTPP currently has 11 members representing about $13.5 trillion in GDP, or 13.4% of global GDP, making it one of the largest trade pacts in the world. Japan, a CPTPP member, has been in close communication with Taiwan and welcomed its application, Taiwan's Ministry of Foreign Affairs said in a statement.

    In a separate statement, Taiwan reiterated its position that it is a government separate from the People's Republic of China. It also accused China of bullying Taiwan in the international community, saying that China's bid to join the CPTPP is aimed at blocking Taiwan from entering international trade blocs.

    In response, China's foreign ministry said it was firmly opposed to Taiwan's accession bid. "There is only one China in the world and Taiwan is an inalienable part of China's territory. With regard to the CPTPP, we firmly oppose Taiwan's accession to any agreement or organisation of official nature," Ministry of Foreign Affairs spokesperson Lijian Zhao said. China also sent 19 aircraft into Taiwan's air defence zone following the news, Taiwan's Ministry of Foreign Affairs said.

    For a government to join the CPTPP, all existing members must unanimously approve its application. Earlier in the week, Australia's Trade Minister Dan Tehan said China would need to reopen dialogue with Australia "on a minister-to-minister level" before Australia would consider allowing China to join the pact. "All parties will want to be confident that any new member will meet, implement, and adhere to the high standards of the agreement as well as to their WTO commitments and their existing trade agreements, because it's in everyone's interests that everyone plays by the rules," Tehan said.

    The CPTPP applications follow the announcement by Australia, the UK and the US of a trilateral security pact, AUKUS, aimed at addressing the defence and security concerns posed by China in the Indo-Pacific region. Although China was not named in the announcement, Australian Prime Minister Scott Morrison said the Indo-Pacific region was becoming "more complex". AUKUS will see the three countries pursue initiatives in cyber capabilities, artificial intelligence, quantum technologies, and undersea capabilities, and will promote deeper information and technology sharing between them.

    Alongside China and Taiwan, the United Kingdom also submitted a formal request to join the CPTPP earlier this year, and a working group for its accession has been established. Current members of the CPTPP are Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam.