More stories

  • Australia's first data strategy to create 'one-stop shop' for accessing government data

    A new data strategy was announced by the federal government on Tuesday morning, outlining a goal for Australia to be a modern, data-driven society by 2030. The data strategy, a first for Australia, will focus on initiatives built around maximising the value of data, trust and protection, and enabling data use. The strategy sits alongside an action plan that sets out those initiatives and their expected delivery timeframes up to 2025. At the end of 2025, the federal government will update the data strategy to implement new initiatives up to 2030, said Stuart Robert, the Minister responsible for digital transformation. Robert said the strategy was developed in consultation with the private, research, and not-for-profit sectors. “The data strategy is part of our commitment to deliver better services to all Australians, and it will power our national ambition to become a modern, data-driven society by 2030,” Robert said. In relation to the strategy’s focus on maximising the value of data, the government will look to create a new “front door” for accessing Australian government open data, communicate about data better, and implement the Data Availability and Transparency Scheme. “Access to the right data and analytics can help government and private decision-makers tailor how they deliver these services. For example, Census data can not only be used to identify where services are needed, but also how to best tailor those services for the needs of Australians,” the strategy outlines.

    Practically, this will entail transitioning the data.gov.au website into the “one-stop shop” for all Australians interacting with Australian government data by the end of next year. On the trust and protection front, the strategy calls for the continued expansion of the consumer data right, as well as a review of the Privacy Act to see whether its enforcement mechanisms are fit for purpose in the digital age. The AU$40 million investment into extending the National Disability Data Asset announced last week also falls under the strategy’s scope. Other initiatives within the data strategy include measuring the data maturity of government agencies, developing guidance on embedding data professional roles within all parts of Australian government agencies, investigating new and enhanced data collection and reporting methods, and establishing a new International Data Policy function within the Australian Public Service. The national data strategy’s release comes a fortnight after the federal government updated its digital government strategy, placing more emphasis on uplifting digital ecosystems and reusing technologies to deliver more value for money. When the digital government strategy refresh was announced, the federal government was facing backlash from a Senate committee over its lack of progress in auditing its IT capabilities, especially as it had no central data collection process for IT expenditure across government.

  • Security company offers Log4j 'vaccine' for systems that can't be updated immediately

    For those unable to patch the Apache Log4j vulnerability known as Log4Shell, cybersecurity firm Cybereason has released what it calls a “fix” for the 0-day exploit. Cybereason urged people to patch their systems as soon as possible, but for those who cannot update their systems immediately, it has created a tool it is calling “Logout4shell.”

    It is freely available on GitHub and Cybereason said it “is a relatively simple fix that requires only basic Java skills to implement.” “In short, the fix uses the vulnerability itself to set the flag that turns it off. Because the vulnerability is so easy to exploit and so ubiquitous—it’s one of the very few ways to close it in certain scenarios,” said Yonatan Striem-Amit, CTO of Cybereason. “You can permanently close the vulnerability by causing the server to save a configuration file, but that is a more difficult proposition. The simplest solution is to set up a server that will download and then run a class that changes the server’s configuration to not load things anymore.”

    The “vaccine” garnered a mixed response from experts, some of whom praised the company for stepping up while others said it wasn’t nearly enough to protect those affected by the vulnerability. Dr. Richard Ford, CTO of Praetorian, said the Log4j vulnerability can be subtle: while it is sometimes revealed by simple scanning, it is also frequently found buried deep in customer infrastructure, where it can be trickier to trigger. “For this reason, I am concerned that some of the well-meaning responses I’ve seen from the industry can cause longer-term problems. In the case of Logout4Shell, it’s not always as trivial to exploit as entering a simple string into ‘a vulnerable field.’ Knowing which field is vulnerable can be tricky, and with many folks now filtering traffic en route, knowing your string even reached the server intact is not trivial,” Ford explained.

    “If we inadvertently give a customer the impression that just popping ${$jnfi… into a string is good enough, folks could end up with a false sense of security. In addition, generically patching a server could have unpleasant unintended consequences, and it’s up to customers to figure out what risks they can tolerate in a production system. Cybereason’s tool is an interesting approach, but [I] would not recommend a customer solely rely on it.”

    Randori’s Aaron Portnoy said hot-patching solutions such as this can be effective stop-gap mitigations, but this one will only be effective for the lifetime of the Java Virtual Machine. “If the application or the system restarts, the ‘vaccine’ would need to be re-applied. The best remediation is to upgrade the log4j2 library and apply default-deny firewall rules on outbound traffic for systems that may be susceptible,” Portnoy said.

    Bugcrowd CTO Casey Ellis noted that running this without permission on someone else’s infrastructure “is almost certainly in violation of anti-hacking laws like the CFAA, which creates legal risk regardless of whether the intent is benevolent or malicious.” “While folks may be well-intentioned, it’s important for them to understand the legal risk it creates for them. It’s a similar technique to what the FBI and DOJ did earlier in the year to mitigate HAFNIUM web shells on Exchange servers, only the FBI had the legal blessing of the DOJ,” Ellis said. “Aside from that, I quite like the ‘chaotic good’ nature of this solution – especially given the chaos organizations are experiencing in finding all of the places that log4j might exist within their environment. The script basically takes the workaround first flagged by Marcus Hutchins which disables indexing and then uses the vulnerability itself to apply it. The fact that solutions like this are coming out so quickly is telling regarding the ubiquity of this vulnerability, the complexities of applying a proper patch, and the sheer number of ways that it can be exploited.”

    Ellis added that the tool’s effectiveness is limited because it does not work for versions prior to 2.10, requires a restart, and the exploit must fire properly in order to be effective. Even when it does run properly, it still leaves the vulnerable code in place, Ellis explained. Because of the complexity of regression testing Log4j, Ellis said he had already heard from a number of organizations that are pursuing the workarounds contained in the Cybereason tool as their primary approach. He expects at least some to use the tool selectively and situationally, but said it is critical to understand that this isn’t a solution – it’s a workaround with a number of limitations. “It has intriguing potential as a tool in the toolbox as organizations reduce log4j risk, and if it makes sense for them to use it, one of the primary reasons will be speed to risk reduction,” Ellis said.

  • Log4j update: Experts say log4shell exploits will persist for 'months if not years'

    Cybersecurity experts believe CVE-2021-44228, a remote code execution flaw in Log4j, will take months, if not years, to address due to its ubiquity and ease of exploitation.

    Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, said Log4Shell “now firmly belongs in the same conversation as Shellshock, Heartbleed, and EternalBlue.” “Attackers began by almost immediately leveraging the bug for illegal crypto mining, or using legitimate computing resources on the Internet to generate cryptocurrency for financial profit… Further exploitation appears to have pivoted towards theft of private information,” Povolny told ZDNet. “We fully expect to see an evolution of attacks.”

    Povolny added that the vulnerability’s impact could be enormous because it is “wormable and could be built to spread itself.” Even with a patch available, there are dozens of versions of the vulnerable component. Due to the sheer number of observed attacks already, Povolny said it was “safe to assume many organizations have already been breached” and will need to take incident response measures.

    “We believe log4shell exploits will persist for months if not years to come, with a significant decrease over the next few days and weeks as patches are increasingly rolled out,” Povolny said.

    Sophos senior threat researcher Sean Gallagher said that since December 9, attacks using the vulnerability have evolved from attempts to install coin miners — including the Kinsing miner botnet — to more sophisticated efforts. “The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts. There are also signs of attackers trying to exploit the vulnerability to install remote access tools in victim networks, possibly Cobalt Strike, a key tool in many ransomware attacks,” Gallagher said. Paul Ducklin, principal research scientist at Sophos, added that technologies including IPS, WAF, and intelligent network filtering are all “helping to bring this global vulnerability under control.” “The very best response is perfectly clear: patch or mitigate your own systems right now,” Ducklin said.

    Dr. Richard Ford, CTO at Praetorian, explained that because exploiting the vulnerability often does not require authentication or special access, it has exposed an incredible array of systems. “There are even unconfirmed reports that simply changing your phone’s name to a particular string can exploit some online systems,” Ford said. Ford and his company’s engineers said it is “one of the largest exposures [they] have seen at internet scale.”

    Other experts who spent the weekend watching the vulnerability said hackers got to work almost immediately in exploiting the flaw. Chris Evans, CISO at HackerOne, said the platform had received 692 reports about Log4j across 249 customer programs, noting that major companies like Apple, Amazon, Twitter, and Cloudflare have all confirmed that they were vulnerable. “This vulnerability is scary for a few reasons: Firstly, it’s really easy to exploit; all the attacker has to do is to paste some special text into various parts of an application and wait for results. Secondly, it’s hard to know what is and isn’t affected; the vulnerability is in a core library that is bundled with many other software packages, also making remediation more complicated. Thirdly, it’s likely that many of your third-party vendors are affected,” Evans said. Imperva CTO Kunal Anand said that since rolling out updated security rules more than 13 hours earlier, the company had observed more than 1.4 million attacks targeting CVE-2021-44228. “We’ve observed peaks reaching roughly 280K attacks per hour. As with other CVEs in its class, we expect to see this number grow, especially as new variants are created and discovered over the coming days and weeks,” Anand said.

  • HR platform Kronos hit with ransomware, UKG warns of data breach and 'several week' outage

    HR management platform Kronos has been hit with a ransomware attack, revealing that information from many of its high-profile customers may have been accessed. UKG, Kronos’ parent company, said the vital service will be out for “several weeks” and urged customers to “evaluate and implement alternative business continuity protocols related to the affected UKG solutions.”  

    In a statement to ZDNet, UKG said it “recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud,” which it said “houses solutions used by a limited number of our customers.” “We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services,” the company said.

    The statement comes hours after the company posted a message on the Kronos community message board, explaining that staff noticed “unusual activity impacting UKG solutions using Kronos Private Cloud” on Saturday night. This private cloud houses data for UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions. “At this time, we are not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud,” Kronos’ executive vice president Bob Hughes wrote. The attack caused a stir online, with some cybersecurity experts reporting multiple messages from companies that could no longer process payroll as of Monday morning due to the outage.

    Other sources said the outage would cause them to miss payroll for this week — a harrowing idea considering how close Christmas is — while many are scrambling to find alternative solutions. Many organizations use Kronos to organize timesheets, meaning schedules for the next few weeks will be thrown into disarray by the outage. “Every time they call in for help, they get a different answer about what is going on,” one source said, adding that in one initial call, the Kronos representative did not even know a ransomware attack had occurred. Kronos’ work management software is used by dozens of major corporations, local governments, and enterprises, including the City of Cleveland’s government, Tesla, Temple University, Winthrop University Hospital, Clemson University, and UK supermarket chain Sainsbury’s. The City of Cleveland sent out an urgent message on Monday, telling WKYC that UKG had contacted it and other clients to say that the ransomware attack may have compromised employee information like names, addresses, social security numbers, and employee IDs.

    Ransomware expert Allan Liska criticized how the conversation about the attack is playing out online. “Some people on Twitter are blaming the small businesses, who are victims here, for not having a backup plan in place for payroll. I feel that’s crap; you are outsourcing your payroll to a company that is supposed to have contingency plans in place for you,” Liska said. The company would not answer questions about which ransomware group was behind the attack.

  • Apple releases Tracker Detect Android app to identify AirTags, other Find My-enabled trackers

    The Tracker Detect app after scanning for nearby AirTags and other Find My devices. (Image: Jason Cipriani/ZDNet)

    In a move aimed at increasing users’ privacy, Apple has released… an Android app? That’s right. Tracker Detect allows anyone with an Android phone or tablet to scan their nearby surroundings for rogue AirTags or other Find My-equipped tracking devices, as reported by CNET. The potential for AirTags and similar devices to be used to track and locate unsuspecting people raised privacy concerns when AirTags were first released. The small trackers rely on nearby Apple devices to anonymously crowdsource their location, making it possible for someone to place an AirTag in a car or bag and retain the ability to view its current location. AirTags will begin to beep every few minutes after they’ve been disconnected from their owner for an unspecified amount of time, as a way to alert those nearby that the AirTag is present. Additionally, if your iPhone detects an unknown AirTag traveling with you, it’ll alert you and walk you through identifying who it belongs to or disabling it. The latter protection is something Android owners didn’t have access to until now.

    Once you install Tracker Detect from the Play Store you’re presented with a simple screen that gives you the option to scan nearby. The app will then look for any unknown devices and present you with the option to play a sound on the device, along with instructions for scanning the tag to see who it belongs to or removing the battery to disable it. While the app requires you to proactively scan for tracking devices, instead of passively scanning for devices in the background, it’s a step in the right direction for easing privacy and tracking fears. The way the app currently works means that if it constantly scanned in the background you’d constantly receive alerts for any nearby devices — something that could get rather annoying if you’re traveling through an airport and receive an alert for every AirTag in a nearby suitcase or backpack. If you’re an Android user, what do you think of Tracker Detect? Does it do enough? Or not enough? Let us know in the comments below.

  • Paying a debt by gift card? Don't fall for this scam

    The Federal Trade Commission’s (FTC’s) latest “data spotlight” release shows $148 million in gift card payment scams have been recorded for the first nine months of 2021. This growing trend exceeds the total number and dollar amount of similar scams logged by the agency throughout the entirety of 2020. This type of scam involves a malicious party convincing the target that they are required to provide some form of payment to settle a debt. The grift usually comes with threats of legal action, wage garnishment, or jail time, should they not comply with the request of the fictitious company or government agency the caller claims to be representing. In reality, these criminal actions are a way for unscrupulous individuals or criminal rings to secure gift card codes they can use illicitly or resell through online black markets for profit.

    The data spotlight shows more than 40,000 consumers were impacted by these scams during the first three quarters of 2021, with the practice peaking at $51 million and 14,000 reports during Q1 alone. Median losses for each of the incidents rose as well, from $700 in 2018 to $1,000 in 2021. Much larger thefts of $5,000 or more resulting from gift card scams also now represent more than 8% of reports, showing these thieves are becoming more brazen. The most popular gift card for scammers to request, by far, is one for Target stores. These represented $35 million in scam sales between January and September 2021. Google Play was a distant second at $17 million, followed by Apple ($16 million), eBay ($10 million), and Walmart ($6 million). Interestingly, even when victims were directed to purchase a gift card for another retailer, Target was the store scammers most often suggested they make the purchase at. Walmart, Best Buy, CVS, and Walgreens were also popular with scammers, the FTC said.

    If all of these facts weren’t unsettling enough, the agency noted that some scammers even groom their victims to avoid detection. The FTC has evidence of criminals instructing victims to visit multiple stores to avoid suspicion by making several smaller purchases, with some even coaching victims on what to tell cashiers who ask questions about their orders. The FTC once again urged consumers to immediately hang up on any caller who claims to be attempting to collect a debt via gift card. Just in case it needs to be said again: no government agency or commercial entity of any kind will ever attempt to collect a debt from you via gift card. The Federal Trade Commission suggests that anyone who believes they may have been targeted by a scammer visit its informational site on gift card scams and report the incident to its fraud division.

  • Ransomware suspect arrested over attacks on 'high-profile' organisations

    Europol’s European Cybercrime Centre has worked with the Romanian National Police and the FBI on the arrest of a suspected ransomware affiliate who is alleged to have targeted high-profile organisations and companies for their sensitive data. Europol said a 41-year-old Romanian man has been arrested in Craiova, Romania. It said the man is suspected of compromising the network of a large Romanian IT company which delivers services to clients in the retail, energy and utilities sectors. The suspect is accused of targeting organisations in ransomware attacks, encrypting files and stealing sensitive data. He’s suspected of demanding a “sizeable” ransom payment in cryptocurrency, threatening to leak the stolen data if the victim didn’t give in to the extortion attempt.

    The attacker stole information that included financial information about the company, personal information about employees, customer details and other sensitive details, and attempted to blackmail the victim into paying a ransom with a threat to publish the data. It wasn’t revealed whether this attempt at extortion was successful. Europol supported the investigation by tracing cryptocurrency payments, providing malware analysis and forensic support, and deploying experts to Romania. The arrest is the latest in a string of arrests by the Romanian authorities, which last month arrested two individuals suspected of involvement in Sodinokibi/REvil ransomware attacks.

    A recent report by Europol warned that ransomware attacks are getting more sophisticated as cyber criminals look towards new tactics and techniques to maximise the chances of successfully receiving a ransom payment, something which regularly costs victims millions of dollars. “Perpetrators continue to be increasingly ruthless and methodical in their modi operandi,” said the report.

  • Log4j zero-day flaw: What you need to know and how to protect yourself

    A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10. The library is developed by the open-source Apache Software Foundation and is a key Java logging framework. Since last week’s alert by CERT New Zealand that CVE-2021-44228, a remote code execution flaw in Log4j, was already being exploited in the wild, warnings have been issued by several national cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC). Internet infrastructure provider Cloudflare said Log4j exploits started on December 1.

    What devices and applications are at risk?

    Basically any device that’s exposed to the internet is at risk if it’s running Apache Log4j versions 2.0 to 2.14.1. NCSC notes that Log4j version 2 (Log4j2), the affected version, is included in the Apache Struts2, Solr, Druid, Flink, and Swift frameworks. Mirai, a botnet that targets all manner of internet-connected (IoT) devices, has adopted an exploit for the flaw. Cisco and VMware have released patches for their affected products. AWS has detailed how the flaw impacts its services, said it is working on patching its services that use Log4j, and has released mitigations for services like CloudFront. Likewise, IBM said it is “actively responding” to the Log4j vulnerability across IBM’s own infrastructure and its products. IBM has confirmed WebSphere 8.5 and 9.0 are vulnerable. Oracle has issued a patch for the flaw, too.

    “Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” it said.

    Necessary actions: device discovery and patching

    CISA’s main advice is to identify internet-facing devices running Log4j and upgrade them to version 2.15.0, or to apply the mitigations provided by vendors “immediately”. It also recommends setting up alerts for probes or attacks on devices running Log4j. “To be clear, this vulnerability poses a severe risk,” CISA director Jen Easterly said Sunday. “We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.” Additional steps recommended by CISA include enumerating any external-facing devices with Log4j installed; ensuring the security operations center acts on every alert from devices with Log4j installed; and installing a web application firewall (WAF) with rules that focus on Log4j.

    AWS has updated its WAF rule set – AWSManagedRulesKnownBadInputsRuleSet AMR – to detect and mitigate Log4j attack attempts and scanning. It also has mitigation options that can be enabled for CloudFront, Application Load Balancer (ALB), API Gateway, and AppSync, and it is currently updating Amazon OpenSearch Service to the patched version of Log4j. NCSC recommends updating to version 2.15.0 or later and – where that is not possible – mitigating the flaw in Log4j 2.10 and later by setting the system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath.

    Part of the challenge will be identifying software harboring the Log4j vulnerability. The Netherlands’ Nationaal Cyber Security Centrum (NCSC) has posted a comprehensive and sourced A-Z list on GitHub of all affected products it is aware of, showing which are vulnerable, not vulnerable, under investigation, or have a fix available. The list illustrates how widespread the vulnerability is, spanning cloud services, developer services, security devices, mapping services, and more. Vendors with popular products known to be still vulnerable include Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, JetBrains, Nelson, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft, and VMware. The list is even longer when adding products where a patch has been released.

    NCC Group has posted several network-detection rules to detect exploitation attempts and indicators of successful exploitation. Finally, Microsoft has released its set of indicators of compromise and guidance for preventing attacks on the Log4j vulnerability. Examples of post-exploitation of the flaw that Microsoft has seen include installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.
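    The NCSC classpath mitigation above (removing the JndiLookup class) can be checked and applied to jars already on disk with a script like the following. This is an added example, not code from the page, ZDNet or NCSC; it assumes the standard log4j-core class path and Maven pom.properties layout inside the jar, uses the 2.0 to 2.14.1 range exactly as the article gives it, and builds two constructed stand-in jars for its own demonstration.

```python
# Added example (not ZDNet's or NCSC's code): applies the classpath mitigation
# quoted above by stripping JndiLookup from log4j-core jars on disk. Assumes the
# standard log4j-core class path and Maven pom.properties layout; nested jars are skipped.
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def log4j_version(zf):
    """Version recorded in log4j-core's pom.properties, or None if absent."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def is_vulnerable_version(version):
    """CVE-2021-44228 affects 2.0 through 2.14.1, the range the article gives."""
    if version is None:
        return False
    nums = [int(p) for p in version.split("-")[0].split(".") if p.isdigit()]
    return (2,) <= tuple(nums) <= (2, 14, 1)

def assess_jar(path):
    """Return (version, has_jndi_lookup) without modifying the jar."""
    with zipfile.ZipFile(path) as zf:
        return log4j_version(zf), JNDI_CLASS in zf.namelist()

def strip_jndi_lookup(path):
    """Rewrite the jar in place without JndiLookup.class."""
    fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
    os.close(fd)
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)  # original stays intact until this atomic swap
    return True

def scan_tree(root, fix=False):
    """Report every log4j-core-looking jar under root; optionally mitigate."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version, has_jndi = assess_jar(path)
            except zipfile.BadZipFile:
                continue
            if version is None and not has_jndi:
                continue  # unrelated jar
            # Strip only in-range or unreadable versions; 2.15.0+ still ships the class.
            removed = False
            if fix and has_jndi and (version is None or is_vulnerable_version(version)):
                removed = strip_jndi_lookup(path)
            findings.append({"path": path, "version": version,
                             "vulnerable_version": is_vulnerable_version(version),
                             "jndi_lookup": has_jndi and not removed, "removed": removed})
    return findings

def make_sample_jar(path, version):
    """Constructed stand-in for log4j-core; class bodies are dummy bytes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe")

def demo():
    """Scan two constructed jars with fix=True, rescan; return what changed."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    old = os.path.join(root, "log4j-core-2.14.1.jar")
    new = os.path.join(root, "log4j-core-2.15.0.jar")
    make_sample_jar(old, "2.14.1")
    make_sample_jar(new, "2.15.0")
    fixed = {f["path"]: f for f in scan_tree(root, fix=True)}
    after = {f["path"]: f["jndi_lookup"] for f in scan_tree(root)}
    return {"vulnerable": (fixed[old]["vulnerable_version"], fixed[new]["vulnerable_version"]),
            "removed": (fixed[old]["removed"], fixed[new]["removed"]),
            "jndi_after": (after[old], after[new])}
```

    Stripping the class is the NCSC fallback for hosts that cannot yet move to 2.15.0; the JVM still has to be restarted afterwards, and the jar should be replaced by the patched release as soon as possible.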