More stories


    Belgian Defense Ministry confirms cyberattack through Log4j exploitation

    The Belgian Ministry of Defense has confirmed a cyberattack on its networks that involved the Log4j vulnerability. In a statement, the Defense Ministry said it discovered an attack on its computer network with internet access on Thursday. They did not say if it was a ransomware attack but explained that “quarantine measures” were quickly put in place to “contain the infected elements.”


    “Priority was given to the operability of the network. Monitoring will continue. Throughout the weekend, our teams were mobilized to contain the problem, continue our operations and alert our partners,” the Defense Ministry said. “This attack follows the exploitation of the Log4j vulnerability, which was made public last week and for which IT specialists around the world are jumping into the breach. The Ministry of Defense will not provide any further information at this stage.”

    Multiple reports from companies like Google and Microsoft have indicated that government hacking groups around the world are leveraging the Log4j vulnerability in attacks. According to Microsoft, state-sponsored hackers from China, Turkey, Iran and North Korea have started testing, exploiting and using the Log4j bug to deploy a variety of malware, including ransomware. A number of reports have noted that since the vulnerability was discovered nearly two weeks ago, cybercriminal groups have sought not only to use it to gain a foothold in networks but to sell that access to others, including governments.

    Governments around the world have urged agencies and organizations to patch their systems or put mitigations in place in order to avoid attacks and breaches. The US Cybersecurity and Infrastructure Security Agency ordered all federal civilian agencies to patch systems before Christmas, and Singapore held emergency meetings with critical information infrastructure sectors to prepare them for potential Log4j-related threats.

    Centre for Cybersecurity Belgium spokesperson Katrien Eggers told ZDNet that they too had sent out a warning to Belgian companies about the Apache Log4j software issue, writing that any organization that had not already taken action should “expect major problems in the coming days and weeks.”

    “Because this software is so widely distributed, it is difficult to estimate how the discovered vulnerability will be exploited and on what scale,” the Centre for Cybersecurity Belgium said, adding that any affected organizations should contact them. “It goes without saying that this is a dangerous situation.”


    Cybersecurity company ZeroFox acquires IDX, merges with L&F to create $1.4 billion entity

    SaaS cybersecurity company ZeroFox said on Monday that it has completed a deal to acquire digital privacy protection platform IDX and merge with special purpose acquisition company L&F Acquisition Corp. to create a new entity with an expected equity value of approximately $1.4 billion.

    The company will be renamed ZeroFox Holdings once the deal goes through and will trade under the ticker symbol “ZFOX.” The companies expect the deal to close in the first half of 2022. Monarch Alternative Capital LP and several other firms are also investing $170 million in the deal to merge the companies.

    James Foster, chairman and CEO of ZeroFox, said the transaction allows them to create “the industry’s first publicly traded company that is focused on providing an enterprise external cybersecurity SaaS platform.” “We intend to leverage this growth capital to continue investing in our artificial intelligence capabilities, scaling our go-to-market efforts, and expanding our world-class team,” Foster said. The company was founded in 2013 and now has customers in more than 50 countries. Foster told ZDNet that the merger is their best path forward in the current market environment because it provides all the benefits that come from an IPO and being traded on the New York Stock Exchange, without requiring them to go through a traditional IPO process, which he called “restrictive, time-consuming, costly and uncertain.”

    “Becoming a publicly traded company is the logical next step to supporting our development and accelerating our growth. This new source of capital will provide greater financial flexibility, in addition to the necessary scale and resources to effectively execute against our go-to-market strategy,” Foster explained, adding that IDX is “the nation’s largest provider of data breach response services.”

    “The combined SaaS business will have over 650 employees and serve approximately 1,700 customers including five of the Fortune Top 10 and the largest companies in media, technology, retail, and energy. Collectively, over 90% of our revenues will be recurring platform subscriptions. The platform will process billions of data elements and protect tens of millions of digital assets around the world.”

    IDX CEO Tom Kelly said the deal with ZeroFox is the result of a long-standing partnership between the two companies. Adam Gerchen, CEO of LNFA and a new ZeroFox board member, noted that the company is aiming to get a slice of the $51 billion external cybersecurity and digital protection market.



    After ransomware attack, global logistics firm Hellmann warns of scam calls and mail

    German logistics giant Hellmann has warned its customers and partners to be on the lookout for fraudulent calls and mail after the company was hit with a ransomware attack two weeks ago. In an update about the cyberattack, which initially forced the company to cut all connections to its central data center, Hellmann said business operations are back up and running but the “number of so-called fraudulent calls and mails has generally increased.”

    “The forensic investigation has meanwhile confirmed that data was extracted from our servers before our systems were taken offline on December 9. We are currently investigating what type of data was extracted and will proactively provide further information as soon as possible. We are in regular contact with relevant government authorities,” Hellmann said.

    “Whilst communication with Hellmann staff via email and telephone remains safe (inbound and outbound), please make sure that you are actually communicating with a Hellmann employee and beware of fraudulent mails/calls from suspicious sources, in particular regarding payment transfers, changes to bank account details or the like.”

    When news of the attack first broke on December 9, the company said the shutdown was having a “material impact” on its business operations. The German company operates in 173 countries, running logistics for a range of air and sea freight as well as rail and road transportation services. Air Cargo News, which first reported the attack, said the company had revenue of nearly $3 billion last year.

    BleepingComputer reported last week that the RansomEXX ransomware group has claimed responsibility for the attack. After negotiations with Hellmann fell apart, the group published 70.64 GB of stolen documents on its leak site, including business agreements, intra-company emails, and more, the outlet explained. It added that the leaked data explained the increase in scam calls.

    In February, the criminal group that deploys the RansomEXX ransomware was caught abusing vulnerabilities in VMware ESXi that allowed them to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives. They were also identified by the FBI in November as one of the ransomware groups that use “significant financial events” as leverage during their attacks.

    “Ransomware groups are using events like mergers and acquisitions to target companies and force them into paying ransoms,” the FBI said. “A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network indicating an interest in the victim’s current and near-future stock share price. These keywords included 10-q, 10-sb, n-csr, nasdaq, marketwired, and newswire.”


    $30 million stolen from Grim Finance, audit firm blames new hire for vulnerability

    DeFi protocol Grim Finance said about $30 million was stolen this weekend by hackers exploiting a vulnerability in their platform. In a statement posted to Twitter on Saturday, Grim Finance said “an advanced attack” was taking place and initially paused all vaults to prevent more attacks. 

    “The exploit was found in the vault contract so all of the vaults and deposited funds are currently at risk,” the company explained on Saturday night. “We have contacted and notified Circle (USDC), DAI, and AnySwap regarding the attacker address to potentially freeze any further fund transfers.”

    Solidity Finance, a DeFi auditing firm, released an apology for missing the vulnerability that led to the incident; it had audited Grim Finance just four months ago. The company said the cause of the issue was “the ability of users to input arbitrary addresses and have them called within the depositFor function.” “Via reentrancy, the issue allowed users to falsely increase their shares in Grim’s vaults and subsequently withdraw more than they had deposited,” Solidity Finance wrote on its website before linking to a longer Twitter thread in which it said a new analyst missed the vulnerability while the CTO was on vacation. “This audit was performed by an analyst who was new to the team… unfortunately this issue was not caught in our peer review process.”

    The thread goes on to explain the technical details of the attack and says the exploited code was present in multiple vaults, resulting in a loss of funds across the platform’s vaults. Some DeFi security experts noted that having a before-after pattern without a reentrancy guard “is a big no-no.” RugDoc.io explained that a “before-after pattern is a section of code that checks the vault balance before and after your deposit to figure out how much was actually received by the vault.”

    “This helps with transfer-tax tokens where the amount sent does not equal the amount received. However, what happens if we can do a second deposit while the first deposit is still ongoing?” RugDoc.io wrote, adding that Grim Finance did not have a “reentrancy guard on a pattern that absolutely needs it” and gave users more privilege than necessary. Solidity Finance said it regularly recommends fixing this issue but it “slipped through” its process while the firm was “overwhelmed and onboarding new analysts in August.” It has scanned all of its earlier audits and confirmed that Grim Finance was the only codebase where the vulnerability was present. Of the 900 audits it has done, Grim is the second exploit it has missed, according to its records.

    The attack on Grim Finance adds to a whirlwind year for DeFi hacks. Last week, more than $77 million was stolen from AscendEX. Days before that, blockchain gaming company Vulcan Forged said around $140 million had been stolen from its users. Crypto trading platform BitMart suffered a devastating attack that caused about $200 million in losses. Just last month, cybercriminals stole about $120 million from DeFi platform Badger. Other attacks in 2021 include thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September. In May, about $200 million was stolen from the PancakeBunny platform. The Record and Comparitech keep running tallies of cyberattacks on cryptocurrency platforms, noting recent attacks on Liquid, EasyFi, bZx, and many other platforms.
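    The before-after accounting flaw RugDoc.io describes, as an added illustration that is not Grim Finance’s code or Solidity Finance’s audit material: a hypothetical VulnerableVault whose depositFor takes a caller-supplied token address and leaves the before/after window unguarded, beside a HardenedVault that pulls only its own token under OpenZeppelin’s nonReentrant guard (contract and function names are assumptions; the OpenZeppelin 4.x import paths are real).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical vaults illustrating the pattern discussed above; not Grim Finance's code.
// Import paths are those of OpenZeppelin Contracts 4.x.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Shared share accounting: shares are minted in proportion to what the vault
// actually received, measured as the balance delta around the transfer.
abstract contract VaultBase {
    IERC20 public immutable want;                 // the one token this vault holds
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 _want) { want = _want; }

    function balance() public view returns (uint256) {
        return want.balanceOf(address(this));
    }

    function _mintShares(address user, uint256 received, uint256 poolBefore) internal {
        uint256 minted = (totalShares == 0 || poolBefore == 0)
            ? received
            : (received * totalShares) / poolBefore;
        shares[user] += minted;
        totalShares += minted;
    }
}

// Weak form: the before/after window stays open across a call to a caller-chosen
// contract, and nothing stops that call from re-entering depositFor.
contract VulnerableVault is VaultBase {
    constructor(IERC20 _want) VaultBase(_want) {}

    function depositFor(address token, uint256 amount, address user) external {
        uint256 poolBefore = balance();
        // `token` is caller-controlled, so an arbitrary contract runs here. If it
        // re-enters depositFor and that nested deposit completes first, balance()
        // already includes the nested deposit's tokens, and the delta computed
        // below credits `user` for them a second time.
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        uint256 received = balance() - poolBefore;
        _mintShares(user, received, poolBefore);
    }
}

// Hardened form: only the vault's own token is pulled (no arbitrary call target),
// and nonReentrant closes the window, so each deposit is measured exactly once.
// The before/after measurement itself is kept: it is what makes transfer-tax
// tokens account correctly.
contract HardenedVault is VaultBase, ReentrancyGuard {
    using SafeERC20 for IERC20;

    constructor(IERC20 _want) VaultBase(_want) {}

    function depositFor(uint256 amount, address user) external nonReentrant {
        uint256 poolBefore = balance();
        want.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = balance() - poolBefore;
        _mintShares(user, received, poolBefore);
    }
}
```

    Either fix alone narrows the issue; the hardened contract applies both, since the page’s two findings (arbitrary call target, missing guard) are independent.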


    Ruled by algorithms, gig workers remain powerless against automated decision-making

    Gig workers are being denied access to their personal data outright and are unable to challenge the outcome of automated decision-making systems
    “Weakly enforced” data protection laws have resulted in “woefully inadequate levels of transparency” around the use of algorithmic surveillance and decision-making systems in the gig economy, according to a report.

    A study published by the Worker Info Exchange (WIE), a campaign group advocating workers’ rights to the data held on them by employers, warned that gig workers were being subjected to unfair profiling and discrimination by automated systems that aimed to “maintain exploitative power” over them. The report, titled Managed by Bots: Data-Driven Exploitation in the Gig Economy, found that gig workers were routinely denied access to personal data held on them by companies that use machine-learning tools to allocate work and manage employees.


    WIE also accused platform employers of withholding performance and surveillance data “behind the label of anti-fraud prevention” and exploiting current data protection laws to “rubber-stamp unfair machine-made decisions” – leaving gig workers powerless to challenge them.

    “Platform companies are operating in a space where they believe they can make the rules,” said Bama Athreya, Fellow at the Open Society Foundations. “Unfortunately, this isn’t a game; virtual realities have harsh consequences for gig workers in real life.”

    WIE’s report comes on the back of growing concerns about the prevalence of algorithmic surveillance and decision-making technologies in the workplace, particularly since the start of the COVID pandemic.

    A November 2021 study by workers union Prospect found that a third of employees reported being subjected to some form of monitoring by their employers. Electronic monitoring and surveillance systems were also the subject of a report by the European Commission’s Joint Research Council (JRC), which warned of significant “psycho-social risks” to gig workers who were routinely subjected to automated decision-making and surveillance. Kirstie Ball, the University of St Andrews professor who authored that report, said excessive and intrusive monitoring also threatened to erode employer-employee relationships unless workers were granted greater insight into how their data was used and human agents played a greater role in overseeing machine-made decisions.

    WIE’s report said platform companies often used legal loopholes to excuse them from meeting certain employer obligations or paying tax or national insurance contributions. This has allowed many of these companies to become industry disruptors by enabling them to “rapidly scale and build competitive advantage from an excess supply of unpaid and underpaid workers who wait for work, while depressing their own wages.”

    Potential changes to the UK’s compliance with Europe’s General Data Protection Regulation (GDPR), which would give employers more discretion over how they respond to data access requests and lessen their obligation to prepare data protection impact assessments around the processing of sensitive data, also present “a hammer-blow” to gig workers’ employment rights. “In the UK, these already weak digital rights for workers will be fatally compromised if the government’s proposals on GDPR divergence are passed into law,” said the report. “All of these problems are aggravated by the failure of platforms to respect the digital rights of workers. Our report shows woefully inadequate levels of transparency about the extent of algorithmic management and automated decision making workers are subject to in the gig economy.”

    Getting their cases through the courts presents another challenge to gig workers, the report said. As a result, wider recognition of the issues presented by the gig economy – specifically at government level – is lacking. “Even where worker rights have been asserted, such as in the UK, there has been no wider enforcement by the government. This leaves workers with few alternatives to litigation, if they have the resources to do so,” the report said. “That is why workers must improve their bargaining power through organising and collective action. The ability of workers therefore to access and pool their data is a powerful force in organising yet to be properly tapped.”



    Scammers grabbed $7.7 billion worth of cryptocurrency in 2021, say researchers

    Cryptocurrency-based scammers and cyber criminals netted a whopping $7.7 billion worth of cryptocurrency from victims in 2021, marking an 81% rise in losses compared to 2020, according to blockchain analysis firm, Chainalysis.  Some $1.1 billion of the $7.7 billion in losses were attributed to a single scheme which allegedly targeted Russia and Ukraine, it said. 


    “As the largest form of cryptocurrency-based crime and one uniquely targeted toward new users, scamming poses one of the biggest threats to cryptocurrency’s continued adoption,” said Chainalysis.

    At the same time, though, the number of deposits to scam addresses fell from just under 10.7 million to 4.1 million, which it said could mean there were fewer individual scam victims – but they are losing more. A major source of rising cryptocurrency losses in 2021 was so-called “rug pulls”, where the developers of a new cryptocurrency vanish and take supporters’ funds with them. Rug pulls accounted for 37% of all cryptocurrency scam revenue in 2021, totaling $2.8 billion – up from just 1% in 2020. “Rug pulls are prevalent in DeFi because with the right technical know-how, it’s cheap and easy to create new tokens on the Ethereum blockchain or others and get them listed on decentralized exchanges (DEXes) without a code audit,” it warned.

    The characteristics of the investment scam networks are changing. Chainalysis found that the number of active financial scams rose from 2,052 in 2020 to 3,300, while their individual lifespan has decreased from over 500 days in 2016 to 291 days in 2020 and just 70 days in 2021. “Previously, these scams may have been able to continue operating for longer. As scammers become aware of these actions, they may feel more pressure to close up shop before drawing the attention of regulators and law enforcement,” it said.

    Unsurprisingly, scams also increase in line with the rise in value of popular cryptocurrencies such as Ethereum and Bitcoin, although that link may have been broken in the last year. Chainalysis notes: “The most important takeaway is to avoid new tokens that haven’t undergone a code audit. Code audits are a process through which a third-party firm analyzes the code of the smart contract behind a new token or other DeFi project, and publicly confirms that the contract’s governance rules are iron clad and contain no mechanisms that would allow for the developers to make off with investors’ funds.” It added: “Investors may also want to be wary of tokens that lack the public-facing materials one would expect from a legitimate project, such as a website or white paper, as well as tokens created by individuals not using their real names.”


    Services Australia rejects senator request for details of Cellebrite contract

    A demonstration of Cellebrite technology being used.
    Services Australia has rejected a senator’s request to disclose its contract with Cellebrite, under which the company provides technology to help prevent criminal activity. Cellebrite, an Israeli digital intelligence company, is best known for its controversial phone-cracking technology, which it previously claimed could download most data from almost any device on behalf of government agencies.

    During Senate Estimates in October, Greens Senator Janet Rice had asked Services Australia various questions about the agency’s decision to procure vendor services from Cellebrite, among them a request to see a copy of the Cellebrite contract. Services Australia at the time took that request on notice. Rice had also asked about the scope of Services Australia’s usage of the Cellebrite technology, which Services Australia acting deputy CEO of payments and integrity Chris Birrer said has only been used in fraud and identity theft cases, such as when people have falsely claimed government disaster relief payments, uploaded false information to commit fraud, or stolen the identities of actual customers to hijack payments. Birrer added that his agency does not deploy these capabilities in relation to any general payment accuracy compliance activities.

    In its response to Rice’s request for the Cellebrite contract to be disclosed, Services Australia said disclosure of the requested documents would be contrary to the public interest, as it would prejudice its criminal intelligence and investigation functions and would not be consistent with the agency’s commercial interests.

    “Specifically, disclosure of the agency’s lawful methods or procedures for preventing, detecting, investigating, or dealing with matters arising out of breaches or evasions of the law would, or would be reasonably likely to, undermine the effectiveness of those methods or procedures,” Services Australia said in its response. “Disclosure would also reveal commercially sensitive information provided to the agency in confidence by Cellebrite, potentially causing the agency to be in breach of its contractual obligations, and commercially disadvantaging Cellebrite in the marketplace.”

    As part of the responses to Senate Estimates questions taken on notice, Rice and Labor Senator Malarndirri McCarthy also received responses from the Department of Social Services about its progress in analysing the efficacy of the Cashless Debit Card (CDC) program. The CDC, which kicked off in 2016 as a trial, governs how some individuals in receipt of welfare spend their money, with the idea behind the program being both to prevent the sale of alcohol, cigarettes, and some gift cards and to block the funds from being used on activities such as gambling. The program has repeatedly been labelled racist by the Opposition, as it has disproportionately impacted Indigenous Australians. Labor Senators have also said there is no evidence that compulsory, broad-based income management actually works.

    In one of the responses, Social Services revealed that most of its advertising of the CDC program in the Northern Territory, where most of the program trials have taken place, went to ads on 13 Indigenous radio stations, while only three regional and two national/metro radio stations received ads.

    To address concerns about the CDC’s efficacy, Social Services also revealed in responses to questions on notice that it has paid Deloitte AU$675,000 to undertake data repository services for the CDC program. This will entail analysing CDC data to provide a more complete evidence base of the program’s success and inform policy decisions about the future of the program. The department said the data that will be considered relates to changes in social harm, along with a range of data relating to social security, drug and alcohol use, gambling, financial management, child protection, police records relating to drug and alcohol-related crime, domestic violence hospital admissions, employment and training, and education.

    The procurement of Deloitte’s services follows the Australian National Audit Office (ANAO) announcing last month that it would commence a follow-up audit into the effectiveness of the CDC program. The federal auditor is conducting another audit because Social Services did not have an adequate program for monitoring and evaluating the CDC program’s effectiveness, which meant it was difficult to conclude whether the program helped reduce social harm or whether the card was a lower-cost welfare quarantining approach. At the moment, CDC card providers like Indue are being paid AU$1,100 per participant in the program. In total, the federal government has paid AU$70 million to Indue since the program commenced.


    Singapore holds emergency meetings with CII sectors over Log4j

    Singapore has held emergency meetings with critical information infrastructure (CII) sectors to prepare them for potential threats stemming from the Log4j vulnerability. The country’s cybersecurity agency has issued alerts on the Apache Java logging library flaw and is “closely monitoring” developments.  The first alert had gone out on Dec 14, with Singapore’s Cyber Security Agency (CSA) warning that the “critical vulnerability”, when exploited successfully, could allow attackers to gain full control of affected servers. It noted that there was only a short window to deploy mitigation measures and organisations should do so quickly.  It said alerts were sent out to CII sector leads and businesses, instructing them to immediately patch their systems to the latest version. The government agency also was working with these CII representatives to roll out mitigation measures. 


    Singapore’s cybersecurity bill covers 11 critical information infrastructure (CII) sectors, enabling the relevant local authorities to take proactive measures to protect these CIIs. The bill outlines a regulatory framework that formalises the duties of CII providers in securing systems under their responsibility, both before and after a cybersecurity incident has occurred. These 11 “essential services” sectors include water, healthcare, energy, banking and finance, and aviation. No Log4j-related breaches had been reported at the time CSA issued its December 14 alert.

    CSA on Friday issued another update, raising the alert on the security flaw. It noted that because Log4j is widely used by software developers, the vulnerability could have “very serious consequences”. “The situation is evolving rapidly and there have already been numerous observations of ongoing attempts by threat actors to scan for and attack vulnerable systems,” the government agency said. “There have been two emergency meetings by CSA with all the CII sector leads to issue directions and technical details and heighten monitoring for unusual activities.”

    A briefing session was also held on Friday with trade associations and chambers to highlight the severity of the Log4j vulnerability and the urgency for all organisations, including small and midsize businesses (SMBs), to immediately deploy mitigation measures.

    In its advisory on dealing with the library flaw, Singapore CERT (SingCERT) cautioned that some previous stop-gap measures were no longer recommended, as they had been determined to be insufficient. These included setting the system property to true or modifying the logging configuration to disable message lookups. Users who were unable to upgrade to version 2.16.0 (for Java 8) or 2.12.2 (for Java 7) should disable lookups by removing the JndiLookup class from the log4j-core jar file, SingCERT advised. It added that users of products with Log4j should implement the latest patch, especially those using affected Apache Log4j versions between 2.0 and 2.14.1. They should also beef up monitoring for unusual activities and review their system logs. Software developers that tapped Log4j in their products should identify and develop patches for affected products, and notify users of those products to prioritise the deployment of software updates.

    CSA said it was in contact with other international agencies and computer emergency response teams (CERTs) of Asean member states to share information on the latest developments on Log4j. It urged organisations affected by the vulnerability to report to SingCERT should they uncover evidence of any compromise. The US Cybersecurity and Infrastructure Security Agency on Friday also sent out an emergency directive requiring federal civilian departments and agencies to immediately patch their internet-facing network assets for Apache Log4j vulnerabilities.