Microsoft's log4j vulnerability exploited by state-sponsored hackers | Facebook warns 50,000 users targeted by spyware industry | Former Japanese PM Abe calls for Japan-US-Taiwan defence tech sharing
The Daily Cyber Digest focuses on the topics we work on, including cyber, critical technologies & strategic issues like foreign interference.
Welcome to the final Cyber Digest of 2021. The team at the International Cyber Policy Centre are taking a break over the holidays and will return with daily updates on January 10th.
The log4j vulnerability, first discovered late last week, has set off alarm bells for cybersecurity professionals worldwide, as the vulnerability is fundamental to systems used by many organizations and difficult to fully patch. Microsoft on Tuesday updated its blog post on the log4j vulnerability, warning that the Microsoft Threat Intelligence Center (MSTIC) had seen evidence of nation-state hacking groups in China, Iran, North Korea and Turkey exploiting it. The Hill
Facebook is going in hard on the surveillance-for-hire industry, banning six companies and another mysterious Chinese law enforcement supplier from its platforms, removing hundreds of accounts linked to the organizations, and warning 50,000 people it believes have been targeted by them. Forbes
Former Japanese Prime Minister Shinzo Abe on Tuesday called for greater cooperation between Japan, the U.S. and Taiwan on technologies in new defense domains, while raising the alarm over China's military buildup.
The three sides must spare "no effort in building our capabilities in all domains," including land, sea, air, cyber and outer space. Nikkei Asia
ASPI ICPC
Software flaw leaves businesses vulnerable to attack
ABC Radio
Rachel Mealey
The latest is a flaw that's been discovered in widely-used software - known as log-4-j and it's posing security risks across the internet. But even though the problem has been identified - the full extent of the damage may not be known for weeks and months. Featured: Karly Winkler, senior analyst with the International Cyber Policy Centre at the Australian Strategic Policy Institute.
World
China, Iran among those exploiting Apache cyber vulnerability, researchers say
The Hill
Maggie Miller
State-sponsored hackers from countries including Iran and China are actively exploiting a major vulnerability in Apache logging package log4j to target vulnerable organizations around the world, security researchers found this week. The log4j vulnerability, first discovered late last week, has set off alarm bells for cybersecurity professionals worldwide, as the vulnerability is fundamental to systems used by many organizations and difficult to fully patch.
Log4j cyber security flaw that has online experts fearing the worst
ABC
Security professionals say it is one of the worst computer vulnerabilities they have ever seen as agencies in the United States and Australia sound the alarm on Log4j software, which has a key weakness that is startling experts.
Software Flaw Sparks Global Race to Patch Bug
The Wall Street Journal
Robert McMillan
Companies and governments around the world rushed over the weekend to fend off cyberattacks looking to exploit a serious flaw in a widely used piece of Internet software that security experts warn could give hackers sweeping access to networks. Cybersecurity researchers said the bug, hidden in an obscure piece of server software called Log4j, represents one of the biggest risks seen in recent years because the code is so widely used on corporate networks.
Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation
Microsoft Threat Intelligence Centre
Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, have been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”.
Australia
Australia more exposed to cyber attack after AUKUS: Karen Andrews
The Australian
Adam Creighton
Australia is more exposed to a major cyber-attack after joining the AUKUS security pact with the US and the UK, home affairs Minister Karen Andrews has warned, amid growing concern about hostile cyber attacks from China and Russia on critical infrastructure. In Washington to sign the Cloud Act agreement with the US, which will make it easier for US and Australian law enforcement agencies to share online information about potential criminals, Ms Andrews said Australia’s energy grid was a likely target of a future attack.
AFP ordered to strengthen privacy governance
Office of the Australian Information Commissioner
Australian Information Commissioner and Privacy Commissioner Angelene Falk has determined that the Australian Federal Police (AFP) failed to comply with its privacy obligations in using the Clearview AI facial recognition tool. Commissioner Falk found the AFP failed to complete a privacy impact assessment (PIA) before using the tool, in breach of clause 12 of the Australian Government Agencies Privacy Code, which requires a PIA for all high privacy risk projects. The AFP also breached Australian Privacy Principle (APP) 1.2 by failing to take reasonable steps to implement practices, procedures and systems in relation to its use of Clearview AI to ensure it complied with clause 12 of the Code.
China
Chinese tech wades into metaverse as state media warnings signal possible crackdown
Taiwan News
Liam Gibson
Chinese tech giants Alibaba and Baidu are making forays into the booming metaverse ecosystem as state media warn of the dangers in this unregulated new cyber frontier.
Scammers Are Using Dating Apps to Extort China’s Gay Men
Sixth Tone
Zhang Wanqing
Jiankang remembers the exact date and time he was scammed while searching for love online. It was the International Day Against Homophobia, Transphobia, and Biphobia on May 17 last year, and he was having dinner with his roommate in Shanghai — until a video call disrupted the evening. The caller — “Mind-Piercing Ice” — was the “cute-looking” man he had chatted and exchanged contacts with on the Chinese gay dating app Blued just the week before.
USA
Facebook Warns 50,000 Users Were Targeted By Spy-For-Hire Companies
Forbes
Thomas Brewster
Meta warns of “indiscriminate” targeting of “everyday people,” as it continues its fight against the spyware industry. Facebook is going in hard on the surveillance-for-hire industry, banning six companies and another mysterious Chinese law enforcement supplier from its platforms, removing hundreds of accounts linked to the organizations, and warning 50,000 people it believes have been targeted by them. The spyware businesses have also been sent cease and desist letters, and Meta has shared information with law enforcement agencies across the world.
Google Warns That NSO Hacking Is On Par With Elite Nation-State Spies
WIRED
Lily Hay Newman
The Israeli spyware developer NSO Group has shocked the global security community for years with aggressive and effective hacking tools that can target both Android and iOS devices. The company's products have been so abused by its customers around the world that NSO Group now faces sanctions, high-profile lawsuits, and an uncertain future. But a new analysis of the spyware maker's ForcedEntry iOS exploit—deployed in a number of targeted attacks against activists, dissidents, and journalists this year—comes with an even more fundamental warning: Private businesses can produce hacking tools that have the technical ingenuity and sophistication of the most elite government-backed development groups.
Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
Google
Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works. Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we've ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.
U.S. builds new software tool to predict actions that could draw China's ire
Reuters
Mike Stone
U.S. military commanders in the Pacific have built a software tool to predict how the Chinese government will react to U.S. actions in the region like military sales, U.S.-backed military activity and even congressional visits to hotspots like Taiwan.
Biden administration concerned about U.S. investments in Chinese tech companies with military or surveillance ties
The Washington Post
Ellen Nakashima, Jeanne Whalen
Last year, a fast-rising artificial intelligence company in China won a little-noticed contract from a Chinese military academy to provide battlefield command software — technology that defense experts say could become part of the military’s operational network. A few months later, Goldman Sachs invested in the Beijing-based company, helping it raise $700 million, according to the company, 4Paradigm. So did Sequoia Capital China, a Chinese affiliate of the prominent Silicon Valley venture-capital firm, which markets funds that draw investment from U.S. university endowments and charitable trusts.
President Daniels responds to Chinese student's harassment
Purdue Exponent
Purdue President Mitch Daniels sent an email to Purdue students, faculty and staff Wednesday, criticizing the harassment of a Chinese student over speaking on Chinese politics. The email comes as a response to a ProPublica article written about Purdue student Zhihao Kong, who was allegedly harassed and threatened by other students from China about a post he made commending the heroism of students killed in the Tiananmen Square massacre in 1989. The students followed Kong around campus, according to the article, calling him a CIA agent and threatening to report him to the Chinese embassy.
Apple quietly pulls references to its CSAM detection tech after privacy fears
TechCrunch
Carly Page
Apple has quietly removed from its website all references to its child sexual abuse scanning feature, months after announcing that the new technology would be baked into iOS 15 and macOS Monterey. Back in August, Apple announced that it would introduce the feature to allow the company to detect and report known child sexual abuse material, known as CSAM, to law enforcement. At the time, Apple claimed — unlike cloud providers that already offered blanket scanning to check for potentially illegal content — it could detect known illegal imagery while preserving user privacy, because the technology could identify known CSAM on a user’s device without having to possess the image or device, or knowing its contents. Apple faced a monumental backlash in response.
Ransomware attack threatens paychecks just before Christmas
NBC News
Kevin Collier
A major payroll company has been crippled by ransomware hackers, leaving some companies around the country scrambling to cover employees’ last paychecks before Christmas and many workers wondering if they’ll get paid on time. Kronos, one of the largest workforce management companies in the U.S., was hit with ransomware Saturday, according to the company's public updates page, and announced Monday that its programs that rely on cloud services — which a number of companies use to pay employees and manage their hours — would be unavailable for “several weeks.” For many Americans who are paid biweekly, Dec. 17 is the final payday before Christmas.
ESF Members, NSA and CISA publish the fourth installment of 5G cybersecurity guidance
National Security Agency
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published the fourth installment on securing integrity of 5G cloud infrastructures, Ensure Integrity of Cloud Infrastructure. As 5G networks and devices continue to increase in popularity, the importance of platform security to harden your systems against malicious cyber activity and persistence is apparent.
Facebook-Ray-Ban Smart Glasses Partnership Rests on One Optical Company
Bloomberg
Alex Webb
If you’re squinting a bit to read this—whether on a screen or on paper—you’re not alone. The pandemic has taken a terrible toll on our eyesight. But what’s a bummer for you and the three-fourths of Americans who use corrective vision is a big opportunity for the tech industry, which has its eye on those precious inches around the bridge of your nose. The Silicon Valley companies working on smart glasses are betting it will be easier to persuade people who already sport specs to try out their vision of the future.
TikTok to Adjust Its Algorithm to Avoid Negative Reinforcement
The Wall Street Journal
Liza Lin
Popular video-sharing app TikTok said it would adjust its recommendation algorithm to avoid showing users too much of the same content, as social-media platforms globally come under scrutiny for their potential harm to younger users. TikTok said on Thursday that it is testing ways to avoid pushing too much content from a certain topic, such as extreme dieting, sadness or breakups, to individual users to protect their mental well-being.
Can we regulate social media without breaking the First Amendment?
The Verge
Nilay Patel
One of the hardest problems at the intersection of tech and policy right now is the question of how to regulate social media platforms. Everyone seems to think we should do it — Democrats, Republicans — even Facebook is running ads saying it welcomes regulation. It’s weird. But while everyone might agree on the idea, no one agrees on the execution. Everyone agrees the platforms should be more transparent but not about what — should the algorithms be public? Should researchers have access to data about users? What about data privacy? That seems good, but those bills have been stalled out forever.
North-East Asia
Japan, U.S. and Taiwan should share new defense tech: Abe
Nikkei Asia
Former Japanese Prime Minister Shinzo Abe on Tuesday called for greater cooperation between Japan, the U.S. and Taiwan on technologies in new defense domains, while raising the alarm over China's military buildup. The three sides must spare "no effort in building our capabilities in all domains," including land, sea, air, cyber and outer space, Abe said in a prerecorded speech for the Taiwan-U.S.-Japan Trilateral Indo-Pacific Security Dialogue.
South-East Asia
Efforts to increase cybercrime, cybersecurity awareness intensify
The Malaysian Reserve
Fayyadh Jaafar
The Ministry of Communications and Multimedia (MCMC) has launched the National Cyber Security Awareness Module and Cyber Security Enhancement Project for small and medium enterprises (SMEs) to educate the public about cyber threats and how they can protect themselves.
South and Central Asia
Someone Offered 'Harvard' Jobs to Known Women in India. It Was a Scam.
The New York Times
Jeffrey Gettleman, Kate Conger, Suhasini Raj
Mr. Jain believed foreign governments might have played a role. The suspicious file he uncovered on Ms. Razdan’s computer contained an IP address that had once been linked to a hacking group believed to be associated with Pakistani intelligence. Mr. Jain also discovered several other suspicious websites that purported to be career pages for other Ivy League universities, but were registered in China, making him believe the scam that targeted Ms. Razdan was part of a broader operation.
UK
The UK Government’s New Cyber Strategy: A Whole of Society Response
Royal United Services Institute
Conrad Prince CB
The UK government’s new national cyber strategy was launched on Wednesday, five years on from the influential 2016 strategy that, among other things, created the flagship National Cyber Security Centre (NCSC). Cyber is a more pressing issue than ever, and front-and-centre in the new era of great power competition. So, what does the new strategy have to say about the UK’s direction over the next few years?
National Cyber Strategy 2022
UK Government
This strategy sets out the government’s approach to protecting and promoting the UK’s interests in cyberspace. It is our plan to ensure that the UK continues to be a leading responsible and democratic cyber power.
Russia
Google Faces Huge Fines in Russia After Sanctioned TV Channel Wins Lawsuit
Bloomberg
Henry Meyer
Alphabet Inc.’s Google is facing potentially heavy fines in Russia after a court ruled it must unblock the YouTube account of a TV channel owned by a sanctioned ally of President Vladimir Putin. The Moscow Ninth Arbitration Court of Appeals on Thursday upheld an April ruling that ordered the U.S. technology giant to restore the Tsargrad account or face a daily fine, the channel said in a statement Thursday. Settlement talks between the two sides failed to yield a deal in August.
It's unclear whether Russia is cracking down on cyber attacks
The Washington Post
Joseph Marks, Aaron Schaffer
Six months ago today, President Biden warned Russian President Vladimir Putin in a face-to-face meeting that he must rein in criminal ransomware hackers operating on Russian territory or face consequences. Since then, there's been no reduction in the overall pace of ransomware attacks from Russia, government officials have said.
Misc
Srsly Risky Biz: Thursday December 16 - Stopping the next Log4Shell
Srsly Risky Biz
Tom Uren
The vulnerability disclosed in the Java Log4j logging library last week is, to put it mildly, quite bad. It also proves we need to pay more attention to little-known but pervasive software in the open source supply chain. First, let's talk about the actual vulnerability.
My trip into the metaverse with Facebook defender-in-chief Nick Clegg
Financial Times
Henry Mance
Nick Clegg may be available in Berlin. He has a slot in Paris. He’ll make time for lunch in Brussels. Then Omicron hits, and the vice-president of global affairs at Meta, formerly known as Facebook, is not coming to Europe after all. Instead Clegg offers to meet . . . in the metaverse, the immersive digital world hyped as the successor to the internet. In the metaverse, no one can give you Covid. So I put on a bulky virtual reality headset, sign away my data and log into a simulated meeting room.
The metaverse has a groping problem already
MIT Technology Review
Tanya Basu
Last week, Meta (the umbrella company formerly known as Facebook) opened up access to its virtual-reality social media platform, Horizon Worlds. Early descriptions of the platform make it seem fun and wholesome, drawing comparisons to Minecraft. In Horizon Worlds, up to 20 avatars can get together at a time to explore, hang out, and build within the virtual space. But not everything has been warm and fuzzy. According to Meta, on November 26, a beta tester reported something deeply troubling: she had been groped by a stranger on Horizon Worlds. On December 1, Meta revealed that she’d posted her experience in the Horizon Worlds beta testing group on Facebook.
Which search engine serves up the most conspiracy theories?
Input
Chris Stokel-Walker
More than three-quarters of search results for the six terms on Yandex served up sites that either mentioned or actively promoted conspiratorial thinking. On Yahoo, more than half did. Bing and DuckDuckGo saw conspiracy-mentioning or -promoting content take up slightly less than half of results. Only Google did a good job in not amplifying pro-conspiratorial thoughts. It acknowledged conspiracies in around one in four results — roughly the same proportion of results that debunked conspiracy thinking around the six terms.
Why our values should drive our technology choices
NATO
Dr Ulf Ehlert
It is fair to say that our relationship with technology is complicated. Just look at headline topics like renewable energy or Artificial Intelligence (AI), or consider pharmaceuticals, automotive, consumer electronics, social media and biotechnology. On the topic of any of these technologies, you’ll almost certainly hear a cacophony of voices that range from promising a new era of happiness to predicting the doom of humanity. How can we make sense of these confusing perspectives, and how can we maximise the benefits of emerging and potentially disruptive technologies while effectively minimising their risks?
Jobs
ICPC Senior Analyst or Analyst - China
ASPI ICPC
ASPI’s International Cyber Policy Centre (ICPC) has a unique opportunity for exceptional and experienced China-focused senior analysts or analysts to join its centre. This role will focus on original research and analysis centred around the (growing) range of topics which our ICPC China team work on. Our China team produces some of the most impactful and well-read policy-relevant research in the world, with our experts often being called upon by politicians, governments, corporates and civil society actors to provide briefings and advice. Analysts usually have at least 5 years, often 7-10 years, of work experience. Senior analysts usually have a minimum of 15 years of relevant work experience and, in addition to research, they take on a leadership role in the centre and tend to be involved in staff and project management, fundraising and stakeholder engagement.
ICPC Analyst / Project Lead - Cyber Capacity Building
ASPI ICPC
ASPI’s International Cyber Policy Centre (ICPC) has a unique opportunity for a talented Analyst / Project Lead to support a new project that looks at supporting states in the Indo-Pacific in defending against cyber-enabled theft of intellectual property. The successful candidate will work in a small, high-performing team to produce original research and analysis that directly informs broader diplomatic and cyber capacity building activities on the topic of equipping countries globally with tools to defend against the use of cyber tools to steal IP for commercial purposes. Together with a project lead on Learning and Development and the Project Director, the analyst will also participate in international workshops, provide training to foreign governments and present to other external stakeholders. Analysts usually have at least 5 years, often 7-10 years, of work experience.
The best things to watch, read, and listen to over the break, selected by the Cyber Digest team.
Red Roulette: An Insider's Story of Wealth, Power, Corruption and Vengeance in Today's China
Desmond Shum
Red Roulette is a must-read for anyone interested in modern China. The book gives readers vivid insight into PRC corruption and elite politics. It's also just a rip-roaring read. Desmond Shum pulls back the curtain on the wheelings and dealings of China's elite, revealing how he and his ex-wife rose to the highest echelons of wealth and power in China. Shum's ex-wife Whitney Duan disappeared a few years ago and remains a captive of the Chinese secret police.
When We Cease to Understand the World
Benjamín Labatut
An extraordinary ‘nonfiction novel’ weaves a web of associations between the founders of quantum mechanics and the evils of two world wars. It explores the human "ecstasy of scientific discovery and the price it exacts."
I Spy
Foreign Policy
I Spy is a podcast series that hears from former intelligence operatives, from agents mastering disguises to pull off risky heists to KGB sleeper agents, covering every corner of the globe. This podcast offers an insight into the intelligence community’s most interesting aspects.
Conversations with Tyler
Tyler Cowen
On the Conversations with Tyler podcast, economist Tyler Cowen engages with today’s most underrated thinkers in wide-ranging explorations of their work, the world, and everything in between. It contains deep and thoughtful conversations on the big issues. Great for idea discovery.
The Expanse
Amazon Original
A science fiction TV show in which humans have colonised the solar system in the future. This is a very compelling space thriller which explores a 'space cold war'.
Invasion
Amazon Original
Earth is visited by an alien species that threatens humanity's existence. Events unfold in real time through the eyes of five ordinary people across the globe as they struggle to make sense of the chaos unraveling around them.