The political prisoner will continue serving her sentence in women's penal colony No. 4
…
U.S. cybersecurity officials are still sounding an alarm about the so-called Log4j software vulnerability more than a month after it was first discovered, warning some criminals and nation state adversaries may be waiting to make use of their newfound access to critical systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Monday that the vulnerability, also known as Log4Shell, has been subject to widespread exploitation by criminals over the past several weeks, but that more serious and damaging attacks could still be in the works.
“We do expect Log4Shell to be used in intrusions well into the future,” CISA Director Jen Easterly told reporters during a phone briefing, adding, “at this time we have not seen the use of Log4shell resulting in significant intrusions.”
“This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert,” she said.
The vulnerability in the open-source software produced by the U.S.-based Apache Software Foundation was first discovered in late November by the Chinese tech giant Alibaba. The first warnings to the public went out in early December.
Cybersecurity officials and experts initially described the flaw in the software as perhaps the worst vulnerability ever discovered, noting the software’s widespread use – in at least 2,800 products used by both private companies and governments around the world.
CISA on Monday said the vulnerability has impacted hundreds of millions of devices around the world, with many software vendors racing to issue security patches to their customers.
So far, U.S. agencies appear to be unscathed.
“We, at this point, are not seeing any confirmed compromises of federal agencies across the broader country, including critical infrastructure,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein told reporters.
But he cautioned the danger has not yet passed despite the lack of destructive attacks by sophisticated hacking groups and foreign adversaries.
“It is certainly possible that that may change, that adversaries may be utilizing this vulnerability to gain persistent access that they could use in the future, which is why we are so focused on remediating the vulnerability across the country and ensuring that we are detecting any intrusions if and when they arise,” he said.
Yet there are reports that other countries have already been targeted by cyber actors seeking to exploit the software vulnerability.
Belgium’s Ministry of Defense said last month that some of its computer systems went down last month following an attack, in which the Log4j vulnerability was believed to be exploited.
And some security experts warn other countries, including China, Iran, North Korea and Turkey, have sought to exploit Log4j.
“This activity ranges from experimentation during development, integration of the vulnerabilities to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” Microsoft’s Threat Intelligence Center wrote in a blog post last week.
In particular, Microsoft said the Iran cyber threat actor known as Phosphorus, known for launching ransomware attacks, has already modified the Log4j vulnerability for use in attacks, while the Chinese group known as Hafnium has also used it for some targeting activities.
The private cybersecurity firm CrowdStrike separately assessed that a Chinese-based group called Aquatic Panda sought to use the Log4j vulnerability to target an unnamed academic institution.
CISA on Monday said it could not independently confirm such reports, and further said it had yet to discover any ransomware attacks in which the attackers used the Log4j vulnerability to penetrate the victim’s systems.
CISA’s director said one reason could be that “there may be a lag between when this vulnerability is being used and when it is being actively deployed.”
Easterly also warned about information that U.S. officials are unable to see due to the failure of Congress to pass legislation that would require private companies to report cyberattacks – something the White House and many lawmakers have been advocating for some time.
“We are concerned that threat actors are going to start taking advantage of this vulnerability and having impacts in particular on critical infrastructure, and because there is no legislation in place, we will likely not know about it,” she said.
…
Six months ago, pilot Hana Khan saw her picture on an app that appeared to be auctioning scores of Muslim women in India. The app was quickly taken down, no one was charged, and the issue shelved – until a similar app popped up on New Year’s Day.
Khan was not on the new app called Bulli Bai – a slur for Muslim women – that was hawking activists, journalists, an actor, politicians and Nobel Laureate Malala Yousafzai as maids.
Amid growing outrage, the app was taken down, and four suspects arrested this week.
The fake auctions that were shared widely on social media are just the latest examples of how technology is being used – often with ease, speed and little expense – to put women at risk through online abuse, theft of privacy or sexual exploitation.
For Muslim women in India who are often abused online, it is an everyday risk, even as they use social media to call out hatred and discrimination against their minority community.
“When I saw my picture on the app, my world shook. I was upset and angry that someone could do this to me, and I became angrier as I realized this nameless person was getting away with it,” said Khan, who filed a police complaint against the first app, Sulli Deals, another pejorative term for Muslim women.
“This time, I felt so much dread and despair that it was happening again to my friends, to Muslim women like me. I don’t know how to make it stop,” Khan, a commercial pilot in her 30s, told the Thomson Reuters Foundation.
Mumbai police said they were investigating whether the Bulli Bai app was “part of a larger conspiracy”.
A spokesperson for GitHub, which hosted both apps, said it had “longstanding policies against content and conduct involving harassment, discrimination, and inciting violence.
“We suspended a user account following the investigation of reports of such activity, all of which violate our policies.”
Misconception
Advances in technology have heightened risks for women across the world, be it trolling or doxxing with their personal details revealed, surveillance cameras, location tracking, or deepfake pornographic videos featuring doctored images.
Deepfakes – or artificial intelligence-generated, synthetic media – are used to create porn, with apps that let users strip clothes off women or swap their faces into explicit videos.
Digital abuse of women is pervasive because “everybody has a device and a digital presence,” said Adam Dodge, chief executive of EndTAB, a U.S.-based nonprofit tackling tech-enabled abuse.
“The violence has become easier to perpetrate, as you can get at somebody anywhere in the world. The order of magnitude of harm is also greater because you can upload something and show it to the world in a matter of seconds,” he said.
“And there is a permanency to it because that photo or video exists forever online,” he added.
The emotional and psychological impact of such abuse is “just as excruciating” as physical abuse, with the effects compounded by the virality, public nature, and permanence of the content online, said Noelle Martin, an Australian activist.
At 17, Martin discovered her image had been photoshopped into pornographic images and distributed. Her campaign against image-based abuse helped change the law in Australia.
But victims struggle to be heard, she said.
“There is a dangerous misconception that the harms of technology-facilitated abuse are not as real, serious, or potentially lethal as abuse with a physical element,” she said.
“For victims, this misconception makes speaking out, seeking support, and accessing justice much more difficult.”
Persecution
Tracking lone creators and rogue coders is hard, and technology platforms tend to shield anonymous users who can easily create a fake email or social media profile.
Even lawmakers are not spared: in November, the U.S. House of Representatives censured Republican Paul Gosar over a photoshopped anime video that showed him killing Democrat Alexandria Ocasio-Cortez. He then retweeted the video.
“With any new technology we should immediately be thinking about how and when it will be misused and weaponized to harm girls and women online,” said Dodge.
“Technology platforms have created a very imbalanced atmosphere for victims of online abuse, and the traditional ways of seeking help when we are harmed in the physical world are not as available when the abuse occurs online,” he said.
Some technology firms are taking action.
Following reports that its AirTags – locator devices that can be attached to keys and wallets – were being used to track women, Apple launched an app to help users shield their privacy.
In India, the women on the auction apps are still shaken.
Ismat Ara, a journalist showcased on Bulli Bai, called it “nothing short of online harassment.”
It was “violent, threatening and intending to create a feeling of fear and shame in my mind, as well as in the minds of women in general and the Muslim community,” Ara said in a police complaint that she posted on social media.
Arfa Khanum Sherwani, also featured for sale, wrote on Twitter: “The auction may be fake but the persecution is real.”
…