Hillicon Valley — Apache vulnerability sets off alarm bells
Today is Tuesday. Welcome to Hillicon Valley, detailing all you need to know about tech and cyber news from Capitol Hill to Silicon Valley.
Follow The Hill’s cyber reporter, Maggie Miller (@magmill95), and tech team, Chris Mills Rodrigo (@millsrodrigo) and Rebecca Klar (@rebeccaklar_), for more coverage.
Red alarm bells continued to ring Tuesday as cybersecurity professionals and government officials raced to address the recently uncovered vulnerability in the Apache logging package log4j, which has left most of the world vulnerable to cyberattacks by nation states and cybercriminals alike.
Meanwhile, the Department of Homeland Security announced a new program to allow vetted hackers to hunt through the agency’s systems for vulnerabilities, and Apple announced that it was again instituting a mask mandate in stores.
Let’s jump into the news.
Newest cyber headache
A vulnerability in a widely used logging platform uncovered late last week has left security professionals and officials scrambling to respond and patch systems before other nations and cybercriminals can exploit the flaw.
The vulnerability in the Apache logging package log4j has potentially affected thousands of companies worldwide and is a particularly serious problem.
Big impact: “This is one of the worst vulnerabilities in the history of vulnerabilities,” Tom Kellermann, a former member of an Obama administration cybersecurity commission and the head of Cybersecurity Strategy at technology company VMware, told The Hill on Monday.
The vulnerability, first discovered late last week, is severe because it is in a system that underlies most company systems around the world and has been in use for decades.
“Think of Apache as being one of the legs, one of the giant supports of a bridge that facilitates the connective tissue between the worlds of applications and computer environments,” Kellermann said. “If you could poison that support, which is essentially what is going on right now by our adversaries, because you have active scanning and exploitation of this vulnerability occurring, you could essentially destabilize these bridges.”
Yikes: Attackers are actively exploiting the issue, with Check Point Software reporting Monday afternoon that it was seeing a “pandemic-like spread” of attacks since last week, with more than 800,000 attempted attacks in 72 hours and about 100 hacks a minute. Check Point said more than 40 percent of corporate networks worldwide were coming under attack.
Government steps in: Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly on Saturday announced that the log4j vulnerability had been added to the agency’s catalog of vulnerabilities, requiring federal agencies to immediately address it, and that CISA’s Joint Cyber Defense Collaborative had established a senior leadership group to focus on the issue. The team includes partners at the FBI and the National Security Agency (NSA).
“To be clear, this vulnerability poses a severe risk,” Easterly said in a statement Saturday. “We urge all organizations to join us in this essential effort and take action.”
Feds offer chance to hack DHS
The Department of Homeland Security (DHS) on Tuesday announced a new bug bounty program meant to help tackle cyber vulnerabilities in the agency.
The Hack DHS program will allow vetted cybersecurity experts to hunt through some external DHS systems for vulnerabilities and be paid by the department if they find any, enabling DHS to strengthen its systems against attacks.
The program will occur in three phases across the next fiscal year, with the first phase involving virtual assessments of DHS networks, the second a live hacking event, and the third phase involving DHS evaluating the findings.
“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” Homeland Security Secretary Alejandro Mayorkas said in a statement Tuesday.
“The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the Department is partnering with the community to help protect our Nation’s cybersecurity.”
VIRGINIA LEGISLATURE UNIT ATTACKED
The information technology unit for Virginia’s General Assembly has been hit by a ransomware attack, which barred legislators and staff from accessing the system that handles bills.
Alena Yarmosky, a spokesperson for Gov. Ralph Northam’s (D-Va.) office, said in a statement on Monday that the cyberattack targeted the legislative branch’s Division of Legislative Automated Systems, according to The Washington Post.
That agency represents the Virginia General Assembly for affairs involving “computer technology, legislative information collection and dissemination, and publication production and distribution,” per the group’s website, as cited by the Post.
The website was inaccessible as of Tuesday night.
Mask up
Apple will require customers to wear masks at all U.S. stores as COVID-19 cases rise, the company said Tuesday.
“We regularly monitor conditions and we will adjust our health measures in stores to support the wellbeing of customers and employees,” an Apple spokesperson said in a statement.
“Amid rising cases in many communities, we now require that all customers join our team members in wearing masks while visiting our stores.”
Apple is reinstating the policy as coronavirus cases rise and new variants of the virus, including the highly transmissible omicron variant, spread.
HUAWEI IN THE HOT SEAT
PowerPoint presentations from Chinese telecommunications giant Huawei Technologies indicate that the company has a larger role in China’s surveillance efforts than was previously known, according to The Washington Post.
The Post reviewed over 100 Huawei PowerPoint presentations, many of them labeled “confidential,” in which the company detailed how the government could use its technologies to identify voices, track people for political purposes and monitor the movements of inmates within prisons, among other surveillance tactics.
“Huawei has no knowledge of the projects mentioned in the Washington Post report,” the company said in a statement to the newspaper. “Like all other major service providers, Huawei provides cloud platform services that comply with common industry standards.”
HR MANAGER HIT BY RANSOMWARE ATTACK
Ultimate Kronos Group (UKG), a human resources management provider, was hit by a ransomware attack earlier this week, the company confirmed.
Kronos Executive Vice President Bob Hughes confirmed the incident in a blog post published Monday. Hughes noted that the company became aware of the breach on Dec. 11 and that it had impacted the Kronos Private Cloud, which includes UKG Workforce Central, UKG TeleStaff, Healthcare Extensions and Banking Scheduling Solutions.
Hughes warned that while the company was working to address the incident, it could result in Kronos Private Cloud systems being impacted for “several weeks.”
The attack could have a widespread impact for several major companies, with UKG’s customers including Tesla, Marriott, Yamaha, Samsung, Revlon, The Container Store and Peet’s Coffee and Tea, among many others.
BITS AND PIECES
An op-ed to chew on: A gunpowder military in an information age
Lighter click: Truly wild ride
Notable links from around the web:
How Beijing influences the influencers (The New York Times / Paul Mozur, Raymond Zhong, Aaron Krolik, Aliza Aufrichtig, and Nailah Morgan)
The Army is in hot water over TikTok recruiting activity (The Verge / Makena Kelly)
Amazon delivery drivers say they sacrifice their safety to meet holiday rush (Vice Motherboard / Lauren Kaori Gurley)
One last thing: A mobile voting system?
The U.S. Postal Service worked on a secret project to test a blockchain-based mobile phone voting system ahead of the 2020 elections before ultimately abandoning the project, according to The Washington Post.
The effort was apparently conducted without any involvement from agencies focused on election security. According to the Post, the secrecy of the project alarmed officials, who worried that news of it could spark conspiracies and stoke distrust in the U.S. election system.
Matt Masterson, former senior adviser for the Cybersecurity and Infrastructure Security Agency (CISA) who served in the federal government when the mobile voting project was being pursued, said he was never aware of the Postal Service’s activities when it came to the program.
“If you’re doing anything in the election space, transparency should be priority number one. There should be no guessing game around this,” Masterson told the newspaper.
That’s it for today, thanks for reading. Check out The Hill’s technology and cybersecurity pages for the latest news and coverage. We’ll see you Wednesday.