Apple Emergency Updates for iPhones, iPads, and Apple Watch
Apple has released emergency updates for iOS, iPadOS, and watchOS. The updates address a vulnerability in the Apple WebKit browser engine that is reportedly being actively exploited. Users are urged to update to iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3. Apple also released an update for older iPhones, iOS 12.5.2.
Note: Unlike the iOS 14.4.1 update, Apple is telling us this vulnerability is being actively exploited. Push the update to your ADE devices so users will see the prompt to install the update. Expect this update to introduce at least one more Beta version of iOS 14.5 and iPadOS 14.5, so don’t hold off expecting a rapid release of that OS. Additionally, iOS 14.5 and iPadOS 14.5 introduce a number of changes you’re going to want to review prior to rolling them out.
Read more in:
- Apple releases emergency update for iPhones, iPads, and Apple Watch
- Apple pushes iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3 to supported devices
- About the security content of iOS 14.4.2 and iPadOS 14.4.2
- About the security content of iOS 12.5.2
- About the security content of watchOS 7.3.3
PHP Code Repository Compromised
The PHP Git server was breached on Sunday, March 28. Malicious commits were added to the PHP-SRC repository in the names of PHP developer and maintainer Nikita Popov and PHP creator Rasmus Lerdorf. The fraudulent commits pretended to be typographical errors that needed correcting; they were detected before entering production. PHP maintainers are moving the code base to GitHub.
- In my opinion, the malicious commits were meant to be found and are more a “proof of concept” vs an actual attempt to inject a backdoor. I hope the PHP team will investigate thoroughly to identify the root cause of the breach. There is always a chance of a better-hidden backdoor left in addition to the two malicious commits identified so far.
- If you are using git, either self-hosted or via GitHub: (1) ensure you are using strong multi-factor authentication or keys to identify developers; (2) use signed commits to make it more difficult to impersonate developers.
- Luckily, it looks like the intrusion was identified quickly enough and no current release of PHP was affected. As a PHP user, there is nothing you need to do at this point.
- The existing processes were able to detect the unauthorized updates and triggered a security review. The risks of insourcing public facing services versus using a hosted solution have changed, particularly with tight margins and a fast-changing security landscape. Service providers such as GitHub have learned how to secure their offering. Note that this does not alleviate your responsibilities to configure and secure your repositories as well. See GitHub’s nine best security practices (https://resources.github.com)
Read more in:
- PHP Infiltrated with Backdoor Malware
- Official PHP Git server targeted in attempt to bury malware in code base
- PHP repository moved to GitHub after malicious code inserted under creator Rasmus Lerdorf’s name
- PHP’s Git server hacked to add backdoors to PHP source code
- Hackers Tried To Backdoor Code Used by 80% of All Websites
SolarWinds: Attackers Accessed DHS Email Accounts
Attackers exploiting the SolarWinds supply chain breach managed to access email accounts of top officials at the US Department of Homeland Security (DHS). They also accessed personal information of other senior federal officials, including the private schedule of the former Energy Secretary.
Malicious Android System Update App is a RAT
A malicious Android app purports to be a system update but is actually a remote access Trojan (RAT) capable of stealing all kinds of data, monitoring users’ locations, and accessing the device’s search history. The app can also record phone calls, take pictures, and steal contact lists and call logs. The app was found on a third-party app store.
Note: While many malicious Android apps are delivered via third-party app stores, some do get added to the Google Play store. Update user guidance to not only not load apps from third-party app stores but also avoid apps from unknown or unfamiliar developers. Additionally, applications which require side-loading or developer mode should be a huge red flag.
Read more in:
- Dangerous Android App Pretends to Be a System Update to Steal Your Data
- New Advanced Android Malware Posing as “System Update”
SpaceX Encrypts Telemetry
SpaceX appears to have encrypted its telemetry. Amateur radio users had been able to access the telemetry data streams because SpaceX had to tell the Federal Communications Commission (FCC) and National Telecommunications and Information Administration (NTIA) which frequencies it uses to communicate with its rockets.
- Looks like SpaceX had been encrypting telemetry communications on the Starship vehicles since 2018 or so but not the Falcon 9s. But, technology advances are leading to a resurgence in commercial satellite networking, including mobile use. While all the hype is on 5G, increased use of satellite comms is likely to happen more quickly. End-to-end encryption should be built into all new satellite comms applications – as this article proves once again, satellite comms (like fiber optic comms) are not impossible to intercept and monitor. Security through obscurity does not work.
- NASA has been pushing to encrypt telemetry across the board to increase the security and integrity of communications. The challenge is that existing probes/satellites/etc. have neither the compute power nor the storage to add encryption to their operations. Irrespective of frequency disclosure, security by obscurity is not a good model. Protect sensitive or proprietary information explicitly, design new systems with that capability and capacity rather than adding it later.
Ransomware Operators Threaten to Leak Military Contractor Data
Ransomware operators claim to have stolen data from military contractor PDI Group and are threatening to release it on the Internet if the company does not pay the ransom demand. The PDI Group provides military ground support equipment to militaries around the world.
Note: Knowing where your data is and the consequence of loss ahead of time are key to the decision process here. Consider not only what PII is in the breach data, but also what Intellectual Property is included as well. Consult both the CISA Ransomware guide and your financial institution for regulatory requirements before moving forward with a decision to pay.
OpenSSL Fixes High Severity Vulnerabilities
OpenSSL has fixed two high-severity vulnerabilities in the software library. The first is a certificate check bypass issue that disables the check that prevents non-CA certificates from issuing additional certificates. The second flaw is a null pointer dereference issue that could be exploited to crash vulnerable OpenSSL servers by sending a maliciously-crafted renegotiation ClientHello message. Both issues are fixed in OpenSSL 1.1.1k.
- Neither of these vulnerabilities constitutes an emergency. Wait for updates to arrive for your platform and update according to your normal vulnerability management procedures.
- Exploiting the certificate bypass flaw was possible only when an application expressly set the X509_V_FLAG_X509_STRICT flag. Exploiting the null pointer dereference flaw requires the server to be running TLS 1.2 with renegotiation enabled, which is the default. Disabling renegotiation is specific to your service implementation; updating to OpenSSL 1.1.1k or later may be a simpler option. While OpenSSL 1.0.2 is not impacted, it is also out of support and not receiving public updates. Patches have been released for Ubuntu and Debian. Expect other distributions to release updates soon.
Read more in:
- OpenSSL shuts down two high-severity bugs: Flaws enable cert shenanigans, denial-of-service attacks
- OpenSSL fixes high-severity flaw that allows hackers to crash servers
- OpenSSL Fixes Flaw In Certificate Checks
- OpenSSL Security Advisory
SolarWinds: New Software Build System
SolarWinds CEO Sudhakar Ramakrishna says the company is experimenting with a new software build system that should help prevent breaches like the one disclosed late last year. Speaking at a virtual event last Thursday, Ramakrishna said the company is considering running two or three parallel build systems and chains. SolarWinds is implementing other new security measures, including a cybersecurity committee at the boardroom level and authority for the company’s CISO to pause software updates that are being released simply because of time-to-market concerns.
- SolarWinds will continue to remain under the magnifying glass as they recover from their breach. Adding these security changes to the build process to make unauthorized additions to the code easier to detect may become a model you want to review for your code management. Decoupling time-to-market from the release process, while desirable, may not be practical in a market based economy. Solving this challenge can buy time to produce higher quality code out the gate.
- Anyone thinking parallel build systems will prevent another software supply chain compromise is fundamentally missing the point. The attackers that compromised SolarWinds are extremely disciplined and are playing a long game. This is evidenced by the fact that they actually tested the build process before deploying their malware. While I’m sure statements like these will fool some investors, we can be reasonably sure the Russians are belly-laughing saying “haha – parallel build systems” (or whatever that translates to in Russian).
Read more in:
- SolarWinds Experimenting With New Software Build System in Wake of Breach
- SolarWinds chief details changes in the boardroom, build process in wake of hack
Ransomware Operators Leak Shell Employee Information
Earlier this month, oil company Royal Dutch Shell acknowledged “a third-party cyber security incident.” Clop ransomware operators have uploaded sensitive Shell employee documents to a website. The compromised information includes scans of visas and passports.
Read more in:
- After oil giant Shell hit by Clop ransomware, workers’ visas dumped online as part of extortion attempt
- Third-Party Cyber Security Incident Impacts Shell
US Cyber Command Took Action to Protect 2020 Elections from Meddling
General Paul Nakasone, director of US Cyber Command and director of the National Security Agency, told the Senate Armed Services Committee that “U.S. Cyber Command conducted more than two dozen operations to get ahead of foreign threats before they interfered or influenced our elections in 2020.” Nakasone said that the operations demonstrated that Cyber Command needs to be ready to act if necessary; that Cyber Command’s partnership with NSA is a boon; and that timely information sharing with both foreign and domestic partners benefits everyone.
Critical Flaw in Netmask npm Library
A critical vulnerability in the netmask npm library could be exploited to allow server-side request forgery bypasses and remote file inclusion. The problem lies in the way the library parses IP addresses with leading zeroes. The issue affects an estimated 278 million projects. The issue is fixed in netmask 2.0.0.
Note: This issue may be worse than the PHP compromise. The netmask library is included in more than 200,000 different projects, meaning that more or less any npm/node.js project is using this code. In some cases, it is used to make security decisions. Most users of this library have no idea that they are using it. Time for an “npm audit” and make sure you have a plan for doing this regularly. Not all vulnerabilities in npm packages are advertised as prominently.
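The root cause described above is a parser disagreement: a leading zero in a dotted-quad octet is octal to some parsers (inet_aton-style, so "0177" is 127) and decimal to others ("0177" is 177), and an allow/deny decision made with one interpretation can be undone when the network stack applies the other. The following is an added example written for this newsletter item, not netmask's code; the three small parsers are constructed for the demonstration, and the safe pattern they lead to is the one a defender wants: reject any octet with a leading zero (or canonicalise first) and make the decision on the canonical value.

```python
"""Why leading zeros in IPv4 strings break allow/deny checks (added example).

parse_naive      - decimal-only, silently ignores leading zeros ("0177" -> 177)
parse_octal_aware- inet_aton-style, a leading zero means octal ("0177" -> 127)
parse_strict     - rejects leading zeros outright and returns a canonical form
classify_target  - the SSRF-style guard, built on parse_strict
"""
import ipaddress


def _split_quad(text: str) -> list:
    """Split into four digit-only octets or raise ValueError."""
    octets = text.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a dotted quad of digits: {text!r}")
    return octets


def parse_naive(text: str) -> str:
    """Constructed lenient parser: every octet is read as decimal."""
    values = [int(o, 10) for o in _split_quad(text)]
    if any(v > 255 for v in values):
        raise ValueError(f"octet out of range: {text!r}")
    return ".".join(map(str, values))


def parse_octal_aware(text: str) -> str:
    """Constructed parser mimicking C inet_aton: leading zero selects octal."""
    values = []
    for o in _split_quad(text):
        # int(o, 8) raises ValueError for digits 8/9, which is also "invalid"
        v = int(o, 8) if len(o) > 1 and o[0] == "0" else int(o, 10)
        if v > 255:
            raise ValueError(f"octet out of range: {text!r}")
        values.append(v)
    return ".".join(map(str, values))


def parse_strict(text: str) -> str:
    """Canonical parser: digits only, no leading zeros, 0..255 per octet.
    Returns the canonical string so the value checked is the value used."""
    octets = _split_quad(text)
    for o in octets:
        if len(o) > 1 and o[0] == "0":
            raise ValueError(f"leading zero in octet {o!r} of {text!r}")
        if int(o) > 255:
            raise ValueError(f"octet out of range: {text!r}")
    return ".".join(str(int(o)) for o in octets)


def disagreement(text: str) -> bool:
    """True when the two lenient parsers yield different addresses for one string."""
    try:
        return parse_naive(text) != parse_octal_aware(text)
    except ValueError:
        return False


def classify_target(text: str) -> str:
    """Outbound-request guard: 'rejected' (malformed or ambiguous),
    'blocked' (internal / non-public), or 'allowed' (public)."""
    try:
        canonical = parse_strict(text)
    except ValueError:
        return "rejected"
    addr = ipaddress.IPv4Address(canonical)
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved):
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    # Constructed samples: two ambiguous strings, one loopback, one public host.
    for sample in ("0177.0.0.1", "010.0.0.1", "127.0.0.1", "93.184.216.34"):
        try:
            naive, octal = parse_naive(sample), parse_octal_aware(sample)
        except ValueError as exc:
            naive = octal = f"invalid ({exc})"
        print(f"{sample:>14}  naive={naive:<14} octal-aware={octal:<14} "
              f"disagree={disagreement(sample)!s:<5} guard={classify_target(sample)}")
```

Run it and the two ambiguous strings show the bypass in both directions: "0177.0.0.1" looks like a public address to a decimal check but reaches loopback on an octal-aware stack, while "010.0.0.1" looks like RFC 1918 space to a decimal check but goes to 8.0.0.1 on an octal-aware one. The strict parser refuses both, which is the behaviour netmask 2.0.0 adopted in spirit; the same rule belongs in any code that makes security decisions from an IP string.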
Read more in:
- Sitting comfortably? Then it’s probably time to patch, as critical flaw uncovered in npm’s netmask package
- Critical netmask networking bug impacts thousands of applications
- Universal “netmask” npm package, used by 270,000+ projects, vulnerable to octal input data: server-side request forgery, remote file inclusion, local file inclusion, and more (CVE-2021-28918)
Ransomware: Sierra Wireless Begins Bringing Network Back Up
Internet of Things (IoT) manufacturer Sierra Wireless says production has resumed following a March 20 ransomware attack. The company is now focusing on bringing its internal networks back.
NIST Published Draft Framework for Election Infrastructure Security
The US National Institute of Standards and Technology (NIST) has published a draft framework that offers “a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to election infrastructure.” The framework aims to help local governments implement cybersecurity best practices for polling places, voter registration databases, and voting machines. NIST is accepting comments through May 14, 2021.
Note: NIST is providing a structured approach to maintaining and securing both the voting machines and supporting infrastructure such as voter registration databases. As with other CSF documents, the controls are cross-walked with CSC, NIST, COBIT, ISO/IEC 27001 and ISA 62443 standards. This mapping should allow you to use existing controls and frameworks rather than starting from scratch in an unfamiliar baseline.
Read more in:
- NISTIR 8310 (Draft) Cybersecurity Framework Election Infrastructure Profile
- NIST framework focuses on election cybersecurity
Exchange Server: 92 Percent Patched (But Patching is Not Sufficient)
Earlier this week, Microsoft said that 92 percent of vulnerable on-premises Exchange Servers have applied mitigations or been patched against the critical ProxyLogon flaws. Organizations should note that installing the patches does not eliminate the infection if the servers were compromised prior to patching. IT administrators should check systems for indicators of compromise (IOC). Microsoft released fixes for the four vulnerabilities on March 2.
- A 92% mitigation rate is indeed impressive, unless it is due to attackers mitigating the vulnerability to hold on to servers they compromised. Again: It is critical to investigate Exchange servers in detail while patching. A pre-patch compromise is very likely.
- The DHS emergency directive (ED 21-02) requires forensically imaging and analyzing the system prior to patching to avoid this scenario. It is so easy to get caught up in the heat of the moment and forget to check for compromise before patching the vulnerability. If you skipped the check, run the tools from CISA or Microsoft to make sure you’re clean, then cross check with your SIEM. Also verify that your endpoint protection is watching for exploitation in real time. Note Windows Defender includes this capability if your current solution does not.
msrc-blog.microsoft.com: One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021
us-cert.cisa.gov: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
- This has long been a leading indicator of security-based processes/security programs vs. compliance-based. After a vulnerability is discovered, do you check to see if it had been exploited before you detected and mitigated the vulnerability? Old example: web security gateway is updated with more URLs of malicious and/or compromised web sites – did you check to see if any internal machines communicated with the newly discovered evil locations? Too many audits just check the box if vulnerability scanning and patching, URL updating and blocking is done and never look for that “we found the door to the vault open *and* checked to see if any cash was missing” step.
Read more in:
- Microsoft: 92% of vulnerable Exchange servers are now patched, mitigated
- Microsoft Exchange Servers See ProxyLogon Patching Frenzy
Exchange Server: Australia Cyber Security Centre is Scanning for Vulnerable Systems
Australian Cyber Security Centre (ACSC) head Abigail Bradshaw said that organizations have reached out to ACSC regarding the Microsoft Exchange Server vulnerabilities after they detected indicators of compromise (IOC) on their systems. ACSC is conducting scans of externally facing Internet connections to determine how many systems remain vulnerable.
Note: The ACSC is not only tracking vulnerable systems but also working to help get them patched and mitigated. They are partnering with both Microsoft and Commonwealth CISOs as well as state and territory governments to open communication channels and develop needed expertise to resolve problems.
NCSC Urges Schools to Take Steps to Bolster Defenses Against Ransomware
The UK’s National Cyber Security Centre (NCSC) is warning of an increase in the number of ransomware attacks targeting the education sector. NCSC is urging schools to take steps “to disrupt ransomware attack vectors and enable effective recovery from ransomware attacks.”
Read more in:
- Alert: Further targeted ransomware attacks on the UK education sector by cyber criminals
- Mitigating malware and ransomware attacks (September 2020)
- UK colleges and unis urged to prepare for ransomware before it’s too late
CIOs Stepping Up Cyber Talent Efforts
The CIO Institute’s new report on “What Works in Finding Elite Cybersecurity Talent: Promising Practices for Chief Information Officers” was distributed to 4,800 CIOs this week. It shows how CIOs are taking a more active role in cyber talent management and has two surprising findings: (1) the yield of elite talent from cyber education programs is shockingly low, and (2) employers use security certifications to decide whom to interview for job openings. The report also includes information about finding cyber talent inside organizations, outside the IT groups.
Ransomware: Sierra Wireless
Canadian Internet of Things (IoT) manufacturer Sierra Wireless is the victim of a ransomware attack. The attack began on March 20. It affected multiple manufacturing sites and disrupted internal operations. The incident has prompted the company to withdraw Q1 2021 financial guidance it released on February 23.
Read more in:
- Ransomware attack halts production at IoT maker Sierra Wireless
- Ransomware Attack Foils IoT Giant Sierra Wireless
- Sierra Wireless withdraws financial guidance as ransomware attack takes down plants
Ransomware: Spanish Labor Agency
A ransomware attack against Spain’s State Public Employment Service (SEPE) has delayed “hundreds of thousands” of appointments at the labor agency. SEPE is involved in the distribution of unemployment benefits. The attack affected all 710 SEPE offices.
Read more in:
- Spanish labor agency suffers ransomware attack, union says
- Ransomware Attack Strikes Spain’s Employment Agency
Ransomware: How One Company Recovered Without Paying Demand
When Colorado-based data storage company SpectraLogic was the target of a ransomware attack in May 2020, the company called in the FBI instead of engaging with the attackers, who had demanded $3.6 million. SpectraLogic had backups that were separate from the network. Company systems were largely restored within eight days; non-critical systems were brought back several weeks later.
- This is a good recap of what it’s really like recovering your enterprise from an attack even when you have offsite backups. Partnership between IT and Cyber Security was key to eliminating the threat from their system to prevent recurrence. Fortunately, they were not subject to additional extortion related to disclosure of exfiltrated information. As the FBI said, this is the right way to recover, and it is also the hard way.
- This is a fantastic read. It highlights the reality of how difficult, from the technical and business aspects, it is to deal with a ransomware attack. Having reliable backups is a key tool in recovering from such attacks. I suggest that you also run an exercise in your organization as to how you would recover from a ransomware attack; this can help you identify weaknesses that you may have from lack of appropriate tools, contact details for law enforcement, processes and procedures to deal with ransomware, and communications to senior management and other key stakeholders.
- On an early system where I cut my teeth, the rule was “if it ran yesterday, it must run today.” We had three restore points: close of business last night, close of business last Friday, and close of business the previous Friday. Historically, backup was designed to recover a small number of files in days. Modern backup may have to be designed to recover some mission-critical applications, networks, or even enterprises in hours. Few legacy systems can meet this requirement.
- Ben Wright and I are doing a presentation at the May RSA Conference on “The Risks of Cyberinsurance” and then a SANS paper on the topic. I’ve done a few comparisons of public events on cost to avoid or survive vs. paying the ransom, and also the limits to reduction (not avoidance) of cost that typical cyberinsurance policies provide.
Ransomware: Operators Leaking Data Stolen from Universities
Ransomware operators have begun leaking data stolen from the University of Colorado (CU) and the University of Miami. The CU data were taken by exploiting a vulnerability in the Accellion File Transfer Appliance (FTA). The University of Miami has not disclosed a breach, but has acknowledged that its SecureSend email application is not accessible.
Note: The CLOP ransomware operators claim to have financial documents, student grades, academic records, enrollment information and student biographical information. Now the task is to not only close the vulnerable path, but also assess the risks and return for payment versus regulatory fines, providing identity monitoring and business impacts, including reputation risk. This is a time to actively engage the board or other governing body; do not make these decisions in a vacuum.
Browser Changes: Chrome Will Default to HTTPS; Firefox Debuts Enhanced Privacy Feature
When Google moves Chrome 90 to the stable channel in mid-April, the browser will use HTTPS as the default protocol for all addresses typed in the address bar. Earlier this week, Mozilla released Firefox 87, which includes a new privacy feature called SmartBlock. The new feature aims to improve the performance of websites that are “broken” by Firefox’s tracking protections. SmartBlock is available for both private browsing and strict mode.
- Firefox and Google Chrome using HTTPS by default does not improve security a lot, but it is a great indicator that the “HTTPS Everywhere” initiative succeeded in making HTTPS common enough to allow for this step. Some people have suggested eliminating HTTP. This may never be possible, as the proper use of HTTPS requires certificates verifying a specific host name. To configure these certificates, HTTP may still be needed. For sites listening on loopback for example, HTTPS does not add much and a correct implementation of HTTPS can be difficult.
- About 83% of sites are now HTTPS so Chrome defaulting to https:// unless otherwise specified will have nominal impact. Even so, verify secured sites are what they claim to be. Note that IP Address, reserved hostnames like localhost/ and single label domains (e.g., payroll) will still default to http://. Firefox 87 also contains enhancements which limit the information in the HTTP Referer Header to just the top level URL. https://www.example.com is sent rather than https://www.example.com/mypath?myparameters.
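The two browser behaviours in the note above are both small, checkable rules, and seeing them as code makes the edge cases explicit. The following is an added example written for this item, not code from Mozilla or Google. `referrer_for` implements the Referrer Policy value `strict-origin-when-cross-origin`, which Firefox 87 made its default: same-origin navigations keep the full URL (minus credentials and fragment), cross-origin ones are cut to the origin, and an https-to-http downgrade sends no Referer at all (the spec serialises the origin form with a trailing slash, so "https://www.example.com/" rather than the bare origin quoted in the note). `typed_default_scheme` is a simplified model of the Chrome 90 address-bar rule exactly as the note states it (IP addresses, localhost and single-label names stay http://); it is an assumption for illustration, not Chrome's source.

```python
"""Referrer trimming and address-bar scheme defaults (added example).

referrer_for         - strict-origin-when-cross-origin, Firefox 87's default policy
typed_default_scheme - simplified model of Chrome 90's https-by-default rule
"""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> str:
    """scheme://host[:port], lower-cased, default port omitted."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port
    if port is None or port == _DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def _strip_for_referrer(url: str) -> str:
    """Full-URL form: drop userinfo and fragment, keep path and query."""
    p = urlsplit(url)
    host = p.hostname or ""
    netloc = f"{host}:{p.port}" if p.port is not None else host
    return urlunsplit((p.scheme.lower(), netloc, p.path, p.query, ""))


def referrer_for(source: str, destination: str):
    """Referer value under strict-origin-when-cross-origin, or None for no header."""
    src_scheme = urlsplit(source).scheme.lower()
    dst_scheme = urlsplit(destination).scheme.lower()
    if src_scheme == "https" and dst_scheme != "https":
        return None                         # TLS downgrade: leak nothing
    if origin(source) == origin(destination):
        return _strip_for_referrer(source)  # same origin: full URL
    return origin(source) + "/"             # cross-origin: origin only


def typed_default_scheme(typed: str) -> str:
    """Scheme a browser following the note's rule would prepend to a bare host.
    Assumed model: IP literals, localhost and single-label names stay http."""
    host = typed.strip().lower().split("/", 1)[0].rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return "http"
    except ValueError:
        pass
    if host == "localhost" or host.endswith(".localhost") or "." not in host:
        return "http"
    return "https"


if __name__ == "__main__":
    # Constructed sample navigations.
    cases = [
        ("https://www.example.com/mypath?myparameters", "https://shop.example.org/"),
        ("https://www.example.com/mypath?myparameters", "https://www.example.com/other"),
        ("https://user:secret@www.example.com/a#frag", "https://www.example.com/b"),
        ("https://www.example.com/mypath", "http://shop.example.org/"),
    ]
    for src, dst in cases:
        print(f"{src} -> {dst}: Referer={referrer_for(src, dst)!r}")
    for typed in ("www.example.com", "payroll", "localhost", "10.0.0.5"):
        print(f"{typed:>16} -> {typed_default_scheme(typed)}://{typed}")
```

The downgrade branch is the one worth remembering when you audit your own sites: a page that still links to http:// resources is the case where the browser strips the Referer entirely, which is the browser protecting the user from the site's own mixed links.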
Read more in:
- Chrome 90 goes HTTPS by default while Firefox injects substitute scripts to foil tracking tech
- Firefox 87 launch packed with private browsing ‘SmartBlock’
- Google Chrome will use HTTPS as default navigation protocol
- The good and the bad with Chrome web browser’s new security defaults
- Firefox 87 introduces SmartBlock for Private Browsing
Insurance Company CNA Financial Suffers Data Breach
Insurance firm CNA Financial was hit with a cyberattack on Sunday, March 21. A message on the company’s website notes that “out of an abundance of caution, we have disconnected our systems from our network, which continue to function.” Because CNA is a top US provider of cybersecurity insurance, there is concern that the attackers were looking for policyholder data, which could be used to plan ransomware attacks against companies with ransomware coverage.
Read more in:
- CNA insurance firm hit by a cyberattack, operations impacted
- Top insurer CNA disconnects systems after cyberattack
- A Cyberattack Allegedly Knocked Insurance Giant CNA Offline
- Policyholders may be the primary target in hack of cyber insurance provider CNA
California State Controller’s Office Suffers Data Breach
Earlier this month, the California State Controller’s Office Unclaimed Property Division experienced a data breach. A successful phishing attack gave attackers access to an employee account for 24 hours between March 18 and 19. The breach compromised personal data, including names, addresses, Social Security numbers, and the value of the property that has been submitted to the agency.
Read more in:
- Phish Leads to Breach at Calif. State Controller
- 9,000 employees targeted in phishing attack against California agency
- Phishing Attack Exposes Sensitive Data at California Agency
IT Contractor Gets Two Years in Prison for Deleting 1,200 O365 Accounts
Former IT contractor Deepanshu Kher has been sentenced to two years in prison for breaking into a company’s server and deleting more than 1,200 of their 1,500 O365 accounts. Kher had worked for a consulting firm that was hired to help an unnamed company with its O365 migration. Kher was pulled from the project for unsatisfactory work and then fired from the consulting firm in 2018. Several months later, he broke into the company’s system and deleted the accounts.
Read more in:
- Outsourced techie gets 2-year sentence after trashing system of former client: 1,200 Office 365 accounts zapped
- IT admin with axe to grind sent to prison for wiping Microsoft user accounts
- Office 365 Cyberattack Lands Disgruntled IT Contractor in Jail
QNAP Warns of Brute Force Attacks Targeting NAS Devices
QNAP is urging customers to take steps to improve the security of their Internet-exposed network attached storage (NAS) devices. The devices are being targeted in brute force attacks. Users are encouraged to use strong passwords, change the default access port number, and disable the admin account.
- My monthly(?) reminder: Never, ever expose NAS devices to the public internet. I have also noticed an increase in scans against SSH servers listening on (very) odd ports lately. That said: I believe QNAP is attempting to distinguish itself a bit from the crowd of similar devices by being more open in alerting its customers of security issues surrounding its product.
- NAS devices are a popular target. Not only do they have access to possibly sensitive data and backups, they are a location crypto mining software can hide with a lower detection possibility. In addition to the advice above, be sure you have configured your IP access to only allow authorized hosts to access the device and don’t expose services to the Internet.
Read more in:
- Take Action to Protect Your QNAP Devices From Brute-Force Attacks
- QNAP warns of ongoing brute-force attacks against NAS devices
Known Flaws in Thrive Themes for WordPress are being Actively Exploited
Recently-patched vulnerabilities in Thrive Themes “legacy” themes and Thrive Themes plugins for WordPress are being actively exploited. The two flaws can be chained to allow unauthenticated users to upload arbitrary files on vulnerable WordPress sites. Users are urged to update to Thrive Themes “legacy” themes 2.0.0 and to the most recent versions of Thrive Themes plugins.
- A flaw in the REST API for Zapier can be exploited when Zapier is not configured, which allows arbitrary data to be added to the wp_options table. That update coupled with a flaw in the “Legacy” theme’s file compression REST API call allows for creation of arbitrary files on the site, including executable PHP. Updates to the Thrive themes and plugins were released March 12th; auto update can update themes as well as plugins. Wordfence Premium versions received firewall rules March 23rd, and the free version will receive them on April 22nd.
- WordPress plugins continue to be both vulnerable and exploited. They should be used sparingly, by design and intent, not by default, and should be actively managed and policed.
Read more in:
- Active Exploits Hit WordPress Sites Vulnerable to Thrive Themes Flaws
- Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild
Cisco Fixes Jabber Flaws
Cisco has released updates to address five vulnerabilities in Jabber for Windows, macOS, Android, and iOS. The most severe of the flaws is due to improper input validation of message content and could be exploited to allow remote, authenticated users to execute arbitrary code.
Note: The alert suggests running Jabber in Phone-only or Team Messaging mode is a workaround for all but CVE-2021-1471. It is better to push out the updated versions. The Cisco alert below includes information on fixed and vulnerable versions. Mobile devices should auto-update to new versions as they are released to their respective App Stores.
Read more in:
- Cisco addresses critical bug in Windows, macOS Jabber clients
- Cisco Jabber Desktop and Mobile Client Software Vulnerabilities
Exchange Server: Some Patched Systems Were Already Breached
Brandon Wales, acting executive director of the Cybersecurity and Infrastructure Security Agency (CISA) said that thousands of Exchange Servers that have been patched had already been breached. He urged companies to check their systems for indicators of compromise and malicious activity, noting that compromised systems could be used to introduce ransomware or to attack other organizations. Updates for the critical flaws were released on March 2, but many systems have not yet been patched. Researchers at F-Secure said that Exchange Servers are being attacked “faster than we can count.”
Note: Make sure that you’ve checked for IOCs after you patch. The vulnerabilities are being actively exploited, and even if you applied the patches the day they were released, you still need to verify that your system is clean. Both Microsoft and CISA have published free tools to scan your system. The Microsoft EMOT tool has been updated to be easier and more effective than the prior version and will download and install the MS Security Scanner. github.com: microsoft / CSS-Exchange
Read more in:
- Thousands of Exchange servers breached prior to patching, CISA boss says
- ‘The race is on’: CISA raises alarm bells about ransomware attacks against Microsoft Exchange servers
- Microsoft Exchange Server attacks: ‘They’re being hacked faster than we can count’, says security company
Exchange Server: Ransomware Operators are Moving In
Vulnerable Microsoft Exchange Servers are now being actively targeted by ransomware operators. Ransomware known as DearCry began attacking Exchange Servers as early as March 9. BlackKingdom ransomware began exploiting the vulnerabilities more recently.
Note: DearCry appears to be a quickly developed package which encrypts not only data, but also executables and DLLs, rendering the system unusable. BlackKingdom is a more mature traditional ransomware, and security firms can provide help with file recovery if needed. Mitigate the risk by applying patches, scanning for IOCs and making sure that you have real-time detection of attempted exploitation.
Read more in:
- The Peculiar Ransomware Piggybacking Off of China’s Big Hack
- Microsoft Exchange servers now targeted by BlackKingdom ransomware
Exchange Server: Microsoft Defender Antivirus Mitigates One of the Vulnerabilities
Microsoft has updated two antivirus tools so that they mitigate one of the Exchange Server vulnerabilities in on-premises servers. Microsoft Defender Antivirus and System Center Endpoint Protection mitigate one of the four Exchange Server vulnerabilities for which Microsoft released patches earlier this month. By mitigating this particular vulnerability (CVE-2021-26855), the tools thwart attackers’ current model of operation.
Note: The Defender mitigation addresses the ProxyLogon vulnerability. Even with the Defender mitigation, you still need to apply the patches for a comprehensive fix as well as scan to make sure your system has not been compromised. The Microsoft EOMT tool is designed to make this easy and can remediate issues found.
Read more in:
- Microsoft antivirus now automatically mitigates Exchange Server vulnerability
- Microsoft Defender Antivirus now automatically mitigates Exchange Server vulnerabilities
- Microsoft Defender adds automatic Exchange ProxyLogon mitigation
CISA Warns of Multiple Vulnerabilities in GE Power Management Devices
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning of multiple vulnerabilities in GE’s Universal Relay power management devices. The flaws could be exploited to access sensitive information, obtain privileged access, create a denial-of-service condition, or reboot the device. GE urges users to update affected devices’ firmware to UR firmware version 8.10 or later.
- The list of vulnerabilities found in GE’s firmware is pretty much like reading the OWASP Top 10 software vulnerabilities list from 2005! This is true for many of the operational technology and “Internet of Things” vulnerabilities being disclosed – lots of vulnerabilities caused by prioritizing convenience (easy installs) over security, and these devices put many obstacles in the way of easy patching. Essential security hygiene or at least strong segmentation and break/fix windows for patching should be high priority. Spending on Computerized Maintenance Management Systems (CMMS) by OT teams is a $1B per year market. Find out if your company is using a CMMS product and try to get firmware updating to be part of routine maintenance planning.
- The list of disclosed vulnerabilities is both long and reminiscent of vulnerabilities we learned how to avoid years ago. Note that the version 7.4 firmware update added SSH V1 support and version 8.1x has support for weak SSH algorithms. Beyond updating the firmware, use network segmentation, firewalls, and isolation to limit access to these devices to only authorized devices, as it’s not clear the weak protocols can be disabled. Don’t allow direct access from the Internet or your enterprise intranet. See also the CISA control systems recommended practices for references on ICS defense in depth and improving ICS overall cybersecurity: us-cert.cisa.gov: Recommended Practices.
Read more in:
- CISA Warns of Security Flaws in GE Power Management Devices
- ICS Advisory (ICSA-21-075-02) GE UR family
US Federal Grand Jury Indicts Swiss Citizen For Alleged Role in Leaking Stolen Data
A US federal grand jury has indicted an individual on charges of allegedly stealing sensitive data and then posting them on the web. The compromised data include administrative credentials, access keys, and source code. Till Kottmann, who remains in Switzerland, faces several charges, including conspiracy to commit computer fraud and abuse.
Note: While the motivation for the hack appears to be raising awareness of private company and government-sponsored surveillance and the corresponding impacts on privacy coupled with inadequate security, unauthorized hacking is going to run you into legal entanglements. Worse still, if you’re taking action in support of class-action lawsuits intended to change legislation, it can render your work inadmissible. If you’re interested in disclosing security shortfalls, use the processes of a responsible disclosure organization to do it legally.
Read more in:
- Swiss security provocateur who leaked Intel secrets indicted by US authorities
- Verkada Attacker Charged With Wire Fraud, Conspiracy in US
- Swiss hacker charged for leaking proprietary source code
- Verkada breach spotlights ongoing concerns over surveillance firms’ security
- Swiss Hacker indicted for conspiracy, wire fraud, and aggravated identity theft
Netop Fixes Four Critical Flaws in Remote Teaching Software
Netop has addressed four critical vulnerabilities in its Netop Vision Pro system; the monitoring software is used by teachers to remotely access students’ computers. The flaws could be exploited to spy on students through webcams and microphones, infect machines with malware, and steal user credentials. Netop learned of the vulnerabilities in December 2020 and released an updated version of the product in February 2021.
Read more in:
- Critical Security Bugs Fixed in Virtual Learning Software
- Popular remote lesson monitoring program could be exploited to attack student PCs
- McAfee finds vulnerabilities in popular virtual learning software Netop Vision Pro
Critical BIG-IP Vulnerability is Being Actively Exploited
Attackers are scanning for and actively targeting systems with unpatched F5 Networks BIG-IP and BIG-IQ network devices. F5 released fixes for this flaw and 20 others earlier this month. The unauthenticated remote command execution vulnerability exists in the iControl REST interface. BIG-IP server appliances are used to manage traffic flowing into and out of large networks.
Read more in:
- Hackers are exploiting a server vulnerability with a severity of 9.8 out of 10
- Critical F5 BIG-IP Flaw Now Under Active Attack
- Critical F5 BIG-IP vulnerability now targeted in ongoing attacks
- K02566623: Overview of F5 vulnerabilities (March 2021)
Adobe Issues Fix for Critical Flaw in ColdFusion
Adobe has released updates for ColdFusion to address a critical improper input validation vulnerability that could be exploited to execute arbitrary code. The issue affects ColdFusion 2016 Update 16 and earlier, ColdFusion 2018 Update 10 and earlier, and ColdFusion 2021 version 2021.0.0.323925.
Note: Adobe gives the security bulletin a priority rating of 2, which indicates that while it’s not actively being exploited, this is a product which has historically been at risk so you should plan to update soon (within 30 days.) Don’t wait for someone to discover your unpatched server. Note that you need to not only apply the corresponding ColdFusion update, but also update your JRE/JDK to the latest versions of the LTS releases for 1.8 and JDK 11 to secure the server. The Adobe security update site below also has links to guides for locking down your ColdFusion server which should be leveraged.
Read more in:
- Adobe Fixes Critical ColdFusion Flaw in Emergency Update
- Critical code execution vulnerability fixed in Adobe ColdFusion
- Adobe Patches Critical ColdFusion Security Flaw
- Security updates available for Adobe ColdFusion | APSB21-16
Shell Discloses Accellion File Transfer Appliance Breach
Energy company Shell disclosed that it “has been impacted by a data security incident involving Accellion’s File Transfer Appliance.” The company is notifying affected individuals and stakeholders.
Note: The Accellion FTA is being actively targeted and has been since December. Even if you apply the patches to extend the life of the service while you transition, you must check the device for indicators of compromise. At this point it may be better to take it offline and accelerate the migration than accept the risk of further compromise.
Read more in:
- Energy giant Shell discloses data breach after Accellion hack
- Shell Says Personal, Corporate Data Stolen in Accellion Security Incident
- Third-Party Cyber Security Incident Impacts Shell
Flagstar Bank Now Says Some Customer Data Were Compromised in Accellion Attack
Michigan’s Flagstar Bank has been notifying some people that their personal data, including names, addresses, and Social Security numbers, were compromised through an attack against the institution’s Accellion file sharing platform. When Flagstar initially acknowledged the January attack several weeks ago, it said that employee data were compromised. Some of the people who have recently been contacted have not had an account with Flagstar in years; others have never had an account with Flagstar.
Note: Flagstar is offering two years of free credit monitoring to affected individuals. If you don’t already have credit monitoring, accept the offer. Otherwise, multiple monitoring services do not add much value. Note that financial institutions may acquire your personal information in unexpected ways, such as when they purchase your loan from the originating institution, and have retention requirements, mandated by regulators, which exceed the time you’re a customer. As a business, retain personal information the minimal amount of time, making sure you don’t have caches of unpurged data.
Read more in: Ransomwared Bank Tells Customers It Lost Their SSNs
Survey: Cybersecurity Experts Rank Smart City Technologies
Researchers at UC Berkeley’s Center for Long-Term Cybersecurity (CLTC) asked security experts to “rank different technologies according to underlying technical vulnerabilities, their attractiveness to potential attackers, and the potential impact of a successful serious cyberattack.” According to the results of the survey, emergency alerts, street video surveillance, and smart traffic signals posed more security risks than the other technologies. The other technologies included in the survey are smart waste/recycling bins; satellite water leak detection; water consumption tracking; smart tolling; public transit open data; and gunshot detection. The experts were asked to consider the presence of serious vulnerabilities in the underlying technology, the consequences of a successful attack, and whether the technology would be considered a target of interest for attackers.
Note: The term “Smart City” is like “Internet of Things” – very broad terms that often contain very different technologies or use cases. Comparison of risk across the disparate items within those broad buckets isn’t very meaningful. It is more important to focus on requiring essential security hygiene to be built into all products and systems being procured as part of “Smart City” initiatives.
Read more in:
- The Cybersecurity Risks of Smart City Technologies What Do The Experts Think? (PDF)
- Survey finds alert systems and video surveillance are riskiest ‘smart city’ technologies
Russian Pleads Guilty to Tesla Extortion Attempt
A Russian man who attempted to recruit a Tesla employee to place malware on computers at the Tesla Gigafactory has pleaded guilty to conspiracy to intentionally cause damage to a protected computer. Egor Igorevich Kriuchkov allegedly planned to use the malware to steal data from the network and hold it for ransom. Rather than cooperate with Kriuchkov, the Tesla employee informed his employer, who then notified the FBI. Kriuchkov was arrested in August 2020.
Read more in:
- Hacker who tried to extort Tesla pleads guilty
- Crims with ties to Tesla and SpaceX cuffed for computerized conspiracies
- Russian pleads guilty to Tesla hacking and extortion attempt
ODNI Report on 2020 Elections: Russia Pushed Influence Narratives
The National Intelligence Council’s (NIC’s) Intelligence Community Assessment, Foreign Threats to the 2020 US Federal Elections, says there is evidence that foreign actors, most notably Russia, attempted to influence the election and undermine confidence in the electoral process. “A key element of Moscow’s strategy this election cycle was its use of proxies linked to Russian intelligence to push influence narratives … to US media organizations, US officials, and prominent US individuals, some close to [the] former president and his administration.” NIC says that they “have no indications that any foreign actor attempted to alter any technical aspect of the voting process in the 2020 US elections.”
- Back in the late 1950’s a faked experiment led to concern over subliminal advertising frames inserted into films shown in movie theaters. In the early 2000s scientific research proved subliminal advertising did lead to unknowing influence and many countries banned it, while in the US the FCC “discouraged” its use. Much of the influence techniques used by nation states and terrorist groups on social media is essentially subliminal advertising and legislation needs to evolve – it is not something market forces will address.
- Social engineering, influencing others to act in a fashion that supports your desired outcomes, is not new. Often this manifests itself in advertising, or social media posts where the legitimacy is difficult to discern. Changes in legislation can make it harder or add consequences, but it still falls to the consumer to verify information provided.
Read more in:
- Putin targeted people close to Trump in bid to influence 2020 election, U.S. intelligence says
- Foreign Meddling Flooded the 2020 Election—but Not by Hackers
- Foreign Threats to the 2020 US Federal Elections (PDF)
FBI Internet Crime Report 2020
The FBI’s Internet Crime Complaint Center (IC3) has published the 2020 Internet Crime Report. IC3 received more than 790,000 complaints regarding Internet-related crime in 2020. Phishing was the most often reported crime, followed by non-payment/non-delivery, and extortion. The total losses reported to IC3 total more than $4 billion. Business email compromise accounted for the largest portion ($1.8 billion) of those losses.
Note: Just to put that $4B number in perspective: the 2020 National Retail Federation shrinkage survey estimated that 2019 shrinkage (inventory loss from shoplifting, employee theft, supplier error/fraud, cashier errors and other causes) was $62B in the retail sector alone. Three key points here: (1) the FBI IC3 data comes from complaints filed with the FBI, so the numbers don’t reflect overall losses in any way; (2) in many industries, traditional crime continues to have a much larger business impact than cybercrime; (3) retail has kept shrinkage in the range of 1.5 – 2% over the years, while spending 1-1.5% of revenue on loss prevention/shrinkage control, meaning a 3% loss of revenue to shrinkage and the loss prevention program is an acceptable cost of doing business. Increasing spending in loss prevention without reducing shrinkage enough would result in a loss of profit, even if the absolute level of shrinkage went down. Can you talk similar language about the effectiveness of your spending on security controls to justify increases or changes?
Read more in:
- FBI Internet Crime Report 2020 (PDF)
- FBI: One type of scam is costing business the most
- FBI: Over $4.2 billion officially lost to cybercrime in 2020
Mimecast Says SolarWinds Threat Actor Stole Source Certificates and Customer Server Connection Information
Cloud-based email management company Mimecast says that a threat actor linked to the SolarWinds supply chain breach gained “access to part of our production grid environment… [and] accessed certain Mimecast-issued certificates and related customer server connection information.” The threat actor also accessed and downloaded some Mimecast source code repositories.
- When implementing MFA, make sure to not leave exceptions. Verify that remains in effect. Make sure that access credentials, including certificates, are only accessible where absolutely needed. This also raises the question – when you discover a credential is compromised, and change it, and then discover you still have attackers in your system, do you update it again? Or do you wait to make the initial update until you’re absolutely certain the attackers are gone?
- Private keys should not be stored online when not in use.
Read more in:
- Incident Report
- Mimecast reveals source code theft in SolarWinds hack
- SolarWinds threat actor gains access to Mimecast’s production grid environment
- Mimecast says SolarWinds hackers breached its network and spied on customers
- Mimecast Says SolarWinds Attackers Accessed its Source Code Repositories
- Mimecast: SolarWinds Attackers Stole Source Code
CISA’s CHIRP Tool Detects SolarWinds Indicators of Compromise
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a tool that can detect indicators of compromise related to SolarWinds in on-premises environments. “The tool looks for the presence of malware identified by security researchers as TEARDROP and RAINDROP; credential dumping certificate pulls; certain persistence mechanisms identified as associated with this campaign; system, network, and M365 enumeration; and known observable indicators of lateral movement.”
- Similar to the Sparrow tool, which scans for signs of APT compromise in a Microsoft 365 or Azure environment, CHIRP scans for signs of APT compromise in an on-premises environment. CHIRP is available as a PowerShell script or compiled executable and is a command line tool. Unlike the Microsoft tool, CHIRP makes no changes to systems and takes 1-2 hours to run. Ingest the JSON results in your SIEM.
- Such tools will enable one to detect some, perhaps even most, but not all compromises. “The absence of evidence is not evidence of absence.”
Read more in:
- Alert (AA21-077A) Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
- CISA releases new SolarWinds malicious activity detection tool
Three Year Sentence for Twitter Bitcoin Hack
One of the people involved in the Twitter cryptocurrency scam in July 2020 has pleaded guilty to 30 charges, including accessing a computer without authority causing more than $5,000 in damage. Graham Ivan Clark, who was 17 at the time of the incident, will serve three years in a detention facility. He has also surrendered the cryptocurrency he received in the scam. Two co-conspirators are facing charges as well.
Read more in:
- ‘Bit-Con’ Twitter teen hacker accepts plea agreement, three years behind bars
- I was a teenage Twitter hacker. Graham Ivan Clark gets 3-year sentence
- Prosecutors Reach Plea Agreement in Case of Twitter Hacker Graham Clark
Public-Private Task Force to Focus on Exchange Server Response
The National Security Council has created a Unified Coordination Group (UCG), a task force focused on the government’s response to the Microsoft Exchange Server attacks. The task force members include representatives from the intelligence community as well as from private industry. White House Press Secretary Jen Psaki said the UCG met earlier this week and “discussed the remaining number of unpatched systems, malicious exploitation, and ways to partner together on incident response, including the methodology partners could use for tracking the incident.” Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said the Biden “Administration is committed to working with the private sector to build back better – including to modernize our cyber defenses and enhance the nation’s ability to respond rapidly to significant cybersecurity incidents.”
- Rather than “build back better,” use cloud or outsourced services which are built and maintained at a higher level of assurance. One of the appeals and challenges of using cloud services is that the provider is patching and updating, as well as setting the security parameters they can manage. This leaves the customer with a smaller set of responsibilities. In the FedRAMP cloud space, system security is based on the same security framework that agencies need to follow when securing their own systems, with the added benefit of an external auditing company which holds them accountable for fully meeting those controls. While a more aggressive update schedule may stress existing resources, they also provide guidance to minimize the risks associated with updates.
- The “Exchange Server” problem pales in comparison to SolarWinds.
Read more in:
- Statements by Press Secretary Jen Psaki & Deputy National Security Advisor for Cyber Anne Neuberger on Microsoft Exchange Vulnerabilities UCG
- White House Weighs New Cybersecurity Approach After Failure to Detect Hacks
- White House forms public-private task force to tackle Microsoft Exchange hack
Cisco Issues Router Fixes
Cisco has released fixes to address a high-severity flaw that could be exploited to remotely execute code as the root user or cause a denial-of-service condition. The issue exists in the web-based management interface’s improper validation of user-supplied input. Cisco has made fixes available for the affected products, RV132W ADSL2+ Wireless-N VPN routers and RV134W VDSL2 Wireless-AC VPN routers; any firmware release earlier than the fixed releases listed in the Cisco advisory below is vulnerable.
Note: When configuring devices like these, limit access to the administration interface to authorized devices only. Do not enable remote administration without requiring a VPN. These routers were released in 2016; it’s a good time to consider replacing them with newer models, particularly if you are out of support and unable to apply the update.
Read more in:
- Cisco Plugs Security Hole in Small Business Routers
- Cisco Small Business RV132W and RV134W Routers Management Interface Remote Command Execution and Denial of Service Vulnerability
Man Extradited to US, Sentenced to Prison for Cyber Extortion
A US district judge sentenced Joshua Polloso Epifaniou to one year and one day in prison for breaking into websites, stealing user and customer data, and threatening to publish it unless he was paid. Epifaniou has paid nearly $1 million in restitution and forfeiture.
Read more in:
- Cypriot sentenced for email hacking committed as teen
- Cypriot hacker sentenced to federal prison for extorting website operators with stolen personal information
Connecticut Will Consolidate State IT Operations
The governor of Connecticut said the state will consolidate its IT operations into one organization within Connecticut’s Department of Administration Services. Connecticut has close to 40 state agencies; some of the smaller agencies currently lack sufficient IT resources and expertise. The change is also expected to improve cybersecurity.
Note: Centralizing services like this enables leveraging a consolidated pool of expertise, and provides opportunities for increased coverage. The trick is not only relocation of services, but also having them operate in a consistent fashion, leveraging common patching, updating and backup processes as well as common platforms and application stacks to eliminate pockets of specialized support staff and processes. Security boundaries also have to be considered, much like when merging businesses, including verification of resources and services before trusting them in the new environment.
Read more in:
- Connecticut to consolidate IT into single agency
- Gov. Lamont Kicks Off State IT Centralization in Connecticut
- Governor Lamont Announces Launch of Information Technology Optimization Process Within State Government
GAO: Department of Energy Needs to Increase Focus on Distribution System Cybersecurity
According to a report from the Government Accountability Office (GAO), the US power grid’s distribution systems are at an increased risk from cyberattacks. The distribution systems’ industrial control systems (ICSs) are increasingly remotely accessible and connected to business networks. The report says that the Department of Energy has focused on cybersecurity of the grid’s generation and transmission systems and needs to make sure the distribution system’s cybersecurity concerns are mitigated as well.
- With a giant distributed system such as the Grid, not only do remote connections for management and monitoring need to be secure, but data communication paths, whether wireless or ethernet over powerline, need to be verified to limit unauthorized interception. The most common mitigation response I have heard to malicious behavior on control systems is to revert to manual control. While good on paper, verify that is actually practical and timely before relying on that plan.
- We have been saying this for a decade or more. Time to stop “admiring the problem.” We need a narrow focus on what to do. Start with strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) wherever controls are connected to the public networks. Then end-to-end application layer encryption and finally application content control.
Read more in:
- US grid at rising risk to cyberattack, says GAO
- ELECTRICITY GRID CYBERSECURITY: DOE Needs to Ensure Its Plans Fully Address Risks to Distribution Systems (PDF)
Universities and Colleges Targeted In Rash of Ransomware Attacks
Today the FBI issued a rare “FLASH” report notifying “trusted partners” of a sharply accelerating wave of PYSA ransomware already targeting education institutions in 12 US states and the United Kingdom. PYSA, also known as Mespinoza, is malware capable of exfiltrating data and encrypting users’ critical files and data stored on their systems. The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries. These actors use PYSA to exfiltrate data from victims prior to encrypting victims’ systems, using the stolen data as leverage in eliciting ransom payments.
Colleges that are not members of another FBI trusted partner group can get a copy of the report through their student cyber clubs that are wisely using this notification to practice locating IOCs both to help their schools and as preparation for the National Cyber Scholarship competition coming on April 5. The Cyber FastTrack College Coalition of 120 colleges is sharing the FBI FLASH report and more than 100 practice labs contained in the CyberStart learning labs game. Have your college cyber club president request the FBI FLASH report (and learning labs) by emailing [email protected].
Compromised Exchange Servers Targeted with Ransomware
In a new phase of attacks against on-premises Exchange Servers, systems that have already been compromised are now being targeted with ransomware. Microsoft says it “protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.”
- These Exchange Server exploits follow an accelerated timeline of adoption by new criminals: from nation state attacks -> organized crime -> commodity ransomware attacks. Again: If you are not patched, you are compromised. Also consider Business E-Mail Compromise (BEC) attacks a possibility. They are more difficult to detect and may not make the news, at first.
- Microsoft released a one-click tool aimed at companies, in particular SMEs, to use to identify whether they have been compromised and/or vulnerable, and to help remedy if they are. The tool is available at msrc-blog.microsoft.com: One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021
Read more in:
- Exchange servers first compromised by Chinese hackers hit with ransomware
- Microsoft Exchange attacks: Watch out for this new ransomware threat to unpatched servers
- Ransomware may be targeting Microsoft’s Hafnium Exchange Server vulnerabilities
- DearCry Ransomware Hitting Exchange Servers
We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.
— Microsoft Security Intelligence (@MsftSecIntel) March 12, 2021
Linux Kernel Flaws Could be Exploited to Gain Root Privileges
A trio of vulnerabilities in the iSCSI subsystem of the Linux kernel could be exploited to allow anyone with a local user account to obtain root privileges. The vulnerabilities have been present since 2006 and they affect all Linux distributions. They were only recently detected by researchers from GRIMM, who notified the Linux security team in mid-February. The issues are fixed in these kernel releases: 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260.
- Not an emergency. Patch as updated packages become available. Sadly, privilege escalation vulnerabilities are too common to really worry about them too much.
- While you may no longer have SCSI or iSCSI devices, the loadable modules are still installed with the OS. As kernel modules can be loaded by non-privileged users, it’s a good idea to look at hardening the processes around loading kernel modules and allowing only authorized/approved modules to load. While each Linux distribution is slightly different, modules can be denied by editing the modprobe configuration files to not only prevent the loading, but also to change the install for a given module to /bin/false.
- The key issue with Linux vulnerabilities is all the different flavors of Linux that might be in use in your environment, especially in appliances and ICS-type equipment. That impacts not only the level of severity of the vulnerability but also the availability and timeliness of patching. This type of vulnerability – “vestigial” capabilities that aren’t used much but are left in software to ensure backwards compatibility – are a continuing goldmine for attackers that Windows and Linux suffer because of the broad base of hardware that runs those OSs and the many, many, many years they have been out. It really is time to change the planning around IT lifecycle/depreciation schedules to be closer to mobile device short timeframes than the current schedules which really date back to mainframe days.
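The modprobe hardening suggested above, as an added example that is not code from the page, from GRIMM or from any distribution: it generates a modprobe.d drop-in that denies the iSCSI initiator modules and audits an existing configuration against a `/proc/modules` listing. The module names are the upstream iSCSI initiator modules; the drop-in file name and the `/proc/modules` sample are assumptions constructed for the example.

```python
"""Generate and audit a modprobe.d denylist for the Linux iSCSI initiator modules.

Added example; not the page's, GRIMM's or any distro's code. Module names are
the upstream ones; the drop-in path and sample inputs are assumptions.
"""
import re

ISCSI_MODULES = ("iscsi_tcp", "libiscsi_tcp", "libiscsi", "scsi_transport_iscsi")
DROPIN_PATH = "/etc/modprobe.d/disable-iscsi.conf"  # assumed file name

# Constructed /proc/modules excerpt (name, size, refcount, users, state, address).
SAMPLE_PROC_MODULES = """\
xfs 1503232 2 - Live 0xffffffffc0a00000
scsi_transport_iscsi 110592 1 libiscsi, Live 0xffffffffc09e0000
libiscsi 65536 0 - Live 0xffffffffc09c0000
"""

# Constructed existing config that only blacklists (insufficient on its own).
SAMPLE_EXISTING_CONF = """\
# vendor default
blacklist iscsi_tcp
install libiscsi /bin/false
"""


def modprobe_denylist(modules=ISCSI_MODULES):
    """Build the drop-in text. 'blacklist' only stops alias-driven autoloading;
    'install <mod> /bin/false' makes modprobe run /bin/false instead of
    inserting the module, so an explicit modprobe and a kernel request_module()
    both fail. Both directives are emitted for each module."""
    lines = ["# Deny loading of the iSCSI initiator modules (generated)"]
    for mod in modules:
        lines.append(f"blacklist {mod}")
        lines.append(f"install {mod} /bin/false")
    return "\n".join(lines) + "\n"


_INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+/bin/(?:false|true)\b")


def _norm(name):
    # modprobe treats '-' and '_' in module names as equivalent.
    return name.replace("-", "_")


def denied_modules(conf_text):
    """Modules whose load is overridden to /bin/false or /bin/true."""
    denied = set()
    for line in conf_text.splitlines():
        m = _INSTALL_RE.match(line)
        if m:
            denied.add(_norm(m.group(1)))
    return denied


def loaded_modules(proc_modules_text):
    """Module names from a /proc/modules listing (first column)."""
    return {_norm(line.split()[0]) for line in proc_modules_text.splitlines() if line.strip()}


def audit(conf_text, proc_modules_text, wanted=ISCSI_MODULES):
    """Report which wanted modules are not denied and which are loaded right now.
    A loaded module is not unloaded by a modprobe.d change; rmmod or a reboot is needed."""
    denied = denied_modules(conf_text)
    loaded = loaded_modules(proc_modules_text)
    return {
        "not_denied": [m for m in wanted if _norm(m) not in denied],
        "currently_loaded": [m for m in wanted if _norm(m) in loaded],
    }


if __name__ == "__main__":
    print(modprobe_denylist(), end="")
    print("audit of sample config:", audit(SAMPLE_EXISTING_CONF, SAMPLE_PROC_MODULES))
    print(f"write the generated text to {DROPIN_PATH}, then rmmod the loaded modules")
```

An `install` override only governs modprobe; root can still bypass it with insmod, so on hosts that never need new modules after boot, finish the job with `kernel.modules_disabled=1` once the required modules are loaded. The audit deliberately treats a bare `blacklist` line as insufficient, because a dependency pull-in or explicit `modprobe` still loads a blacklisted module.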
Read more in:
- New Old Bugs in the Linux Kernel
- Three flaws that sat in Linux kernel since 2006 could deliver root privileges to attackers
- 15-year-old Linux kernel bugs let attackers gain root privileges
Analysis Shows Security Agencies Need to Adopt Better PDF Sanitization Methods
Researchers from Université Grenoble Alpes (France) and France’s Institut national de recherche en informatique et en automatique (INRIA) have published a paper detailing data exposure concerns in PDFs published by security agencies. The researchers analyzed 40,000 PDFs published by security agencies in 47 countries. Just seven agencies used sanitization to remove sensitive information from PDFs, and 65 percent of the sanitized files still contained sensitive information. PDFs contain layers of hidden data. Inadequate sanitization can reveal “sensitive information like authors names, details on the information system and architecture.” The researchers urge agencies to change sanitization methods.
- Redacting information requires a careful choice of tool and technique to avoid using mechanisms which can be bypassed. With PDF and other modern document types, it’s easy to overlook the hidden data included by default, from embedded files, to information about the author, organization and even software versions used. The published paper enumerates 11 types of hidden data in PDF files. The best tool for removing metadata from PDF files is Adobe Acrobat. NSA has published a guide for redacting files using Adobe Acrobat Pro. apps.nsa.gov: Redaction of PDF Files Using Adobe Acrobat Professional X
- Or maybe we need fewer PDFs? Reviving the art of creating readable plain text documents may be easier and more effective than sanitizing PDFs.
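A byte-level triage of the hidden-data layers discussed above, as an added example that is not code from the page or from the paper’s authors: it flags document-info metadata, XMP metadata streams, embedded files, annotations, form fields, JavaScript, optional-content layers and retained incremental updates (a redaction saved as an update leaves the original bytes in the file). The PDF embedded below is constructed for the example. Because PDF 1.5+ files can pack these objects into compressed object streams, a clean result from this scanner is not proof of a clean file; it tells you what to inspect with a real PDF tool before publishing.

```python
"""Flag hidden-data indicators in a PDF by scanning its raw bytes.

Added example; not the page's or the paper's code. SAMPLE_PDF is constructed.
"""
import re
from collections import OrderedDict

# Each indicator: a human label and a byte regex over the raw file.
INDICATORS = OrderedDict([
    ("document info metadata", rb"/(?:Author|Creator|Producer|Title|Subject|Keywords)\s*\("),
    ("XMP metadata stream", rb"/Type\s*/Metadata"),
    ("embedded files", rb"/EmbeddedFiles|/Type\s*/Filespec"),
    ("annotations or comments", rb"/Type\s*/Annot"),
    ("form fields", rb"/AcroForm"),
    ("JavaScript", rb"/JavaScript|/JS\s*\("),
    ("optional content (layers)", rb"/OCProperties"),
])

# Constructed minimal PDF: info dictionary, XMP stream, an embedded file, and a
# later incremental update that appends a sticky-note annotation. Nothing in the
# first revision is removed by the update; it is still in the file.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R "
    b"/Names << /EmbeddedFiles << /Names [(notes.txt) 6 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /Author (j.doe) /Producer (Acme PDF Writer 9.1) /Creator (Acme Office 2019) >> endobj\n"
    b"5 0 obj << /Type /Metadata /Subtype /XML /Length 0 >> stream\nendstream endobj\n"
    b"6 0 obj << /Type /Filespec /F (notes.txt) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
    b"7 0 obj << /Type /Annot /Subtype /Text /Contents (remove before release) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 4 0 R /Prev 0 >>\n%%EOF\n"
)


def scan_pdf(data):
    """Return {label: count} for every indicator present. 'incremental updates'
    counts %%EOF markers beyond the first, i.e. retained earlier revisions."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    findings = {label: len(re.findall(pat, data)) for label, pat in INDICATORS.items()}
    findings["incremental updates"] = max(0, data.count(b"%%EOF") - 1)
    return {label: n for label, n in findings.items() if n}


def info_values(data):
    """Literal-string values of the author/software fields, the items most often
    leaked: who wrote it and which product and version produced it."""
    return dict(re.findall(rb"/(Author|Creator|Producer)\s*\(([^)]*)\)", data))


def release_ready(data):
    """True only if no indicator fires; a False here means 'sanitize and rescan'."""
    return not scan_pdf(data)


if __name__ == "__main__":
    for label, n in scan_pdf(SAMPLE_PDF).items():
        print(f"{label}: {n}")
    for key, value in info_values(SAMPLE_PDF).items():
        print(f"  {key.decode()}: {value.decode()}")
    print("release ready:", release_ready(SAMPLE_PDF))
```

The incremental-update count is the check most redaction workflows miss: a document “saved” after drawing black boxes over text keeps the original page content in the earlier revision unless the tool rewrites the whole file.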
Read more in:
- Research: Security Agencies Expose Information via Improperly Sanitized PDFs
- Exploitation and Sanitization of Hidden Data in PDF Files (PDF)
Cyberattack Disrupted Molson Coors Production
The Molson Coors brewing company says that a cyberattack “caused a system outage,” disrupting operations. Molson Coors disclosed the information in a Form 8-K filed with the US Securities and Exchange Commission (SEC). The company has not provided details about the attack.
Read more in:
- Molson Coors Cracks Open a Cyberattack Investigation
- Molson Coors says cyberattack disrupted beer brewing
- FORM 8-K | MOLSON COORS BEVERAGE COMPANY (PDF)
OVH Data Center Fire Occurred After UPS Unit Maintenance, Some Backups Non-recoverable
A fire that destroyed an OVH data center in Strasbourg, France, was likely caused by problems with an uninterruptible power supply (UPS) unit. Firefighters’ thermal cameras showed that a recently-serviced UPS unit and an adjacent unit were burning. The company has also said that internal backups for some systems are “non-recoverable.”
- When outsourcing functions, whether to a hosting center or a cloud provider, look carefully at geographic separation to prevent single points of failure. When services were in your data center, you had discussions about separations to prevent a single incident taking down your systems and you sent backups to an offsite facility for storage. These same risks apply here. Cloud services make it easy to have regional separations, most often considered for availability, but also consider separations for recovery as well, separate backups and services. Similarly, have backups in a separate co-location service from your hosted systems if you’re not retaining them in your data center.
- Fire safety is usually outside the expertise of cybersecurity teams, but it is just as complex – putting one group in charge of both has been promoted, but often makes no sense. Many UPS systems involve batteries and there are numerous scenarios where batteries can be mismanaged or under-maintained and burst into flames. There are also many storage scenarios in which innocuous maintenance materials (antifreeze, fertilizer, burlap sacks, etc.) may be stored too close together and lead to fires. This is a good example to use to drive inspection if your group is responsible for fire safety.
- Too many people feel that once their data is in the cloud they no longer need to worry about backups.
Read more in:
- OVH data center fire likely caused by faulty UPS power supply
- OVH fire: Octave Klaba says UPS systems were ablaze
- OVH says some customer data and configs can’t be recovered after fire, some seems to be OK, plenty is safe
- Status and backup by service in our Strasbourg data centers (SBG)
Microsoft Investigating Possible Leak of Exchange Server Proof-of-Concept Code
Microsoft is investigating whether information about the Exchange Server vulnerabilities was leaked prior to the patches’ release. Microsoft shared information about the vulnerabilities with its security partners through its Microsoft Active Protections Program (MAPP). On February 23, some MAPP partners received information about the Exchange Server vulnerabilities, which included proof-of-concept exploit code. (Please note that the WSJ story is behind a paywall.)
Note: Microsoft sources say they suspect that one of their MAPP business partners released the code. Vulnerability and supporting information, such as proof-of-concept code, is released to these partners as part of their patch release process. If a partner was the source of the leak, they will face consequences, including ejection from the MAPP program. The possible risks of the MAPP program indicate timely application of released updates is prudent.
Read more in:
- How Did the Exchange Server Exploit Leak?
- Microsoft investigates potential ties between partner security firm, Exchange Server attack code leak
- Microsoft Investigates Whether Leaked ‘Proof of Concept’ Attack Code Contributed to Exchange Hack
- Microsoft Probes Whether Leak Played Role in Suspected Chinese Hack (paywall)
Sky Global CEO and Associate Indicted
A US federal grand jury has returned an indictment against Sky Global CEO Jean-Francois Eap and a former distributor of Sky Global devices, Thomas Herdman. Suzanne Turner, FBI Special Agent in Charge of the San Diego Field Office, said “Eap and Herdman allegedly provided a service designed to allow criminals to evade law enforcement to traffic drugs and commit acts of violent crime without detection.” Sky Global devices are allegedly designed to prevent law enforcement from monitoring communications.
Read more in:
- U.S. Indicts CEO of Encrypted Phone Firm ‘Sky’
- CEO of Sky Global encrypted chat platform indicted by US
- US Indicts Head of Alleged Crime Chat Comms Service
- Sky Global Executive and Associate Indicted for Providing Encrypted Communication Devices to Help International Drug Traffickers Avoid Law Enforcement
UK ISPs and Law Enforcement Have Been Testing Internet Surveillance Technology
Internet service providers, the UK Home Office, and the National Crime Agency have been testing surveillance technology that could be used to retain all UK residents’ browsing histories. The Investigatory Powers Act 2016 allows the collection of data to create Internet Connection Records, and allows the information to be stored for up to 12 months.
Note: This will be watched very closely by the EU because the UK has now left the EU via Brexit. The UK has been granted temporary adequacy (meaning companies within the EU can continue to transfer personal data to organisations within the UK) until the end of June this year. However, should the EU deem the measures the UK are testing with this project to be in breach of the rights of EU citizens, the EU may not grant the UK ongoing adequacy from July 1, leading to major personal data transfer issues between the EU and the UK.
Google Pushes Out Fix for Another Chrome Zero-day
A use-after-free vulnerability in Google Chrome’s Blink rendering engine is being actively exploited. This is the third zero-day flaw in Chrome that has been disclosed in as many months. The issue is fixed in the most recent version of Chrome on the stable channel for desktop, “89.0.4389.90 for Windows, Mac and Linux, which will roll out over the coming days/weeks.” The update fixes four additional vulnerabilities.
- Luckily, Google Chrome has a reasonably solid auto-update scheme. Just make sure to restart Google Chrome at least once a day.
- The updates have not aligned with patch Tuesday, meaning you’re going to have to kick off an out-of-band patch sequence. Make sure to tell users to close Chrome, because you’re going to have to do that for them to apply the update. Make sure your other Chromium based browsers are up to date as well.
- Browsers have become so general, flexible, feature-rich, and complex that they are inherently risky. Prefer purpose-built apps for sensitive applications.
Read more in:
- Google Warns Mac, Windows Users of Chrome Zero-Day Flaw
- Google Chrome Zero-Day Under Attack, Again
- Stable Channel Update for Desktop
Google’s Proof-of-Concept Spectre Exploit
Google has published a proof-of-concept exploit for the Spectre vulnerability. Google notes that “the goal of this proof of concept is to demonstrate the feasibility of a web-based Spectre exploit.”
Note: The POC demonstrates that current Spectre mitigations are incomplete. Google has published guidance on new security defenses to mitigate both Spectre-style and common web-level cross-site leaks (security.googleblog.com: Towards native security defenses for the web ecosystem). These defenses are dependent on new security features introduced in Chrome 83 and Firefox 79 and if followed can help create applications more resistant to CSRF, XSS, DOM based and other information leak attacks.
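The defenses the note refers to are request isolation via the Fetch Metadata headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) and cross-origin isolation via COOP/COEP. The block below is an added example, not code from Google, the linked blog post or this page: it encodes the published Resource Isolation Policy as a single allow/deny function and returns the response headers that opt a document into a cross-origin isolated state. The `method` and `headers` interface is an assumed shape of what a web framework hands to middleware; the header names and values are the real ones.

```python
"""Resource Isolation Policy (Fetch Metadata) plus cross-origin isolation headers.

Added example, not code from Google, the linked blog post or this page. The
allow/deny logic follows the published Resource Isolation Policy for the
Sec-Fetch-Site/Mode/Dest request headers; the response headers are the ones
that opt a page into cross-origin isolation (COOP/COEP/CORP). The `method`
and `headers` arguments are an assumed middleware interface; header names
and values are the real ones.
"""

# Cross-site navigations that land in <object>/<embed> are refused: those
# embeddings let a hostile page pull the response into its own process.
DENIED_NAVIGATION_DESTS = {"object", "embed"}


def resource_isolation_allows(method, headers):
    """Return True if the request may be served under the Resource Isolation Policy.

    `headers` maps lower-cased request header names to their values.
    """
    site = headers.get("sec-fetch-site")
    if site is None:
        # Browsers without Fetch Metadata support send no Sec-Fetch-Site.
        # The policy fails open for them; tighten this once such clients are gone.
        return True
    if site in ("same-origin", "same-site", "none"):
        # Same-site traffic and user-initiated requests (address bar, bookmark).
        return True
    # Anything else is cross-site. Allow only simple top-level GET navigations,
    # which are what links from other sites need; refuse cross-site scripts,
    # images, fetches and form POSTs, which is what a Spectre reader or a
    # CSRF/XS-leak attack relies on.
    is_simple_navigation = (
        headers.get("sec-fetch-mode") == "navigate"
        and method.upper() == "GET"
        and headers.get("sec-fetch-dest") not in DENIED_NAVIGATION_DESTS
    )
    return is_simple_navigation


def cross_origin_isolation_headers():
    """Response headers that put a document into a cross-origin isolated state.

    COOP severs the window reference from cross-origin openers, COEP refuses
    cross-origin subresources that have not opted in, and CORP marks this
    server's own responses as same-origin only. Subresources you must load
    from other origins need CORP or CORS headers of their own, or COEP will
    block them; that breakage is the usual reason deployments stall.
    """
    return {
        "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Embedder-Policy": "require-corp",
        "Cross-Origin-Resource-Policy": "same-origin",
    }


if __name__ == "__main__":
    # Constructed requests: a cross-site <script src> fetch and a plain link click.
    hostile = {"sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "script"}
    link = {"sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document"}
    print("cross-site script fetch allowed:", resource_isolation_allows("GET", hostile))
    print("cross-site link navigation allowed:", resource_isolation_allows("GET", link))
    print(cross_origin_isolation_headers())
```

Deploy the policy in report-only mode first (log the denials instead of returning 403) and watch for legitimate cross-site callers such as payment redirects or embedded widgets; those need explicit allow rules rather than a weaker default.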
Read more in:
- Google emits data-leaking proof-of-concept Spectre exploit for Intel CPUs to really get everyone’s attention
- This Spectre proof-of-concept shows how dangerous these attacks can be
- google / security-research-pocs
Buffalo Public Schools Cancels Classes Due to Ransomware
Buffalo (New York) Public Schools was hit with a ransomware attack on Friday, March 12. The district cancelled remote learning on Friday afternoon “due to an unanticipated interruption to BPS District network systems.” The district has cancelled all classes on Monday, March 15.
Read more in:
- Buffalo Public Schools was victim of ransomware attack
- Buffalo Public Schools cancels classes after cyberattack
- Update on Cybersecurity Attack (PDF)
House Committee Forms DOD Supply Chain Security Task Force
The US House of Representatives Armed Services Committee has created a task force to look into defense supply chain issues. Over the next three months, the Defense Critical Supply Chain Task Force will develop legislative solutions to supply chain and related issues that can be incorporated into the 2022 National Defense Authorization Act. Task force co-chair Representative Mike Gallagher (R-Wisconsin) also co-chaired the Cyberspace Solarium Commission.
- A much faster approach would be to simply photocopy the reports from any of the numerous other task forces that have been launched by the US Federal Government in the last decade or so on the same topic. I provided input to one in 2012 or so and would just cut and paste my same recommendations today.
- Paying attention to your supply chain is really important, particularly when a known supplier is acquired by one who may not have your best interests at heart. Discovery may reveal hardware and software products no longer appropriate for your enterprise which will then have to be replaced or constrained. That analysis has to be supported by detection capabilities and response to prevent malicious activities not yet surfaced by your supply chain analysis.
- Even if we are unable to hold vendors responsible for the quality of their own code, we must hold them accountable when they distribute malicious code from other sources. We will not secure the supply-chain by putting all the onus on the end-using enterprises.
Some Exchange Server Victims Have Multiple Backdoors Installed
Experts are working to notify and help organizations with systems that have been compromised by groups exploiting the Exchange Server vulnerabilities before the attackers move on to phase two of the campaign, which could have much more dire consequences. Some of the victims have been targeted by multiple groups and as a result, now have multiple backdoors on their systems. Victims of the attacks include Norway’s parliament, and the European Banking Authority.
- With proof-of-concept code circulating, backdoors are to be expected. Attackers are racing to control as many systems as possible before other groups lock them down. The attackers are acting MUCH more quickly than system owners and will make the cleanup job all that much harder for system owners who are slow to respond.
- As feared, the criminals have already moved on to the next phase and are starting to leverage their foothold on compromised systems to launch ransomware attacks known as Ransom:Win32/DoejoCrypt.A, and also as DearCry (www.zdnet.com: Microsoft Exchange attacks: Watch out for this new ransomware threat to unpatched servers). If you have not checked your on-premises Exchange servers by now, do so as a matter of urgency using the guidance provided by Microsoft: msrc-blog.microsoft.com: Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021
Read more in:
- Warning the World of a Ticking Time Bomb
- List of Hacked Exchange Servers May Boost Recovery Efforts
- Å nei! Norway’s Stortinget struck by Microsoft Exchange malware
- Norway parliament data stolen in Microsoft Exchange attack
- European Banking Authority restores email service in wake of Microsoft Exchange hack
- Cyber-attack on the European Banking Authority – UPDATE 3
- Microsoft Exchange server hack: Banking agency on ‘heightened alert’ after cyberattack
- Up to 60,000 computer systems exposed in Germany to Microsoft flaw: BSI
Multiple Threat Actors are Exploiting Exchange Server Vulnerabilities
According to analysis from ESET, at least 10 APT groups are exploiting the Microsoft Exchange Server vulnerabilities. Many of the groups have ties to China. Six of the groups were actively exploiting the flaws prior to Microsoft’s emergency patch release on Tuesday, March 2.
- The interval between initial exploits by Hafnium and additional APT groups is simply too small for them to have independently discovered the vulnerabilities and developed working exploits. This suggests that after the initial exploits were leveraged by Hafnium in or before January, they then shared them with other groups such as Tick, LuckyMouse, Calypso, Websiic and APT41. Given the scope of added exploits discovered, assume they are shared even more broadly. For this reason, it is best to operate on the model that all Exchange servers are targets and that you not only need to apply the patches, but also check carefully for signs of compromise. Make sure that your real-time endpoint protection includes the Exchange vulnerabilities and IOCs.
- This issue of NewsBites features a wide array of vulnerabilities in IT critical infrastructure elements, like Windows, macOS, Exchange and F5 BIG-IP – without even mentioning SolarWinds Orion. This points out two big issues that are prerequisites to even considering thinking about talking about buzzwords like “Zero Trust”: (1) to be proactive, risk analysis has to focus as much (really more) on where vulnerabilities would cause the most impact to business as on who might launch attacks; and (2) if you can’t get the critical IT infrastructure elements to the essential security hygiene level (meaningful segmentation, rapid patching, configuration management) then you have no chance in assessing the trustability of anything else.
- I concur with John Pescatore but I want to stress the urgency and seriousness. Our infrastructure now stands naked before a nation state willing to take the risk of being caught in the act of compromising that infrastructure. We must assume that that state will work to maintain its advantage and that in time of crisis would exploit it.
Read more in:
- Exchange servers under siege from at least 10 APT groups
- At least 10 APT hacking groups have exploited Exchange Server bugs, ESET warns
- Microsoft Exchange Servers Face APT Attack Tsunami
- There’s a vexing mystery surrounding the 0-day attacks on Exchange servers
- Exchange Server security patch warning: Apply now before more hackers exploit the vulnerabilities
- More hacking groups join Microsoft Exchange attack frenzy
- The Cybersecurity 202: More hackers jump to take advantage of a widespread Microsoft security flaw
- It’s Open Season for Microsoft Exchange Server Hacks
Microsoft Releases Patches for Older Versions of Exchange Server
On Monday, March 8, Microsoft released patches for older, unsupported versions of Exchange Server to protect entities using those versions from attacks. The decision to release the additional fixes underscores the severity of the situation. In a blog post accompanying the patches’ release, Microsoft cautions that the updates for these older cumulative updates address only the four Exchange Server vulnerabilities that are being actively exploited, and urges users to upgrade to a supported version of Exchange Server.
Note: If you are running an older Exchange version, you not only need to apply the patches, but also run detection tools such as the Microsoft Safety Scanner (MSERT) to detect and remove any web shells. Next, start your migration to either supported Exchange or Exchange Online services.
Read more in:
- Microsoft Exchange attacks: Now Microsoft rushes out a patch for older versions of Exchange
- Amid widespread Exchange Server attacks, Microsoft issues patch for older versions
- March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server
Apple Updates macOS, iOS, and iPadOS to Fix Code Execution Issue
Apple has released an assortment of updates to fix a vulnerability that could allow arbitrary code execution. Users are urged to update to macOS Big Sur 11.2.3, iOS 14.4.1 and iPadOS 14.4.1.
- Apple’s release of an update fixing one single vulnerability is very unusual and may indicate that this vulnerability is already being exploited.
- This update fixes CVE-2021-1844 in WebKit, necessitating updates to iOS/iPadOS and watchOS as well as Safari and macOS 11 (Big Sur). While iOS and iPadOS 14.5 are expected to drop soon, this update is here now. Minimize the impact by leveraging your device management solution to push the update to Automated Device Enrollment (ADE), formerly DEP, devices.
Read more in:
- iPhone, iPad and Mac security: Apple releases fixes for bug that could allow code execution via malicious web content
- About the security content of macOS Big Sur 11.2.3
- About the security content of iOS 14.4.1 and iPadOS 14.4.1
Microsoft Patch Tuesday: March 2021
On Tuesday, March 9, Microsoft released updates to address more than 80 vulnerabilities in Windows, Edge, Azure, Office, and other products. Several of the vulnerabilities are being actively exploited, including a memory corruption issue in Internet Explorer that was used in attacks targeting security researchers; the flaw can be exploited to gain privileges equivalent to those of the logged-on user.
- With all the attention to Exchange, don’t lose sight of this month’s Microsoft patches. Ten of the released updates are rated critical. Some of the patches are being refined, so keep an eye out for changes. Note that this is the last patch for the legacy Edge browser, because support ends this month. You should be actively migrating off legacy Edge to alternatives such as Chromium Edge.
- I hope you had the Exchange server issue under control ahead of the release of Tuesday’s monthly patches. We should all be patching DNS servers (and AD using DNS). This vulnerability, while not as easily exploitable as some, has also had some PoC exploits released.
Read more in:
- Microsoft Patch Tuesday, March 2021 Edition
- Beware the IDEs of March: Microsoft’s latest monthly fixes land after frantic Exchange Server updates
- Microsoft’s March Patch Tuesday: Critical remote code execution flaws, IE zero-day fixed
- Critical 0-day that targeted security researchers gets a patch from Microsoft
- Microsoft Patch Tuesday Fixes 82 CVEs, Internet Explorer Zero-Day
Adobe Updates Five Critical Flaws in Framemaker, Connect, and Creative Cloud
Adobe has released updates to address critical flaws in Framemaker, Connect, and Creative Cloud. An out-of-bounds read issue in Framemaker, an improper input validation issue in Connect, and an arbitrary file overwrite issue and an OS command injection issue in Creative Cloud could be exploited to allow arbitrary code execution. An improper input validation issue in Creative Cloud could be exploited to gain elevated privileges.
Note: While these vulnerabilities are rated critical, they are also marked priority 3, which means the product has not historically been a target and the updates can be installed at your discretion. Creative Cloud users should automatically get the updates. Add scanning for the updated versions to your monthly patch verification process, flagging or updating those who fail to apply the update.
Read more in:
- Adobe releases batch of security fixes for Framemaker, Creative Cloud, Connect
- Adobe Critical Code-Execution Flaws Plague Windows Users
- Security Updates Available for Adobe Framemaker | APSB21-14
- Security updates available for Adobe Connect | APSB21-19
- Security update available for Adobe Creative Cloud Desktop Application | APSB21-18
F5 Issues Updates to Fix Seven BIG-IP Flaws; Four are Critical
F5 has disclosed seven security issues affecting its BIG-IP and BIG-IQ network devices. Four of the flaws are critical remote code execution issues that could be exploited to take control of vulnerable systems. The flaws are fixed in BIG-IP versions 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. One of the critical flaws also affects BIG-IQ; it is fixed in versions 8.0.0, 7.1.0.3, and 7.0.0.2.
- In addition to patching these systems, verify that the administrative interfaces are not exposed. The #1 precaution you can take, if it is for a home router or an enterprise gateway, is to avoid exposing your administrative interfaces and APIs to the public.
- If you’re an F5 shop, you’re probably using F5 for not only load balancing Internet facing services, but also WAF and SSL termination. These vulnerabilities enable remote code execution, so an exploit can effectively pivot into non-public areas of your corporate network. It’s reasonably easy to discover vulnerable devices with tools like Shodan. There is no effective mitigation other than patching/updating. The F5 overview below has a table of affected to fixed software versions. Use this to plan your attack. Also don’t overlook your non-Internet facing F5 devices.
Read more in:
- F5 Networks Urges Customers to Update to New Versions of Its App Delivery Tech
- For the second time in less than a year, F5 announces critical vulnerabilities in networking devices
- F5 issues BIG-IP patches to tackle unauthenticated remote code execution, critical flaws
- F5, CISA Warn of Critical BIG-IP and BIG-IQ RCE Bugs
- Now it is F5’s turn to reveal critical security bugs – and the Feds were quick to sound the alarm on these BIG-IP flaws
- F5 Security Advisory for RCE Vulnerabilities in BIG-IP, BIG-IQ
- Overview of F5 critical vulnerabilities (March 2021)
Verkada Surveillance Cameras Breached
Live feeds from more than 150,000 Verkada surveillance cameras were breached after admin account credentials were found on the Internet. The intruders were able to access archived footage as well. Verkada has disabled all internal administrator accounts. Affected organizations include hospitals, prisons, schools, police stations, and manufacturing facilities.
Note: This isn’t new: Internet connected cameras accessed via some kind of “support” or “backdoor” password. Cameras often need to be exposed to the Internet for remote monitoring. If you do this: Please do not place cameras in sensitive areas (for example inside your house or office) and avoid systems that store footage in the cloud.
Read more in:
- Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals
- Hacktivists breach Verkada and view 150,000 CCTV cams in hospitals, prisons, a Tesla factory, even Cloudflare HQ
- Verkada disables accounts after reports its security cameras were breached
- Camera tricks: Privacy concerns raised after massive surveillance cam breach
- ‘Thousands’ of Verkada Cameras Affected by Hacking Breach
- Hackers access surveillance cameras at Tesla, Cloudflare, banks, more
- Massive camera hack exposes the growing reach and intimacy of American surveillance
- Tesla factory cameras breached by hackers, report says
- Hacked Surveillance Camera Firm Shows Staggering Scale of Facial Recognition
European Judicial and Law Enforcement Authorities Make Arrests After Cracking Sky ECC Encryption
Authorities in Belgium, France, and the Netherlands, with the support of Europol and Eurojust, have “unlocked” the Sky ECC encrypted communication network, which allows them to monitor communications of organized crime groups. Earlier this week, authorities conducted raids in which they seized property and made arrests. Sky ECC maintains that its encryption was not broken, but that the information used to make the arrests and seizures was obtained through a phony version of its app.
Note: Well done to all involved in this operation. In particular I think it is very worth noting that this operation was successful without requiring any backdoors into encryption. This demonstrates that we can have strong encryption and that law enforcement with the right resources and tools do not need to undermine that security to attain their goals.
Read more in:
- New Major Interventions to Block Encrypted Communications of Criminal Networks
- Sky ECC denies police have ‘cracked’ encrypted messaging platform
- Europe ‘unlocks’ encrypted Sky ECC chat service to make arrests
- Encrypted Phone Firm ‘Sky’: Someone Sold Compromised Versions of Our App
OVHcloud Data Center Fire in France
A fire at OVH data centers in Strasbourg, France, has affected the availability of major websites, including eeNews Europe, VeraCrypt, and Rust. Some threat actor groups have also been affected. The fire broke out in one of four data centers in Strasbourg; the entire site, which includes four data centers, has been isolated. OVHcloud is the largest cloud services provider in Europe.
- OVH has a rich history of inaction against malicious sites. Some researchers noted how the data center fire removed about 30% of the infrastructure used by various APT groups. This history of inaction against malicious content may also be an indicator for an underlying issue with how the data centers are run in general.
- Just because you moved to the cloud does not mean your BCP issues have magically gone away. Always revise your BCPs and test them using different scenarios, your cloud provider going offline being one of those scenarios.
Read more in:
- OVHcloud data centers engulfed in flames
- OVH data center burns down knocking major sites offline
- Giant Datacenter Fire Takes Down Government Hacking Infrastructure
Schneider Releases Updates to Address Flaws in Certain Smart Meters
Schneider Electric has released updates for two vulnerabilities that affect its PowerLogic ION/PM smart meter product line. The flaws, which were detected by researchers at Claroty, are pre-authentication integer-overflow vulnerabilities; both could be exploited to reboot a vulnerable meter, effectively creating a denial-of-service condition. One of the vulnerabilities could also be exploited to allow remote code execution.
Note: These are unauthenticated vulnerabilities, which have been widely published on the Internet. Beyond applying the update, make sure that your meters are properly isolated and that only authorized devices can reach them. The Schneider Electric bulletin includes general security recommendations. Also use NIST SP 800-82 “Guide to Industrial Control Systems (ICS) Security” to validate the security measures taken and identify gaps to resolve: nvlpubs.nist.gov (PDF)
Read more in:
- Claroty Uncovers Vulnerabilities in Schneider Electric Smart Meters
- Serious Vulnerabilities Found in Schneider Electric Power Meters
Microsoft’s MSERT Tool Can Now Detect Exchange Server Indicators of Compromise
Microsoft has updated its MSERT security scanning tool so that it can detect the web shell scripts used in the recent Exchange Server attacks.
- Windows Defender has also been updated to detect the web shells. The Microsoft Safety Scanner, also called MSERT, can be used to detect and will automatically remove the implanted web shells unless you start it with the /N argument. Note MSERT is not a real-time defense tool and only performs spot checks. Select the full scan option, which can take a while. Microsoft also released a PowerShell script “Test-ProxyLogon.ps1” to search for IOCs in Exchange and OWA log files, see GitHub CSS-Exchange link below.
- Given the nature of these vulnerabilities and the widespread exploitation of them, if your company has not yet applied the patches then assume you have been breached and respond accordingly. Applying the patches will fix the vulnerability but will not address any compromise or additional backdoors attackers may have planted before the patches were applied.
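The notes above (and the earlier note urging an urgent check of on-premises Exchange servers) point at Microsoft's log-based indicators rather than only at the web shell files. The block below is an added example, not Microsoft's Test-ProxyLogon.ps1 and not code from the page: it reproduces two of those checks in Python over constructed log excerpts, the CVE-2021-26855 `AnchorMailbox` pattern `ServerInfo~*/*` in HttpProxy logs, and `Set-OabVirtualDirectory` calls that write script into an OAB ExternalUrl in ECP server logs (CVE-2021-27065). The column layout of the sample HttpProxy log is an assumption; real logs carry many more fields but use the same `#Fields:` header convention.

```python
"""Hunt for ProxyLogon indicators in Exchange HttpProxy and ECP server logs.

Added example, not Microsoft's Test-ProxyLogon.ps1 and not code from the page.
Two checks are reproduced: the CVE-2021-26855 AnchorMailbox pattern
'ServerInfo~*/*' in HttpProxy logs, and Set-OabVirtualDirectory writing
script into ExternalUrl (CVE-2021-27065) in ECP server logs. Both log
excerpts are constructed for the example; the HttpProxy column set is an
assumption, real logs have many more fields behind the same '#Fields:' line.
"""
import csv
import re

# Constructed HttpProxy log: two SSRF hits from one source, one normal OWA login.
HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Fields: DateTime,ClientIpAddress,UrlStem,AnchorMailbox,HttpStatus
2021-03-03T09:12:41.100Z,198.51.100.23,/autodiscover/autodiscover.json,ServerInfo~localhost/autodiscover/autodiscover.xml?#~1941,200
2021-03-03T09:12:55.410Z,203.0.113.8,/owa/,alice@corp.example,200
2021-03-03T09:13:02.005Z,198.51.100.23,/ecp/y.js,ServerInfo~exch01.corp.example/ecp/DDI/DDIService.svc/GetObject?#,200
"""

# Constructed ECP server log: one web shell drop via OAB ExternalUrl, one legitimate change.
ECP_SERVER_LOG = """\
2021-03-03T09:14:10.220Z,198.51.100.23,/ecp/DDI/DDIService.svc/SetObject,Set-OabVirtualDirectory -ExternalUrl 'http://f/<script language="JScript" runat="server">...</script>'
2021-03-03T09:15:00.000Z,10.0.0.5,/ecp/DDI/DDIService.svc/SetObject,Set-OabVirtualDirectory -ExternalUrl 'https://mail.corp.example/OAB'
"""

# 'ServerInfo~*/*' as a regex: the prefix, then a slash somewhere after it.
ANCHOR_IOC = re.compile(r"^ServerInfo~[^/]*/")
OAB_SCRIPT_IOC = re.compile(r"Set-OabVirtualDirectory.*ExternalUrl.*<script", re.IGNORECASE)


def parse_httpproxy(text):
    """Parse an HttpProxy log: '#Fields:' names the CSV columns, other '#' lines are metadata."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = next(csv.reader([line]))
            rows.append(dict(zip(fields, values)))
    return rows


def find_anchor_mailbox_abuse(text):
    """Rows whose AnchorMailbox matches the CVE-2021-26855 SSRF pattern."""
    return [r for r in parse_httpproxy(text) if ANCHOR_IOC.match(r.get("AnchorMailbox", ""))]


def find_oab_script_writes(text):
    """ECP log lines where an OAB ExternalUrl was set to server-side script."""
    return [ln for ln in text.splitlines() if OAB_SCRIPT_IOC.search(ln)]


def suspicious_sources(text):
    """Client IPs behind the SSRF hits: block them and pivot into firewall/VPN logs."""
    return {r["ClientIpAddress"] for r in find_anchor_mailbox_abuse(text)}


if __name__ == "__main__":
    for hit in find_anchor_mailbox_abuse(HTTPPROXY_LOG):
        print("CVE-2021-26855 pattern:", hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"])
    for ln in find_oab_script_writes(ECP_SERVER_LOG):
        print("OAB ExternalUrl script write:", ln)
    print("sources to block:", suspicious_sources(HTTPPROXY_LOG))
```

A hit on either check means the patch alone is no longer enough: treat the server as compromised, preserve the logs and the web shell files before MSERT removes them, and look for what the attacker did after the shell landed.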
Read more in:
- Microsoft’s MSERT tool now finds web shells from Exchange Server attacks
- Check to see if you’re vulnerable to Microsoft Exchange Server zero-days using this tool
- microsoft / CSS-Exchange
30,000+ Exchange Servers Breached
At least 30,000 organizations in the US have been breached through vulnerabilities in Microsoft Exchange Server. Microsoft released emergency updates to address the flaws on Tuesday, March 2. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive instructing federal civilian departments and agencies to apply the patches or disconnect their vulnerable systems from the Internet.
Read more in:
- At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
- Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims
- Tens of thousands of US organizations hit in ongoing Microsoft Exchange hack
- Government briefed on breach of at least 30,000 Microsoft Exchange Servers
- Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
Alternative Mitigations for Exchange Server Vulnerabilities
Microsoft has released a set of suggested mitigations for organizations that are unable to apply the March 2 emergency Exchange Server updates. Microsoft cautions that “these mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.”
Note: Examine the mitigations carefully before deciding to implement. They include disabling services you may be using. Even if you decide to implement them, you still need to apply the security patches for a complete fix as well as check your services for IOCs to make sure you’re not already compromised.
Read more in:
- Microsoft Releases Alternative Mitigations for Exchange Server Vulnerabilities
- Microsoft Exchange Server Vulnerabilities Mitigations – updated March 6, 2021
Exchange Server Attacks Timeline
Brian Krebs enumerates events from DEVCORE’s January 5, 2021 disclosure of the Exchange Server vulnerabilities to Microsoft through current efforts “to notify victims, coordinate remediation, and remain vigilant for ‘Stage 2’ of this attack.” The ZDNet article answers questions such as “What Happened?”; “What are the vulnerabilities and why are they important?”; and “What do I do now?”
Note: The Brian Krebs article includes an excellent timeline that helps explain how these bugs went from a bug-disclosure-with-updates-on-Patch-Tuesday scenario to an act-immediately situation. Make sure that you examine the mitigation and remediation options from Microsoft, do not leave your Exchange services unchecked, and act on the assumption that many threat actors are looking for an opportunistic exploit. Don’t be exploit 60,001.
Read more in:
- A Basic Timeline of the Exchange Mass-Hack
- Everything you need to know about the Microsoft Exchange Server hack
Exchange Server Attack Victims
Organizations affected by Exchange Server attacks include US defense contractors, international aid organizations, think tanks, and the European Banking Authority, which took its email systems offline following an attack. Czech investigators are trying to determine whether email system attacks affecting the city of Prague and the Czech Labor Ministry are related to the Exchange Server vulnerabilities.
Read more in:
- European Banking Authority discloses Exchange server hack
- EU Banking Regulator Hit by Microsoft Email Hack
- Victims of Microsoft Exchange Server zero-days emerge
- Cyber-attack on the European Banking Authority
- Czech capital Prague, Labour Ministry face cyber attacks
SITA Breach Compromised Airline Passenger Data
Aviation IT services provider SITA has confirmed that its systems were hit with a cyberattack that compromised passenger data stored on its SITA Passenger Service System servers. The incident occurred on February 24, 2021. Affected airlines have begun notifying passengers. SITA (Société Internationale de Télécommunications Aéronautiques) is based in Geneva, Switzerland.
- This is third-party compromise. Affiliated airlines, (e.g., Star Alliance) share data. One of the Airlines is also a SITA customer, with associated data sharing, which allowed access to not only their customers’ data but also passenger data for other member airlines. When sharing data, make sure only the minimum necessary to operate is shared, that protection requirements are clearly stated, then monitor for misuse. In this case the data is limited to member name, status and membership number; airlines are watching for misuse of that information.
- Frequent flyers should take this occasion to review the often extensive personal information that airlines and travel agencies hold on them and change their passwords. Few airlines or travel agencies offer strong authentication.
Read more in:
- Airlines warn passengers of data breach after aviation tech supplier is hit by cyberattack
- Massive Supply-Chain Cyberattack Breaches Several Airlines
- Oh SITA: Airline IT provider confirms passenger data leaked after major ‘cyber-attack’
- SITA statement about security incident
Scottish University and Nottinghamshire Schools Victims of Separate Cyberattacks
Scotland’s University of the Highlands and Islands (UHI) is dealing with “an ongoing cyber incident” that has forced it to shut down many of its 13 campuses. Fifteen schools in the Nova Education Trust have been affected by a cybersecurity incident that prevented them from providing much remote learning.
Read more in:
- University of the Highlands and Islands shuts down campuses as it deals with ‘ongoing cyber incident’
- Latest news
- Cyberattack shuts down online learning at 15 UK schools
More Accellion Breach Victims
The scope of the breaches exploiting vulnerabilities in Accellion’s File Transfer Appliance (FTA) continues to grow. Michigan-based Flagstar Bank recently disclosed that some of their data were accessed. Accellion released fixes for the vulnerabilities in December 2020 and January 2021. Accellion has planned to end support for FTA on April 30, 2021; the company has been encouraging customers to migrate to its new Kiteworks platform.
- This NewsBites item illustrates both the complexity and time-varying nature of supply chain risk. If company X used Bank Y that had a file transfer capability that was provided by service Z that used the Accellion File Transfer appliance, December 2020 (when Accellion acknowledged it was the cause of the first reported breach) should have been an immediate severe risk flag – if Company X even knew Bank Y used Service Z that used Accellion’s vulnerable product. But the risk actually started increasing in 2018 when Accellion started telling customers it would be ending support for the product in April 2021 and ending support for the appliance OS in November 2020 – all reasons for Service Z to move away from the product and for customers of Service Z to move away from Service Z if it did not – if this level of supply chain risk monitoring was being done, which some are actually doing today.
- If you have the Accellion FTA appliance, you are hopefully finishing (or have finished) your migration to an alternative solution. If you are a customer of a company still using the FTA appliance, evaluate the risk of data exposed using that platform, versus selecting a new supplier using supported/secure services. Make sure your vendor/supply chain monitoring includes watching for and responding to these sorts of risks.
Read more in:
- The Accellion Breach Keeps Getting Worse—and More Expensive
- Ransomware Gang Fully Doxes Bank Employees in Extortion Attempt
- Flagstar Bank customer data breached through Accellion hack
- Flagstar Bank hit by data breach exposing customer, employee data
- Accellion Incident Information Center
Critical Vulnerability in The Plus Addons for Elementor WordPress Plugin
A critical flaw in The Plus Addons for Elementor plugin for WordPress can be exploited to take control of vulnerable websites. The privilege elevation vulnerability appears to affect only the premium version of the plugin; the free version, The Plus Addons for Elementor Lite, is not affected. Users of the premium version of the plugin are urged to deactivate and remove it until a fix is available.
Note: Treat this as a zero day. The coding error, when exploited, allows the creation of new admin users and login as existing ones. A firewall rule was distributed to the paid Wordfence users on March 8th; free versions will not get that rule until April 7th. If you’re using the paid version of Elementor, and you need The Plus Addons, an alternative to removing the plugins may be to switch to the free “Elementor Lite.”
Unpatched QNAP NAS Devices are Being Targeted with Cryptomining Malware
Threat actors are targeting unpatched QNAP network attached storage (NAS) devices to install cryptomining malware. QNAP released fixes for the firmware flaws – an improper access control vulnerability and a command injection vulnerability – in October 2020. The researchers who found the issue “noticed the attacker customized the program by hiding the mining process and the real CPU memory resource usage information, so when the QNAP users check the system usage via the WEB management interface, they cannot see the abnormal system behavior.” The issue affects all QNAP NAS devices with firmware that predates the October 2020 update.
- QNAP NAS devices have been a target since September 2019. Limiting access to them and keeping the firmware and apps updated needs to be SOP. If you own a QNAP NAS device, change the passwords for all accounts, remove unknown user accounts, make sure both the firmware and applications are updated, remove unused/unknown applications, limit access to the device to authorized hosts only via ACL or firewall rules, and install the QNAP MalwareRemover app.
- NAS devices should not be attached to the public networks. They should be physically isolated, not merely firewalled.
Read more in:
- Unpatched QNAP devices are being hacked to mine cryptocurrency
- Crypto-Miner Campaign Targets Unpatched QNAP NAS Devices
Charges in Georgia Hacking Cases
A US federal grand jury has indicted Robert Purbeck for allegedly breaking into computer networks of medical clinics and a city in the US state of Georgia. Purbeck is facing charges of computer fraud and abuse, access device fraud and wire fraud.
Note: These attacks were possible because working credentials were obtained for the targeted servers. MFA should be SOP when protecting access to sensitive data, such as medical records. Also make sure systems are accessible only from known clients, and that patient/customer facing systems can only be used to access the minimum amount of data, and are monitored for misuse. Make sure these systems also implement MFA.
Read more in:
- Idaho Man Charged With Hacking Into Computers in Georgia
FBI Investigating Healthcare Ransomware Attacks
The FBI is investigating at least two healthcare-related ransomware attacks: one affecting Allergy Partners, which has locations across the US, and the second affecting the Rehoboth McKinley Christian Health Care in Gallup, New Mexico. Rehoboth’s network was hit with ransomware in February. The facility serves the Navajo Nation.
Read more in: