This posting is here to collect cyber security news in March 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
High severity Linux network security holes found, fixed
https://www.zdnet.com/article/linux-network-security-holes-found-fixed/
This nasty set of bugs can lead to an attacker gaining root access, but the patch is already available.
Young and rising Linux security developer Alexander Popov of Russia’s Positive Technologies discovered and fixed a set of five security holes in the Linux kernel’s virtual socket implementation. An attacker could use these vulnerabilities (CVE-2021-26708) to gain root access and knock out servers in a Denial of Service (DoS) attack.
With a Common Vulnerability Scoring System (CVSS) v3 base score of 7.0, high severity, smart Linux administrators will patch their systems as soon as possible.
While Popov discovered the bugs in Red Hat’s community Linux distribution Fedora 33 Server, it exists in the system using the Linux kernel from November 2019's version 5.5 to the current mainline kernel version 5.11-rc6.
These holes entered Linux when virtual socket multi-transport support was added. This networking transport facilitates communication between virtual machines (VM) and their host.
The core problem is race conditions in the CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS kernel drivers. These are shipped as kernel modules in all major Linux distributions. The reason why this is such a serious problem is whenever an ordinary user creates an AF_VSOCK socket, the vulnerable modules are automatically loaded. A race condition exists when a system’s substantive behavior depends on the sequence or timing of uncontrollable events.
Greg Kroah-Hartman, the stable Linux kernel chief maintainer, accepted the patches into Linux 5.10.13 on February 3. Since then the patch has been merged into mainline kernel version 5.11-rc7 and backported into affected stable trees.
The patch has also already been incorporated into such popular Linux distributions as Red Hat Enterprise Linux (RHEL) 8, Debian, Ubuntu, and SUSE.
Tomi Engdahl says:
Chrome 89 Patches Actively Exploited Vulnerability
https://www.securityweek.com/chrome-89-patches-actively-exploited-vulnerability
Google this week announced the availability of Chrome 89 in the stable channel, with patches for a total of 47 vulnerabilities, including one that has been exploited in the wild.
Tracked as CVE-2021-21166, the zero-day security hole is described as a high-severity “object lifecycle issue in audio.” The bug was reported by Alison Huffman of Microsoft Browser Vulnerability Research, and is the second of this type addressed in Chrome 89, alongside CVE-2021-21165, also rated high risk.
“Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild,” the Internet giant notes, without providing further details on exploitation, impact, or attack vectors.
Tomi Engdahl says:
It only took four years and thousands of complaints but ICANN finally kills off rogue Indian domain registrar
DNS oversight body accused again and again of chronic foot-dragging
https://www.theregister.com/AMP/2021/03/04/icann_domain_woes/?__twitter_impression=true
Tomi Engdahl says:
“KEY ALERT” — German prison has to spend ‘£43,000’ changing 600 locks after intern sent a photo of the keys to his friends on WhatsApp
https://www.dailymail.co.uk/news/article-9325001/German-prison-changes-locks-intern-shared-photos.html
The trainee shared the photos on a WhatsApp group to boast about his new job
It raised fears that the prison’s 647 inmates could have staged a mass breakout
The prison near Berlin has since changed all the locks in cells and corridors
The trainee at Heidering prison near Berlin took photos of the keys and shared them in a WhatsApp group to brag about his new job, German media says.
But he apparently failed to realise that keys can easily be reproduced by specialists, meaning replicas could have been smuggled inside.
The intern is said to have shared pictures of cell and corridor keys before the leak was reported to judicial authorities on Thursday.
Around 20 prison workers were tasked with changing the locks the following day and had to work through the night to head off the security risk.
Officials said the old keys were quickly destroyed after they had been used one last time to open the doors so that the locks could be changed.
Tomi Engdahl says:
Three Top Russian Cybercrime Forums Hacked
https://krebsonsecurity.com/2021/03/three-top-russian-cybercrime-forums-hacked/
Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums. On Tuesday, someone dumped thousands of usernames, email addresses and obfuscated passwords on the dark web, apparently pilfered from Mazafaka (a.k.a. Maza, MFclub), an exclusive crime forum that has for more than a decade played host to some of the most experienced and infamous Russian cyberthieves. The compromise of Maza and Verified, and possibly a third major forum, has many community members concerned that their real-life identities could be exposed. Exploit, perhaps the next-largest and most popular Russian forum after Verified, also experienced an apparent compromise this week.
Tomi Engdahl says:
Unsecured Cloud Configurations Exposing Information in Thousands of Mobile Apps
https://blog.zimperium.com/unsecured-cloud-configurations-exposing-information-in-thousands-of-mobile-apps/
In our analysis, 14% of iOS and Android apps that use cloud storage had unsecure configurations and were vulnerable to a number of significant issues that exposed PII, enabled fraud or exposed IP or internal systems. During our review, we encountered several apps relying on both Google and Amazon storage that was accessible without any security. In one example, the information we were able to obtain included profile pictures and other PII information. Other apps leak information that enables fraud. In one example, an app shows images containing physical payment implements such as checks. Another category of apps exposes configuration information that could be used for further investigation or penetration. For example, one may think music apps don’t have any important information to protect; however, we identified cases where the entire server infrastructures, scripts, servers and much more was exposed publicly.
Tomi Engdahl says:
Windows DNS SIGRed bug gets first public RCE PoC exploit
https://www.bleepingcomputer.com/news/security/windows-dns-sigred-bug-gets-first-public-rce-poc-exploit/
“If exploited carefully, attackers can execute code remotely on the vulnerable system and gain Domain Admin rights, effectively compromising the entire corporate infrastructure,” Palmiotti explained. Details at
https://www.graplsecurity.com/post/anatomy-of-an-exploit-rce-with-cve-2020-1350-sigred
Tomi Engdahl says:
SITA statement about security incident
https://www.sita.aero/pressroom/news-releases/sita-statement-about-security-incident/
SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers. Passenger Service System (US) Inc. (SITA PSS) operates passenger processing systems for airlines. Finnair was also a victim:
https://www.hs.fi/talous/art-2000007839783.html
Tomi Engdahl says:
Researcher bitsquats Microsoft’s windows.com to steal traffic
https://www.bleepingcomputer.com/news/security/researcher-bitsquats-microsofts-windowscom-to-steal-traffic/
A researcher was able to “bitsquat” Microsoft’s windows.com domain by cybersquatting variations of windows.com. However, this technique differs from cases where typosquatting domains are used for phishing activities in that it requires no action on the victim’s part. …
“Now let’s say that the computer is running too hot, a solar flare is happening, or a cosmic ray (very real thing) flips a bit on the computer,” says [the researcher] Remy. In a 2011 Black Hat paper, titled “Bit-squatting: DNS Hijacking without Exploitation,” researcher Artem Dinaburg saw that, when he had squatted 31 bitsquatted variations of eight legitimate domains of multiple organizations, on average 3,434 daily DNS requests came his way that should otherwise have gone to the DNS servers for the legitimate domains. Likewise, as soon as Remy squatted the aforementioned domains and set up sinkholes to record any traffic, the researcher noticed an uptick in legitimate traffic coming his way. Blog at
https://remyhax.xyz/posts/bitsquatting-windows/
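The bit-flip mechanism Remy and Dinaburg describe, as an added example (not the researchers’ code): it enumerates every single-bit-flip variant of a domain that is still a valid hostname, so a defender can register or monitor them, and matches constructed DNS query names against that set. Leaving the TLD untouched and the sample query list are assumptions of this example.

```python
"""Enumerate "bitsquat" variants of a domain and match them against DNS
query names. Added example; not code from the article or the researchers
it cites. A defender runs it over a domain they own to learn which
single-bit-flip variants are valid hostnames worth registering or
watching, and over DNS telemetry to flag queries that landed on one."""
import string

# Characters allowed in a DNS hostname label (LDH rule), lowercase only.
# Uppercase is excluded on purpose: DNS is case-insensitive, so a flip
# that only changes case yields the same name, not a squattable variant.
LDH_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")


def _valid_labels(name: str) -> bool:
    """True if every dot-separated label is 1..63 LDH characters and does
    not start or end with a hyphen."""
    for label in name.split("."):
        if not 1 <= len(label) <= 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if any(c not in LDH_CHARS for c in label):
            return False
    return True


def bitsquat_variants(domain: str) -> list[str]:
    """Return all distinct domains obtained by flipping exactly one bit in
    exactly one byte of `domain`, keeping only syntactically valid
    hostnames. The TLD is left untouched (assumption: a flipped TLD is
    rarely a registrable name). A flip that turns a '.' into an LDH
    character is kept, since it merges two labels into one valid name."""
    labels = domain.lower().split(".")
    name, tld = ".".join(labels[:-1]), labels[-1]
    raw = name.encode("ascii")
    found = set()
    for pos, byte in enumerate(raw):
        for bit in range(8):
            flipped = chr(byte ^ (1 << bit))
            if flipped not in LDH_CHARS:
                continue  # control char, symbol, uppercase or >0x7F
            candidate = name[:pos] + flipped + name[pos + 1:]
            if _valid_labels(candidate):
                found.add(candidate + "." + tld)
    found.discard(domain.lower())
    return sorted(found)


def match_bitsquats(queried_names, monitored_domain: str) -> list[str]:
    """Return the queried hostnames that are a bitsquat of
    `monitored_domain`. Names that differ by one character but by more
    than one bit (an ordinary typo such as 'windowz') are not matched."""
    variants = set(bitsquat_variants(monitored_domain))
    seen = {q.lower().rstrip(".") for q in queried_names}
    return sorted(seen & variants)


if __name__ == "__main__":
    # Constructed sample of DNS query names, not real telemetry.
    SAMPLE_QUERIES = ["windows.com", "vindows.com", "microsoft.com",
                      "windowz.com", "WANDOWS.com."]
    print(len(bitsquat_variants("windows.com")), "registrable variants")
    print(match_bitsquats(SAMPLE_QUERIES, "windows.com"))
```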
Tomi Engdahl says:
Microsoft: We’re cracking down on Excel macro malware
https://www.zdnet.com/article/microsoft-were-cracking-down-on-malware-that-uses-excel-macros/
Now Microsoft is expanding the integration of its AMSI with Office 365 to include the scanning of Excel 4.0 XLM macros at runtime, bringing AMSI in line with VBA.
Tomi Engdahl says:
https://gizmodo.com/someone-is-hacking-the-hackers-1846406428
Tomi Engdahl says:
Microsoft: We’ve found three more pieces of malware used by the SolarWinds attackers
Microsoft and FireEye have identified a new “elegant” backdoor used by the SolarWinds attackers.
https://www.zdnet.com/article/microsoft-weve-found-three-more-pieces-of-malware-used-by-the-solarwinds-attackers/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
Tomi Engdahl says:
Thousands of Microsoft Customers May Have Been Victims of Hack Tied to China
https://www.nytimes.com/2021/03/06/technology/microsoft-hack-china.html
The hackers started their attack in January but escalated their efforts in recent weeks, security experts say. Business and government agencies affected.
Businesses and government agencies in the United States that use a Microsoft email service have been compromised in an aggressive hacking campaign that was probably sponsored by the Chinese government, Microsoft said.
The number of victims is estimated to be in the tens of thousands and could rise, some security experts believe, as the investigation into the breach continues. The hackers had stealthily attacked several targets in January
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Sources: at least 30K US organizations have been hacked by an aggressive Chinese espionage group exploiting unpatched flaws in Microsoft’s Exchange Server — At least 30,000 organizations across the United States — including a significant number of small businesses, towns …
At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/
At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.
In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.
In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.
Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
Tomi Engdahl says:
White House fears significant number of organisations caught in Microsoft hack
https://www.abc.net.au/news/2021-03-06/white-house-fears-significant-hack-microsoft-exchange-email/13223508
The White House fears a significant number of organisations around the world have been compromised through a back door installed via recently patched flaws in Microsoft’s email software, and warns it “could have far-reaching impacts”.
Key points:
Microsoft has declined to provide details on the scale of the hack
All of those affected are thought to have used web versions of the Outlook email client
White House press secretary Jen Psaki says there are concerns “there are a large number of victims”
The hacking has already reached more places than all of the tainted code downloaded from SolarWinds Corp, the company at the heart of another massive hacking spree uncovered in December.
The latest hack has left channels for remote access spread among credit unions, town governments and small businesses, according to records from a US investigation
If successfully exploited, “an unauthenticated attacker” could “write files and execute code”, the alert warned.
Tens of thousands of organisations in Asia and Europe are also affected, the records show.
The hacks are continuing despite emergency patches issued by Microsoft on Tuesday.
Microsoft, which had initially said the hacks consisted of “limited and targeted attacks,” declined to comment on the scale of the problem on Friday but said it was working with government agencies and security companies to provide help to customers.
One scan of connected devices showed only 10 per cent of those vulnerable had installed the patches by Friday, though the number was rising.
Because installing the patch does not get rid of the back doors, US officials are racing to figure out how to notify all the victims and guide them in their hunt.
Tomi Engdahl says:
At Least 30,000 US Organizations Newly Hacked Via Holes In Microsoft’s Email Software
https://m.slashdot.org/story/382604
Tomi Engdahl says:
A communications and IT vendor for 90 percent of the world’s #airlines, SITA, has been hit with a security #breach.
https://threatpost.com/supply-chain-cyberattack-airlines/164549/
Tomi Engdahl says:
Move over, SolarWinds: 30,000 orgs’ email hacked via Microsoft Exchange Server flaws
The attack has been ongoing since January
https://www.theverge.com/2021/3/5/22316189/microsoft-exchange-server-security-exploit-china-attack-30000-organizations
Tomi Engdahl says:
https://cybernews.com/security/imdb-flaw-gave-me-credit-for-chernobyl-got-and-other-gigs/
Tomi Engdahl says:
Anatomy of an Exploit: RCE with CVE-2020-1350 SIGRed
https://www.graplsecurity.com/post/anatomy-of-an-exploit-rce-with-cve-2020-1350-sigred
Tomi Engdahl says:
Microsoft links new malware to SolarWinds hackers
https://www.scmagazine.com/home/security-news/malware/microsoft-links-new-malware-linked-to-solarwinds-hackers/
Tomi Engdahl says:
The Former SolarWinds CEO Is Blaming the Firm’s Poor Cybersecurity on an Intern
https://slate.com/technology/2021/03/solarwinds-hack-cyber-espionage-intern-password.html
Tomi Engdahl says:
Mazafaka Elite Hacking and Cybercrime Forum Got Hacked!
https://thehackernews.com/2021/03/mazafaka-elite-hacking-and-cybercrime.html
In what’s a case of hackers getting hacked, a prominent underground online criminal forum by the name of Maza has been compromised by unknown attackers, making it the fourth forum to have been breached since the start of the year. The intrusion is said to have occurred on March 3, with information about the forum members including usernames, email addresses, and hashed passwords publicly disclosed on a breach notification page put up by the attackers, stating “Your data has been leaked” and “This forum has been hacked.” Also:
https://www.bleepingcomputer.com/news/security/notorious-maza-cybercrime-forum-attacked-by-other-hackers/
Tomi Engdahl says:
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\SYSTEM, a privileged local account on the Windows operating system.
Tomi Engdahl says:
PLEASE LEAVE AN EXPLOIT AFTER THE BEEP
https://www.dubex.dk/aktuelt/nyheder/please-leave-an-exploit-after-the-beep
In January 2021, Dubex investigated suspicious activity on a set of Exchange servers. Generic post-exploitation activity was seen, and many POST requests were sent to webshells hosted in the OWA directory. It was initially suspected the servers might be backdoored directly through the OWA and that webshells were being used for ease of access. As a result, Dubex started its incident response efforts and acquired system memory (RAM) and disk images to initiate a forensics investigation. This investigation revealed a zero-day exploit being used in the wild.
Tomi Engdahl says:
Microsoft: Exchange updates can install without fixing vulnerabilities
https://www.bleepingcomputer.com/news/security/microsoft-exchange-updates-can-install-without-fixing-vulnerabilities/
Due to the critical nature of recently issued Microsoft Exchange security updates, admins need to know that the updates may have installation issues on servers where User Account Control (UAC) is enabled. Microsoft has added these warnings to all Exchange security updates released throughout the last few years.
Tomi Engdahl says:
D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant
https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/
A new variant of the Gafgyt botnet that’s actively targeting vulnerable D-Link and Internet of Things devices is the first variant of the malware to rely on Tor communications, researchers say. Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15.
Tomi Engdahl says:
These two unusual versions of ransomware tell us a lot about how attacks are evolving
https://www.zdnet.com/article/these-two-unusual-versions-of-ransomware-tell-us-a-lot-about-how-attacks-are-evolving/
Two newly discovered forms of ransomware with very different traits show just how diverse the world of ransomware has become as more cyber criminals attempt to join in with cyber extortion. Both forms of ransomware emerged in February and have been detailed by cybersecurity researchers at Trend Micro: AlumniLocker and Humble, with the two versions attempting to extort a bitcoin ransom in different ways.
Tomi Engdahl says:
Beware of this kind of message: malware may send thousands of messages at your expense and compromise your bank account
https://www.tivi.fi/uutiset/tv/e4a64a51-b6c1-4868-8ea2-e3f0964dbd54
Criminals are once again harassing Finns with scam messages sent in the name of Posti or PostNord. The police say in their release that the scam message may arrive as a text message asking the recipient to install an app on the phone via a link in the message. If the recipient’s mobile phone runs the Android operating system, tapping the link installs malware on the phone that sends hundreds or thousands of messages abroad from the device at the customer’s expense. The malware is hard to notice until the device starts sending large numbers of messages on its own, the police say.
Tomi Engdahl says:
Microsoft Exchange Server Vulnerabilities Mitigations March 2021
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs. These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.
Tomi Engdahl says:
Microsoft Adopted an ‘Aggressive’ Strategy for Sharing SolarWinds Attack Intel
https://www.darkreading.com/operations/microsoft-adopted-an-aggressive-strategy-for-sharing-solarwinds-attack-intel/d/d-id/1340327
Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance, explains the company’s approach to keeping its customers and the industry apprised and updated on its findings from the now-infamous attack. In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat. That role has evolved as attacks grow more complex, and it presents a tricky challenge when a provider must keep businesses informed of an attack that has infiltrated its own walls and affected tens of thousands of its customers, as Microsoft experienced during the recent SolarWinds incident.
Tomi Engdahl says:
China’s RedEcho accused of targeting India’s power grids
https://blog.malwarebytes.com/vital-infrastructure/2021/03/chinas-redecho-accused-of-targeting-indias-power-grids/
RedEcho, an advanced persistent threat (APT) group from China, has attempted to infiltrate the systems behind India’s power grids, according to a threat analysis report from Recorded Future [PDF]. It appears that what triggered this attempt to gain a foothold in India’s critical power generation and transmission infrastructure was a tense standoff at Pangong Tso lake in May 2020. However, the report by Recorded Future, a cybersecurity company specializing in threat intelligence, claims that RedEcho were on the prowl well before this time.
Tomi Engdahl says:
Microsoft IOC Detection Tool for Exchange Server Vulnerabilities
https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities
Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021. CISA is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised. For additional information on the script, see Microsoft’s blog “HAFNIUM targeting Exchange Servers with 0-day exploits.”
Tomi Engdahl says:
Check to see if you’re vulnerable to Microsoft Exchange Server zero-days using this tool
https://www.zdnet.com/article/check-to-see-if-youre-vulnerable-to-microsoft-exchange-server-zero-days-using-this-tool/
Microsoft’s Exchange Server team has released a script for IT admins to check if systems are vulnerable to recently-disclosed zero-day bugs. As noted in an alert published by the US Cybersecurity and Infrastructure Security Agency (CISA) on Saturday, Microsoft’s team has published a script on GitHub that can check the security status of Exchange servers.
Tomi Engdahl says:
Microsoft Office 365 gets protection against malicious XLM macros
https://www.bleepingcomputer.com/news/security/microsoft-office-365-gets-protection-against-malicious-xlm-macros/
Microsoft has added XLM macro protection for Microsoft 365 customers by expanding the runtime defense provided by Office 365’s integration with Antimalware Scan Interface (AMSI) to include Excel 4.0 (XLM) macro scanning. AMSI was introduced in 2015, and it has been adopted by all major antivirus products available for the Windows 10 platform since then. It allows Windows 10 services and apps to communicate with security products and request runtime scans of potentially dangerous data.
Tomi Engdahl says:
The attack, which Microsoft has said started with a Chinese government-backed hacking group, has so far claimed at least 60,000 known victims globally, according a former senior US official with knowledge of the investigation. Many of them appear to be small or medium-sized businesses caught in a wide net the attackers cast as Microsoft worked to shut down the hack.
Victims identified so far include banks and electricity providers, as well as senior citizen homes and an ice cream company,
https://www.thestar.com.my/tech/tech-news/2021/03/07/hackers-breach-thousands-of-microsoft-customers-around-the-world
Tomi Engdahl says:
A Basic Timeline of the Exchange Mass-Hack
https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/
Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program. When did Microsoft find out about attacks on previously unknown vulnerabilities in Exchange?
Tomi Engdahl says:
Kyberturvallisuuskeskus (the Finnish National Cyber Security Centre) warns: hundreds of organisations are at risk of becoming, or have already become, targets of an email server breach
https://yle.fi/uutiset/3-11827028
Kyberturvallisuuskeskus warns that hundreds of organisations in Finland are at risk of becoming, or have already become, targets of an email server breach. In scale and severity the problem is the largest in Finland in at least a couple of decades, estimates the centre’s senior specialist Juha Tretjakov. The problem concerns some of the parties that use Microsoft’s Exchange server.
The centre says on its website that on Monday it updated its red alert concerning the Exchange email server, stating that merely updating the server is not a sufficient measure. Also:
https://www.is.fi/digitoday/tietoturva/art-2000007848088.html
https://www.tivi.fi/uutiset/tv/d825bda3-5d0f-42c2-bc71-e3d666e673f5
https://www.hs.fi/talous/art-2000007848036.html
Tomi Engdahl says:
European Banking Authority discloses Exchange server hack
https://www.bleepingcomputer.com/news/security/european-banking-authority-discloses-exchange-server-hack/
The European Banking Authority (EBA) took down all email systems after their Microsoft Exchange Servers were hacked as part of the ongoing attacks targeting organizations worldwide. EBA is part of the European System of Financial Supervision and it oversees the integrity and orderly functioning of the EU banking sector. “The Agency has swiftly launched a full investigation, in close cooperation with its ICT provider, a team of forensic experts and other relevant entities,” EBA said.
Tomi Engdahl says:
Hackers hiding Supernova malware in SolarWinds Orion linked to China
https://www.bleepingcomputer.com/news/security/hackers-hiding-supernova-malware-in-solarwinds-orion-linked-to-china/
Intrusion activity related to the Supernova malware planted on compromised SolarWinds Orion installations exposed on the public internet points to an espionage threat actor based in China. Security researchers named the hacker group Spiral and correlated findings from two intrusions in 2020 on the same victim network to determine activity from the same intruder.
Tomi Engdahl says:
Microsoft Exchange Cyber Attack: What Do We Know So Far?
https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html
Microsoft on Friday warned of active attacks exploiting unpatched Exchange Servers carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses and government entities in the U.S., Asia, and Europe. The company said “it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM,” signaling an escalation that the breaches are no longer “limited and targeted” as was previously deemed.
Tomi Engdahl says:
Microsoft’s MSERT tool now finds web shells from Exchange Server attacks
https://www.bleepingcomputer.com/news/security/microsofts-msert-tool-now-finds-web-shells-from-exchange-server-attacks/
Microsoft has pushed out a new update for their Microsoft Safety Scanner (MSERT) tool to detect web shells deployed in the recent Exchange Server attacks. On March 2nd, Microsoft disclosed that four Exchange Server zero-day vulnerabilities were being used in attacks against exposed Outlook on the web (OWA) servers. These vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.
Tomi Engdahl says:
The Accellion Breach Keeps Getting Worse, and More Expensive
https://www.wired.com/story/accellion-breach-victims-extortion/
THE DRUMBEAT OF data breach disclosures is unrelenting, with new
organizations chiming in all the time. But a series of breaches in
December and January that have come to light in recent weeks has
quietly provided an object lesson in how bad things can get when
hackers find an inroad to dozens of potential targets, and they’re out
for profit. Firewall vendor Accellion quietly released a patch in late
December, and then more fixes in January, to address a cluster of
vulnerabilities in one of its network equipment offerings.
Tomi Engdahl says:
McAfee Sheds Enterprise Business in $4 Billion Deal
https://www.securityweek.com/mcafee-sheds-enterprise-business-40-billion-deal
Tomi Engdahl says:
Microsoft Server Hack Has Victims Hustling to Stop Intruders
https://www.securityweek.com/microsoft-server-hack-has-victims-hustling-stop-intruders
Victims of a massive global hack of Microsoft email server software — estimated in the tens of thousands by cybersecurity responders — hustled Monday to shore up infected systems and try to diminish chances that intruders might steal data or hobble their networks.
The White House has called the hack an “active threat” and said senior national security officials were addressing it.
The breach was discovered in early January and attributed to Chinese cyber spies targeting U.S. policy think tanks. Then in late February, five days before Microsoft issued a patch on March 2, there was an explosion of infiltrations by other intruders, piggybacking on the initial breach. Victims run the spectrum of organizations that run email servers, from mom-and-pop retailers to law firms, municipal governments, healthcare providers and manufacturers.
While the hack doesn’t pose the kind of national security threat as the more sophisticated SolarWinds campaign, which the Biden administration blames on Russian intelligence officers, it can be an existential threat for victims who didn’t install the patch in time and now have hackers lingering in their systems. The hack poses a new challenge for the White House, which even as it prepares to respond to the SolarWinds breach, must now grapple with a formidable and very different threat from China.
“I would say it’s a serious economic security threat because so many small companies out there can literally have their business destroyed through a targeted ransomware attack,” said Dmitri Alperovitch, former chief technical officer of the cybersecurity firm CrowdStrike
Tomi Engdahl says:
Disruptions at Pan-American Life Likely Caused by Ransomware Attack
https://www.securityweek.com/disruptions-pan-american-life-likely-caused-ransomware-attack
Recent service disruptions at the Pan-American Life Insurance Group (PALIG) were likely caused by a cyberattack conducted by a threat actor known for using the REvil ransomware.
New Orleans-based PALIG provides life, accident and health insurance services across the Americas. The group has more than 20 member companies and employs roughly 2,000 people worldwide.
The official website of PALIG (palig.com) currently only displays some contact information and the following message: “Pan-American Life Insurance Group is currently experiencing a disruption to some of our services and we are working to restore them. To facilitate communication during this time, we have created temporary email accounts as an official communication channel.”
Tomi Engdahl says:
Multiple Airlines Impacted by Data Breach at Aviation IT Firm SITA
https://www.securityweek.com/multiple-airlines-impacted-data-breach-aviation-it-firm-sita
SITA, a multinational company that specializes in air transport communications and IT, this week confirmed falling victim to a cyberattack that appears to have impacted multiple airlines around the world.
SITA said on Thursday that the attack, which it described as “highly sophisticated,” affected certain passenger data stored on servers of SITA Passenger Service System (PSS) Inc., which operates passenger processing systems for airlines.
“After confirmation of the seriousness of the data security incident on February 24, 2021, SITA took immediate action to contact affected SITA PSS customers and all related organizations,” the company said in a statement.
https://www.sita.aero/pressroom/news-releases/sita-statement-about-security-incident/
Tomi Engdahl says:
Report: Russian Hackers Exploit Lithuanian Infrastructure
https://www.securityweek.com/report-russian-hackers-exploit-lithuanian-infrastructure
Hacker groups linked to Russian intelligence conducted cyber-attacks against top Lithuanian officials and decision-makers last year and used the Baltic nation’s technology infrastructure as a base to hit targets elsewhere, a report by Lithuania’s intelligence service said Thursday.
The annual national security threat assessment report claimed that, among others, the Russian cyber-espionage group APT29 with alleged links to Russia’s intelligence services “exploited” Lithuania’s information technology infrastructure “to carry out attacks by APT29 against foreign entities developing a COVID-19 vaccine.”