This posting is here to collect cyber security news in March 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Vittoria Elliott / Rest of World:
Experts say Russia accidentally blocked domains with the characters “t.co”, like Microsoft.com, as well as some government websites, while slowing down Twitter — Reminder: Internet censorship can have unintended consequences. — Russian internet users began noticing something strange …
How the Russian government accidentally blocked its own websites
Reminder: Internet censorship can have unintended consequences.
https://restofworld.org/2021/how-the-russian-government-accidentally-blocked-access-to-its-own-websites/
Russian internet users began noticing something strange on Wednesday: a number of websites, including the Kremlin’s own Kremlin.ru, were down. Just hours earlier, Roskomnadzor, the Russian government body overseeing communications and technology, announced that it was purposely slowing down access to Twitter, claiming the company had allowed over 3,000 posts featuring suicide, child exploitation, and drug use to remain up in violation of Russian law.
But the outage that followed affected far more than just the social media site, including domains like Reddit.com and Microsoft.com. The Russian government appears to have bungled its latest attempt at internet censorship, accidentally blocking its own websites in the process. And this isn’t even the first time it’s made a similar mistake in the last few years.
“With the aim of protecting Russian citizens and forcing the internet service to follow the law on the territory of the Russian Federation, centralized responses have been taken against Twitter starting March 10, 2021 — specifically, the initial throttling of the service’s speeds, in accordance with the regulations,” Roskomnadzor said in a statement.
Tomi Engdahl says:
Millions of websites offline after fire at French cloud services firm
https://www.reuters.com/article/us-france-ovh-fire-idUSKBN2B20NU
A fire at a French cloud services firm has disrupted millions of websites, knocking out government agencies’ portals, banks, shops, news websites and taking out a chunk of the .FR web space, according to internet monitors.
Europe’s large web hosting provider knocked offline following fire
By Mayank Sharma 10 March 2021
Several websites and online services have been knocked offline following OVH issue
https://www.techradar.com/news/europes-large-web-hosting-provider-knocked-offline-following-fire
Tomi Engdahl says:
3.6 million websites taken offline after fire at OVH datacenters
10th March, 2021
https://news.netcraft.com/archives/2021/03/10/ovh-fire.html
Around 3.6 million websites across 464,000 distinct domains were taken offline after the major fire at an OVHcloud datacenter site in Strasbourg overnight.
More than 18% of the IP addresses attributed to OVH in Netcraft’s most recent Web Server Survey
Tomi Engdahl says:
Talk about a Blue Monday: OVH outlines recovery plan as French data centres smoulder
Servers affected include those used by ESA, Villarreal football club, and some misused by malware miscreants
https://www.theregister.com/2021/03/10/ovh/
Customers of European cloud hosting provider OVH have been told it plans to restart three data centres on its French campus in Strasbourg next week, following a massive fire on site this morning that destroyed one bit barn.
The SBG1 and SBG4 data centres are scheduled to reopen by Monday 15 March and the SBG3 DC by Friday next week. SBG2 was wiped out by the blaze but fortunately no one was hurt in the incident.
The fire caused serious disruption across European websites, with, according to Netcraft, “3.6 million websites across 464,000 distinct domains… taken offline.”
Tomi Engdahl says:
Giant Datacenter Fire Takes Down Government Hacking Infrastructure
A fire at a European datacenter has had some impact on the infrastructure used by several government and criminal hacking groups, according to Kaspersky Lab.
https://www.vice.com/en/article/3an9wb/ovh-datacenter-fire-takes-down-government-hacking-infrastructure
On Wednesday, a massive fire destroyed a datacenter and caused damage in other server buildings owned by OVHCloud, the largest European cloud service provider. The blaze has impacted several of the company’s customers—including hackers.
According to Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, there are 140 OVH servers used by government hackers and sophisticated criminal groups that he and his colleagues track. Of those, 36% are now down, he said in a post on Twitter.
Tomi Engdahl says:
OVHcloud data centers engulfed in flames
Updated: Customers are being urged to launch their own disaster recovery plans.
https://www.zdnet.com/article/ovhcloud-data-centers-engulfed-in-flames/
Tomi Engdahl says:
https://status.us.ovhcloud.com/
Tomi Engdahl says:
Microsoft’s GitHub under fire after disappearing proof-of-concept exploit for critical Microsoft Exchange vuln
Funny how code that targets Redmond vanishes while tons of others menacing other vendors remain
https://www.theregister.com/AMP/2021/03/12/github_disappears_exploit/?__twitter_impression=true
On Wednesday, shortly after security researcher Nguyen Jang posted a proof-of-concept exploit on GitHub that abuses a Microsoft Exchange vulnerability revealed earlier this month, GitHub, which is owned by Microsoft, removed code, to the alarm of security researchers.
The PoC code, something short of an actual functioning exploit, consisted of a 169-line Python file. It took advantage of CVE-2021-26855, a Microsoft Exchange Server flaw that allows an attacker to bypass authentication and act with administrative privileges.
The bug, referred to as ProxyLogon, was one of four Microsoft Exchange zero-days that Microsoft patched in an out-of-band release on March 3, 2021. It’s part of the “Hafnium” attack that prompted a US government warning last week.
Jang posted a write-up of his work, in Vietnamese, with a link to the code on GitHub. And a few hours later, the link to the code on GitHub no longer functioned.
Er, double standards anyone?
While the PoC code remains accessible in code repos hosted elsewhere, such as competitor GitLab, security researchers have been quick to condemn GitHub for its inconsistent standards and Microsoft for supposed self-interested meddling.
Other PoC code for the same CVE was still available on GitHub at the time this article was filed.
“This is huge, removing a security researchers’ code from GitHub against their own product and which has already been patched,” decried Dave Kennedy, founder of TrustedSec, via Twitter.
PoC is not fully functional and doesn’t include remote code execution capabilities.
GitHub’s stated policy disallows any repositories that contain or install “any active malware or exploits.”
Tomi Engdahl says:
When stolen materials are published online
https://www.kaspersky.com/blog/accellion-fta-data-leaks/38980/
Hackers trying to inflict maximum reputation damage are sending out
links to the data they stole through Accellion FTA vulnerabilities.
Late last year, information surfaced online about attacks on companies
using the outdated Accellion File Transfer Appliance (FTA). Some
cybercriminals used Accellion FTA vulnerabilities to snatch
confidential data, using the threat of publication to extort ransom
from the victims. We are not pleased to report that they were true to
their word.
Tomi Engdahl says:
Molson Coors brewing operations disrupted by cyberattack
https://www.bleepingcomputer.com/news/security/molson-coors-brewing-operations-disrupted-by-cyberattack/
The Molson Coors Beverage Company has suffered a cyberattack that is
causing significant disruption to business operations. Molson Coors is
well-known for its iconic beer brands, including Coors Light, Miller
Lite, Molson Canadian, Blue Moon, Peroni, Killian’s, and Foster’s. In
a Form 8-K filed with the SEC today, Molson Coors disclosed that they
suffered a cyberattack on March 11th, causing significant disruption
to their operations, including the production and shipment of beer.
Tomi Engdahl says:
ProxyLogon PoC Exploit Released; Likely to Fuel More Disruptive Cyber
Attacks
https://thehackernews.com/2021/03/proxylogon-exchange-poc-exploit.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and
the Federal Bureau of Investigation (FBI) on Wednesday issued a joint
advisory warning of active exploitation of vulnerabilities in
Microsoft Exchange on-premises products by nation-state actors and
cybercriminals. “CISA and FBI assess that adversaries could exploit
these vulnerabilities to compromise networks, steal information,
encrypt data for ransom, or even execute a destructive attack,” the
agencies said. “Adversaries may also sell access to compromised
networks on the dark web.”
Tomi Engdahl says:
Norway’s parliament hit by new hack attack
https://www.reuters.com/article/us-norway-cyber/norway-parliament-sustains-fresh-cyber-attack-idUSKBN2B21TX
OSLO (Reuters) – Hackers have infiltrated the Norwegian Parliament’s
computer systems and extracted data, officials said on Wednesday, just
six months after a previous cyber attack was made public. The attack
by unknown hackers was linked to a vulnerability in Microsoft’s
Exchange software, the parliament said, adding that this was an
international problem. The latest attack was more severe than last
year’s, parliament President Tone Wilhelmsen Troen told a news
conference. Also: https://yle.fi/uutiset/3-11831255
Tomi Engdahl says:
At Least 10 Threat Actors Targeting Recent Microsoft Exchange Vulnerabilities
https://www.securityweek.com/least-10-threat-actors-targeting-recent-microsoft-exchange-vulnerabilities
At least 10 threat actors are currently involved in the targeting of Microsoft Exchange servers that are affected by recently disclosed zero-day vulnerabilities, according to cybersecurity firm ESET.
On March 2, Microsoft announced patches for four bugs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that were part of a pre-authentication remote code execution (RCE) attack chain already being exploited in the wild.
Successful exploitation of the bugs could result in the attacker deploying webshells onto the vulnerable Exchange servers, potentially taking full control of them. To date, ESET has identified more than 5,000 compromised servers, but others previously reported that tens of thousands of organizations may have been hacked.
Last week, Microsoft said that the flaws were being exploited by Chinese hacking group HAFNIUM, but security researchers were quick to report that several cyber-espionage groups were already targeting the vulnerable Exchange servers.
Now, ESET reveals that at least 10 threat actors are actively engaged in such attacks, including Tick (also known as Bronze Butler), LuckyMouse (also tracked as APT27), Calypso, Websiic, Winnti Group (BARIUM, APT41), Tonto Team (CactusPete), ShadowPad, Mikroceen, and DLTMiner. Activity involving the “Opera” Cobalt Strike and IIS backdoors was also observed.
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / VICE:
Researcher publishes a proof of concept on GitHub that uses vulnerabilities exploited by hackers to breach Microsoft Exchange servers; GitHub deleted the code — Microsoft-owned Github quickly deleted the code, which exploited vulnerabilities apparently used by Chinese hackers to break into a series of companies.
https://www.vice.com/en/article/n7vpaz/researcher-publishes-code-to-exploit-microsoft-exchange-vulnerabilities-on-github
Tomi Engdahl says:
The 8-Bit:
Researchers demonstrate a browser-based side-channel attack that works even if JavaScript is blocked, affecting Intel Core, Samsung Exynos, Apple’s M1, others
First Browser-Based Side-Channel attack against Apple’s M1 chips works even with Javascript disabled; more so than other architectures
https://the8-bit.com/apple-m1-chip-side-channel-vulnerability-attack/
A team of researchers has demonstrated a new browser-based side-channel attack that works even if Javascript is blocked, one that affects hardware platforms including Intel Core, AMD Ryzen, Samsung Exynos, and even Apple’s M1 chips. Surprisingly, the researchers concluded that due to simpler cache replacement policies, their attacks are more effective on the M1 and Exynos chips.
To demonstrate the attack, researchers developed a sequence of attacks with decreased dependence on Javascript features which led to the “first browser-based side-channel attack which is constructed entirely from Cascading Style Sheets (CSS) and HTML, and works even when script execution is completely blocked.”
It’s also imperative to note that these attacks were demonstrated mainly using Google’s Chrome browser irrespective of the architecture. And due to the differences between security implementations of different browsers, the results of the attack may vary.
This vulnerability may lead to microarchitectural website fingerprinting attacks, the researchers say. A website fingerprinting attack allows an eavesdropper to determine the target’s web activity by leveraging features from the target’s packet sequence. This also effectively disregards the application of most privacy-protecting technologies such as VPNs, proxies, or even TOR.
According to a paper published by the researchers behind the demonstration, Javascript has become a popular way of conducting side-channel attacks. However, browsers employ a method in which an attacker is barred from precisely measuring time which is apparently essential in Javascript-based side-channel attacks.
Tomi Engdahl says:
Situation is escalating. Patch your servers ASAP!
https://thehackernews.com/2021/03/proxylogon-exchange-poc-exploit.html?m=1
Tomi Engdahl says:
Nvidia’s unhackable GeForce RTX 3060 hash rate limiter may not have been hacked after all
By Dave James 2 days ago
https://www.pcgamer.com/nvidia-geforce-rtx-3060-hash-rate-limiter-cracked/?utm_campaign=socialflow&utm_medium=social&utm_source=facebook.com
An image showing multiple RTX 3060 cards mining cryptocurrency was not referencing Ethereum.
The only cryptocurrency that Nvidia blocks with its RTX 3060 hash rate limiter is the Ethereum algorithm, and so other alt-coins are still fair game for the green team’s mainstream GeForce card.
Tomi Engdahl says:
Matt Burgess / WIRED UK:
UK Home Office confirms trial of web surveillance tool that can track users’ browsing history in partnership with two unknown ISPs and National Crime Agency
The UK is secretly testing a controversial web snooping tool
https://www.wired.co.uk/article/internet-connection-records-ip-act
The Investigatory Powers Act, or Snooper’s Charter, was introduced in 2016. Now one of its most contentious surveillance tools is being secretly trialled by internet firms
For the last two years police and internet companies across the UK have been quietly building and testing surveillance technology that could log and store the web browsing of every single person in the country.
The tests, which are being run by two unnamed internet service providers, the Home Office and the National Crime Agency, are being conducted under controversial surveillance laws introduced at the end of 2016. If successful, data collection systems could be rolled out nationally, creating one of the most powerful and controversial surveillance tools used by any democratic nation.
Despite the National Crime Agency saying “significant work” has been put into the trial it remains clouded in secrecy. Elements of the legislation are also being challenged in court. There has been no public announcement of the trial, with industry insiders saying they are unable to talk about the technology due to security concerns.
The trial is being conducted under the Investigatory Powers Act 2016, dubbed the Snooper’s Charter
Tomi Engdahl says:
Dozens Of Rust Servers Wiped Out In Data Center Fire
https://kotaku.com/dozens-of-rust-servers-wiped-out-in-data-center-fire-1846447362
A fire that broke out overnight in Strasbourg, France destroyed one of OVHcloud’s data centers and damaged a second, Reuters reports. The French government and Centre Pompidou, which houses a public information library and modern art museum, had their data affected by the fires, as did Facepunch Studios, maker of the online survival game Rust.
“We’ve confirmed a total loss of the affected EU servers during the OVH data centre fire,” the England-based game developer announced on Twitter this morning. “We’re now exploring replacing the affected servers. Data will be unable to be restored.” It’s not yet clear what started the fire.
The Rust community is known for sinking thousands of collective hours into crafting complex bases and engaging in elaborate role-play on various servers, where progress is normally only erased with advanced warning as part of monthly updates. “When the world gives you a force wipe,” wrote one player on the Rust subreddit.
Several players on the Rust subreddit used last night’s fire as evidence that Facepunch should invest in backups for its gaming servers to safeguard players’ creations. But others pointed out that backups can be very costly, especially for an online multiplayer game that doesn’t charge a subscription. “And as others have said, you are playing on a free server, that rust is arguably losing money on (since you don’t pay to play), so extra money for a backup that is unlikely to be needed and deleted at next wipe is extra burning of money (pun intended),” wrote Reddit user BarryCarlyon.
OVHcloud has pitched itself as a European alternative to US data center giants Amazon, Microsoft, and Google, Reuters reports. It had also just announced plans for a potential Initial Public Offering (IPO) to go public and get the funding necessary to compete with its counterparts on the other side of the Atlantic.
Tomi Engdahl says:
Microsoft Issues Security Patches for 89 Flaws — IE 0-Day Under Active Attacks
https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html
Tomi Engdahl says:
Linus Torvalds fixes ‘double ungood’ Linux kernel bug
https://www.zdnet.com/article/linus-torvalds-fixes-double-ungood-linux-kernel-bug/
Well, that was embarrassing. Linus Torvalds’ first release candidate for the Linux kernel 5.12 included a show-stopping bug. After shutting down that release Torvalds has launched a new version of 5.12, which doesn’t include the mistake.
Tomi Engdahl says:
https://foreignpolicy.com/2021/03/10/chris-krebs-microsoft-exchange-hack-largest-cyberattack/
Tomi Engdahl says:
The prime suspect in a fire that wiped out Rust’s European servers is an uninterruptible power supply.
A fire that wiped out Rust’s EU servers may have been caused by a faulty UPS
By Jacob Ridley 5 hours ago
https://www.pcgamer.com/a-fire-that-wiped-out-rusts-eu-servers-may-have-been-caused-by-a-faulty-ups/?utm_source=facebook.com&utm_campaign=socialflow&utm_medium=social
“Thanks to 300 cameras that we have in Strasbourg… we hope to have all the answers about why it started and how it evolved.”
“When the firefighters came they took photos with a thermal camera and saw two UPS on fire, UPS 7 and UPS 8. We had the maintenance of UPS 7 in the morning. The supplier came and changed a lot of pieces inside UPS 7 and restarted UPS 7 afternoon. And it seems like it was working but in the morning we had the fire.”
SBG2 will need to be fully rebuilt, OVH says, assumedly as an entirely new unit with up-to-date technology, while SBG1 will be powered back on room by room once it is deemed safe to do so.
Tomi Engdahl says:
Russia claims a fire at a data center in France broke access to Google and YouTube. Google says that’s not true.
https://trib.al/DJSZRnU
Russia experienced a Google outage on Wednesday, and blamed it on a fire at a data center in France.
Google says that’s false, and that the outage was caused by a local internet service provider.
The outage occurred as Russia’s government broke the country’s internet while trying to censor Twitter.
Tomi Engdahl says:
The disruption of Emotet was a blow for cyber criminals – but just weeks later, the gap is being filled by other trojans and botnets.
This trojan malware is now your biggest security headache
https://www.zdnet.com/article/this-trojan-malware-is-now-your-biggest-security-headache/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
The disruption of Emotet was a blow for cyber criminals – but just weeks later, the gap is being filled by other trojans and botnets.
Tomi Engdahl says:
Hackers are exploiting vulnerable Exchange servers to drop ransomware, Microsoft says
https://techcrunch.com/2021/03/12/hackers-exchange-servers-ransomware/?tpcc=ECFB2021
Hackers are exploiting recently discovered vulnerabilities in Exchange email servers to drop ransomware, Microsoft has warned, a move that puts tens of thousands of email servers at risk of destructive attacks.
In a tweet late Thursday, the tech giant said it had detected the new kind of file-encrypting malware called DoejoCrypt — or DearCry — which uses the same four vulnerabilities that Microsoft linked to a new China-backed hacking group called Hafnium.
Tomi Engdahl says:
Students Are Easily Cheating ‘State-of-the-Art’ Test Proctoring Tech
Students are using HDMI cables and hidden phones to cheat on exams administered through invasive proctoring software like Proctorio.
https://www.vice.com/en/article/3an98j/students-are-easily-cheating-state-of-the-art-test-proctoring-tech
Tomi Engdahl says:
Serious Security: Webshells explained in the aftermath of HAFNIUM attacks
https://nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-explained-in-the-aftermath-of-hafnium-attacks/
Tomi Engdahl says:
https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams
Tomi Engdahl says:
A piece of malware that is almost impossible to detect is spreading around the world – do you recognise this programming language?
Antti Kailio 12.3.2021 07:51 | updated 12.3.2021 07:51
The Nim programming language is anything but typical for malware.
https://www.tivi.fi/uutiset/maailmalla-leviaa-haittaohjelma-joka-on-miltei-mahdoton-havaita-tunnistatko-taman-ohjelmointikielen/55fedb87-512f-47c0-b034-4b555fd22b75
This malware was written in an unusual programming language to stop it from being detected
NimzaLoader malware is unusual because it’s written in a programming language rarely used by cyber criminals – which could make it harder to detect and defend against.
https://www.zdnet.com/article/this-malware-was-written-in-an-unusual-programming-language-to-stop-it-from-being-detected/
Tomi Engdahl says:
https://nim-lang.org/
Tomi Engdahl says:
Intel CPU interconnects can be exploited by malware to leak encryption keys and other info, academic study finds
Side-channel ring race ‘hard to mitigate with existing defenses’
https://www.theregister.com/2021/03/08/intel_ring_flaw/
Tomi Engdahl says:
https://redcanary.com/blog/microsoft-exchange-attacks/
Tomi Engdahl says:
A hacker who exposed Verkada’s surveillance camera snafu has been raided
Based on an “alleged hack that took place last year”
https://www.theverge.com/platform/amp/2021/3/12/22328344/tillie-kottmann-hacker-raid-switzerland-verkada-cameras
Tillie Kottmann, a 21-year-old hacker, has been raided by Swiss authorities and their devices seized, Bloomberg reports — days after helping to reveal how Silicon Valley security startup Verkada’s own security was so poor that hackers were able to access over 150,000 of the company’s cameras to see the insides of schools, jails, hospitals, police stations, and Tesla factories.
The raid doesn’t have anything to do with Verkada, according to Bloomberg, but instead an “alleged hack that took place last year,” and interestingly, a Swiss authority pointed Bloomberg to the US Department of Justice for further questions. (The DOJ declined to comment.)
It’s not clear which hack the DOJ might be interested in, as Kottmann has been continually sharing leaked files from various companies for months, but one sticks out as likely: Kottmann leaked a huge collection of secret documents and source code from chipmaker Intel last year, and Intel vowed to investigate.
Tomi Engdahl says:
https://www.theverge.com/platform/amp/2021/3/12/22328344/tillie-kottmann-hacker-raid-switzerland-verkada-cameras wow, they had access to $150,000 cameras including those inside jails and Tesla factories.
Tomi Engdahl says:
Exploits on Organizations Worldwide Tripled every Two Hours after
Microsoft’s Revelation of Four Zero-days
https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/
Following the revelation of four zero-day vulnerabilities currently
affecting Microsoft Exchange Server, Check Point Research (CPR)
discloses its latest observations on exploitation attempts against
organizations that it tracks worldwide. Also:
https://www.tivi.fi/uutiset/tv/31187ac4-d460-4a33-be35-0256443bbb11
Tomi Engdahl says:
F-Secure: “The situation could get out of hand” – the hurricane of
Exchange attacks is tearing through the world
https://www.tivi.fi/uutiset/tv/fe917487-6fb2-435b-b7a8-301a8b42ff85
F-Secure security consultant Antti Laatikainen estimates that the
vulnerability found in Microsoft’s Exchange servers is about to cause
the worst information security disaster of the decade.
Tomi Engdahl says:
Hackers Are Targeting Microsoft Exchange Servers With Ransomware
https://thehackernews.com/2021/03/icrosoft-exchange-ransomware.html
According to the latest reports, cybercriminals are leveraging the
heavily exploited ProxyLogon Exchange Server flaws to install a new
strain of ransomware called “DearCry.” “Microsoft observed a new
family of human operated ransomware attack customers detected as
Ransom:Win32/DoejoCrypt.A, ” Microsoft researcher Phillip Misner
tweeted. “Human operated ransomware attacks are utilizing the
Microsoft Exchange vulnerabilities to exploit customers.” Also:
https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/
Tomi Engdahl says:
Microsoft Exchange exploits now used by cryptomining malware
https://www.bleepingcomputer.com/news/security/microsoft-exchange-exploits-now-used-by-cryptomining-malware/
The operators of Lemon_Duck, a cryptomining botnet that targets
enterprise networks, are now using Microsoft Exchange ProxyLogon
exploits in attacks against unpatched servers.
Reproducing the Microsoft Exchange Proxylogon Exploit Chain
https://www.praetorian.com/blog/reproducing-proxylogon-exploit/
The Praetorian Labs team has reverse engineered the initial security
advisory and subsequent patch and successfully developed a fully
functioning end-to-end exploit. This post outlines the methodology for
doing so but with a deliberate decision to omit critical
proof-of-concept components to prevent non-sophisticated actors from
weaponizing the vulnerability.
Tomi Engdahl says:
Researcher Publishes Code to Exploit Microsoft Exchange
Vulnerabilities on Github
https://www.vice.com/en/article/n7vpaz/researcher-publishes-code-to-exploit-microsoft-exchange-vulnerabilities-on-github
Microsoft-owned Github quickly deleted the code, which exploited
vulnerabilities apparently used by Chinese hackers to break into a
series of companies. also:
https://arstechnica.com/gadgets/2021/03/critics-fume-after-github-removes-exploit-code-for-exchange-vulnerabilities/
Tomi Engdahl says:
A Spectre proof-of-concept for a Spectre-proof web
https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html
In this post, we will share the results of Google Security Team’s
research on the exploitability of Spectre against web users, and
present a fast, versatile proof-of-concept (PoC) written in JavaScript
which can leak information from the browser’s memory. We’ve confirmed
that this proof-of-concept, or its variants, function across a variety
of operating systems, processor architectures, and hardware
generations. Also: https://leaky.page/ Spectre JavaScript PoC
Tomi Engdahl says:
Quickpost: “ProxyLogon PoC” Capture File
https://blog.didierstevens.com/2021/03/12/quickpost-proxylogon-poc-capture-file/
I was able to get the “ProxyLogon PoC” Python script running against a
vulnerable Exchange server in a VM.
Tomi Engdahl says:
Protecting on-premises Exchange Servers against recent attacks
https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/
For the past few weeks, Microsoft and others in the security industry
have seen an increase in attacks against on-premises Exchange servers.
The target of these attacks is a type of email server most often used
by small and medium-sized businesses, although larger organizations
with on-premises Exchange servers have also been affected. This is now
what we consider a broad attack, and the severity of these exploits
means protecting your systems is critical. While Microsoft has regular
methods for providing tools to update software, this extraordinary
situation calls for a heightened approach.
Tomi Engdahl says:
Cyberattack visible at Telia: companies’ email down for the third
day
https://www.is.fi/digitoday/tietoturva/art-2000007856648.html
The email services and calendar of Telia Inmics-Nebula, a hosting and
internet services company owned by telecom operator Telia, have been
out of use for the third day, and there is no information on how long
the outage will continue. The situation affects thousands of business
users of the service. Telia’s announcement:
https://www.inmicsnebula.fi/fi/tiedotteet/kriittinen-microsoft-exchange-haavoittuvuus-havaittu-telia-inmics-nebulan
Tomi Engdahl says:
Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild
https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html
Google has addressed yet another actively exploited zero-day in Chrome
browser, marking the second such fix released by the company within a
month. While the update contains a total of five security fixes, the
most important flaw rectified by Google concerns a use after free
vulnerability in its Blink rendering engine. The bug is tracked as
CVE-2021-21193.
Tomi Engdahl says:
15-year-old Linux kernel bugs let attackers gain root privileges
https://www.bleepingcomputer.com/news/security/15-year-old-linux-kernel-bugs-let-attackers-gain-root-privileges/
Three vulnerabilities found in the iSCSI subsystem of the Linux kernel
could allow local attackers with basic user privileges to gain root
privileges on unpatched Linux systems. These security bugs can only be
exploited locally, which means that potential attackers will have to
gain access to vulnerable devices by exploiting another vulnerability
or using an alternative attack vector.
Tomi Engdahl says:
https://hackaday.com/2021/03/12/this-week-in-security-apt-targeting-researchers-and-someone-watching-all-the-cameras/
Tomi Engdahl says:
A silent catastrophe is under way online – “tens or hundreds of Vastaamo-type data breaches” https://www.is.fi/digitoday/tietoturva/art-2000007861992.html
Tomi Engdahl says:
“Hack everybody you can”: What to know about the massive Microsoft Exchange breach
https://www.cbsnews.com/news/microsoft-exchange-server-hack-what-to-know/?ftag=CNM-00-10aab6a&linkId=113403700
Tomi Engdahl says:
Google Must Face Suit Over Snooping on ‘Incognito’ Browsing
https://www.bloomberg.com/news/articles/2021-03-13/google-must-face-suit-over-snooping-on-incognito-browsing?sref=ExbtjcSG
Judge concludes company didn’t notify users of data collection
Class action suit alleges Google knows ‘who your friends are’