FFT news digest March 12 2021

Exchange

Another week brings another security breach of breathtaking proportions. It turns out that since at least January 4, organisations with their own Exchange email servers have been vulnerable to external attack. That means tens of thousands of email servers around the world have been compromised, with the European Banking Authority and the Norwegian Parliament among the high-profile victims. Microsoft has pinned the blame on a state-backed group in China known as Hafnium, but at least 10 groups have been spotted trying to take advantage of the vulnerabilities.

There is consternation about the potential impact of the breach. On Wednesday, the US warned, "Successful exploitation of these vulnerabilities allows an attacker to access victims’ Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.... adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web".

Microsoft has issued updates to fix the vulnerabilities, including for versions of Exchange that it no longer supports, but the problem is the length of time hackers were able to exploit the issues. Veteran cybersecurity journalist Brian Krebs says many experts believe a variety of groups got wind of the vulnerabilities and were able to exploit them before they were patched. The result is a potential 'long tail', with reports that wide-scale ransomware attacks have already begun. Worse, Krebs says Microsoft was first notified about the issues in January, which raises obvious questions about the way the technology industry handles such challenges.

Anyone with an Exchange server on their own premises should obviously have patched their machines by now, but it's also vital to ensure data are backed up and that those backups aren't connected to the internet. It's also worth considering whether a cloud-based email solution would be a better way to provide email communications.

Threats

Ransomware: Criminals behind REvil ransomware say their service now includes the capability to contact journalists or business partners to publicise breaches and increase pressure on victims to pay up. The Record

Spoofing: Business-related applications including those from Microsoft, Zoom, and DocuSign are the most frequently exploited in brand phishing attacks. Greathorn (R)

reCAPTCHA: A phishing attack targeting Microsoft users uses a bogus Google reCAPTCHA system. The campaign begins with a fake voicemail notification. ZScaler

Mother's Day: It's Mothering Sunday in the UK this week and the National Cyber Security Centre is warning about attempts by criminals to exploit it.

Android: Eight “dangerous” apps have been found on Google’s Play Store. They can steal banking details and bypass two-factor authentication. Forbes

Ad blockers: Fake versions of AdShield and Netshield are designed to install cryptocurrency miners on target computers. As always, be really careful about what you install. Kaspersky

Browsers: Criminals are targeting previously unknown vulnerabilities in order to compromise devices. It's another reminder to restart your browser regularly so that it stays updated. Menlo Security

Vendor invoice: The technique involves an attacker impersonating a known partner of the target organisation. The spoofed email inquires about an outstanding invoice and attaches a fake copy in an attempt to steal financial credentials. Abnormal Security

ZIPX: Beware of email attachments with ZIPX extensions and Adobe Acrobat icons. They're being used to disguise malicious executable files. Trustwave

Proving who you are

German security officials are reported to be proposing that online communications should be linked to a user's real identity. The proposal was leaked by Posteo, a secure email provider, and reported by the AP. It quoted a German Interior Ministry spokesman as saying police had the right to interfere with communications privacy "whether the user resorts to classical telephony or encrypted telecommunications services." Privacy activists are unimpressed, with one warning that the idea could make Germany "a mini-China". We're sceptical about whether such a proposal could be made to work in practice, but the extraordinary level of online venom would almost certainly fall if those wielding their poisoned keyboards had to reveal who they really are.

Biters bitten

The past year has seen a series of successes in the battle against online criminals, and this week Russian crime forums and a supposedly secure messaging app joined the list of victims. The forums were breached by unknown attackers, and users are reported to be concerned that stolen details will be used to identify them. In Europe, law enforcement disrupted a leading provider of encrypted communications which is widely used by criminals. Europol said the result was invaluable insights into hundreds of millions of messages. And, on a smaller scale, Microsoft has settled a claim against a global tech support scam which a couple ran from their cottage in rural Surrey.

Russia hacks itself

With delicious irony, Russia tried to punish Twitter for failing to remove content the Kremlin doesn't like but ended up taking down most of its own government websites. Moscow has long been exercised about its lack of control over social media - and it's particularly upset by posts supporting jailed opposition activist, Alexei Navalny. On Wednesday, the telecoms regulator said it would slow down access to Twitter because the service had failed to delete posts with links to pornography and drugs. But in doing so, it appears to have targeted any website domain name containing "t.co" (which Twitter uses to shorten web addresses). Cue a sudden inability to reach not only government websites, but also Reddit and Microsoft among many others. Russia's attitude to online media is multi-layered, to put it mildly. This week, US officials, quoted by the Wall Street Journal, accused (R) Russian intelligence of using fake news sites to spread misinformation about coronavirus vaccines.
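As an added illustration (not part of the digest), the Python below shows why a block rule that matches the bare substring "t.co" sweeps up unrelated hostnames such as microsoft.com and reddit.com, and how a rule that respects domain-label boundaries avoids that. The hostnames are a constructed sample.

```python
# Added example: substring matching on hostnames versus label-aware matching.
# The substring "t.co" is the pattern described in the digest; everything else
# here is constructed for illustration.

NAIVE_PATTERN = "t.co"        # the substring the report describes
BLOCKED_DOMAINS = {"t.co"}    # the domain the rule was actually meant to cover


def naive_match(hostname: str) -> bool:
    """Substring match that ignores label boundaries (the failure mode described)."""
    return NAIVE_PATTERN in hostname.lower()


def label_aware_match(hostname: str, blocked=BLOCKED_DOMAINS) -> bool:
    """Match only the listed domain itself or a subdomain of it (e.g. www.t.co).

    Every suffix made of whole labels is compared against the block list, so a
    domain that merely contains "t.co" mid-label (microsoft.com) never matches.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


# Constructed sample: the intended target, a subdomain of it, and collateral hosts.
SAMPLE_HOSTS = ["t.co", "www.t.co", "microsoft.com", "reddit.com", "rt.com", "twitter.com"]


def compare(hosts=SAMPLE_HOSTS):
    """Return {hostname: (naive_result, label_aware_result)} for each sample host."""
    return {h: (naive_match(h), label_aware_match(h)) for h in hosts}


if __name__ == "__main__":
    for host, (naive, careful) in compare().items():
        print(f"{host:15} substring={naive!s:5} label-aware={careful}")
```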

NFT

With NFTs fetching millions of dollars, we've had several requests to explain what they are, so we'll give it a go - though, honestly, the answer requires more than a few lines. NFT stands for "nonfungible token". The token can be anything capable of being digitally represented, and nonfungible (sometimes hyphenated, sometimes not) just means it contains information that makes it unique, so it can't be exchanged like banknotes (i.e. it's not fungible). The unique information (or token) is stored in a distributed ledger (or blockchain) that acts as a certificate of ownership and authenticity. A common analogy is an artwork and, just as with a painting, it's possible to make a copy of an NFT, but each version will have its own unique identity. Again, the analogue would be a limited print, numbered and signed by the artist. From a security perspective, NFTs are a wonderful opportunity for fraud - and we'd advise caution before diving in. If you'd like to know more, NPR and The Verge have good explainers. We particularly like The Verge's conclusion: "You might be wondering: what is an NFT, anyhow? After literal hours of reading, I think I know. I also think I'm going to cry."

In brief

Netflix: It's taken a while, but the streaming giant appears to have tired of people sharing passwords. It's not blocking the practice yet, but it's testing messages to discourage it. Washington Post via ZDNet

Verkada: Hackers broke into the systems of a widely-used security camera startup in an apparent attempt to highlight the pervasiveness of video surveillance. It later emerged that the video feeds could also be accessed by employees - but no-one had thought to tell the clients. Bloomberg

Airlines: Most members of frequent flier schemes are affected by a breach affecting IT provider SITA, which works with some 90% of the global aviation industry. (This is the incident Malaysia Airlines reported last week). Passwords are not thought to have been stolen. SITA

Grindr: The Norwegian data protection authority has announced its intention to fine the dating app, Grindr, €9.6 million for sharing personal data with advertising/data firms without a legal justification. Datatilsynet

MacBooks: Apple is planning to release redesigned 14-inch and 16-inch MacBook Pro models in the second half of this year. They'll include MagSafe charging and may have an HDMI port and an SD-card slot. Ming-Chi Kuo via MacRumors

Avatars: Realistic avatars are Facebook’s next focus for its virtual reality business. Mark Zuckerberg said he "would love to get to the point...where you can make real authentic eye contact with someone and have real expressions that get reflected on your avatar.” Yikes. The Information (R)

Robots: They're coming...from Amazon and Samsung, among others. Business Insider reports ($) that Amazon's secretive home robot project has reached “late-prototype stage” (amid scepticism from employees). And Mashable has details of Samsung's version that was unveiled in January.

iPhone: We're often critical of Apple for the quality of its products (one of our MacBooks has just returned from 2 weeks in the repair shop), but credit where it's due. An iPhone 11 has been recovered from the bottom of a lake where it had spent 6 months. And it worked. CBC via 9to5Mac

Updates

Microsoft: As well as addressing the Exchange horror, Microsoft's monthly 'Patch Tuesday' includes fixes for 82 issues, five of them being actively exploited. Two (for Windows 10) have already been withdrawn after reports that they've caused devices to crash when using network printers.

Microsoft 365: Office 365 will now scan Excel 4.0 (XLM) macros (which should help protect against the increasing number of attacks abusing them).

Apple: Updates for Safari, macOS Big Sur and iOS address a serious vulnerability which could lead to 'arbitrary code execution' simply by visiting a website hosting malicious code. There's also an update for Apple Watch (Series 3 and later).

Adobe: Security updates for Animate, Photoshop, Connect, Creative Cloud and Framemaker.

SAP: 9 security notes; 2 of them (for Solution Manager and Business Client) are updates to previous notifications and are rated 'Hot News'.

F5: Is urging users to install updates that address four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions.

1Password: New version of password management app now runs natively on Apple's M1 Macs.

Firefox: Version 86.0.1 fixes several bugs for Linux and Apple M1 devices.

SecureDrop: Version 1.8.0 is the first release to support Ubuntu 20.04 (Focal). SecureDrop instances must be manually upgraded to Ubuntu 20.04 LTS before April 30, 2021.
