I hope you all had a great week. This is a pretty packed issue, again. Honestly, when I started the newsletter years ago I feared that I wouldn't have enough content to fill out an issue each week. Now it's all about finding a balance between keeping things somewhat brief and not missing anything interesting. Please let me know if I'm not striking that balance properly. In the meantime, I hope you get value out of this one.
Breaches and leaks
- Far-right website Gab hacked, 70GB of data leaked: link.
- Cybersecurity firm Qualys is the latest victim of Accellion hacks: link.
- Oxfam Australia supporters embroiled in new data breach: link.
- European e-ticketing platform Ticketcounter extorted in data breach: link.
- Universal Health Services lost $67 million due to Ryuk ransomware attack: link.
- SITA data breach affects millions of travelers from major airlines: link.
- Cyberattack shuts down online learning at 15 UK schools: link.
- Three top Russian cybercrime forums hacked: link.
This is a big one, but I'll try to summarize. A previously unknown Chinese hacker group has been attacking Microsoft Exchange servers using zero-day exploits. They get inside, steal e-mails and drop web shells to compromise the networks further.
Since Microsoft went public this week, the hacker group has massively ramped up its attacks, compromising thousands of servers per hour globally. The total count of compromised networks seems to be in the hundreds of thousands.
If you run Exchange servers you are advised to assume compromise, even going back as far as September 2020. There are patches, indicators of compromise, tools to find the installed web shells, and a lot more info to dig into.
The linked article breaks the initial news and links to the four zero-day CVEs. Some more info:
- The attacks seem to be getting the name "ProxyLogon", just FYI.
- Great follow-up article from Krebs: link.
- CISA issues emergency directives: link.
- Patches might seem installed but not fix anything, double check: link.
- Guidance by Microsoft on removing web shells: link.
This definitely raised my eyebrows, since it's been over three years since those issues were made public. Using the exploits, unprivileged users can dump LM/NT hashes on Windows systems and the Linux /etc/shadow file from the targeted devices' kernel memory. It sounds like it's still difficult to execute, but interesting nonetheless.
The "dependency confusion" attacks are making their way into criminal use, with what seem to be attempts at targeting applications related to Amazon, Lyft and Slack.
ZAPCon, the first user conference for ZAP, is happening this Tuesday, March 9. Over 1,500 attendees are joining to understand how their peers are using ZAP and to learn about the project's roadmap. Get your free ticket and see you Tuesday! (Sponsored)
Yet another method of adding pressure to the extortion. The REvil ransomware group announced that they'll be offering the ability to make voice-scrambled VoIP calls to the media and the victim's business partners when a target becomes infected.
Your regular reminder that one of the biggest security threats doesn't require any technical know-how. BEC scammers are now specifically targeting investors with fake capital call notices (a new slice of investment being due), with an average payout of $809,000.
This article gives a nice overview of new security features included in Windows Server 2022.
Interesting read on how a researcher was able to send thousands of "forgotten password" reset codes without being blocked. Kudos to the researcher. Also see their own blog post for a great write-up.
Nice analysis of Okta's acquisition of Auth0 that was announced this week.
It's been previously reported that the DoD hasn't prioritised cybersecurity in their weapon systems. A new report seems to indicate that not that much has changed, because three out of five contracts for weapon programs have no guidelines as to what is expected in terms of cybersecurity. And if it's not in the contract, it probably won't get done.
This is just a cool read. I had no idea that lasers were used for random number generation. New developments are increasing the output of those systems by several orders of magnitude, currently up to 250,000 gigabits of random data per second.
Great post explaining all kinds of quirks in our usage of HTTP. For example 'no-cache' meaning "do cache", the possibility to send headers after the HTTP body, the usage of HTTP 1xx codes, WebSockets ignoring CORS completely, and more. I learned a lot :D Great thread on Hacker News too with plenty more examples thrown in.
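To make the 'no-cache' quirk concrete, here is an added example (written for this issue, not code from the linked post): a small Python routine that parses a Cache-Control header and derives what a cache may do with the response. The `CachePolicy` fields and helper names are my own; the directive semantics follow RFC 7234.

```python
"""Added example: Cache-Control semantics. `no-cache` still lets a cache STORE the
response, it only forbids REUSING it without a successful revalidation; the directive
that really means "do not cache" is `no-store`."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class CachePolicy:
    may_store: bool            # the cache is allowed to keep a copy
    must_revalidate: bool      # a stored copy may not be reused without validation
    max_age: Optional[int]     # freshness lifetime in seconds, if given


def parse_cache_control(header: str) -> Dict[str, Optional[str]]:
    """Split 'a, b=1, c="x,y"' into {'a': None, 'b': '1', 'c': 'x,y'}.
    Directive names are case-insensitive; quoted values may contain commas."""
    parts, buf, quoted = [], "", False
    for ch in header:
        if ch == '"':
            quoted = not quoted          # track quoted-string boundaries
        if ch == "," and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)

    directives: Dict[str, Optional[str]] = {}
    for part in parts:
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else None
    return directives


def cache_policy(cache_control: str) -> CachePolicy:
    """Decide storage and reuse rules for a response carrying this Cache-Control value."""
    d = parse_cache_control(cache_control)
    if "no-store" in d:                  # the only directive here that forbids storing
        return CachePolicy(may_store=False, must_revalidate=True, max_age=None)
    max_age = None
    raw_age = d.get("max-age")
    if raw_age is not None and raw_age.isdigit():
        max_age = int(raw_age)
    # no-cache: storing is fine, but every reuse needs a successful validation first
    return CachePolicy(may_store=True, must_revalidate="no-cache" in d, max_age=max_age)
```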
One of the more awesome features of 1Password Business is the ability to get reports on things like: who has access to which vaults, which devices are authorised, who in your team has 2FA enabled, and even who accessed which item when. Super powerful for forensics and audits. (Sponsored)