I hope this e-mail finds you well.
Good news: the breach section only has five stories!
The bad news: it's probably because everyone is busy hacking Exchange servers.
But hey, didn't it feel nice to read the words "good news" for once?
Not becoming cynical in this business is an ongoing struggle :D Either way, I hope you enjoy this issue!
Exchange hacks continued
As you would expect, this issue is going to be mostly about Exchange. Here goes:
The urgent bits:
- Microsoft Exchange exploits now used by cryptomining malware: link.
- Also being used by ransomware: link.
- There is a PoC exploit available: link.
- Other state-sponsored hacking groups are joining in the frenzy: link.
- Exchange attacks are quoted as "doubling every two hours": link.
- Microsoft has issued patches for older, no longer supported versions of Exchange: link.
Some known breaches so far:
- European Banking Authority discloses Exchange server hack: link.
- Norway parliament data stolen in Microsoft Exchange attack: link.
And some good general information to get up to speed:
- A nice overview article on what we know so far: link.
- A great timeline from Krebs on the whole thing: link.
Other breaches and leaks
- Researchers hacked Indian govt sites via exposed git and env files: link.
- Ryuk ransomware hits 700 Spanish government labor agency offices: link.
- Hackers access surveillance cameras at Tesla, Cloudflare, banks, more, through super-admin account: link.
- Molson Coors brewing operations disrupted by cyberattack: link.
- Flagstar Bank customer data breached through Accellion hack: link.
Actual good news! This looks awesome. Sigstore is a "Let's Encrypt for code signing", aiming to make it very easy and free to digitally sign code to verify its authenticity. It's also backed by a transparency log for easy auditability. It's still in the early stages, and they currently want to gather feedback. I have to dive deeper into this, but it feels like a great step forward in supply chain security.
I didn't really expect Spectre to become news again, but it seems it will. Google released a PoC that shows the practicality of Spectre exploits in browsers. They advocate for a number of new security measures that need to be taken, and have released a browser extension called Spectroscope to help developers with that process.
Join Snyk and StackHawk on March 18 as they walk through how to use Software Composition Analysis (SCA) and Dynamic Application Security Testing (DAST) in CI/CD to ship more secure applications. Click the link to register. (Sponsored)
It might not be directly related to security, but it definitely relates to disaster recovery planning.
I hadn't previously considered properly that PDFs, apart from metadata on the author and whatnot, also show what (vulnerable) version of software you're running, which could be excellent information for an attacker to know who to target in an organisation.
Safer elections are always a good thing to know about and share.
It's part of a broader effort to help government organizations run more secure and accessible services.
Today, when you have data encrypted, you need to decrypt it in order to be able to use it. "Fully homomorphic encryption", or FHE, would apparently make it feasible to run computations on encrypted data. That sounds like magic to me. Kudos to you, crypto wizards.
Great cheat sheet, with a nice thread on Hacker News too.
1Password Business has some very solid protection mechanisms that are worth highlighting. You can allow, report or deny access to vaults based on location or IP address, enforce 1Password updates, monitor sign-in attempts, a lot of good stuff. Check out the link to learn more. (Sponsored)