News
Hi everyone,
I hope this e-mail finds you well :-)
This issue has a few breaches, some good news, some bad news, and me getting slightly angry and using a tableflip emoji for the first time. Enjoy!
Dieter
Exchange hacks continued
- Microsoft Defender Antivirus now automatically mitigates Exchange Server vulnerabilities: link.
- Microsoft investigates potential ties between partner security firm, Exchange Server attack code leak: link.
- Chile's bank regulator shares IOCs after Microsoft Exchange hack: link.
- Hafnium’s China Chopper: a ‘slick’ and tiny web shell for creating server backdoors: link.
Hacking group used 11 zero-days to attack Windows, iOS, Android users
There is no real indication who's behind it, but when Project Zero is impressed, that means something. The hacking group used 11 zero days in the course of a year, expertly targeted at fully patched Windows 10 using Chrome, fully patched Android devices and iOS 11-13.
FBI: Over $4.2 billion officially lost to cybercrime in 2020
These yearly FBI reports always make for mind-boggling reading. As you would expect, BEC scams take the majority slice at around $2 billion. And this is just in the US, mind you. Good material in case anyone in your circle claims that "cybercrime really doesn't do that much damage".
Secure Coding Virtual Summit on March 24
Join the Secure Coding Summit to hear from industry-leading AppSec and DevSecOps practitioners, analysts, and visionaries as they share their best pro tips to level up your code security. (Sponsored)
Can we stop pretending SMS is secure now?
Apparently anyone can, for the whopping price of $16, subscribe to a text message service where you can claim any existing number if you pinky swear that you won't use it for anything bad. The whole underlying system is so massively flawed that we really just need to move past it for anything that requires security.
Twitter now supports multiple 2FA security keys on mobile and web
While we're on the subject of 2FA: good news! And also long overdue. Facebook has expanded security key support too: link.
CISA releases new SolarWinds malicious activity detection tool
Their previous tool, Sparrow, is meant to detect compromise in Azure/Microsoft 365 environments. This one, CHIRP, is for on-prem environments.
Microsoft's Azure SDK site tricked into listing fake package
Pretty neat attack, again by Alex Birsan, who came up with the dependency confusion attacks. He simply added companies as collaborators on an npm package, and a bot picked it up and posted it as part of a list of Azure SDK packages. It didn't seem to work for the other companies that he tried, though.
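To make the weak spot concrete, here is an added example (not code from the newsletter, from Microsoft, or from Alex Birsan) contrasting the heuristic the story describes, "treat a package as the org's if the org account is listed as a collaborator", with a stricter ownership check. The registry records, the account name azure-sdk and the attacker package are all constructed for the demonstration; the field names only mirror the shape of npm registry metadata. The point it shows: a package's existing owner can add other accounts as maintainers on their own, so that list is attacker-controlled, whereas publishing into the org's own scope is not.

```python
"""Constructed example: why "org account is a collaborator" is a weak
ownership signal for an npm package, and what a stricter check looks like.

Not code from the page, Microsoft, or Alex Birsan. The registry records
below are fabricated; 'azure-sdk' stands in for an org's publishing account
and 'attacker' for an arbitrary npm user. Field names (maintainers,
dist-tags, versions[...]._npmUser) follow the shape of npm registry
metadata, but nothing here was fetched from the registry.
"""

ORG_ACCOUNT = "azure-sdk"   # assumed name of the org's publishing account
ORG_SCOPE = "@azure/"       # assumed scope the org actually publishes under

# Constructed registry documents.
PACKAGES = [
    {   # a genuine org package: in the org scope, published by the org account
        "name": "@azure/example-client",
        "maintainers": [{"name": ORG_ACCOUNT}],
        "dist-tags": {"latest": "1.0.0"},
        "versions": {"1.0.0": {"_npmUser": {"name": ORG_ACCOUNT}}},
    },
    {   # an unrelated package whose owner unilaterally added the org account
        "name": "totally-legit-sdk",
        "maintainers": [{"name": "attacker"}, {"name": ORG_ACCOUNT}],
        "dist-tags": {"latest": "0.0.1"},
        "versions": {"0.0.1": {"_npmUser": {"name": "attacker"}}},
    },
]


def naive_is_org_package(pkg):
    """The weak heuristic: any package listing the org account among its
    maintainers/collaborators is treated as the org's. Because an existing
    owner can add further maintainers without their consent, this signal
    is under the attacker's control."""
    return any(m["name"] == ORG_ACCOUNT for m in pkg.get("maintainers", []))


def strict_is_org_package(pkg):
    """Stricter: require the org's own scope (only the org's members can
    publish into it) AND that the latest version was published by the org
    account. Mere presence in the maintainers list is not enough."""
    if not pkg["name"].startswith(ORG_SCOPE):
        return False
    latest = pkg["dist-tags"]["latest"]
    publisher = pkg["versions"][latest].get("_npmUser", {}).get("name")
    return publisher == ORG_ACCOUNT


def listed_packages(check, packages=PACKAGES):
    """Names a listing bot would publish under the given ownership check."""
    return sorted(p["name"] for p in packages if check(p))


if __name__ == "__main__":
    # The naive bot lists the attacker's package; the strict one does not.
    print("naive :", listed_packages(naive_is_org_package))
    print("strict:", listed_packages(strict_is_org_package))
```

The same idea applies to any automation that builds "official" lists from registry metadata: key the decision on something only the organisation can produce (its scope, its publishing account, a signature), never on a field that other accounts can write to.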
Fintech giant Fiserv used unclaimed domain
"Make sure you own the domain that you reference everywhere" is so basic that I doubt it's included in most threat models. But, yeah. Make sure that you do please.
America’s drinking water is surprisingly easy to poison
You might remember that I went a little "wtf" on this story a few weeks back, so I find this deeper dive to be worth sharing. It really pisses me off that the mayor of the town involved called it "a success story, recognising that there are some deficiencies but that our protocols worked".
The intrusion was detected because someone saw a mouse cursor move on a screen, ffs. And they got in because you ran an orphaned TeamViewer install, used a shared password, no 2FA, and freakin' EOL Windows 7 machines. But yeah sure, let's go with "success story" (╯°□°)╯︵ ┻━┻
Illegal content and the Blockchain
Not directly security-related, but I got a kick out of reading this. What would happen if you embedded copyrighted or forbidden-by-authorities material in the Bitcoin blockchain? It's in there for good. Does that mean that every miner is now officially storing illegal digital material? If so, what then? Nice thought-provoking read.
Important protection features in 1Password Business
1Password Business has some very solid protection mechanisms that are worth highlighting. You can allow, report or deny access to vaults based on location or IP address, enforce 1Password updates, monitor sign-in attempts, a lot of good stuff. Check out the link to learn more. (Sponsored)