I hope this e-mail finds you well :-)
This issue has a few breaches, some good news, some bad news, and me getting slightly angry and using a tableflip emoji for the first time. Enjoy!
Breaches and leaks
- Computer giant Acer hit by $50 million ransomware attack: link.
- WeLeakInfo leaked customer payment info: link.
- Mimecast: SolarWinds hackers stole some of our source code: link.
- Eastern Health cyber 'incident' cancels some surgeries across Melbourne: link.
Exchange hacks continued
- Microsoft Defender Antivirus now automatically mitigates Exchange Server vulnerabilities: link.
- Microsoft investigates potential ties between partner security firm, Exchange Server attack code leak: link.
- Chile's bank regulator shares IOCs after Microsoft Exchange hack: link.
- Hafnium’s China Chopper: a ‘slick’ and tiny web shell for creating server backdoors: link.
There is no real indication who's behind it, but when Project Zero is impressed, that means something. The hacking group used 11 zero-days in the course of a year, expertly targeted at fully patched Windows 10 using Chrome, fully patched Android devices and iOS 11-13.
These yearly FBI reports always make for mind-boggling reading. As you would expect, BEC scams take the majority slice at around $2 billion. And this is just in the US, mind you. Good material in case anyone in your circle claims that "cybercrime really doesn't do that much damage".
Join the Secure Coding Summit to hear from industry-leading AppSec and DevSecOps practitioners, analysts, and visionaries as they share their best pro tips to level up your code security. (Sponsored)
Apparently anyone can, for the whopping price of $16, subscribe to a text message service where you can claim any existing number if you pinky swear that you won't use it for anything bad. The whole underlying system is so massively flawed that we really just need to move past it for anything that requires security.
While we're on the subject of 2fa: good news! And also long overdue. Facebook has expanded security key support too: link.
Their previous tool, Sparrow, is meant to detect compromise in Azure/Microsoft 365 environments. This one, CHIRP, is for on-prem environments.
Pretty neat attack, again by Alex Birsan, who came up with the dependency confusion attacks. By simply adding companies as collaborators in an npm package, a bot picked it up and posted it as part of a list of Azure SDK packages. It didn't seem to work for the other companies that he tried, though.
"Make sure you own the domain that you reference everywhere" is so basic that I doubt it's included in most threat models. But, yeah. Make sure that you do please.
You might remember that I went a little "wtf" on this story a few weeks back, so I find this deeper dive to be worth sharing. It really pisses me off that the mayor of the town involved called it "a success story, recognising that there are some deficiencies but that our protocols worked".
The intrusion was detected because someone saw a mouse cursor move on a screen ffs. And they got in because you ran an orphaned TeamViewer install, used a shared password, no 2fa, and freakin EOL Windows 7 machines. But yeah sure, let's go with "success story" (╯°□°）╯︵ ┻━┻
Not directly security related, but I got a kick out of reading this. What would happen if you embed copyrighted or forbidden-by-authorities material in the Bitcoin blockchain? It's in there for good. Does that mean that every miner is now officially storing illegal digital material? If so, what then? Nice thought-provoking read.
1Password Business has some very solid protection mechanisms that are worth highlighting. You can allow, report or deny access to vaults based on location or IP address, enforce 1Password updates, monitor sign-in attempts, a lot of good stuff. Check out the link to learn more. (Sponsored)