News
Hi everyone,
Thank you for the very kind messages, it's good to be back.
This week's issue is fairly Microsoft themed. And after summarizing the outsourcing-to-China story I got so worked up that I had to take a break. I guess I'm not as jaded to security news as I sometimes fear, after years of being in this line of work. That's a relief actually :D
Enjoy the read and mind your blood pressure when you do so ;-)
Cheers folks,
Dieter
Microsoft releases emergency patches for SharePoint RCE flaws exploited in attacks
Well, this was certainly the main story this week. I'll digest the "highlights" and link to articles with more detail:
- Back in May, researchers successfully exploited SharePoint at the Berlin Pwn2Own contest. They dubbed the exploit chain "ToolShell". This was a proof of concept and no code was shared, but someone built on this work to start actual attacks.
- The vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.
- The vulnerabilities are being very actively exploited. Over 400 servers at over 150 organizations are known to be compromised, many of them governmental. Among them is the US nuclear weapons agency, the NNSA, which made some headlines.
- Updates are now available for both SharePoint 2019 and 2016.
- It's not enough to just patch: if you were compromised, the attackers hold authentication keys that can be reused at a later time, so you'll need to rotate those as well.
Useful links to dive deeper:
Microsoft outsources US Defense Department work to China
I admit, I actually threw a fit when reading this one, and I can't believe how little attention it's getting. So much so that I went back to re-read the article(s) to see if I was missing anything that mitigates this somewhat. I can't find anything though. I guess the SharePoint debacle is a well-timed distraction, ironically enough.
So, here's the deal: Microsoft runs several systems and services for the US Defense Department. These are systems that, by law, need to be operated by US citizens with sufficient security clearance. However, Microsoft thought it was a good idea to outsource this work to Chinese tech support engineers, and to work around the "US citizen issue" by "monitoring" the work through a "digital escort", who -is- a US citizen.
However, these escorts aren't necessarily technical, and admit they can't always follow what is going on. Because of course not: have you ever seen a non-tech person sit next to an engineer and try to follow what they do? It just doesn't work. It's like me watching over someone doing surgery. "Hmm yes, I see that you are using a scalpel there, ol' chap, I concur. Carry on." But don't worry folks, at least they promised to stop doing it.
I got so incredibly pissed off by this and I'm not even a US citizen. Microsoft's reputation on security has gotten so many uppercuts in the last few years that I'm flabbergasted that we're still using them. UGH. I'll stop here. But gawd damned.
UK to ban public sector orgs from paying ransomware gangs
The UK would ban public sector and critical infrastructure organizations from paying ransoms, and make it mandatory for those not covered by the ban to essentially ask the government for permission before paying up.
We've heard talk about this plenty of times before; I'm eager to find out whether this will be implemented and, if so, what the consequences will look like. Regardless of whether you are for or against it, it would be a huge move.
Supply chain issues
There were quite a few supply chain issues this week. I might as well group them together for the occasion:
Please use a password manager
If you're not using a password manager yet, please consider doing so. And if you're looking for one to try, give 1Password a shot.
I wouldn't know what to do without it. It's such a great help when navigating between devices, storing anything from passwords to tokens to passkeys and SSH keys.
And as always, thank you 1Password for supporting this humble newsletter.