
Robin’s Newsletter #142

Hafnium mass-exploitation of Microsoft Exchange servers. Google, Allianz and MunichRe team up on cloud cyber insurance. Bit flipping may be more common than you think.

Vol. 4, Iss. 10 | 07/03/2021, last updated 14/03/2021 | Robin Oldham | ~6 minutes


This week

Over 30,000 U.S. organisations compromised by flaws in Microsoft Exchange mail server

It’s been a bad week to be a Microsoft Exchange server admin, as it came to light that four vulnerabilities in Exchange Server, reachable through its internet-facing Outlook Web Access front end, had been chained together and exploited by a suspected Chinese-affiliated group, dubbed Hafnium, for espionage purposes. Over 100,000 servers are believed to have been compromised worldwide.

Targets include “infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs.”

The four vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) chain together: a server-side request forgery lets an unauthenticated attacker send HTTP requests that Exchange treats as coming from the server itself, which is then used to run code as SYSTEM and to write files to arbitrary paths on the server. In practice the chain has been used to drop a web shell, through which the attackers read and exfiltrate the victim’s email.

The reasons behind the scale of the attack are unclear. Espionage actors are usually extremely careful to cover their tracks, and infecting tens of thousands of organisations draws a lot of heat. It may be the work of a rogue contractor, or of a cybercrime gang testing how to automate mass exploitation.

Microsoft has released a patch that closes the four vulnerabilities. Install it as an administrator: otherwise parts of the update fail and, helpfully, you won’t be notified. Given how widespread the attack was, patching quickly is no guarantee of safety; your Exchange server may already have been compromised before the patch went on, so check for signs of compromise as well as patching.

Tools that check whether your Exchange server has been compromised have also been published on GitHub.
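As an added example of what such a check does (this is not the newsletter’s code, nor Microsoft’s published scripts), the script below triages Exchange HttpProxy logs for the indicator Microsoft gave for the SSRF stage, CVE-2021-26855: a request whose AnchorMailbox field matches the pattern ServerInfo~*/*. The log location is the one Microsoft documented; the sample log embedded in the script is constructed, with a trimmed column list, and the parser is driven by the log’s own #Fields: header so it works on real files too.

```python
# Triage Exchange HttpProxy logs for the CVE-2021-26855 SSRF indicator.
# Added example, not Microsoft's published tooling. Looks for HttpProxy rows
# whose AnchorMailbox matches 'ServerInfo~*/*' (Microsoft's indicator for
# CVE-2021-26855). On a server those logs live under
#   %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy
# Exchange writes them as CSV with '#'-prefixed header lines; the '#Fields:'
# line names the columns, so the parser keys everything off that header.
import csv
import fnmatch
from pathlib import Path
from typing import Dict, Iterable, List

ANCHOR_PATTERN = "ServerInfo~*/*"   # Microsoft's indicator for CVE-2021-26855

# Constructed sample with a trimmed field list (real logs carry many more
# columns). Only the second row carries the indicator; the other two are an
# ordinary OWA logon page hit and an authenticated EWS request.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus,BackEndStatus
2021-03-01T03:12:44.101Z,/owa/auth/logon.aspx,,,198.51.100.20,200,200
2021-03-01T03:13:02.532Z,/autodiscover/autodiscover.xml,,ServerInfo~a]@mail.example.com:444/autodiscover/autodiscover.xml,203.0.113.7,200,200
2021-03-01T03:14:10.009Z,/ews/exchange.asmx,alice@example.com,alice@example.com,192.0.2.15,200,200
"""


def parse_exchange_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse one Exchange CSV log into dicts keyed by the '#Fields:' names."""
    fields = None
    rows = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue            # other '#' lines are file metadata, not data
        if fields is None:
            raise ValueError("data row seen before '#Fields:' header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def find_ssrf_hits(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows whose AnchorMailbox matches the CVE-2021-26855 pattern."""
    return [r for r in rows
            if fnmatch.fnmatchcase(r.get("AnchorMailbox", ""), ANCHOR_PATTERN)]


def scan_httpproxy_dir(root: str) -> List[Dict[str, str]]:
    """Walk a HttpProxy log directory (all protocol subfolders) and collect hits."""
    hits = []
    for path in sorted(Path(root).rglob("*.log")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for hit in find_ssrf_hits(parse_exchange_log(fh)):
                hit["_file"] = str(path)
                hits.append(hit)
    return hits


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # e.g. the HttpProxy path above
        found = scan_httpproxy_dir(sys.argv[1])
    else:                                       # no path given: run on the sample
        found = find_ssrf_hits(parse_exchange_log(SAMPLE_LOG.splitlines()))
    for h in found:
        print(h["DateTime"], h["ClientIpAddress"], h["UrlStem"], h["AnchorMailbox"])
    print(f"{len(found)} suspicious request(s)")
```

Run it with the HttpProxy directory as its only argument. A hit means the SSRF stage was at least attempted from that client address and is worth a full investigation; no hits is not a clean bill of health, since these logs roll over, the other three CVEs leave their traces in different logs, and a web shell may already be on disk. Treat this as a first pass before the published tooling, not a replacement for it.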

The velocity and reach of the exploitation are concerning, and the impact will fall disproportionately on smaller organisations. For these businesses email is critical, but it is rarely core enough to justify running it on-premises; if you haven’t already, a move to a cloud-hosted service deserves serious consideration.

In the meantime: #HugOps. #HugIR. They’ve had a long week.

microsoft.com, cisa.gov, krebsonsecurity.com, arstechnica.com, techcrunch.com, theregister.com

Interesting stats

~$200,000 per day expenses reported by SolarWinds relating to the investigation and remediation of their supply-chain attack… $3.5M to the end of the December 2020 financial reporting period (the breach was disclosed on 14th December) bleepingcomputer.com

The U.S. Army is warning of QR code scams cyberscoop.com, which led to this stat from a MobileIron survey in September 2020: 71% of people cannot distinguish between a legitimate and a malicious QR code, which I assume means that 29% of respondents are liars? 🙃

[Image: the ‘two buttons’ meme, asking whether a QR code is legitimate or malicious]

Other newsy bits

Trust in AI systems

The integrity of the data sets used to train, and maintain, artificial intelligence is an increasingly hot topic: not just because manipulating them may cause undesired or unpredictable results, but because of the biases that may be baked into the decision-making of these systems. That’s one of the reasons behind the high-profile departures of Google’s ethics researchers Margaret Mitchell and Timnit Gebru.

“Algorithms are opinions embedded in code” — Cathy O’Neil

Congress has been considering the need for an ‘Algorithmic Accountability Act’ to govern the use of artificial intelligence. The Act would require companies to assess the probable real-world impact of automated decision-making systems. East of the Atlantic, AI has been an area of focus for data protection regulators like the ICO, who have some points and examples to consider if you’re interested in, or designing, AI systems.

‘Hacking’ AI systems and their algorithms may be far simpler than you think: just last year artist Simon Weckert subverted Google’s traffic algorithms by towing a trolley of Android handsets around Berlin (vol. 3, iss. 6).

ft.com, ico.org.uk

Google, Allianz and MunichRe team up on cloud cyber insurance

The ‘Risk Protection Program’ allows customers of Google’s cloud platform to generate an assessment of their cloud workloads against Google’s view of best practice, then submit this to insurers to get a tailored cyber insurance policy. It’s an interesting risk transfer proposition (and similar to something we’ve been exploring at Cydea). Insurers have been increasingly worried about the aggregation of risk by lots of their policyholders relying on relatively few technology vendors. This concentration would mean that a failure at, for example, AWS may cause a significant portion of their policyholders to make a claim, resulting in massive payouts (imagine if the tarmac ‘failed’ on 500 miles of road resulting in motor claims from every driver simultaneously). The Risk Protection Program is perhaps as much about protecting the insurers’ commercial risk as their clients’ cyber risk. google.com

In brief

Attacks, incidents & breaches

  • Malaysian Airlines Enrich loyalty programme compromised by attackers for nine years, claims no evidence of data misuse scmagazine.com
  • Passenger data stolen in breach at airline industry provider SITA theregister.com, airlines including British Airways are requiring customers to reset passwords, though claim none were compromised.
  • Admin and finance information stolen from security vendor Qualys via Accellion file transfer appliance theregister.com
  • “Pretty much everything on Gab, including user data and private posts” leaked from the social network popular with the far-right wired.com, the way the breach has been handled by the company is odd, Troy Hunt has some interesting commentary in this thread @TroyHunt
  • Four-hour Google Voice outage in February was caused by expired TLS certificate bleepingcomputer.com

Threat intel

  • REvil / Sodinokibi ransomware gang to start placing phone calls to business partners of victims and to journalists, as well as launching DDoS attacks, to encourage payment of ransom demands bleepingcomputer.com
  • A ‘weaponised exploit’ targeting Spectre hardware vulnerabilities has been uploaded to Virus Total three years after the design flaws in Intel, AMD and ARM processors were discovered therecord.media
  • BEC scammers targeting venture capital and private equity investors with fake ‘capital call’ messages bleepingcomputer.com
  • Three more ‘sophisticated and elegant’ pieces of malware, including second-stage command and control, used in the Solorigate/Sunburst attack on SolarWinds uncovered by Microsoft and FireEye zdnet.com
  • Ursnif banking trojan targeting 100 Italian banks, according to Avast zdnet.com

Vulnerabilities

  • Microsoft Exchange, see above.
  • ‘High’ criticality zero-day vulnerability in Chrome being exploited, patch available zdnet.com
  • SuperMicro and Pulse Secure release patches for TrickBot’s firmware-infecting module dubbed ‘TrickBoot’ bleepingcomputer.com

Privacy

  • AdGuard releases list of ‘CNAME trackers’ that attempt to circumvent third-party cookie blocking github.com

Public policy

  • Musings from Randal Milch on post-breach IR investigations and attorney-client privilege: “What is good for litigation is not necessarily good for cybersecurity.” lawfareblog.com

Mergers, acquisitions and investments

  • Smart, but pricy, move: Okta has acquired Auth0 for $6.5BN to expand identity coverage to “both workforce and customer” techcrunch.com
  • Also in identity… Private equity group TPG buys Thycotic to merge with previous investment in Centrify. The new group will rival BeyondTrust and CyberArk in revenue terms theregister.com

And finally

Bit flipping may happen more frequently than you might imagine

Everything you do on your computer boils down to bits, the binary 0s and 1s. Occasionally cosmic rays or hardware errors cause one of these values to be ‘flipped’ in memory from 0 to 1, or vice versa. A researcher has been investigating ‘bitsquatting’, registering domain names that are one bit away from a legitimate one: flip a single bit of the ‘i’ in “windows” and you get “whndows”. Having found 14 such ‘bit flipped’ domains for windows.com, they registered them and captured the traffic. The time.windows.com domain is used to synchronise the clock on the Windows operating system and, over 14 days, the look-alike domains received 199,180 NTP client connections from 626 unique IP addresses. Cool research, Remy! bleepingcomputer.com
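As an added example (not the researcher’s code, nor code from the newsletter), the enumeration behind that research, generalised to any hostname label: every single-bit change to a lowercase ASCII label that still yields a valid DNS label. For the ‘windows’ label this gives 32 candidates, ‘whndows’ among them; the 14 mentioned above are those the researcher registered, the full candidate space being larger. Flipping bit 5 only toggles ASCII case, which DNS ignores, and flipping bit 7 leaves ASCII entirely, so neither ever yields a distinct valid name; the character check below rejects both, and a label may not begin or end with a hyphen.

```python
# Enumerate single-bit-flip ("bitsquat") variants of a DNS label.
# Added example; not the researcher's or the newsletter's code.
import string

# Characters allowed in a hostname label (the letters-digits-hyphen rule), lowercased.
LABEL_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")


def bitflip_labels(label: str) -> list:
    """Every label exactly one bit away from `label` that is still a valid DNS label.

    DNS is case-insensitive, so a bit-5 flip (ASCII case) is not a different
    name, and a bit-7 flip is not ASCII at all; both fail the character check.
    A label may not start or end with '-'.
    """
    label = label.lower()
    raw = label.encode("ascii")
    found = set()
    for pos, byte in enumerate(raw):
        for bit in range(8):
            ch = chr(byte ^ (1 << bit))
            if ch not in LABEL_CHARS:      # drops uppercase, control chars, punctuation, >0x7F
                continue
            cand = label[:pos] + ch + label[pos + 1:]
            if cand[0] == "-" or cand[-1] == "-":
                continue
            found.add(cand)
    return sorted(found)


def bitflip_hostnames(hostname: str, label_index: int = 0) -> list:
    """Apply bitflip_labels to one label of a dotted hostname.

    bitflip_hostnames("time.windows.com", 1) flips bits in "windows" and keeps
    "time" and "com" intact, which is the case the newsletter describes.
    """
    labels = hostname.lower().split(".")
    target = labels[label_index]
    return [".".join(labels[:label_index] + [v] + labels[label_index + 1:])
            for v in bitflip_labels(target)]


def bit_distance(a: str, b: str) -> int:
    """Hamming distance in bits between two equal-length ASCII strings."""
    if len(a) != len(b):
        raise ValueError("strings must be the same length")
    return sum(bin(x ^ y).count("1")
               for x, y in zip(a.encode("ascii"), b.encode("ascii")))


if __name__ == "__main__":
    for name in bitflip_hostnames("time.windows.com", 1):
        print(name)
    print(len(bitflip_labels("windows")), "candidates for the 'windows' label")
```

The same function run over your own domains tells you which look-alikes a defender might want to register pre-emptively, or at least watch in passive DNS; the candidates that are plain letters (whndows, windnws) are the ones an error-correcting memory would never have produced, so their traffic is a fair measure of how much unprotected memory is out there.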