Daily Perk 3/12/2021

Not jinxin’ it …

Ransomware for Vulnerable Exchange Servers per The Hacker News

We knew this was coming. There were warnings sounded by CISA, the FBI and more. Microsoft researchers have identified “DearCry”, “human operated ransomware” that leverages the recent MS Exchange vulns known as ProxyLogon. At this point, there are wise and rightly jaded sources describing this event as far worse than SolarWinds. At the least expect to find evidence of compromise for on-prem boxes and at worst … expect to be compromised beyond the defined exposure.

That Verkada Camera Incident again illustrates how IoT is insecure per Malware Bytes blog

A member of a Swiss hacking collective sought to make a point about too much surveillance by hacking into Verkada camera feeds. They were successful and accessed a whole bunch of camera feeds – because they were able to find an admin credential publicly online that gave them “super admin” rights to access “any camera, belonging to any of the company’s clients”. Yes. You read that right.

Basic good practices in security involve limiting access and privilege (the principle of least privilege), because this is what can happen if you don’t have checks and balances in place. But as we keep discovering with IoT, security gets lip service, if it is even an afterthought.

UPDATE: OVH datacenter fire. This was an enormous event with a lot of fallout. OVH is the largest host provider in Europe and third largest globally. A UPS unit, or uninterruptible power supply, that had been serviced that morning is now being looked at as possibly having caused the fire. Good time to make sure your DRP and BCP factor in events like this. And your UPSs are in good shape.

Daily Perk 3/11/2021

This should do it!

Is there no end to the badness?! Cyberattack disrupts beer production per Bleeping Computer

Reports are coming out today that Molson Coors Beverage Company has suffered a cyberattack. The systems outage may cause disruption or delay affecting their brewery operations, shipments and production. While not yet confirmed, it looks like a ransomware attack hit Tuesday, prompting a shutdown to prevent further spread within the operation. I can’t even 😢

New malware “RedXOR” targeting Linux systems per Threatpost

Apparently Chinese APT groups aren’t busy enough. This new backdoor malware comes courtesy of the Winnti group, in targeted attacks on legacy Linux systems. Its capabilities include data exfiltration, tunneling traffic elsewhere, and more.

Heads up that Linux malware increased significantly over 2020. And interested parties include Russian bear APTs and cybercrime heavy hitter Carbanak. That’s important given the extent of cloud migration, and that Linux is running on most public cloud workloads.

Go Shodan Yourself!: And this. I spent last night searching Shodan, like many others in security, checking for both MS Exchange and f5 exposure. It is staggering how many organizations of all sizes and capabilities show up with things attackers would appreciate, like TLS v1 or expired certificates. You can say you have mitigations in place, that your production gear isn’t exposed, but really, how are you checking to see what others are finding about you? Stay safe!
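One way to answer that question before someone else does: check your own internet-facing hosts for the two findings just mentioned, TLS 1.0 still being accepted and an expired (or soon-to-expire) certificate. The script below is an added example for this post, not code from the post or from Shodan; the host names in $MyExternalHosts are constructed placeholders, and it only uses the .NET SslStream and X509Certificate2 classes that ship with Windows PowerShell.

```powershell
# Added example, not code from the Daily Perk post: check a list of your OWN
# internet-facing hosts for TLS 1.0 still being accepted and for an expired
# or soon-to-expire certificate. Host names below are constructed placeholders.

function Test-TlsExposure {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$Port = 443,
        [int]$WarnDays = 30
    )

    # Accept every certificate in the validation callback so that an expired
    # one can still be inspected instead of aborting the handshake.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

    $result = [ordered]@{
        Host         = $TargetHost
        Port         = $Port
        AcceptsTls10 = $false
        CertNotAfter = $null
        CertExpired  = $null
        ExpiresSoon  = $null
        Error        = $null
    }

    # Check 1: offer ONLY TLS 1.0. If the handshake succeeds, the server still
    # accepts it. Caveat: a client OS with TLS 1.0 disabled will also fail here
    # and report a false "refused", so run this from a host where the protocol
    # is still enabled on the client side.
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost, $null, [System.Security.Authentication.SslProtocols]::Tls, $false)
        $result.AcceptsTls10 = $true
        $ssl.Dispose(); $tcp.Dispose()
    } catch {
        $result.AcceptsTls10 = $false   # handshake refused: the good outcome
    }

    # Check 2: do a normal handshake and read the leaf certificate's NotAfter.
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $now = Get-Date
        $result.CertNotAfter = $cert.NotAfter
        $result.CertExpired  = $cert.NotAfter -lt $now
        $result.ExpiresSoon  = (-not $result.CertExpired) -and ($cert.NotAfter -lt $now.AddDays($WarnDays))
        $ssl.Dispose(); $tcp.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

# Constructed placeholder inventory; replace with hosts you are authorized to test.
$MyExternalHosts = @('mail.example.test', 'vpn.example.test', 'portal.example.test')

$MyExternalHosts |
    ForEach-Object { Test-TlsExposure -TargetHost $_ } |
    Format-Table Host, Port, AcceptsTls10, CertNotAfter, CertExpired, ExpiresSoon, Error -AutoSize
```

A row with AcceptsTls10 set to True or CertExpired set to True is exactly the kind of entry that shows up in a Shodan search of your address space; the Error column catches hosts that did not answer at all, which is worth reconciling against your inventory for the same reason.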

Daily Perk 3/10/2021

It’s all on fire

I thought I’d wait, but it didn’t get better lol. Let’s dig in.

How many are there? F5 reports four critical remote code execution vulnerabilities per Bleeping Computer

It’s bad. F5 BIG-IP and BIG-IQ are found in so many enterprise networks: government, FI, ISPs, major organizations. This involves a glorious unauthenticated RCE flaw, CVE-2021-22986 on the iControl REST interface. The others are: CVE-2021-22987 on Appliance mode for the Traffic Mgmt User Interface; CVE-2021-2291 a buffer overflow affecting the Traffic Mgmt Microkernel; and CVE-2021-22992 an “advanced WAF/ASM buffer overflow vulnerability”. Read the guidance supplied by f5 here then please, please, please patch because this can lead to full system compromise. And if you’d like to know more about how bad this is, here is a link to an excellent thread on twitter from when there was another unauthenticated RCE that was actively exploited against f5 last July.

Internet Explorer Memory Corruption vulnerability actively exploited per ZDNet

Another patch you need to get to asap from yesterday’s joyous collection of vulnerabilities. Internet Explorer (IE) vulns are perennial faves for attackers to find and exploit given widespread use and likelihood of unpatched status. The risk with this one is that an attacker would have “the same operating system permissions as the user visiting the website” which could enable a lot more badness for vulnerable admins who get pwned.

Literally on Fire: The OVHcloud data center, located in Strasbourg, France, has burnt down. As reported in ZDNet today, a disastrous fire has completely destroyed the SBG2 data center as well as part of SBG1. SBG3 and 4 were protected. Most importantly, everyone is safe. OVHcloud provides global services to more than 1.5 million customers, managing 27 data centers in the US, UK, France, Australia and elsewhere. Wishing OVHcloud a successful and safe recovery. How up to date is your disaster recovery plan?

Daily Perk 3/9/2021

Patch Tuesday is upon us

Update Exchange Server Patches: Microsoft released additional security patches for servers running Exchange Server versions NOT supported by last week’s patches. Per Bleeping Computer

Apple Patches Against Code Execution per ZD Net

Keeping with our patching theme. This fix applies to iPhones, iPads and MacBooks. The bug affects WebKit, the browser engine for Safari, so that an unpatched user could become the victim of maliciously crafted content on a website leading to “arbitrary code execution”. And we don’t want that. While Apple products do offer more security, that wall is getting steadily pulled down by attackers and vulnerabilities. The onus is increasingly on end users to become more security aware and follow best practices because attacks are bypassing standard detection and prevention. “Gotta catch ‘em all” only works with Pokémon.

Food for Thought: Access and Sensitive Data

2021 has ushered in a year of massive supply chain attacks – SolarWinds, Accellion et al. This was following on the heels of a solid year of extortionist ransomware attacks – essentially “your money AND your data” because once that data has been accessed without authorization it has been breached. We can’t predict the next attack or block all the holes. We can, however, better protect the data we have by labeling and limiting access. An article in HelpNet Security cites a finding that 76% of employees had inappropriate access to data. The pandemic created a virtual workforce almost overnight. As we move forward and build new policies, look at how to implement new frameworks like zero-trust for wider reach and mobility, to leave less to chance when it comes to data and access.

Daily Perk 3/8/2021

We make the difference today and everyday

Cheering on the excellent work done by The Diana Initiative today to support women and diversity in our field. The CFP is open!

QNAP storage devices used to mine cryptocurrency per Bleeping Computer

Network-attached storage devices, aka NAS, have vulnerabilities, can be left internet facing with default settings, and are searched for online using Shodan. QNAP devices have specifically been targeted by ransomware made for them. Two remote code execution vulns from 2020 are being exploited: not a problem if you patched back then, but a lot of boxes are neglected and connected. Like the 4,297,426 found online by 360 Netlab.

Check your networks – you may be surprised to find some boxes connected you didn’t know about. If cryptominers are able to get in, then you might be a stepping stone in a bigger campaign to someone you have access to.

Chinese APT group “Spiral” linked to Supernova malware in SolarWinds attack per ZDNet

2021 is the year of supply chain attacks and discovering Chinese cyber espionage as we dig deeper. Secureworks’ researchers are seeing similarities between the use of a compromised SolarWinds server to deploy Supernova malware and other intrusions by the “Spiral” group.

Spiral has been exploiting CVE-2020-10148 in SolarWinds Orion’s API for authentication bypass and remote code execution. Supernova is “an advanced web shell” written in .NET that maintains persistence and does dirty deeds without leaving tracks. It gives the attackers both high privileges and a lot of visibility into the victim’s network. While this is not part of the actual SolarWinds attack, it highlights the opportunistic skills of advanced attackers to slip in undetected through an already open door. We can expect more lessons ahead.

Daily Perk 3/5/2021

Happy Weekend All!

UPDATE: MS Exchange server patches and UAC issues per Bleeping Computer

A heads up for those installing the Exchange server patches to check if UAC, or User Account Control, is enabled. The patch may look like it installed but doesn’t actually fix the problem. Security expert Kevin Beaumont advised to validate build numbers. The issue has to do with certain Exchange-related services not being stopped by the security update. For manual patch applications Microsoft recommends installing as Admin from the command line. Wishing you all success!
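If you want something to run on the box after the update to confirm it really landed, here is an added example for this post (not a script from the post, from Kevin Beaumont or from Microsoft). It checks whether the session is elevated, whether UAC is on, reads the installed build from the file version of ExSetup.exe (the AdminDisplayVersion shown by Get-ExchangeServer does not change when a security update is applied, so it cannot confirm the fix), and lists automatic MSExchange* services that are not running. The $ExpectedBuild value is a placeholder; take the real post-update build for your version from Microsoft’s published Exchange build-number table.

```powershell
# Added example, not from the post or from Microsoft: post-install sanity
# checks for an Exchange server, prompted by the warning above that the
# security update can look installed while UAC stopped it from patching.
# $ExpectedBuild is a placeholder; use the real post-update build for your
# Exchange version from Microsoft's published build-number table.

function Test-IsElevated {
    # True when this PowerShell session runs with an admin token, i.e. the
    # context Microsoft recommends for a manual command-line install.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacEnabled {
    # EnableLUA = 1 means User Account Control is on, the case the post warns about.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA -eq 1
}

function Get-ExchangeFileBuild {
    # The installed build is the file version of ExSetup.exe in the Exchange
    # bin folder (Exchange setup puts that folder on the PATH).
    (Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo.FileVersion
}

function Get-StoppedExchangeServices {
    # Automatic Exchange services that are not running after the update are a
    # sign the update did not complete cleanly.
    Get-Service -Name 'MSExchange*' |
        Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } |
        Select-Object -ExpandProperty Name
}

function Invoke-ExchangePatchCheck {
    param([Parameter(Mandatory)][string]$ExpectedBuild)

    $actual = Get-ExchangeFileBuild
    [pscustomobject]@{
        Elevated        = Test-IsElevated
        UacEnabled      = Get-UacEnabled
        InstalledBuild  = $actual
        ExpectedBuild   = $ExpectedBuild
        BuildIsPatched  = [version]$actual -ge [version]$ExpectedBuild
        StoppedServices = @(Get-StoppedExchangeServices) -join ', '
    }
}

# Usage. '0.0.0.0' is a placeholder that every real build compares greater
# than; replace it with the build from Microsoft's table or BuildIsPatched
# is meaningless.
Invoke-ExchangePatchCheck -ExpectedBuild '0.0.0.0' | Format-List
```

Run it from the elevated Exchange Management Shell you used for the install: Elevated should be True, BuildIsPatched should be True against the real expected build, and StoppedServices should be empty. Any other combination means the update needs to be re-run from an elevated command prompt rather than trusted because the installer said it finished.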

UPDATE: Three new SolarWinds Malware strains found per The Hacker News

We knew there’d be more, lots more. On March 4 FireEye and Microsoft announced their finding of three more malware types in the massive supply chain attack: Goldmax or SUNSHUTTLE, GoldFinder (I am singing Goldfinger in my head with you now) and Sibot. Goldmax appears to be another sophisticated second stage backdoor to allow the attackers, now dubbed “Nobelium” by Microsoft, to cloak malicious traffic using regular network traffic while downloading more malware and uploading stolen goodies.

The sophistication and crafting of the malware speaks to the resources and focus of this attacker. State-sponsored adversaries are determined and equipped to bypass defenses and detections in place. What we have to work with is our awareness that these attacks happen, and that constant vigilance and monitoring are key components of ensuring we do defense in depth.

Closing note: Robocalls are more than a nuisance: they are a threat. Per ZDNet, the FTC and 38 states took down a massive operation that defrauded victims of $110 million. If you’d like to learn more, I talk about the exponential increases in size and abuse of trust, as well as how to deal with them, on CSuite with Claudette McGowan.

Daily Perk 3/4/2021

Hang in there. It’s Friday Jr!

Uh oh 😟 Working PoC exploit for SIGRed DNS server RCE vuln per Bleeping Computer

We pay attention to vulnerabilities that allow for RCE or remote code execution because it will end in tears and bad things. Last summer Microsoft reported on a doozy of a flaw, rated 10 out of 10 for severity because it is wormable 😬, living 17 years in its code and impacting all Windows Server versions from 2003 to 2019. This is the first published working exploit since Microsoft addressed SIGRed with patches and a registry workaround in July 2020. Are you patched?

Updates for MS Exchange: “Patch it! Patch it Now!” per ZDNet

CISA issued Emergency Directive 21-02 on Wednesday March 3, mandating that agencies do a thorough search for infiltration or compromise, patch immediately and disconnect from the network if they find anything. Exchange is embedded in IT infrastructure and essential to how work gets done in most enterprise, corporate and government workspaces. Security firm Eset is now saying several cyber espionage groups are exploiting CVE-2021-26855. Targets are not just in the US.

Et tu, Qualys? More fallout from the Accellion breach, adding Qualys per ZDNet

The Accellion secure file transfer app gets used in a LOT of places apparently. There have been well over 100 victims to date as Clop ransomware continues to post them on its name and shame site. Qualys is a trusted firm used for cloud security and compliance and now is the latest victim. 2021 has been a casebook study on third party risk and exposure with ongoing supply chain attacks and big names impacted. Time to move on from “trust but verify” to more actively “Verify then trust” with existing and new external relationships.

Daily Perk 3/2/2021

EMERGENCY PATCH UPDATE: MS EXCHANGE SERVERS UNDER ACTIVE EXPLOIT

Microsoft just issued 4 patches for security issues (see alert here) being actively exploited by a Chinese APT group, Hafnium. Exchange versions 2013-2019 are affected. The vulnerabilities are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. The description per Microsoft is:

These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.

Hafnium’s targets are US based, in various sectors which include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. They exploit vulnerabilities found in internet-facing servers and exfiltrate data to file sharing sites. They are stealthy and operate from virtual private servers leased in the US.

Hide in plain sight: Updated ObliqueRAT hides in images per ZDNet

ObliqueRAT has evolved from basic functionality to multiple infection vectors and capabilities. The new campaign targets victims in South Asia with tainted sites rather than sending emails which get nabbed. The attacks use steganography to hide malicious payload files within image files on the site. ObliqueRAT is linked to the Transparent Tribe APT and distributions of CrimsonRAT.

RATs are powerful, multi-function tools heavily used by attackers. It’s important to keep in mind that malware operators are constantly enhancing their tools, so what we have defences for won’t cover everything. Kinda like vaccines and variants. You can read the report by Cisco Talos here.

Breach Alert: Oxfam Australia is reporting information about supporters on one of its databases was “unlawfully accessed by an external party” in January 2021. The data of 1.8 million accounts was being sold on an underground site. Partial financial details were also exposed. Per Have I Been Pwned

Updates to Jailbreak tool “Unc0ver” for iPhones v 11 – 14.3 per The Hacker News

With the latest release of “unc0ver” 6.0, almost any iPhone can be unlocked; the tool uses one of those 0-days from January that was being exploited, CVE-2021-1782, a privilege escalation vulnerability.

Attackers are quick to act on vulnerabilities especially when they mean access into walled-gardens or secure enclaves like Apple’s operating system. While we know about the use of this vulnerability here, we don’t know the full extent of exploits or attackers as Apple has not shared that. Things that will go bump in the night …

Daily Perk 3/1/2021

Spring is coming.

Insider Threat: Chinese businessman steals transistor secrets from GE with insider help per The Register

A Chinese businessman based in Hong Kong was charged with conspiring to steal very valuable and sensitive information on transistor technology from GE to help set up a competing firm based in China. He had a little help from his friend or friends on the inside. Nothing confirmed as yet but potential investors were told that tech was worth $100 million. As we get better at securing endpoints and access points, expect adversaries to seek other ways in. Insider risk will always be a risk.

China is highly competitive and driven by their strategic “Made in China 2025” plan. As that deadline approaches expect to see a corresponding escalation in cyber espionage and recruitment of insiders to gain the advantage over Western rivals.

Gootloader malware: Abusing SEO and hacking CMS per Bleeping Computer

Gootloader malware has evolved to do more than deliver the Gootkit information stealer and REvil ransomware. It has created a considerable network of poisoned sites and is abusing SEO in Google to show fake forums, targeted to specific geographic regions only, with malicious links. The operators behind Gootloader have as many as 400 active servers running legit but hacked websites. Researchers describe a convoluted infection chain which takes time to unravel and works to the attackers’ advantage to deliver a range of malware. Sophos has a technical analysis of Gootloader here.