(This post is unfinished right now)
ArsTechnica: Tens of thousands of US organizations hit in ongoing Microsoft Exchange hack (3/6/21)
ArsTechnica: Microsoft issues emergency patches for 4 exploited 0-days in Exchange (3/2/21)
Why care about security? Many of us have been conditioned to have a blase approach to security - what could anyone want to find from my browsing activity anyways? Who cares if advertisers have my info - not like they're gonna hurt me. Often these concerns are argued with respect to the legislatively legitimized Constitutional violations under the PATRIOT act. These are certainly a concern in principle, and in practice for activists and organizers. While the typical citizen may not have to worry about government surveillance, an ecosystem of security and privacy would certainly provide better cover to such persons and groups.
However, this altruism is probably not enough to compel many to be concerned about security. This lack of security has real world consequences however - user data can be maliciously accessed, facilities can be disrupted, and sensitive data can be stolen by malicious actors (not just the government! :P). Digital security is not an alien, impossible event, it just requires a bad app on your phone, a bad extension on your browser, a slightly-out-of-date Windows OS (the obvious solution being: don't use Microsoft products as much as you can). We have seen breach after breach.
Ironically, the Constitutional violations of our government (and the subsequent whistle blowing) seem to have eroded general concern about security. As a result, we become increasingly vulnerable to rogue actors. For example, extensions/apps asking for permissions is something many of us don't think twice about, but can be part of a malicious attack on your security by rogue actors (ie here). This is to say, even if the Constitutional violations were not a problem, the cavalier approach many Americans (and maybe other people of the world) take to cyber security leaves them incredibly vulnerable to infilitration - with obvious potential consequences of stolen money, leaked sensitive data, stolen passwords, and so on. More subtly, this laziness may (besides the actual exploitable flaws) means a general poor sense of cyber-security, resulting in poor defenses at critical infrastructure by their operators (ie here).
Yet just in 2021 (and I guess December 2020) there have been a flurry of events which should make you start scratching your head. In December 2020, The SolarWind's Orion debacle occurred, in which vulnerabilities in the security system were used to take over systems from business to government. Then a water treatment facility near Tampa Florida got hacked (partly due to bad operational security), and nearly poisoned a city with lye - that computer was using Microsoft. Multiple zero-days have had to be patched by Microsoft this year, and with it the human risk that people don't keep their stuff up to date. Now there has been the enormous Microsoft Exchange attack, and just now Microsoft released a critical 0-day patch that targeted security researchers, targeted by none other than North Korea [x]. Clearly there is a problem.
The recent attack on Microsoft's Exchange, (aka Outlook Web Access (OWA)) has exposed a few issues with the corporate model of technology. Now there are real advantages to technologies like OWA. I don't know them all, but it would be bad faith to say there aren't reasons. One example is this very site - I use a remote server through the Vultr service (dodge that AWS B) ). I pay a fee per month to have a web server wherever it is, and I don't need to worry about giving it a stable internet connection, and I don't need to worry about buying a server. And if I wanted to, I could store information there if I wanted to, in case my local computer went down (that would be a pretty dumb way to use that particular server, especially as it's a web server imo, seems like a bad idea). Or if you have a big computational project, and you don't have a power computer, then you can basically rent a computer "on the cloud" to run whatever you need to (although if you plan to work with such a lot, it's actually more cost effective to buy your own - the payoff is pretty fast too). These are the benefits I'm aware of.
However, it isn't immediately clear to me that (A) we always need the cloud, and (B) we need to have centralized technologies that utilize the cloud to do all of this. See, you could just set up your own email server, or web server, or whatever - maybe it's on the cloud! Still, it's yours - when Microsoft Exchange goes down, you don't go down. And if you are a decent sized company, that might be worthwhile. Or really, anyone. You might say "ooo, but that's so difficult!" This technology is opium - stuff that a normal IT person should be able to handle is now taken off their shoulders. And here we are partly suffering for it (although the other part is this is not an open-source project, which I'll get to).
Like most things, a good principle to view online security is that "you're only as secure as your weakest link". And if your whole infrastructure is on the web, using technology from an infamously insecure company like Microsoft, then you have a whole bunch of weak links. Does this mean you have to abandon "the cloud"? Well, it wouldn't kill you. But at the same time, no. But we live in a uniquely insecure time. As I highlighted earlier, we have been lulled into not caring about security, relying on sluggish corporations to do the heavy lifting, and putting all of our infrastructure in one of the most vulnerable spaces there is - the web.
One solution is moving away from closed-source and corporate technology. Microsoft had months warning about these issues [a], and didn't address it in time - why continue to trust them, if you're a business, or government, or individual? I have little doubt an open-source project would have suffered this same issue. But even if they did, we have the issue of people not keeping their stuff up to date [b]. Why is this? Partly human laziness - this is something we just aren't gonna get around. Another part, I'd argue, is that by offloading the burden of responsibility onto a large outside actor, IT departments may have taken a more lax approach to security. Now I don't actually know about all the stuff Microsoft has going on, but a linux-based serve could be updated in-place - you don't have to reboot to update, it just happens in the background. This could be something useful for server administrators. This is a point of ignorance for me though.
One obvious way to deal with this problem is, recognizing that humans will always fail to update their servers properly, use more federated technology. This means decentralizing, so there is less vulnerability in the system, as well as de-clouding the system, to make it less exposed to the web. The cloud poses many risks, as a recent (3/10/21) breach of a Cloud-based camera service shows [y].
'The Florida water treatment facility whose computer system experienced a potentially hazardous computer breach last week used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees, government officials have reported.' [1][2]
ArsTechnica: Zero-days under active exploit are keeping Windows users busy
Android barcode scanner with 10 million+ downloads infects users
Chrome users have faced 3 security concerns over the past 24 hours
'The longer back story is that, as reported in a GitHub thread in November, the original extension developer sold it last June, and it began showing signs of malice under the new ownership. Specifically, the thread said, a new version contained malicious code that tracked users and manipulated Web requests.'
'In a post published Friday by security firm Tenable, however, researchers noted that the flaw was reported to Google on January 24, one day before Google’s threat analysis group dropped a bombshell report that hackers sponsored by a nation-state were using a malicious website to infect security researchers with malware. Microsoft issued its own report speculating that the attack was exploiting a Chrome zero-day.'
'Lastly, a security researcher reported on Thursday that hackers were using malware that abused the Chrome sync feature to bypass firewalls so the malware could connect to command and control servers. Sync allows users to share bookmarks, browser tabs, extensions, and passwords across different devices running Chrome.'
ArsTechnica: SolarWinds patches vulnerabilities that could allow full system control
'Martin Rakhmanov, a researcher with Trustwave SpiderLabs, said in a blog post on Wednesday that he began analyzing SolarWinds products shortly after FireEye and Microsoft reported that hackers had taken control of SolarWinds’ software development system and used it to distribute backdoored updates to Orion customers. It didn’t take long for him to find three vulnerabilities, two in Orion and a third in a product known as the Serv-U FTP for Windows. There's no evidence any of the vulnerabilities have been exploited in the wild.
'The most serious flaw allows unprivileged users to remotely execute code that takes complete control of the underlying operating system. Tracked as CVE-2021-25274 the vulnerability stems from Orion’s use of the Microsoft Message Queue, a tool that has existed for more than 20 years but is no longer installed by default on Windows machines.'
SpiderLabs Blog: Full System Control with New SolarWinds Orion-based and Serv-U FTP Vulnerabilities
ArsTechnica: Malicious Chrome and Edge add-ons had a novel way to hide on 3 million devices
'Researchers from Prague-based Avast said on Wednesday that the extension developers employed a novel way to hide malicious traffic sent between infected devices and the command and control servers they connected to. Specifically, the extensions funneled commands into the cache-control headers of traffic that was camouflaged to appear as data related to Google analytics, which websites use to measure visitor interactions.'
'Based on user reviews of some of the extensions, the CacheFlow campaign appears to have been active since October 2017. Avast said that the stealth measures it uncovered may explain why the campaign went undetected for so long.'
Google surveillance is a liability as it normalized surveillance, and provides an umbrella which breachers can attempt to hide under.
Backdoored Browser Extensions Hid Malicious Traffic in Analytics Requests
30% of "SolarWinds hack" victims didn't actually use SolarWinds
'Many of the attacks gained initial footholds by password spraying to compromise individual email accounts at targeted organizations. Once the attackers had that initial foothold, they used a variety of complex privilege escalation and authentication attacks to exploit flaws in Microsoft's cloud services. Another of the Advanced Persistent Threat (APT)'s targets, security firm CrowdStrike, said the attacker tried unsuccessfully to read its email by leveraging a compromised account of a Microsoft reseller the firm had worked with.'
'According to The Wall Street Journal, SolarWinds is now investigating the possibility that these Microsoft flaws were the APT's first vector into its own organization. In December, Microsoft said the APT in question had accessed its own corporate network and viewed internal source code—but that it found "no indications that our systems were used to attack others." At that time, Microsoft had identified more than 40 attacks on its customers, a number that has increased since.'
'Microsoft Corporate VP of Security, Compliance, and Identity Vasu Jakkal told ZDNet that the "SolarWinds" campaign isn't an isolated emergency so much as the new normal, saying, "These attacks are going to continue to get more sophisticated. So we should expect that. This is not the first and not the last. This is not an outlier. This is going to be the norm."'
Security firm Malwarebytes was infected by same hackers who hit SolarWinds
'“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor,” the notice stated. “We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.”'
'When the mass compromise came to light last month, Microsoft said the hackers also stole signing certificates that allowed them to impersonate any of a target’s existing users and accounts through the Security Assertion Markup Language. Typically abbreviated as SAML, the XML-based language provides a way for identity providers to exchange authentication and authorization data with service providers.'
'Twelve days ago, the Cybersecurity & Infrastructure Security Agency said that the attackers may have obtained initial access by using password guessing or password spraying or by exploiting administrative or service credentials.'
'Because the attackers used their access to the SolarWinds network to compromise the company’s software build system, Malwarebytes researchers investigated the possibility that they too were being used to infect their customers. So far, Malwarebytes said it has no evidence of such an infection. The company has also inspected its source code repositories for signs of malicious changes.'
'Malwarebytes said it first learned of the infection from Microsoft on December 15, two days after the SolarWinds hack was first disclosed. Microsoft identified the network compromise through suspicious activity from a third-party application in Malwarebytes’ Microsoft Office 365 tenant. The tactics, techniques, and procedures in the Malwarebytes attack were similar in key ways to the threat actor involved in the SolarWinds attacks.'
Hackers steal Mimecast certificate used to encrypt customers' M365 traffic
'In a post published on Tuesday, the company said that the certificate was used by about 10 percent of its customer base, which—according to the company—numbers about 36,100. The “sophisticated threat actor” then likely used the certificate to target “a low single digit number” of customers using the certificate to encrypt Microsoft 365 data. Mimecast said it learned of the compromise from Microsoft.'
'Certificate compromises allow hackers to read and modify encrypted data as it travels over the Internet. For that to happen, a hacker must first gain the ability to monitor the connection going into and out of a target’s network. Typically, certificate compromises require access to highly fortified storage devices that store private encryption keys. That access usually requires deep-level hacking or insider access.'
'he disclosure comes a month after the discovery of a major supply chain attack that infected roughly 18,000 customers of Austin, Texas-based SolarWinds with a backdoor that gave access to their networks. In some cases—including one involving the US Department of Justice—the hackers used the backdoor to take control of victims’ Office 365 systems and read email they stored. Microsoft, itself a victim in the hack, has played a key role in investigating it. The type of backdoor pushed to SolarWinds customers would also prove valuable in compromising a certificate.'
Mimecaster Creating an Office 365 Association for Server Conections
~18.000 organizations downloaded backdoor planted by Cozy Bear hackers (Published: 12/14/2020)
'FireEye went on to say that a digitally signed component of the Orion framework contained a backdoor that communicates with hacker-controlled servers. The backdoor, planted in the Windows dynamic link library file SolarWinds.Orion.Core.BusinessLayer.dll, was written to remain stealthy, both by remaining dormant for a couple weeks and then blending in with legitimate SolarWinds data traffic.'
FireEye researchers wrote: "The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration). After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications. The list of known malicious infrastructure is available on FireEye’s GitHub "
'Supply chain attacks are among the hardest to counter because they rely on software that's already trusted and widely distributed. SolarWinds' Monday-morning filing suggests that Cozy Bear hackers had the ability to infect the networks about 18,000 of the company’s customers. It’s not yet clear how many of those eligible users were actually hacked.'
North Korea hackers use social media to target security researchers
'After establishing communication with an actual researcher, the attackers would ask the target to work together on cyber vulnerability research and then share collaboration tools containing malicious code to install malware on the researcher’s systems.'
'In some cases, the attackers were able to create a backdoor to the victim’s computer even when their systems were running fully patched and up-to-date Windows 10 and Chrome browser versions, Google said.'
DDoSers are abusing Microsoft RDP to make attacks more powerful
DDoS-for-hire services are abusing the Microsoft Remote Desktop Protocol to increase the firepower of distributed denial-of-service attacks that paralyze websites and other online services, a security firm said this week.
'Typically abbreviated as RDP, Remote Desktop Protocol is the underpinning for a Microsoft Windows feature that allows one device to log into another device over the Internet. RDP is mostly used by businesses to save employees the cost or hassle of having to be physically present when accessing a computer.'
'As is typical with many authenticated systems, RDP responds to login requests with a much longer sequence of bits that establish a connection between the two parties. So-called booter/stresser services, which for a fee will bombard Internet addresses with enough data to take them offline, have recently embraced RDP as a means to amplify their attacks, security firm Netscout said.'
'The amplification allows attackers with only modest resources to strengthen the size of the data they direct at targets. The technique works by bouncing a relatively small amount of data at the amplifying service, which in turn reflects a much larger amount of data at the final target. With an amplification factor of 85.9 to 1, 10 gigabytes-per-second of requests directed at an RDP server will deliver roughly 860Gbps to the target.'
'DDoS amplification attacks work by using UDP network packets, which are easily spoofable on many networks. An attacker sends the vector a request and spoofs the headers to give the appearance the request came from the target. The amplification vector then sends the response to the target whose address appears in the spoofed packets.'
Home alarm tech backdoored security cameras to spy on customers having sex"
'The revelation of an electronic Peeping Tom is a good reminder of the risks that come from installing network connected cameras inside the home or other locations where there's a reasonable expectation of privacy. People who choose to accept these risks should take the time to educate themselves on how to use, configure, and maintain the devices. Among the first things to inspect are the list of users given access and who has actually logged into the system.'
Hackers alter stolen regulatory data to sow mistrust in COVID-19 vaccine
How law enforcement gets around your smartphone's encryption
'“It just really shocked me, because I came into this project thinking that these phones are really protecting user data well,” says Johns Hopkins cryptographer Matthew Green, who oversaw the research. “Now I’ve come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?”'
'The main difference between Complete Protection and AFU relates to how quick and easy it is for applications to access the keys to decrypt data. When data is in the Complete Protection state, the keys to decrypt it are stored deep within the operating system and encrypted themselves. But once you unlock your device the first time after reboot, lots of encryption keys start getting stored in quick access memory, even while the phone is locked. At this point an attacker could find and exploit certain types of security vulnerabilities in iOS to grab encryption keys that are accessible in memory and decrypt big chunks of data from the phone.'
'The researchers found that Android has a similar setup to iOS with one crucial difference. Android has a version of “Complete Protection” that applies before the first unlock. After that, the phone data is essentially in the AFU state. But where Apple provides the option for developers to keep some data under the more stringent Complete Protection locks all the time—something a banking app, say, might take them up on—Android doesn't have that mechanism after first unlocking. Forensic tools exploiting the right vulnerability can grab even more decryption keys, and ultimately access even more data, on an Android phone.'
'Tushar Jois, another Johns Hopkins PhD candidate who led the analysis of Android, notes that the Android situation is even more complex because of the many device makers and Android implementations in the ecosystem. There are more versions and configurations to defend, and across the board users are less likely to be getting the latest security patches than iOS users.'
WIRED: How Police Can Crack Locked Phones - and Extract Information A report finds 50,000 cases where law enforcement agencies turned to outside firsms to bypass the encryption on a mobile device
ArsTechnica: Microsoft is seeing a big spike in Web shell use
Rob Braxman Tech: Spyware-Free Phones in 2021: We're being Squeezed!
Rob Braxman Tech: Cool Android Hacks for Privacy! Kill Switch, Contact Tracing off, Non-Useful features and more