Microsoft Exchange Cyber Attack

Microsoft on Friday warned of active attacks exploiting unpatched Exchange Servers carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses and government entities in the U.S., Asia, and Europe.

The company said “it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM,” signaling an escalation: the breaches are no longer “limited and targeted,” as was previously deemed.

According to independent cybersecurity journalist Brian Krebs, at least 30,000 entities across the U.S. — mainly small businesses, towns, cities, and local governments — have been compromised by an “unusually aggressive” Chinese group that has set its sights on stealing emails from victim organizations by exploiting previously undisclosed flaws in Exchange Server.

Victims are also being reported from outside the U.S., with email systems belonging to businesses in Norway and the Czech Republic impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and “continuously notify these companies.”

The colossal scale of the ongoing offensive against Microsoft’s email servers also eclipses the SolarWinds hacking spree that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on the initial reconnaissance of the victim machines.

Unpatched Exchange Servers at Risk of Exploitation

Successful exploitation of the flaws allows adversaries to break into Microsoft Exchange Servers in target environments and subsequently install unauthorized web-based backdoors to facilitate long-term access. With multiple threat actors leveraging these zero-day vulnerabilities, the post-exploitation activities are expected to differ from one group to another based on their motives.

The four security issues in question were patched by Microsoft as part of an emergency out-of-band security update last Tuesday, while warning that “many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which released an emergency directive warning of “active exploitation” of the vulnerabilities, urged government agencies running vulnerable versions of Exchange Server to either update the software or disconnect the products from their networks.

“CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft’s IoC detection tool to help determine compromise,” the agency tweeted on March 6.

It’s worth noting that merely installing the patches issued by Microsoft would have no effect on servers that have already been backdoored. Organizations that have been breached, with the web shell and other post-exploitation tools deployed, remain at risk of future compromise until the artifacts are completely rooted out from their networks.

Multiple Clusters Spotted

FireEye’s Mandiant threat intelligence team said it “observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment” since the start of the year. Cybersecurity firm Volexity, one of the firms credited with discovering the flaws, said the intrusion campaigns appeared to have started around January 6, 2021.

Not much is known about the identities of the attackers, except that Microsoft has primarily attributed the exploits with high confidence to a group it calls Hafnium, a skilled government-backed group operating out of China. Mandiant is tracking the intrusion activity in three clusters, UNC2639, UNC2640, and UNC2643, adding it expects the number to increase as more attacks are detected.

In a statement to Reuters, a Chinese government spokesman denied the country was behind the intrusions.

“There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,” said Katie Nickels, director of threat intelligence at Red Canary, while noting the differences in the techniques and infrastructure from that of the Hafnium actor.

In one particular instance, the cybersecurity firm observed that some of the compromised Exchange servers had been loaded with crypto-mining software called DLTminer, malware documented by Carbon Black in 2019.

“One possibility is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities,” Nickels said. “Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulnerabilities.”

Microsoft Issues Mitigation Guidance

Microsoft has published new alternative mitigation guidance to help Microsoft Exchange customers who need more time to patch their deployments, in addition to pushing out a new update for the Microsoft Safety Scanner (MSERT) tool to detect web shells and releasing a script for checking HAFNIUM indicators of compromise.

“These vulnerabilities are significant and need to be taken seriously,” Mat Gangwer, senior director of managed threat response at Sophos said. “They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them.”

“The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk,” Gangwer added.

In this episode of the podcast (#206): with movement towards passage of a federal data privacy law stronger than ever, we invite two experts into the Security Ledger studio to talk about what that might mean for U.S. residents and businesses.


Data theft and misuse has been an acute problem in the United States for years. And, despite the passage of time, little progress has been made in addressing it. Just this week, for example, SITA, an IT provider for the world’s leading airlines said that a breach had exposed data on potentially millions of travelers – just the latest in a steady drumbeat of breach and hacking revelations affecting nearly every industry. 

In the E.U. the rash of massive data breaches from retail firms, data brokers and more led to the passage of GDPR – the world’s first, comprehensive data privacy regime. In the years since then, other nations have followed suit.

But in the U.S., despite the passage of a hodgepodge of state data privacy laws, no comprehensive federal law exists. That means there is still no clear federal framework covering critical issues such as data ownership, the disclosure of data breaches, private rights of action to sue negligent firms and so on.

Changes In D.C. Bring Data Privacy Into Focus

But that may be about to change. In a closely divided Washington, D.C., data privacy is the rare issue that has bipartisan support. And now, with Democrats in control of Congress and the White House, the push is on to pass pro-consumer privacy legislation into law.

We invited Rehan Jalil, the CEO of Securiti.ai, into the studio to dig deep on the security vs. privacy question. Securiti is a firm that sells privacy management and compliance services.

In this conversation, Rehan and I talk about the evolving thinking on data privacy and security and about the impact that the EU’s GDPR and state laws like CCPA are having on IT and on how businesses manage their data. Rehan and I also talk about whether technology might provide a way to bridge the gap between security and privacy: allowing companies to derive the value from data without exposing it to malicious or unscrupulous actors.


Mandiant researchers identify a range of victims affected in attacks targeting newly reported Microsoft Exchange Server vulnerabilities.

Attackers targeting four critical Microsoft Exchange Server zero-days patched this week hit a range of organizations across retail, government, and higher education, report the Mandiant researchers who today published their observations of the exploit activity.

Microsoft, which issued fixes for the vulnerabilities on March 2, says they have been used in “limited and targeted” attacks against law firms, infectious disease researchers, defense contractors, policy think tanks, and other victims. It attributes the exploits with high confidence to a group it calls Hafnium, which it believes is state-sponsored and operates out of China.

Mandiant began to see instances of abuse of Microsoft Exchange Server in at least one client environment starting in January, researchers write in their report. Their observations included creation of Web shells for persistent access, remote code execution, and reconnaissance for endpoint security tools. In response, they built threat-hunting campaigns to detect attacker activity on Exchange Server.

“While the use of web shells is common amongst threat actors, the parent processes, timing, and victim(s) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange,” they explain in the blog post.

Researchers are now tracking this activity in three clusters — UNC2639, UNC2640, and UNC2643 — and they predict the number of clusters will grow as they detect more attacks. So far, the team has detected a range of victims including US-based retailers, local governments, a university, and an engineering firm; the writeup notes potential victims may also include a Southeast Asian government and a Central Asian telecom company.

Businesses are urged to patch the vulnerabilities immediately.

Read Mandiant’s full blog post for more details on its observations.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance, explains the company’s approach to keeping its customers and the industry apprised and updated on its findings from the now-infamous attack.

In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat. That role has evolved as attacks grow more complex – and it presents a tricky challenge when a provider must keep businesses informed of an attack that has infiltrated its own walls and affected tens of thousands of its customers, as Microsoft experienced during the recent SolarWinds incident.

“A lot of the way it [the role] has changed is in the face of ever-increasing complexity and impact,” says Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance.

Microsoft faced this precise challenge a few months ago, following the major supply chain attack that initially targeted SolarWinds and distributed a backdoor Trojan to some 18,000 organizations via infected software updates. Microsoft was one of thousands affected by the tainted updates; using their access, the attackers were able to view some of its source code.

The company took steps to remediate the internal accounts that were used to view source code “in a number of code repositories.” While security experts pointed out that this access could make some steps easier for attackers, Microsoft maintained that there was no increase in risk. The company has since reported there is no evidence that attackers gained extensive access to services or user data. 

Many across the industry refer to this incident as “the SolarWinds attack”; however, it’s worth noting many victims didn’t use SolarWinds at all. The same nation-state behind the malicious SolarWinds Orion updates infiltrated other organizations through their Microsoft 365 and Azure accounts. Malwarebytes also was a victim of this attack vector; Microsoft had alerted the security company to suspicious activity. 

“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” officials said in a blog post on the attack.

It’s one of many attacks to take advantage of Microsoft applications: criminals have begun to target Microsoft 365 accounts as quickly as businesses adopt the platform. And as security pros point out, many of these tactics could be avoided by simply turning on features built into Office 365 Enterprise plans – the problem is, attackers seem to know the suite better than defenders do. Some are abusing features that IT admins don’t know exist.

As Microsoft investigated the extent of this attack on its own internal systems, researchers had the added responsibility of sharing intelligence that could be helpful to other organizations who may have also been infected. This took the form of more than a dozen blog posts in which internal Microsoft analysts published information about the SolarWinds attack as they learned it.

“We had a … pretty aggressive all-hands-on-deck approach of, ‘We’re going to take all the information that we get and make it digestible and publish it on our blog and share that,’” Lefferts says.

The company last week released a free tool businesses can use to check their software for signs of the SolarWinds attack – the same queries Microsoft used to discover the malware in its own code. Prior to that, it released information it discovered on how attackers activated a second stage payload. Its latest blog post, published this week, details three new types of malware being used in late-stage activity by the threat it now refers to as “Nobelium.”

Threat intelligence-sharing following an attack isn’t new for Microsoft or other large IT providers, but this attack marked “a difference in scale” for its response, Lefferts points out. The size and complexity of the SolarWinds incident meant analysts had to take a deep dive into threat data, learn what was happening, make it accessible, and share it with other organizations.

“The reason that SolarWinds might’ve felt a little different was because of the amount of information and the gravity and significance of it for the industry,” he explains, adding that “we went all the way from overview material to ‘here’s the query, go hunt for this in your environment,’ and [businesses] were really able to take advantage of that.” 

In addition to amplifying the amount of information Microsoft shared, this incident amplified businesses’ concerns and questions around security posture. Lefferts says he has had more conversations about identity, and security assertion markup language (SAML), in particular, after the attack. Many are also understandably worried about how to detect and respond to this type of attack; however, oftentimes they’re more worried about one than the other.

“Sometimes the way these events happen causes people to get excited about ‘I just need better detection after the fact,'” he explains, and they don’t think enough about preventing successful attacks in the first place. Some are preoccupied with detection but fail to think about response.

On a broader level, Lefferts says a component of enterprise education is building tools that can help information security teams do their jobs as security threats grow in size and complexity.

“There’s this scale problem that’s sort of endemic to technology – but thinking about security in particular, there’s this real need to make sure that we directly help people because it is hard to hire and train the expertise that they need,” he adds.

As an example, Lefferts describes Microsoft 365 Defender Threat Analytics, released this week in public preview. The tool is a set of reports meant to give security teams multiple perspectives on what’s going on in their environment, as well as steps they should take to address incidents that arise. 

“Security is the number one concern IT leaders and CIOs have when they move to the cloud,” says Sid Nag, vice president in Gartner’s Technology and Service Provider Group, referencing a Gartner study. Many organizations have “full faith” in their cloud providers to address security, putting pressure on providers like Microsoft to strengthen their focus on it.

The pressure increases as more organizations move toward multi-cloud environments, he continues. As more businesses use multiple clouds at the same time, it calls into question how their security model is transposed across different cloud estates. Nag says the onus is on cloud providers, not business customers, to determine the right approach and offer solutions that companies need.

“The reality is that cloud is … a journey for most organizations,” Nag explains. “There’s plenty of workloads and applications that are still sitting on prem that have not been moved to the cloud. As these workloads, especially the complex ones, move to the cloud, the challenges arise.” 

Cross-Industry Collaboration Can Drive Education

A key lesson learned in the aftermath of SolarWinds was the importance of the security industry working together to share information on threats in a broader effort to educate businesses and the public – a point Microsoft president Brad Smith emphasized in his written testimony for last week’s Senate hearing on the SolarWinds incident.

“Today, too many cyberattack victims keep information to themselves,” Smith wrote. “We will not solve this problem through silence. It’s imperative for the nation that we encourage and sometimes even require better information-sharing about cyberattacks.”

Smith pointed out that organizations know of this attack because FireEye, which first detected the activity, was open about what it found in its systems. Without this level of transparency, he said, “we would likely still be unaware of this campaign.” In his testimony, Smith called for a national strategy to improve how threat intelligence is shared across the security community, as well as the need for clear disclosure requirements in the private sector.

“There’s some places I do feel that it’s important for the security industry to take a step back and think about how this [attack] impacts the work that we do,” Lefferts says. “Most of the conclusions we have drawn have been to accelerate things that we were already working on.”

One of these projects was the implementation of zero trust, especially in a work-from-home environment, as well as new technologies like extended detection and response (XDR), which provides businesses with visibility across their endpoints, network, and cloud environments, he adds.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database

CVE-2021-26814
PUBLISHED: 2021-03-06

Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc…

CVE-2021-27581
PUBLISHED: 2021-03-05

The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.

CVE-2021-28042
PUBLISHED: 2021-03-05

Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.

CVE-2021-28041
PUBLISHED: 2021-03-05

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.

CVE-2021-3377
PUBLISHED: 2021-03-05

The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.

Patch management and testing are different, exactly the same, and completely out of hand. Here are tips from the experts on how to wrangle patches in a time of malicious software updates.

(image by Barbara Helgason, via Adobe Stock)

“If you didn’t already know that patching introduces risk, well…now you know,” says Brad Causey, CEO of security consulting and penetration testing firm Zero Day Consulting.

Causey is referring of course to the recent attack on SolarWinds that shook the industry. Software updates for SolarWinds’ Orion network management software were used to distribute the Sunburst/Solarigate backdoor Trojan to some 18,000 organizations worldwide. (Note: SolarWinds is, itself, also a provider of third-party patch management services. However, those services do not appear to have been affected by the recent attacks.) 

“We’re introducing risk by trying to reduce risk,” Causey says.

This isn’t a new thing though, he says, and testing patches before deployment is standard best practice. Yet, patch testing is generally done to avoid operational snafus, not security threats. It’s meant to spot a code library change that prevents three other applications from running; not to spot a backdoor Trojan.  

With the Sunburst/Solarigate attacks fresh in mind, though, is it time to revamp patch testing procedures? How can enterprise infosec teams tackle patch management securely? Here’s advice from security experts on what to do now.

Be Realistic.

Causey and others say that a supply chain attack on the scale and sophistication of SolarWinds is harrowing, but it doesn’t mean that enterprises need to completely reinvent patch management. Rather, IT teams just need to do some of the best practices they should have been doing all along. After all, the National Institute of Standards and Technology (NIST) lays out highly detailed guidelines on patch management in SP 800-40.

The trouble is, SP 800-40 was last updated eight years ago, and by NIST’s own reckoning, the number of vulnerabilities per year has tripled since then.

“We patch all the time. We’re always patching,” says John Pironti, president of cybersecurity and risk consultancy IP Architects LLC.

Security hygiene, including patching, is an essential part of defense, says Pironti. Nevertheless, he says, “We’re fooling ourselves if we think we can defend ourselves against a nation-state attack [like the SolarWinds incident] while continuing to release code at the speed we do.”

Curtis Franklin, senior analyst of enterprise security management at Omdia, says companies must have patch management technology to help automate the process now, “because it’s gotten really beyond human-scale at this point.” 

Keep Trusting Patches. But… 

Despite the recent high-profile example of a malicious software update, Pironti says companies should not shy away from deploying updates.

“I think we would be doing ourselves a disservice if we started distrusting patches,” he says. “I’d rather trust my vendors than question them when there’s an exploit in the wild.”

He does, however, say it’s fair to ask for better security hygiene in the software development lifecycle. 

…Ask Software to Be More Trustworthy

“We’ve been trained as a society to accept flawed code,” says Pironti. While regulations mandate that some industries’ products meet certain safety and quality standards, enterprise software is largely unregulated. Pironti thinks that at some point this may change. “You can’t let [software companies] be the barometers of what’s acceptable and unacceptable risk,” he says.

In the meantime, he suggests companies ask software vendors and service providers one question before any purchase: What are you doing to ensure the integrity of your third-party code?

Create a Testing Environment That’s a Reasonable Representation of Reality.

In an ideal world, your testing environment would be a perfect mirror image of your production environment. It would represent every device, running every version of every operating system version, and every application, in every complex configuration that might be running in your environment at the time.

“And you’d have to invest in all that equipment nobody’s using, and pay someone to maintain it, right?” points out Causey.

More realistic and affordable, though, he says, is to create a testing environment that accurately represents the systems that are the most critical — those that are used by the widest number of users, or most critical to daily operations, or that touch the most sensitive data.  

Omdia’s Franklin says that many companies succeed in creating a test environment that represents the lion’s share of their endpoints. “The trouble is with their edge cases,” he says.

Those edge cases might not be a problem. Until they are.

Franklin lays out an example:

It might be the system that prints out the bills of lading for the trucks leaving your manufacturing facility. And it runs a dot-matrix printer that has been cranking along since 1997. And Charlie at the freight yard knows how to hit the buttons on his Windows 98 computer to make it print all these bills of lading to keep things flowing out. And you’ve decided that it’s simply impossible to retrain Charlie down in shipping. So you’re not going to. 

And it was fine when Charlie was getting hand-written notes and typing them in. But sometime a few years ago your SAP rep said ‘ya know we can put a connector that goes from SAP to Charlie’s desktop.’ So now Charlie’s Windows 98 desktop has a link back — probably through the Internet — to your SAP instance.

Now, all of a sudden, Charlie’s Windows 98 machine is a vulnerability. … My guess is you don’t have a Windows 98 machine in your [testing] lab. So even if [Microsoft] released an out-of-band patch for Windows 98, you couldn’t test it.

You’re going to have some cases like that. And they get far more numerous and bizarre in healthcare.

Franklin says most companies widely use sandboxing. “But if they’re honest with themselves, they know that they can’t sandbox everything. If they’re doing it right, though, they know what they can’t sandbox.”

Use the Right Tool for the Job.

Identifying those fringe cases requires help. There are many types of technologies that will allow enterprises to locate and organize those IT assets and a wide variety of tools that help make patch management smoother. For example:

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

On International Women’s Day 2021, gender diversity has improved in cybersecurity, but there is still a long way to go.

Some time ago, Dawn-Marie Hutchinson introduced the “Rule of Steve” to draw attention to the lack of diversity in cybersecurity. It goes like this: In a room (virtual or physical) full of cybersecurity professionals, there are usually more people named Steve than there are women.

Albeit tongue-in-cheek, it is a good indicator of how far the cybersecurity industry still has to go in terms of gender diversity. The situation has improved over recent years, but as we get to International Women’s Day 2021, it is nowhere near parity. Everyone has a role to play in striving for parity this decade.

2020 Provided Opportunity to Change, but There Is Still a Long Way to Go

The (ISC)² Cybersecurity Workforce Study 2020 noted that the security workforce gap closed last year, and by a considerable margin: down from 4 million people to 3.1 million. This is little surprise in a global environment suffering from uncertainty and cost pressures. However, there is still a significant shortfall, and to build the cybersecurity workforce we need to encourage diversity.

To put it bluntly, we need more women, more ethnic diversity, and more neurodiversity. We need more men. We need more people from a whole range of “groups” who have the right aptitude and attitude to work in information and cybersecurity, regardless of location.

Does everyone who works in the industry need to be in an office? Most definitely, “no.” The business challenges of COVID-19 brought about an opportunity for change and to encourage diversity by recruiting individuals away from traditional urban hubs. Remote working significantly expands the pool of candidates, which in turn brings access to a better and more diverse range of individuals.

A disparate and global workforce thinks more broadly, has different ideas, and can drive faster business outcomes than centrally located groups. For those naysayers who didn’t believe it was possible to work remotely in cybersecurity, the COVID-19 crisis proved otherwise and has given organizations a new opportunity to break the Rule of Steve.

There are a range of statistics available for the number of women working in cybersecurity roles. The same (ISC)² study suggests around 28% of workers are female, but this is everyone with 25% or more of their role in cybersecurity. Other studies report percentages of females in the cybersecurity workforce at 21%, 20%, 14%, 11%. Omdia estimates the percentage to be around one-fifth, or 20%. Study after study shows that diverse teams — board level and others — deliver better results, but the Rule of Steve persists.

International Women’s Day Is Not the Only Time We Should Focus on Improving Diversity in the Cybersecurity Workforce

As the mother of two daughters, I see every day as an opportunity to further the cause of women in the workforce. My children are not yet fully in the workforce, but when they do join, irrespective of their choice of profession, they will not regard their gender as any kind of impediment to what they want to achieve.

Everyone working in the cybersecurity industry today has a role to play. Many organizations recognize the lack of diversity in their workforce and have programs in place to improve the situation, but these programs take time to manifest. Every individual’s day-to-day attitude is an important component. We must challenge casual sexism in the workplace: letting it go unchallenged means it is acceptable. We must encourage diversity in job applications: gender language de-coders for job advertisements are free and can significantly improve diversity in applications. We must highlight diverse role models for others to aspire to — not only leaders but also experts in their field. We must constantly challenge ourselves with our own subconscious biases: Have we really addressed our own preconceptions?

There is much to do to break the “Rule of Steve” in cybersecurity, and if everyone plays their part, then we have a chance of achieving parity this decade. International Women’s Day presents an opportunity for headlining the discussion, but the actions should take place 365 days a year.

Maxine leads Omdia’s cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong …

Cybersecurity researchers on Thursday disclosed two distinct design and implementation flaws in Apple’s crowdsourced Bluetooth location tracking system that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, thereby deanonymizing users.

The findings are a consequence of an exhaustive review undertaken by the Open Wireless Link (OWL) project, a team of researchers from the Secure Mobile Networking Lab at the Technical University of Darmstadt, Germany, who have historically taken apart Apple’s wireless ecosystem with the goal of identifying security and privacy issues.

In response to the disclosures on July 2, 2020, Apple is said to have partially addressed the issues, stated the researchers, who used their own data for the study citing privacy implications of the analysis.

How Does Find My Work?

Apple devices come with a feature called Find My that makes it easy for users to locate other Apple devices, including iPhone, iPad, iPod touch, Apple Watch, Mac, or AirPods. With the upcoming iOS 14.5, the company is expected to add support for Bluetooth tracking devices — called AirTags — that can be attached to items like keys and wallets, which in turn can be used for tracking purposes right from within the Find My app.

What’s more interesting is the technology that undergirds Find My. Called offline finding and introduced in 2019, the location tracking feature broadcasts Bluetooth Low Energy (BLE) signals from Apple devices, allowing other Apple devices in close proximity to relay their location to Apple’s servers.

Put differently, offline finding turns every mobile device into a broadcast beacon designed explicitly to shadow its movements by leveraging a crowdsourced location tracking mechanism that’s both end-to-end encrypted and anonymous, so much so that no third party, including Apple, can decrypt those locations and build a history of every user’s whereabouts.

This is achieved via a rotating key scheme, specifically a pair of public-private keys that are generated by each device, which emits the Bluetooth signals by encoding the public key along with it. This key information is subsequently synchronized via iCloud with all other Apple devices linked to the same user (i.e., Apple ID).

A nearby iPhone or iPad (with no connection to the original offline device) that picks up this message checks its own location, then encrypts the information using the aforementioned public key before sending it to the cloud along with a hash of the public key.

In the final step, Apple sends this encrypted location of the lost device to a second Apple device signed in with the same Apple ID, from where the owner can use the Find My app to decrypt the reports using the corresponding private key and retrieve the last known location, with the companion device uploading the same hash of the public key to find a match in Apple’s servers.
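The three steps above (advertise a public key, encrypt the finder's location to it, look the report up by the key's hash) can be traced in a short model. This is an added sketch, not Apple's or OWL's code: the toy Diffie-Hellman group, the SHAKE/HMAC construction, the independently generated rolling keys, and all function names are assumptions standing in for details the article does not give.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group (assumption): stands in for the device's real key type.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def key_id(pub):
    # Hash of the public key: the only index the server stores reports under.
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()

def _keys(shared, n):
    # Derive a 32-byte MAC key plus an n-byte keystream from the shared secret.
    out = hashlib.shake_256(shared.to_bytes(32, "big")).digest(32 + n)
    return out[:32], out[32:]

def finder_report(advertised_pub, location):
    # Finder: encrypt its own location to the advertised public key.
    eph_priv, eph_pub = keypair()
    mac_key, stream = _keys(pow(advertised_pub, eph_priv, P), len(location))
    ct = bytes(a ^ b for a, b in zip(location, stream))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return {"key_id": key_id(advertised_pub), "eph_pub": eph_pub, "ct": ct, "tag": tag}

def owner_decrypt(priv, report):
    # Owner: recompute the shared secret with the private key, verify, decrypt.
    mac_key, stream = _keys(pow(report["eph_pub"], priv, P), len(report["ct"]))
    expected = hmac.new(mac_key, report["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, report["tag"]):
        raise ValueError("report was not encrypted to this key")
    return bytes(a ^ b for a, b in zip(report["ct"], stream))

def demo():
    rolling = [keypair() for _ in range(3)]      # lost device's rotating key pairs
    server = {}                                  # key_id -> encrypted reports
    location = b"lat=49.8770,lon=8.6540"         # constructed sample value
    _, advertised = rolling[1]                   # key in use when the finder passes by
    report = finder_report(advertised, location)
    server.setdefault(report["key_id"], []).append(report)
    # Companion device holds the synced key pairs and asks for each key's hash.
    found = [owner_decrypt(priv, r)
             for priv, pub in rolling for r in server.get(key_id(pub), [])]
    return found, server

if __name__ == "__main__":
    print(demo()[0])
```

The server in this model holds only the key hash, an ephemeral public value, ciphertext and a tag, so reading a location requires one of the synced private keys.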

Issues with Correlation and Tracking

Since the approach follows a public key encryption (PKE) setup, even Apple cannot decrypt the location as it’s not in possession of the private key. While the company has not explicitly revealed how often the key rotates, the rolling key pair architecture makes it difficult for malicious parties to exploit the Bluetooth beacons to track users’ movements.

But OWL researchers said the design allows Apple — by virtue of being the service provider — to correlate different owners’ locations if their locations are reported by the same finder devices, effectively allowing Apple to construct what they call a social graph.

“Law enforcement agencies could exploit this issue to deanonymize participants of (political) demonstrations even when participants put their phones in flight mode,” the researchers said, adding “malicious macOS applications can retrieve and decrypt the [offline finding] location reports of the last seven days for all its users and for all of their devices as cached rolling advertisement keys are stored on the file system in cleartext.”

In other words, the macOS Catalina vulnerability (CVE-2020-9986) could allow an attacker to access the decryption keys, using them to download and decrypt location reports submitted by the Find My network, and ultimately locate and identify their victims with high accuracy. The weakness was patched by Apple in November 2020 (version macOS 10.15.7) with “improved access restrictions.”

A second outcome of the investigation is an app that’s designed to let any user create an “AirTag.” Called OpenHaystack, the framework allows for tracking personal Bluetooth devices via Apple’s massive Find My network, enabling users to create their own tracking tags that can be appended to physical objects or integrated into other Bluetooth-capable devices.

This is not the first time researchers from Open Wireless Link (OWL) have uncovered flaws in Apple’s closed-source protocols by means of reverse engineering.

In May 2019, the researchers disclosed vulnerabilities in Apple’s Wireless Direct Link (AWDL) proprietary mesh networking protocol that permitted attackers to track users, crash devices, and even intercept files transferred between devices via man-in-the-middle (MitM) attacks.

This was later adapted by Google Project Zero researcher Ian Beer to uncover a critical “wormable” iOS bug last year that could have made it possible for a remote adversary to gain complete control of any Apple device in the vicinity over Wi-Fi.

If you haven’t already, it’s time to build trust relationships with your financial institutions, using strong security, privacy protections and secure, unique user credentials.

When Congress passed a $900 billion economic relief package in December 2020, it wasn’t just unemployed Americans and those with low to moderate incomes who were happy: Scammers rejoiced as well. Just like back in May 2020, these vultures see a river of money flowing from the federal government to regular Americans and they are eager to grab some of it for themselves.

And the economic relief and associated scamming aren’t over yet: President Biden’s relief plan promises more stimulus soon, and California just passed its own relief package, with $600 for low-income residents. Luckily, there are some ways to ensure that the government money goes into the right hands. 

If scams related to stimulus checks and unemployment payments give you a strong sense of déjà vu, you’re not alone. After all, we’ve been here before, back in May when the first coronavirus relief package was passed and there was massive fraud aimed at state government agencies charged with distributing the unemployment relief. In fact, the Office of the Inspector General of the Department of Labor estimated that fraud claimed $36 billion of the $360 billion available in the CARES Act. 

I had a pretty strong sense of déjà vu myself, since I was the victim of such a scam in my home state of Washington. But on Jan. 11 — some seven months after I filed my initial fraud report — I got an official verification that my Social Security number was mine (really!) and is now officially connected to my account at the Employment Security Department. Now that I have established claim to my ESD account, nobody can present a fraud claim on my behalf.

That doesn’t mean there aren’t other ways for criminals to profit off my data, because in late January, the Washington State Auditor revealed that the personal data of 1.4 million state residents may have been stolen in a hack of third-party software provider Accellion. I’ll add this to the long list of data breaches my data has been involved in!

This Problem Is Mostly Solved by Trust
But I don’t despair all that much about this stuff, because there are things you and I can do to keep ourselves safe. Claiming your account — whether it’s at your state employment services agency or with the IRS or with any other entity that you do business with, really — allows you to establish a channel for trusted interactions. For example, because I have a trust relationship with the Department of the Treasury, any government stimulus check or tax refund can be deposited directly in my bank account — and I don’t have to risk a check being lost or stolen, or receiving one of the new, more secure debit cards that are also used to make payments to people who don’t have direct deposit. These trust relationships are built off strong security and privacy protections on the part of the agency and the use of secure, unique credentials on the part of the user, but they work far better than the other means. Of course, they still need to protect the data I trust them with.

For people who are receiving the stimulus payment via debit card, the US Treasury is doing its best to ensure that the process of getting paid is clear and secure, including showing recipients exactly what they should look for in the mail and what the cards look like.

For all this effort, it’s easy to imagine that a scammer could emulate this mailing and ask a user to phone into a call center and provide some essential information — perhaps even a bank account — and run a scam that way. Both Forbes and CNBC have provided good guides for using these cards safely and without fees. 

Whether you’re waiting for this stimulus check or the next, bigger one promised by the Biden administration, or seeking to avoid any entanglement in an unemployment scheme, there are some tried and true methods for ensuring that your interactions with government agencies of all sorts are handled securely and privately.

Protect Your Credentials
Protecting credentials — usernames and especially passwords — is one of the best and most basic things you can do to stay safe from hackers. Using unique passwords everywhere is easy when you use a password manager, and adding multifactor authentication adds another level of protection. 

Own Your Accounts
Establishing a secure account with state and federal agencies is the best way to take advantage of the security protections they provide, and this protection generally outweighs whatever risk you have of this agency being breached, though that risk does exist. I’d suggest that people establish an account with their state employment agency (or broader state government) now, and also verify that you have accounts at the major federal agencies you deal with — which will likely include the Social Security Administration and the IRS at a minimum.

While I understand that some people may not believe that they can enter into a trust relationship with the government, I’d suggest that it’s better that you control the terms of that relationship than to allow that relationship to be established by someone else. 

Take Quick Action
The moment you suspect fraud, act as quickly as you can to report it.

Many major government agencies and financial institutions have dedicated fraud hotlines or online services, and they may also suggest that you make a report to your local law enforcement agency. If you take quick action, you might be able to avoid the nightmare of full-blown identity theft.

Protect Your Credit
Freezing your credit at all three credit agencies is a simple (and free) act that can prevent anyone with access to your personal information from opening up an account in your name. You’ll need to learn a few tricks to unfreeze your account when needed, but it’s well worth your time.

Apply Healthy Skepticism
Even if you do all of the above, you can still fall prey to a scam if you allow people to convince you to give away information or credentials you shouldn’t. That’s why you’ve got to be skeptical of any phone calls, emails, or letters that ask you to divulge financial information or passwords. Your healthy skepticism is your best defense.

Tom Pendergast is MediaPRO’s Chief Learning Officer. He believes that every person cares about protecting data, they just don’t know it yet. That’s why he’s constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it’s …