Cyber security news March 2021

This posting is here to collect cyber security news in March 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

342 Comments

  1. Tomi Engdahl says:

    Vittoria Elliott / Rest of World:
    Experts say Russia accidentally blocked domains with the characters “t.co”, like Microsoft.com, as well as some government websites, while slowing down Twitter — Reminder: Internet censorship can have unintended consequences. — Russian internet users began noticing something strange …
    How the Russian government accidentally blocked its own websites
    Reminder: Internet censorship can have unintended consequences.
    https://restofworld.org/2021/how-the-russian-government-accidentally-blocked-access-to-its-own-websites/

    Russian internet users began noticing something strange on Wednesday: a number of websites, including the Kremlin’s own Kremlin.ru, were down. Just hours earlier, Roskomnadzor, the Russian government body overseeing communications and technology, announced that it was purposely slowing down access to Twitter, claiming the company had allowed over 3,000 posts featuring suicide, child exploitation, and drug use to remain up in violation of Russian law.

    But the outage that followed affected far more than just the social media site, including domains like Reddit.com and Microsoft.com. The Russian government appears to have bungled its latest attempt at internet censorship, accidentally blocking its own websites in the process. And this isn’t even the first time it’s made a similar mistake in the last few years.

    “With the aim of protecting Russian citizens and forcing the internet service to follow the law on the territory of the Russian Federation, centralized responses have been taken against Twitter starting March 10, 2021 — specifically, the initial throttling of the service’s speeds, in accordance with the regulations,” Roskomnadzor said in a statement.

    Reply
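The failure mode described in this article (a filter for the string "t.co" also catching Microsoft.com and Reddit.com) is what you get when a blocklist is applied as a plain substring match instead of a match on whole domain labels. The following added example is not from the article or from any of the parties it describes; it assumes the throttling rule was a case-insensitive substring test, which is the experts' explanation quoted above, and compares it with a label-aware test over a constructed list of hostnames.

```python
# Added example: substring blocklist vs. label-aware domain blocklist.
# Assumption (from the article's explanation, not from any real filter
# configuration): the rule matched the characters "t.co" anywhere in the name.

BLOCKLIST = ["t.co"]

# Constructed sample hostnames for the demonstration.
SAMPLE_HOSTS = ["t.co", "www.t.co", "microsoft.com", "reddit.com",
                "kremlin.ru", "t.co.example.org", "example.org"]


def _normalize(hostname):
    """Lower-case and drop a trailing dot so 'T.CO.' and 't.co' compare equal."""
    return hostname.strip().lower().rstrip(".")


def naive_substring_block(hostname, blocked):
    """The buggy rule: block if any blocklist entry appears anywhere in the name."""
    host = _normalize(hostname)
    return any(_normalize(b) in host for b in blocked)


def domain_labels_block(hostname, blocked):
    """The correct rule: block only the listed domain itself and its subdomains,
    comparing whole dot-separated labels from the right-hand end."""
    labels = _normalize(hostname).split(".")
    for b in blocked:
        blocked_labels = _normalize(b).split(".")
        n = len(blocked_labels)
        if n <= len(labels) and labels[-n:] == blocked_labels:
            return True
    return False


def compare(hosts=SAMPLE_HOSTS, blocked=BLOCKLIST):
    """Map each host to (naive_result, label_aware_result)."""
    return {h: (naive_substring_block(h, blocked),
                domain_labels_block(h, blocked)) for h in hosts}


def collateral(hosts=SAMPLE_HOSTS, blocked=BLOCKLIST):
    """Hosts the naive rule blocks that the label-aware rule leaves alone:
    the collateral damage of the substring match."""
    return [h for h in hosts
            if naive_substring_block(h, blocked)
            and not domain_labels_block(h, blocked)]


if __name__ == "__main__":
    for host, (naive, exact) in compare().items():
        print(f"{host:20} substring={naive!s:5} labels={exact!s:5}")
    print("collateral:", collateral())
```

The label-aware rule still blocks t.co and its subdomains, but treats the "t.co" inside microsoft.com or reddit.com, and a lookalike such as t.co.example.org, as unrelated names.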
  2. Tomi Engdahl says:

    Millions of websites offline after fire at French cloud services firm
    https://www.reuters.com/article/us-france-ovh-fire-idUSKBN2B20NU

    A fire at a French cloud services firm has disrupted millions of websites, knocking out government agencies’ portals, banks, shops, news websites and taking out a chunk of the .FR web space, according to internet monitors.

    Europe’s large web hosting provider knocked offline following fire
    By Mayank Sharma 10 March 2021
    Several websites and online services have been knocked offline following OVH issue
    https://www.techradar.com/news/europes-large-web-hosting-provider-knocked-offline-following-fire

    Reply
  3. Tomi Engdahl says:

    3.6 million websites taken offline after fire at OVH datacenters
    10th March, 2021
    https://news.netcraft.com/archives/2021/03/10/ovh-fire.html

    Around 3.6 million websites across 464,000 distinct domains were taken offline after the major fire at an OVHcloud datacenter site in Strasbourg overnight.

    More than 18% of the IP addresses attributed to OVH in Netcraft’s most recent Web Server Survey

    Reply
  4. Tomi Engdahl says:

    Talk about a Blue Monday: OVH outlines recovery plan as French data centres smoulder
    Servers affected include those used by ESA, Villarreal football club, and some misused by malware miscreants
    https://www.theregister.com/2021/03/10/ovh/

    Customers of European cloud hosting provider OVH have been told it plans to restart three data centres on its French campus in Strasbourg next week, following a massive fire on site this morning that destroyed one bit barn.

    The SBG1 and SBG4 data centres are scheduled to reopen by Monday 15 March and the SBG3 DC by Friday next week. SBG2 was wiped out by the blaze but fortunately no one was hurt in the incident.

    The fire caused serious disruption across European websites, with, according to Netcraft, “3.6 million websites across 464,000 distinct domains… taken offline.”

    Reply
  5. Tomi Engdahl says:

    Giant Datacenter Fire Takes Down Government Hacking Infrastructure
    A fire at a European datacenter has had some impact on the infrastructure used by several government and criminal hacking groups, according to Kaspersky Lab.
    https://www.vice.com/en/article/3an9wb/ovh-datacenter-fire-takes-down-government-hacking-infrastructure

    On Wednesday, a massive fire destroyed a datacenter and caused damage in other server buildings owned by OVHCloud, the largest European cloud service provider. The blaze has impacted several of the company’s customers—including hackers.

    According to Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, there are 140 OVH servers used by government hackers and sophisticated criminal groups that he and his colleagues track. Of those, 36% are now down, he said in a post on Twitter.

    Reply
  6. Tomi Engdahl says:

    OVHcloud data centers engulfed in flames
    Updated: Customers are being urged to launch their own disaster recovery plans.
    https://www.zdnet.com/article/ovhcloud-data-centers-engulfed-in-flames/

    Reply
  7. Tomi Engdahl says:

    Microsoft’s GitHub under fire after disappearing proof-of-concept exploit for critical Microsoft Exchange vuln
    Funny how code that targets Redmond vanishes while tons of others menacing other vendors remain
    https://www.theregister.com/AMP/2021/03/12/github_disappears_exploit/?__twitter_impression=true

    On Wednesday, shortly after security researcher Nguyen Jang posted a proof-of-concept exploit on GitHub that abuses a Microsoft Exchange vulnerability revealed earlier this month, GitHub, which is owned by Microsoft, removed code, to the alarm of security researchers.

    The PoC code, something short of an actual functioning exploit, consisted of a 169-line Python file. It took advantage of CVE-2021-26855, a Microsoft Exchange Server flaw that allows an attacker to bypass authentication and act with administrative privileges.

    The bug, referred to as ProxyLogon, was one of four Microsoft Exchange zero-days that Microsoft patched in an out-of-band release on March 3, 2021. It’s part of the “Hafnium” attack that prompted a US government warning last week.

    Jang posted a write-up of his work, in Vietnamese, with a link to the code on GitHub. And a few hours later, the link to the code on GitHub no longer functioned.

    Er, double standards anyone?
    While the PoC code remains accessible in code repos hosted elsewhere, such as competitor GitLab, security researchers have been quick to condemn GitHub for its inconsistent standards and Microsoft for supposed self-interested meddling.

    Other PoC code for the same CVE was still available on GitHub at the time this article was filed.

    “This is huge, removing a security researchers’ code from GitHub against their own product and which has already been patched,” decried Dave Kennedy, founder of TrustedSec, via Twitter.

    PoC is not fully functional and doesn’t include remote code execution capabilities.

    GitHub’s stated policy disallows any repositories that contain or install “any active malware or exploits.”

    Reply
  8. Tomi Engdahl says:

    When stolen materials are published online
    https://www.kaspersky.com/blog/accellion-fta-data-leaks/38980/
    Hackers trying to inflict maximum reputation damage are sending out links to the data they stole through Accellion FTA vulnerabilities.
    Late last year, information surfaced online about attacks on companies using the outdated Accellion File Transfer Appliance (FTA). Some cybercriminals used Accellion FTA vulnerabilities to snatch confidential data, using the threat of publication to extort ransom from the victims. We are not pleased to report that they were true to their word.

    Reply
  9. Tomi Engdahl says:

    Molson Coors brewing operations disrupted by cyberattack
    https://www.bleepingcomputer.com/news/security/molson-coors-brewing-operations-disrupted-by-cyberattack/
    The Molson Coors Beverage Company has suffered a cyberattack that is causing significant disruption to business operations. Molson Coors is well-known for its iconic beer brands, including Coors Light, Miller Lite, Molson Canadian, Blue Moon, Peroni, Killian’s, and Foster’s. In a Form 8-K filed with the SEC today, Molson Coors disclosed that they suffered a cyberattack on March 11th, causing significant disruption to their operations, including the production and shipment of beer.

    Reply
  10. Tomi Engdahl says:

    ProxyLogon PoC Exploit Released; Likely to Fuel More Disruptive Cyber Attacks
    https://thehackernews.com/2021/03/proxylogon-exchange-poc-exploit.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on Wednesday issued a joint advisory warning of active exploitation of vulnerabilities in Microsoft Exchange on-premises products by nation-state actors and cybercriminals. “CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack,” the agencies said. “Adversaries may also sell access to compromised networks on the dark web.”

    Reply
  11. Tomi Engdahl says:

    Norway’s parliament hit by new hack attack
    https://www.reuters.com/article/us-norway-cyber/norway-parliament-sustains-fresh-cyber-attack-idUSKBN2B21TX
    OSLO (Reuters) – Hackers have infiltrated the Norwegian Parliament’s computer systems and extracted data, officials said on Wednesday, just six months after a previous cyber attack was made public. The attack by unknown hackers was linked to a vulnerability in Microsoft’s Exchange software, the parliament said, adding that this was an international problem. The latest attack was more severe than last year’s, parliament President Tone Wilhelmsen Troen told a news conference. Also: https://yle.fi/uutiset/3-11831255

    Reply
  12. Tomi Engdahl says:

    At Least 10 Threat Actors Targeting Recent Microsoft Exchange Vulnerabilities
    https://www.securityweek.com/least-10-threat-actors-targeting-recent-microsoft-exchange-vulnerabilities

    At least 10 threat actors are currently involved in the targeting of Microsoft Exchange servers that are affected by recently disclosed zero-day vulnerabilities, according to cybersecurity firm ESET.

    On March 2, Microsoft announced patches for four bugs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that were part of a pre-authentication remote code execution (RCE) attack chain already being exploited in the wild.

    Successful exploitation of the bugs could result in the attacker deploying webshells onto the vulnerable Exchange servers, potentially taking full control of them. To date, ESET has identified more than 5,000 compromised servers, but others previously reported that tens of thousands of organizations may have been hacked.

    Last week, Microsoft said that the flaws were being exploited by Chinese hacking group HAFNIUM, but security researchers were quick to report that several cyber-espionage groups were already targeting the vulnerable Exchange servers.

    Now, ESET reveals that at least 10 threat actors are actively engaged in such attacks, including Tick (also known as Bronze Butler), LuckyMouse (also tracked as APT27), Calypso, Websiic, Winnti Group (BARIUM, APT41), Tonto Team (CactusPete), ShadowPad, Mikroceen, and DLTMiner. Activity involving the “Opera” Cobalt Strike and IIS backdoors was also observed.

    Reply
  13. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / VICE:
    Researcher publishes a proof of concept on GitHub that uses vulnerabilities exploited by hackers to breach Microsoft Exchange servers; GitHub deleted the code — Microsoft-owned Github quickly deleted the code, which exploited vulnerabilities apparently used by Chinese hackers to break into a series of companies.
    https://www.vice.com/en/article/n7vpaz/researcher-publishes-code-to-exploit-microsoft-exchange-vulnerabilities-on-github

    Reply
  14. Tomi Engdahl says:

    The 8-Bit:
    Researchers demonstrate a browser-based side-channel attack that works even if JavaScript is blocked, affecting Intel Core, Samsung Exynos, Apple’s M1, others
    First Browser-Based Side-Channel attack against Apple’s M1 chips works even with Javascript disabled; more so than other architectures
    https://the8-bit.com/apple-m1-chip-side-channel-vulnerability-attack/
    A team of researchers has demonstrated a new browser-based side-channel attack that works even if Javascript is blocked, one that affects hardware platforms including Intel Core, AMD Ryzen, Samsung Exynos, and even Apple’s M1 chips. Surprisingly, the researchers concluded that due to simpler cache replacement policies, their attacks are more effective on the M1 and Exynos chips.

    To demonstrate the attack, researchers developed a sequence of attacks with decreased dependence on Javascript features which led to the “first browser-based side-channel attack which is constructed entirely from Cascading Style Sheets (CSS) and HTML, and works even when script execution is completely blocked.”
    It’s also imperative to note that these attacks were demonstrated mainly using Google’s Chrome browser irrespective of the architecture. And due to the differences between security implementations of different browsers, the results of the attack may vary.
    This vulnerability may lead to microarchitectural website fingerprinting attacks, the researchers say. A website fingerprinting attack allows an eavesdropper to determine the target’s web activity by leveraging features from the target’s packet sequence. This also effectively disregards the application of most privacy-protecting technologies such as VPNs, proxies, or even TOR.
    According to a paper published by the researchers behind the demonstration, Javascript has become a popular way of conducting side-channel attacks. However, browsers employ a method in which an attacker is barred from precisely measuring time which is apparently essential in Javascript-based side-channel attacks.

    Reply
  15. Tomi Engdahl says:

    Nvidia’s unhackable GeForce RTX 3060 hash rate limiter may not have been hacked after all
    By Dave James 2 days ago
    https://www.pcgamer.com/nvidia-geforce-rtx-3060-hash-rate-limiter-cracked/?utm_campaign=socialflow&utm_medium=social&utm_source=facebook.com

    An image showing multiple RTX 3060 cards mining cryptocurrency was not referencing Ethereum.

    The only cryptocurrency that Nvidia blocks with its RTX 3060 hash rate limiter is the Ethereum algorithm, and so other alt-coins are still fair game for the green team’s mainstream GeForce card.

    Reply
  16. Tomi Engdahl says:

    Matt Burgess / WIRED UK:
    UK Home Office confirms trial of web surveillance tool that can track users’ browsing history in partnership with two unknown ISPs and National Crime Agency

    The UK is secretly testing a controversial web snooping tool
    https://www.wired.co.uk/article/internet-connection-records-ip-act

    The Investigatory Powers Act, or Snooper’s Charter, was introduced in 2016. Now one of its most contentious surveillance tools is being secretly trialled by internet firms

    For the last two years police and internet companies across the UK have been quietly building and testing surveillance technology that could log and store the web browsing of every single person in the country.

    The tests, which are being run by two unnamed internet service providers, the Home Office and the National Crime Agency, are being conducted under controversial surveillance laws introduced at the end of 2016. If successful, data collection systems could be rolled out nationally, creating one of the most powerful and controversial surveillance tools used by any democratic nation.

    Despite the National Crime Agency saying “significant work” has been put into the trial it remains clouded in secrecy. Elements of the legislation are also being challenged in court. There has been no public announcement of the trial, with industry insiders saying they are unable to talk about the technology due to security concerns.

    The trial is being conducted under the Investigatory Powers Act 2016, dubbed the Snooper’s Charter

    Reply
  17. Tomi Engdahl says:

    Dozens Of Rust Servers Wiped Out In Data Center Fire
    https://kotaku.com/dozens-of-rust-servers-wiped-out-in-data-center-fire-1846447362

    A fire that broke out overnight in Strasbourg, France destroyed one of OVHcloud’s data centers and damaged a second, Reuters reports. The French government and Centre Pompidou, which houses a public information library and modern art museum, had their data affected by the fires, as did Facepunch Studios, maker of the online survival game Rust.

    “We’ve confirmed a total loss of the affected EU servers during the OVH data centre fire,” the England-based game developer announced on Twitter this morning. “We’re now exploring replacing the affected servers. Data will be unable to be restored.” It’s not yet clear what started the fire.

    The Rust community is known for sinking thousands of collective hours into crafting complex bases and engaging in elaborate role-play on various servers, where progress is normally only erased with advanced warning as part of monthly updates. “When the world gives you a force wipe,” wrote one player on the Rust subreddit.

    Several players on the Rust subreddit used last night’s fire as evidence that Facepunch should invest in backups for its gaming servers to safeguard players’ creations. But others pointed out that backups can be very costly, especially for an online multiplayer game that doesn’t charge a subscription. “And as others have said, you are playing on a free server, that rust is arguably losing money on (since you don’t pay to play), so extra money for a backup that is unlikely to be needed and deleted at next wipe is extra burning of money (pun intended),” wrote Reddit user BarryCarlyon.

    OVHcloud has pitched itself as a European alternative to US data center giants Amazon, Microsoft, and Google, Reuters reports. It had also just announced plans for a potential Initial Public Offering (IPO) to go public and get the funding necessary to compete with its counterparts on the other side of the Atlantic.

    Reply
  18. Tomi Engdahl says:

    Microsoft Issues Security Patches for 89 Flaws — IE 0-Day Under Active Attacks
    https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html

    Reply
  19. Tomi Engdahl says:

    Linus Torvalds fixes ‘double ungood’ Linux kernel bug
    https://www.zdnet.com/article/linus-torvalds-fixes-double-ungood-linux-kernel-bug/

    Well, that was embarrassing. Linus Torvalds’ first release candidate for the Linux kernel 5.12 included a show-stopping bug. After shutting down that release Torvalds has launched a new version of 5.12, which doesn’t include the mistake.

    Reply
  20. Tomi Engdahl says:

    The prime suspect in a fire that wiped out Rust’s European servers is an uninterruptible power supply.

    A fire that wiped out Rust’s EU servers may have been caused by a faulty UPS
    By Jacob Ridley 5 hours ago
    https://www.pcgamer.com/a-fire-that-wiped-out-rusts-eu-servers-may-have-been-caused-by-a-faulty-ups/?utm_source=facebook.com&utm_campaign=socialflow&utm_medium=social

    “Thanks to 300 cameras that we have in Strasbourg… we hope to have all the answers about why it started and how it evolved.”

    “When the firefighters came they took photos with a thermal camera and saw two UPS on fire, UPS 7 and UPS 8. We had the maintenance of UPS 7 in the morning. The supplier came and changed a lot of pieces inside UPS 7 and restarted UPS 7 afternoon. And it seems like it was working but in the morning we had the fire.”

    SBG2 will need to be fully rebuilt, OVH says, assumedly as an entirely new unit with up-to-date technology, while SBG1 will be powered back on room by room once it is deemed safe to do so.

    Reply
  21. Tomi Engdahl says:

    Russia claims a fire at a data center in France broke access to Google and YouTube. Google says that’s not true.
    https://trib.al/DJSZRnU
    Russia experienced a Google outage on Wednesday, and blamed it on a fire at a data center in France.
    Google says that’s false, and that the outage was caused by a local internet service provider.
    The outage occurred as Russia’s government broke the country’s internet while trying to censor Twitter.

    Reply
  22. Tomi Engdahl says:

    The disruption of Emotet was a blow for cyber criminals – but just weeks later, the gap is being filled by other trojans and botnets.

    This trojan malware is now your biggest security headache
    https://www.zdnet.com/article/this-trojan-malware-is-now-your-biggest-security-headache/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

    The disruption of Emotet was a blow for cyber criminals – but just weeks later, the gap is being filled by other trojans and botnets.

    Reply
  23. Tomi Engdahl says:

    Hackers are exploiting vulnerable Exchange servers to drop ransomware, Microsoft says
    https://techcrunch.com/2021/03/12/hackers-exchange-servers-ransomware/?tpcc=ECFB2021

    Hackers are exploiting recently discovered vulnerabilities in Exchange email servers to drop ransomware, Microsoft has warned, a move that puts tens of thousands of email servers at risk of destructive attacks.

    In a tweet late Thursday, the tech giant said it had detected the new kind of file-encrypting malware called DoejoCrypt — or DearCry — which uses the same four vulnerabilities that Microsoft linked to a new China-backed hacking group called Hafnium.

    Reply
  24. Tomi Engdahl says:

    Students Are Easily Cheating ‘State-of-the-Art’ Test Proctoring Tech
    Students are using HDMI cables and hidden phones to cheat on exams administered through invasive proctoring software like Proctorio.
    https://www.vice.com/en/article/3an98j/students-are-easily-cheating-state-of-the-art-test-proctoring-tech

    Reply
  25. Tomi Engdahl says:

    A piece of malware that is almost impossible to detect is spreading worldwide – do you recognise this programming language?
    Antti Kailio, 12.3.2021 07:51 (updated 12.3.2021 07:51)
    The Nim programming language is anything but typical for malware.
    https://www.tivi.fi/uutiset/maailmalla-leviaa-haittaohjelma-joka-on-miltei-mahdoton-havaita-tunnistatko-taman-ohjelmointikielen/55fedb87-512f-47c0-b034-4b555fd22b75

    This malware was written in an unusual programming language to stop it from being detected
    NimzaLoader malware is unusual because it’s written in a programming language rarely used by cyber criminals – which could make it harder to detect and defend against.
    https://www.zdnet.com/article/this-malware-was-written-in-an-unusual-programming-language-to-stop-it-from-being-detected/

    Reply
  26. Tomi Engdahl says:

    Intel CPU interconnects can be exploited by malware to leak encryption keys and other info, academic study finds
    Side-channel ring race ‘hard to mitigate with existing defenses’
    https://www.theregister.com/2021/03/08/intel_ring_flaw/

    Reply
  27. Tomi Engdahl says:

    A hacker who exposed Verkada’s surveillance camera snafu has been raided
    Based on an “alleged hack that took place last year”
    https://www.theverge.com/platform/amp/2021/3/12/22328344/tillie-kottmann-hacker-raid-switzerland-verkada-cameras

    Tillie Kottmann, a 21-year-old hacker, has been raided by Swiss authorities and their devices seized, Bloomberg reports — days after helping to reveal how Silicon Valley security startup Verkada’s own security was so poor that hackers were able to access over 150,000 of the company’s cameras to see the insides of schools, jails, hospitals, police stations, and Tesla factories.

    The raid doesn’t have anything to do with Verkada, according to Bloomberg, but instead an “alleged hack that took place last year,” and interestingly, a Swiss authority pointed Bloomberg to the US Department of Justice for further questions. (The DOJ declined to comment.)

    It’s not clear which hack the DOJ might be interested in, as Kottmann has been continually sharing leaked files from various companies for months, but one sticks out as likely: Kottmann leaked a huge collection of secret documents and source code from chipmaker Intel last year, and Intel vowed to investigate.

    Reply
  28. Tomi Engdahl says:

    Exploits on Organizations Worldwide Tripled every Two Hours after Microsoft’s Revelation of Four Zero-days
    https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/
    Following the revelation of four zero-day vulnerabilities currently affecting Microsoft Exchange Server, Check Point Research (CPR) discloses its latest observations on exploitation attempts against organizations that it tracks worldwide. Also:
    https://www.tivi.fi/uutiset/tv/31187ac4-d460-4a33-be35-0256443bbb11

    Reply
  29. Tomi Engdahl says:

    F-Secure: “The situation could get out of hand” – the storm of Exchange attacks is tearing through the world
    https://www.tivi.fi/uutiset/tv/fe917487-6fb2-435b-b7a8-301a8b42ff85
    F-Secure security consultant Antti Laatikainen believes that the vulnerability found in Microsoft’s Exchange servers is about to cause the worst information security catastrophe of the decade.

    Reply
  30. Tomi Engdahl says:

    Hackers Are Targeting Microsoft Exchange Servers With Ransomware
    https://thehackernews.com/2021/03/icrosoft-exchange-ransomware.html
    According to the latest reports, cybercriminals are leveraging the heavily exploited ProxyLogon Exchange Server flaws to install a new strain of ransomware called “DearCry.” “Microsoft observed a new family of human operated ransomware attack customers detected as Ransom:Win32/DoejoCrypt.A,” Microsoft researcher Phillip Misner tweeted. “Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers.” Also:
    https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/

    Reply
  31. Tomi Engdahl says:

    Microsoft Exchange exploits now used by cryptomining malware
    https://www.bleepingcomputer.com/news/security/microsoft-exchange-exploits-now-used-by-cryptomining-malware/
    The operators of Lemon_Duck, a cryptomining botnet that targets enterprise networks, are now using Microsoft Exchange ProxyLogon exploits in attacks against unpatched servers.

    Reproducing the Microsoft Exchange Proxylogon Exploit Chain
    https://www.praetorian.com/blog/reproducing-proxylogon-exploit/
    The Praetorian Labs team has reverse engineered the initial security advisory and subsequent patch and successfully developed a fully functioning end-to-end exploit. This post outlines the methodology for doing so but with a deliberate decision to omit critical proof-of-concept components to prevent non-sophisticated actors from weaponizing the vulnerability.

    Reply
  32. Tomi Engdahl says:

    Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github
    https://www.vice.com/en/article/n7vpaz/researcher-publishes-code-to-exploit-microsoft-exchange-vulnerabilities-on-github
    Microsoft-owned Github quickly deleted the code, which exploited vulnerabilities apparently used by Chinese hackers to break into a series of companies. Also:
    https://arstechnica.com/gadgets/2021/03/critics-fume-after-github-removes-exploit-code-for-exchange-vulnerabilities/

    Reply
  33. Tomi Engdahl says:

    A Spectre proof-of-concept for a Spectre-proof web
    https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html
    In this post, we will share the results of Google Security Team’s research on the exploitability of Spectre against web users, and present a fast, versatile proof-of-concept (PoC) written in JavaScript which can leak information from the browser’s memory. We’ve confirmed that this proof-of-concept, or its variants, function across a variety of operating systems, processor architectures, and hardware generations. Also: https://leaky.page/ (Spectre JavaScript PoC)

    Reply
  34. Tomi Engdahl says:

    Quickpost: “ProxyLogon PoC” Capture File
    https://blog.didierstevens.com/2021/03/12/quickpost-proxylogon-poc-capture-file/
    I was able to get the “ProxyLogon PoC” Python script running against a vulnerable Exchange server in a VM.

    Reply
  35. Tomi Engdahl says:

    Protecting on-premises Exchange Servers against recent attacks
    https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/
    For the past few weeks, Microsoft and others in the security industry have seen an increase in attacks against on-premises Exchange servers. The target of these attacks is a type of email server most often used by small and medium-sized businesses, although larger organizations with on-premises Exchange servers have also been affected. This is now what we consider a broad attack, and the severity of these exploits means protecting your systems is critical. While Microsoft has regular methods for providing tools to update software, this extraordinary situation calls for a heightened approach.

    Reply
  36. Tomi Engdahl says:

    Cyberattack visible at Telia: companies’ email down for a third day
    https://www.is.fi/digitoday/tietoturva/art-2000007856648.html
    The email and calendar services of Telia Inmics-Nebula, a hosting and internet services company owned by telecom operator Telia, have been out of use for a third day, and there is no information on how long the outage will continue. The situation affects thousands of business users of the service. Telia’s press release:
    https://www.inmicsnebula.fi/fi/tiedotteet/kriittinen-microsoft-exchange-haavoittuvuus-havaittu-telia-inmics-nebulan

    Reply
  37. Tomi Engdahl says:

    Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild
    https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html
    Google has addressed yet another actively exploited zero-day in Chrome browser, marking the second such fix released by the company within a month. While the update contains a total of five security fixes, the most important flaw rectified by Google concerns a use after free vulnerability in its Blink rendering engine. The bug is tracked as CVE-2021-21193.

    Reply
  38. Tomi Engdahl says:

    15-year-old Linux kernel bugs let attackers gain root privileges
    https://www.bleepingcomputer.com/news/security/15-year-old-linux-kernel-bugs-let-attackers-gain-root-privileges/
    Three vulnerabilities found in the iSCSI subsystem of the Linux kernel could allow local attackers with basic user privileges to gain root privileges on unpatched Linux systems. These security bugs can only be exploited locally, which means that potential attackers will have to gain access to vulnerable devices by exploiting another vulnerability or using an alternative attack vector.

    Reply
  39. Tomi Engdahl says:

    A silent catastrophe is under way online – “tens or hundreds of Vastaamo-type data breaches”
    https://www.is.fi/digitoday/tietoturva/art-2000007861992.html

    Reply
  40. Tomi Engdahl says:

    Google Must Face Suit Over Snooping on ‘Incognito’ Browsing
    https://www.bloomberg.com/news/articles/2021-03-13/google-must-face-suit-over-snooping-on-incognito-browsing?sref=ExbtjcSG

    Judge concludes company didn’t notify users of data collection
    Class action suit alleges Google knows ‘who your friends are’

    Reply
