9 October 2022

Security News This Week: Microsoft Exchange Server Has a Zero-Day Problem


THERE WERE GLOBAL ripples in tech policy this week as VPN providers were forced to pull out of India as the country’s new data collection law takes hold, and UN countries prepare to elect a new head of the International Telecommunications Union—a key internet standards body.

After explosions and damage to the Nord Stream gas pipeline that runs between Russia and Germany, the destruction is being investigated as deliberate, and a complicated hunt is on to identify the perpetrator. And still-unidentified hackers are “hyperjacking” victims to grab data using a long-feared technique for hijacking virtualization software.

The notorious Lapsus$ hackers have been back on their hacking joyride, compromising massive companies around the world and delivering a dire but important warning about how vulnerable large institutions really are to compromise. And the end-to-end-encrypted communication protocol Matrix patched serious and concerning vulnerabilities this week.

Pornhub debuted a trial of an automated tool that pushes users searching for child sexual abuse material to seek help for their behavior. And Cloudflare rolled out a free Captcha alternative in an attempt to validate humanness online without the headache of finding bicycles in a grid or deciphering blurry text.


And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.


On Thursday night, Microsoft confirmed that two unpatched Exchange Server vulnerabilities are actively being exploited by cybercriminals. The vulnerabilities were discovered by a Vietnamese cybersecurity company named GTSC, which claims in a post on its website that the two zero-days have been used in attacks against its customers since early August. While the flaws only impact on-premise Exchange Servers that an attacker has authenticated access to, according to GTSC, the zero-days can be chained together to create backdoors into the vulnerable server. “The vulnerability turns out to be so critical that it allows the attacker to do RCE [remote code execution] on the compromised system,” the researchers said.


In a blog post, Microsoft described the first flaw as a server-side request forgery (SSRF) vulnerability, and the second as “an attack that allows remote code execution on a vulnerable server when PowerShell is accessible to the attacker.” The post also provides guidance for how on-premises Microsoft Exchange customers should mitigate the attack.


Sloppy dev-ops and CIA negligence partially enabled Iranian intelligence to identify and capture informants who risked their lives to provide the United States with information, according Reuters. The year-long investigation follows the story of six Iranian men who were jailed as part of an aggressive counterintelligence operation by Iran that began in 2009. The men were partially outed by what Reuters describes as a flawed web-based covert communications system that led to the arrest and execution of dozens of CIA informants in Iran and China. In 2018, Yahoo News reported on the system.

Because the CIA appeared to have purchased web-hosting space in bulk from the same provider, Reuters was able to enumerate hundreds of secret CIA websites meant to facilitate communications between informants around the world and their CIA handlers. The sites, which are no longer active, were devoted to topics such as beauty, fitness, and entertainment. Among them, according to Reuters, was a Star Wars fan page. Two former CIA officials told the news agency that each fake website was assigned to only one spy in order to limit exposure of the entire network in case any single agent was captured.

James Olson, a former chief of CIA counterintelligence, told Reuters, “If we’re careless, if we’re reckless, and we’ve been penetrated, then shame on us.”


On Wednesday, a former National Security Agency staffer was charged with three violations of the Espionage Act for allegedly attempting to sell classified national defense information to an unnamed foreign government, according to court documents unsealed this week. In a press release about the arrest, the US Department of Justice stated that Jareh Sebastian Dalke, of Colorado Springs, Colorado, used an encrypted email to send excerpts of three classified documents to an undercover FBI agent, who he believed to be working with a foreign government. Dalke allegedly told the agent that he was in serious financial debt and, in exchange for the information, needed compensation in cryptocurrency.

The FBI arrested Dalke on Wednesday when he arrived at Union Station in downtown Denver to deliver classified documents to the undercover agent. If convicted, he could face up to life in prison or the death penalty.


On Tuesday, hackers hijacked Fast Company’s content management system, blasting two obscene push notifications to the publication’s Apple News followers. In response, the publication’s parent company, Mansueto Ventures, shut down Fastcompany.com and Inc.com, which it also owns. Fast Company issued a statement calling the messages “vile” and “not in line with the content and ethos” of the outlet. An article the hacker apparently posted to Fast Company’s website claimed they got access through a password that was shared across many accounts, including an administrator.

No comments: