By the CyberWire staff
Widespread Exchange Server exploitation.
KrebsOnSecurity reported last Friday that at least 30,000 organizations in the US had been hacked by the Chinese threat actor tracked by Microsoft as "Hafnium." The threat actor exploited four (now-patched) zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 to plant backdoors and exfiltrate emails. The flaws, which were discovered and reported by Volexity, are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Following Microsoft's issuance of emergency patches on March 2nd, Krebs says Hafnium "dramatically stepped up attacks on any vulnerable, unpatched Exchange servers," gaining access to hundreds of thousands of servers worldwide. Volexity's President Steven Adair told Krebs, "Even if you patched the same day Microsoft published its patches, there's still a high chance there is a web shell on your server. The truth is, if you're running Exchange and you haven't patched this yet, there’s a very high chance that your organization is already compromised."
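Adair's point is that patching closes the door but does not evict anyone already inside, so the first check after patching is a hunt through the server's own logs. Microsoft's guidance for CVE-2021-26855 is to search the Exchange HttpProxy logs (under the Exchange install directory, `Logging\HttpProxy`) for requests with an empty AuthenticatedUser whose AnchorMailbox was rewritten to a `ServerInfo~<host>/<path>` value, which is what the server-side request forgery leaves behind. The script below is an added example written for this article, not code from Microsoft, Volexity, or Krebs. The log excerpt is constructed and keeps only a handful of the real log's columns; the column names it uses (`#Fields:` header, `AuthenticatedUser`, `AnchorMailbox`, `ClientIpAddress`) are the real ones, the host names and IP addresses are made up.

```python
import csv
from collections import Counter

# Constructed sample of an Exchange HttpProxy log. Real logs live under
# %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy\ and carry
# dozens of columns; only the ones this hunt needs are reproduced here.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Version: 15.1.0.0
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,AuthenticationType,AuthenticatedUser,AnchorMailbox,ClientIpAddress,UrlStem,HttpStatus
2021-03-03T02:14:05.112Z,Kerberos,CONTOSO\\jdoe,Smtp~jdoe@contoso.example,10.0.5.23,/owa/,200
2021-03-03T02:15:41.908Z,,,ServerInfo~a]@localhost:444/autodiscover/autodiscover.xml?#,198.51.100.77,/owa/auth/x.js,200
2021-03-03T02:15:42.301Z,,,ServerInfo~localhost/ecp/,198.51.100.77,/ecp/y.js,200
2021-03-03T02:16:00.004Z,Kerberos,CONTOSO\\svc-mon,ServerInfo~mail01.contoso.example/EWS/Exchange.asmx,10.0.5.40,/ews/,200
2021-03-03T02:17:10.555Z,,,ServerInfo~mail01.contoso.example,10.0.5.41,/ecp/,401
2021-03-03T02:18:33.010Z,,,ServerInfo~localhost/ecp/default.flt,203.0.113.9,/ecp/z.js,200
"""


def parse_httpproxy_log(text):
    """Return one dict per request row, naming columns from the '#Fields:' header.

    Lines starting with '#' are metadata; the '#Fields:' line is the only one
    we need because it tells us which column is which.
    """
    fieldnames = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fieldnames = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fieldnames is None:
            raise ValueError("data row appeared before the #Fields: header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fieldnames, values)))
    return rows


def is_ssrf_indicator(row):
    """Microsoft's published CVE-2021-26855 hunt condition for HttpProxy logs:
    no authenticated user, and an AnchorMailbox rewritten to 'ServerInfo~host/path'.
    Legitimate traffic carries an authenticated user or a Smtp~/Sid~ style anchor.
    """
    anchor = row.get("AnchorMailbox", "")
    return (
        row.get("AuthenticatedUser", "") == ""
        and anchor.startswith("ServerInfo~")
        and "/" in anchor
    )


def hunt(text):
    """Return the matching rows plus a per-source-IP count of them."""
    hits = [r for r in parse_httpproxy_log(text) if is_ssrf_indicator(r)]
    by_ip = Counter(r["ClientIpAddress"] for r in hits)
    return hits, by_ip


if __name__ == "__main__":
    hits, by_ip = hunt(SAMPLE_HTTPPROXY_LOG)
    for h in hits:
        print(h["DateTime"], h["ClientIpAddress"], h["AnchorMailbox"])
    print("requests per source IP:", dict(by_ip))
```

A hit means the SSRF stage of the chain was at least attempted from that address; it does not by itself say whether a web shell was written, so the next step is to look for unexpected .aspx files under the Exchange front-end and `inetpub\wwwroot\aspnet_client` directories with creation times near the hits. Two caveats a responder should keep in mind: HttpProxy logs roll over, so servers that were hit in late February may no longer hold the evidence, and the condition is deliberately narrow, so an empty result does not clear the server.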
ESET says at least four other APT groups besides Hafnium had exploited the vulnerabilities before they were publicly disclosed, and that "many more threat actors" began scanning and compromising Exchange Servers after the disclosure. Among the groups ESET identified are the espionage-focused Tick, LuckyMouse, Calypso, Tonto Team, Mikroceen, and Winnti Group, as well as the cryptojacking gang DLTMiner. The Record cites ESET and Kryptos Logic as saying that at least one of the threat actors was trying to log into and hijack Hafnium's web shells.
The Record also notes that on Wednesday a Vietnamese security researcher published a working public exploit for the vulnerabilities.
FBI and CISA on Wednesday issued a joint advisory stating, "Successful exploitation of these vulnerabilities allows an attacker to access victims' Exchange Servers, enabling them to gain persistent system access and control of an enterprise network. It has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information and other sensitive information from entities in multiple U.S. sectors. FBI and CISA assess that adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web."
DomainTools, which has published an overview of the situation, summarized the timeline in an email:
"CVE-2021-26855 was under active exploitation since January 2021 by multiple groups, with the possibility of some exploitation activity prior to this time. Since 27 February 2021 and especially following public disclosure by Microsoft on 02 March 2021, multiple additional entities have opportunistically leveraged these vulnerabilities as part of multiple, independent campaigns. While a number of entities linked to the Exchange exploitation activity have previously been linked to PRC-directed or -sponsored operations, multiple additional entities are also involved."
Drew Schmitt, Senior Threat Intelligence Analyst at GuidePoint Security, commented on the importance of knowing which threat actors were involved:
"Having knowledge of specific threat groups is helpful for defenders to incorporate threat intelligence and modeling into their security strategy. As defenders begin to have a more detailed grasp on threat groups and their methodology, they are able to implement defense in depth strategies that will provide the most layers of protection in their environments. Identifying these groups is great for the individual organization, but most important for the cybersecurity community as a whole. Threat groups are often operating faster than blue teams can keep up and it's imperative that we continue to strive for collective security that relies on rapid intelligence sharing."
By Women in Cyber, for Women in Cyber.
This month’s Creating Connections issue will publish this Monday, March 15th and will focus on International Women’s Month. Featured pieces include tips from Dominique West from the Security in Color podcast, a challenge to help other women around the world, a list of historic achievements by women, and many more goodies. Sign up and join our community dedicated to empowering women in the industry.
Chinese threat actor exploited SolarWinds vulnerability.
Secureworks describes cyberespionage activity by a suspected Chinese actor dubbed "SPIRAL." The actor exploited a vulnerability (CVE-2020-10148) in SolarWinds' Orion product to deploy its SUPERNOVA web shell. The researchers say this activity is unrelated to the Russian-linked Solorigate campaign that also made use of SolarWinds' Orion.
The SUPERNOVA web shell is a Trojanized version of a legitimate Orion DLL. The threat actor first executed a reconnaissance script before deploying the web shell, then obtained credentials from Windows' Local Security Authority Subsystem Service (LSASS). After this, the actor "mapped network shares on two hosts: a domain controller and a server that could provide access to sensitive business information."
Secureworks believes the group is based in China because the actor (apparently inadvertently) exposed a Chinese IP address when it downloaded an installer:
"A Secureworks endpoint detection and response (EDR) agent checked in from a host that did not belong to the compromised organization and used an IP address geolocated to China. The naming convention of this host was the same as another host used by the threat actor to connect to the network via a VPN connection. This ‘<Username>-PC’ naming convention is the default hostname for a Windows 7 host, but it is not the victim’s standard naming convention for hosts. CTU analysis suggests the threat group likely downloaded the endpoint agent installer from the network and executed it on the attacker-managed infrastructure. The exposure of the IP address was likely unintentional, so its geolocation supports the hypothesis that the SPIRAL threat group operates out of China."
For more, see the CyberWire Pro Research Briefing.
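The detail that gave SPIRAL away is worth turning into a standing check: the attacker's machine enrolled in the victim's EDR from outside the victim's address space, under a hostname that followed Windows' default `<Username>-PC` pattern rather than the organization's own naming scheme. The script below is an added example for this article, not Secureworks' code or its CTU tooling. It triages constructed endpoint-agent enrollment records against a hypothetical corporate naming convention and hypothetical corporate IP ranges; the GeoIP lookup that CTU used on the exposed address is not reproduced, since that needs an external database, but the off-network address is exactly what would be sent to it.

```python
import ipaddress
import re

# Hypothetical corporate IP ranges (RFC 1918 space plus one documentation range).
CORPORATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Hypothetical corporate hostname convention: <role>-<site>-<serial>, e.g. WS-HQ1-0042.
HOSTNAME_CONVENTION = re.compile(r"^(WS|SRV|LT)-[A-Z0-9]{3}-\d{4}$")

# The default name Windows 7 gives a machine at setup, which the Secureworks
# report notes was the attacker host's naming pattern.
DEFAULT_WINDOWS_NAME = re.compile(r"^[A-Za-z0-9]+-PC$", re.IGNORECASE)

# Constructed enrollment records of the kind an EDR console exports.
SAMPLE_CHECKINS = [
    {"hostname": "WS-HQ1-0042", "ip": "10.20.4.17", "user": "CONTOSO\\jdoe"},
    {"hostname": "SRV-DC1-0001", "ip": "10.1.0.5", "user": "CONTOSO\\svc-backup"},
    {"hostname": "WS-HQ1-0077", "ip": "203.0.113.44", "user": "CONTOSO\\asmith"},
    # Constructed analogue of the SPIRAL exposure: default name, off-network address.
    {"hostname": "ADMIN-PC", "ip": "198.51.100.23", "user": "admin"},
    # Off-convention but internal: worth a look, lower priority.
    {"hostname": "JOHN-PC", "ip": "10.20.4.99", "user": "CONTOSO\\john"},
]


def triage(checkin):
    """Return the list of reasons this enrollment looks wrong (empty if it looks fine)."""
    reasons = []
    name = checkin["hostname"]
    if not HOSTNAME_CONVENTION.match(name):
        reasons.append("hostname does not follow the corporate convention")
    if DEFAULT_WINDOWS_NAME.match(name):
        reasons.append("hostname is a default Windows '<Username>-PC' name")
    addr = ipaddress.ip_address(checkin["ip"])
    if not any(addr in net for net in CORPORATE_RANGES):
        reasons.append("source IP is outside corporate ranges; geolocate it")
    return reasons


def suspicious_checkins(checkins):
    """Return (hostname, reasons) for every enrollment that trips at least one rule,
    ordered so the records with the most findings come first."""
    flagged = [(c["hostname"], triage(c)) for c in checkins]
    flagged = [(h, r) for h, r in flagged if r]
    return sorted(flagged, key=lambda hr: len(hr[1]), reverse=True)


if __name__ == "__main__":
    for hostname, reasons in suspicious_checkins(SAMPLE_CHECKINS):
        print(hostname)
        for r in reasons:
            print("   -", r)
```

The ordering matters in practice: a hostname that merely breaks convention is usually a technician's shortcut, but a default-named host enrolling from an address the organization does not own is the combination that exposed SPIRAL, and it should page someone rather than sit in a report.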
What could be better than reading the CyberWire? Working for the CyberWire!
If you have a passion for sales and want to be a part of a dynamic team, the CyberWire is the place for you! The CyberWire has an opening for a dynamic, goal-oriented sales person to work with our sponsorship team. If that sounds like you, or someone you know, we would love to talk to you. Visit our Careers page to learn more.
A warning on deepfakes.
The US FBI warned yesterday that hostile foreign actors should be expected to use increasingly plausible and convincing content in their influence operations, and that these efforts are near-term rather than hypothetical. “Malicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12-18 months,” the Private Industry Notification said. “Foreign actors are currently using synthetic content in their influence campaigns, and the FBI anticipates it will be increasingly used by foreign and criminal cyber actors for spearphishing and social engineering in an evolution of cyber operational tradecraft.”
The emerging tactics involve deepfakes, which the FBI calls “synthetic content” and defines as “the broad spectrum of generated or manipulated digital content, which includes images, video, audio, and text.” The emerging technologies go beyond “traditional techniques like Photoshop” and its ancestors in photographic retouching used to remove unpersons from Soviet photographs, or to produce evidence of an elderly Chairman Mao’s vigor in the form of a doctored snap of him swimming in a cold river.
The Bureau does point out that synthetic content is protected speech under the First Amendment, but that the FBI will investigate it when it’s misused by foreign adversaries. Thus the FBI seems to be looking more for inauthenticity than it is seeking to police content. Their advice to businesses and individuals confronted with generated content is Baconian common sense, which the Bureau sums up under the mnemonic acronym SIFT: “Stop, Investigate the source, Find trusted coverage, and Trace the original content when consuming information online.” The “T” seems particularly important.
Sifting out the fakes won’t be easy. The entertainment industry is finding applications for machine learning that could enable AI, with sufficient training, to replicate actors’ voices convincingly. (WIRED’s example is drawn from the Simpsons, but there are companies working on it, and the Simpsons have already used recordings to bring back the voice of the late Marcia Wallace in an Edna Krabappel farewell appearance. For now it would be easier to just hire a voice actor who could do a convincing Selma Bouvier, but the technology is advancing quickly.)
For more, see the CyberWire Pro Disinformation Briefing.
CyberWire Pro offers more reporting, analysis and insights.
Subscribe to CyberWire Pro to gain exclusive access to actionable reporting, analysis and insights on the global information security industry reshaping our world. CyberWire Pro is an independent news service you can depend on to stay informed, and save time. This unique offer includes access to exclusive podcasts, briefings, webinars, and much more! Visit thecyberwire.com/pro to learn more.
Hacktivists pull off massive surveillance camera breach.
An international hacker collective gained access to 150,000 live surveillance cameras by hacking into a super admin account at Verkada Inc, a Silicon Valley security camera management firm, Bloomberg reports. The cameras exposed live footage of hospitals, police departments, schools, and companies like automobile giant Tesla and cybersecurity firm Cloudflare. The hacking group, who also say they obtained archive footage from all of Verkada's clients, stated that the goal of "OperationPanopticon" was to draw attention to the ubiquity of video surveillance.
Tillie Kottmann, a reverse engineer in the group, told Bleeping Computer that the group obtained the hardcoded credentials for the super admin account by infiltrating Verkada's DevOps infrastructure. On Twitter, the group posted images from the camera footage, as well as a screenshot showing root access to a Verkada Linux system, as evidence of their handiwork. Once Verkada learned of the breach, it disabled all internal admin accounts to deny the hackers further access. Twitter also took down Tillie Kottmann's account for unspecified violations of its policies (presumably the policies that prohibit posting hacked material), but the curious can see Kottmann's relevant thread archived here, in the Wayback Machine.
Motherboard reported yesterday that Swiss police had raided Kottmann's Lucerne apartment and seized the hacker's electronics. Bloomberg reports that the raid was conducted in conjunction with an earlier US criminal case, and quotes a search warrant from the Western District of Washington as stating that Kottmann was wanted for "the hacking of computer databases and the subsequent theft and distribution of information including source code, confidential documents and internal user data."
Vice has a quote from Kottmann to the effect that "My apartment was raided by local police this morning 7am my time and all my electronic devices have been confiscated on request of the US Department of Justice," but Kottmann hasn't responded to Vice's other questions. The publication had previously received Kottmann's coup list, which included "K-12 schools, seemingly private residences marked as 'condos,' shopping malls, credit unions, multiple universities across America and Canada, pharmaceutical companies, marketing agencies, pubs and bars, breweries, a Salvation Army center, churches, the Professional Golfers Association, museums, a newspaper's office, airports, and more."
For more, see the CyberWire Pro Privacy Briefing.
Are you a member of the government or military?
We're offering a large discount for CyberWire Pro to those on active duty or in the reserves, and to those who work in government agencies. What can you do with a Pro subscription? Glad you asked. Many federal workers subscribe and rely on Pro to stay up-to-date on developments in the field; you can enjoy full access to actionable reporting, analysis and insight concerning the global information security industry. Contact us today to receive your discount, or to get a personalized tour of CyberWire Pro.
Mergers and acquisitions.
McAfee has agreed to sell its enterprise business to a consortium led by Symphony Technology Group (STG) for $4 billion in cash. McAfee's president and CEO Peter Leav stated, "STG is the right partner to continue strengthening our Enterprise business, and this outcome is a testament to the business' industry-leading solutions and most notably to the outstanding contributions of our employees. This transaction will allow McAfee to singularly focus on our consumer business and to accelerate our strategy to be a leader in personal security for consumers." The transaction is expected to close by the end of 2021.
San Francisco-based identity and access management company Okta has signed a definitive agreement to acquire Bellevue, Washington-headquartered single sign-on provider Auth0 for $6.5 billion in stock. Okta stated, "The transaction will accelerate Okta's growth in the $55 billion identity market. Auth0 will operate as an independent business unit inside of Okta, and both platforms will be supported, invested in, and integrated over time — becoming more compelling together. As a result, organizations will have greater choice in selecting the identity solution for their unique needs."
Tyto Athene, based in Herndon, Virginia, will acquire AT&T Government Solutions, Inc (GSI), AT&T’s Department of Defense IT professional services business. Tyto's press release states, "The combination of Tyto and GSI would create a leading pure-play provider of IT professional services and solutions to critical US Government agencies with positions on best-in-class contract vehicles, a full spectrum of industry leading capabilities, and substantial scale and resources to serve the increasingly complex needs of US Government agencies. After closing, the newly expanded Tyto Athene will employ approximately 1,200 highly skilled employees with 18 offices across the US and worldwide. Tyto expects this transaction to enhance its ability to address the rapidly evolving requirements of technology-enabled digital transformation and joint all-domain operations as a critical element of the U.S. national defense strategy."
Massachusetts-based security screening company Evolv Technology will merge with special purpose acquisition company (SPAC) NewHold Investment Corp. Evolv stated, "Pursuant to the merger agreement, Evolv will merge with a wholly owned subsidiary of NewHold, with Evolv being the surviving entity of the merger and a wholly owned subsidiary of NewHold. NewHold, which currently holds approximately $172.5 million of cash in trust, will be renamed to Evolv Technology, Inc. following the merger. The combined entity will have an estimated pro forma enterprise value of approximately $1.25 billion. The upsized and oversubscribed $300 million PIPE includes investors such as Motorola Solutions, Inc., Magnetar Capital, Eldridge, Senator Investment Group and UBS O’Connor, in addition to investments from star athletes, franchise owners and managers."
More business news can be found in the CyberWire Pro Business Briefing.
Patch news.
Microsoft's Patch Tuesday addressed 89 vulnerabilities, 14 of which are rated critical. These are in addition to last week's out-of-band patches for the actively exploited Exchange Server flaws. Adobe patched its Connect, Creative Cloud, and Framemaker products. And CISA published advisories covering 21 industrial control system products.
Crime and punishment.
Police in Belgium and the Netherlands have taken down SKY ECC, an encrypted chat platform popular with cybercriminals, The Record reports. Belgian authorities have arrested 48 suspects, while police in the Netherlands have made 30 arrests. The authorities said they infiltrated the chat platform in mid-February 2021 and have been intercepting messages. SKY ECC maintains that it wasn't breached, stating that "a fake phishing application falsely branded as SKY ECC was illegally created, modified and side-loaded onto unsecure devices, and security features of authorized SKY ECC phones were eliminated in these bogus devices which were then sold through unauthorized channels."
The US Attorney’s Office for the Southern District of New York has charged John McAfee and Jimmy Gale Watson, the advisor of McAfee's cryptocurrency team, with "conspiracy to commit commodities and securities fraud, conspiracy to commit securities and touting fraud, wire fraud conspiracy and substantive wire fraud, and money laundering conspiracy offenses stemming from two schemes relating to the fraudulent promotion to investors of cryptocurrencies qualifying under federal law as commodities or securities." McAfee remains in detention in Spain, while Watson was arrested in Texas last week. (It's worth reiterating that since 1994 McAfee has had no connection to the eponymous security company he founded.)
Courts and torts.
Facebook is opposing a $12 million attorney fees request from lawyers who represented users affected by a 2018 cyberattack, Law360 reports. The claimants reached a settlement with the company last year.
Policies, procurements, and agency equities.
DotGov, the General Services Administration program that has managed the .gov top-level domain for over twenty years, says the DOTGOV Act of 2020 transfers control of the domain to the Cybersecurity and Infrastructure Security Agency. As BleepingComputer reports, the agencies say they're collaborating “to ensure a seamless transition,” to be completed next month. CISA will work to provide low-cost .gov registration, establish a user-friendly DNS management hub, and support reliability and security efforts. The value of the domain is that a .gov address lets users recognize official government communications.
Gadgets360 claims President Biden's expected nomination of Columbia University law professor Lina Khan to the Federal Trade Commission signifies "an aggressive antitrust stance." Khan previously contributed to a House report urging Big Tech breakups and published an article on Amazon's market dominance.
The Administration also selected US Digital Service, Office of Personnel Management, and private sector veteran Clare Martorana as Chief Information Officer, Federal News Network reports.
For more, see the CyberWire Pro Policy Briefing.