Security week 3

Stay safe. We bring you our regular weekly overview of security news.

Exchange Hack: Norwegian Parliament Hacked Again

After the December attack by the Russia-backed APT28 (advanced persistent threat) group, the Norwegian Parliament has been compromised again, this time through the vulnerabilities found in Microsoft Exchange servers. So far there is no information available on the extent of the attack or on which data have been stolen. While the exploitation was originally attributed to the China-backed Hafnium APT group, researchers from ESET identified more than 10 APT groups (e.g. Tick, LuckyMouse, Calypso), including a few previously unknown ones, that became active in this area and are attempting to take advantage of the situation until updates are installed on the affected servers. In the article you will read about the activity of these APT groups. 8 days after the update was released, more than 46 000 servers (out of the 250 000 verified) were still unpatched.

Verkada’s Cameras Hacked

Hackers gained access to the security cameras at Tesla, Equinox, Bank of Utah and at other health clinics, prisons and banks. Moreover, at the Cloudflare and Tesla HQ, superuser privileges were gained over this surveillance system. The problem lay in hard-coded login credentials for the super administrator account at the Verkada company. The company invalidated all internal administrator accounts and thus prevented any further unauthorized access to the devices.

OVH Data Center Fire Likely Caused by Faulty UPS

Four data centers, SBG1-4 in Strasbourg, belonging to OVH, the third largest hosting provider in the world, caught fire, causing irreparable damage to some of them. The cause of the fire appears to be one of the uninterruptible power supplies (UPS) that had been inspected that day. The investigation may make use of recordings from more than 300 cameras installed in Strasbourg. The company has begun the recovery and has ordered 2000 servers, aiming to order more than 10 000 servers for building a new data center.

UK Secretly Testing Controversial Communication Tracking Tool

Having passed the Investigatory Powers Act in 2016, the UK has been developing a tool that may be considered one of the most invasive, when it comes to collecting data about its citizens, among all the democratic countries in the world. The tool is said to store web browsing metadata for every citizen. Such digital-life metadata covers the who, what, where, when and why.

Exchange hack: China-linked APT group exploits multiple vulnerabilities to gain access to Exchange servers

Several vulnerabilities have been exploited to gain access to Microsoft Exchange servers. These were relatively easy-to-exploit vulnerabilities that were actively used in the wild. Because a special update was released even for Exchange 2010, which is no longer supported, it is estimated that some of the vulnerabilities are more than 10 years old. The attack is attributed to the Hafnium group (an APT group tied to China), which is known for attacks on industry, law firms, educational institutions, think tanks, NGOs and others in the United States. Once the attackers gained access to MS Exchange servers, they extracted data, moved it to the MEGA cloud service and installed a web shell backdoor. The attack is so severe that CISA has issued a special order for federal organizations to perform a forensic analysis of this part of their infrastructure and, if they find nothing, to update the Exchange servers immediately. The vulnerabilities do not affect the Exchange Online service.

Since the release of the updates, the APT group has significantly increased its activity, and there is talk of servers being compromised at a rate of thousands per hour. Based on the timeline, we know that on March 5th several hundred thousand infiltrations (including the installed backdoor) had been detected.

Exchange hack: The European Banking Authority (EBA) has been hit by an attack on Microsoft’s email servers

The Chinese-backed APT group (Hafnium) exploited hitherto unknown vulnerabilities to infiltrate Microsoft Exchange servers. The EBA temporarily disconnected its Exchange servers and secured its infrastructure. The investigation so far has shown that no data has been leaked.

The NSA and CISA have issued guidance on using Protective DNS

The NSA and CISA have published guidelines for the deployment of Protective DNS (PDNS). PDNS uses the existing DNS protocol and architecture: it analyzes DNS queries and blocks those that lead to known threats. PDNS can thus serve as a defense against phishing, malware distribution and C&C (command and control) servers, and can also provide content filtering. In a pilot deployment, it handled more than 4 billion DNS queries and blocked connections to millions of malicious domains.
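To show what "analyzes DNS queries and blocks those that lead to known threats" looks like at the protocol level, here is an added example of a minimal protective-DNS policy engine. It is not code from the NSA/CISA guidance or from any PDNS product: it parses a raw DNS query, matches the queried name (and its parent domains) against a constructed, categorised blocklist, and either lets the query pass to the upstream resolver or answers it locally with a sinkhole address (for A queries) or NXDOMAIN (for everything else). The blocklist domains, the sinkhole address 0.0.0.0 and the client address are all assumptions made up for the example.

```python
"""Minimal protective-DNS policy engine over DNS wire-format queries (example code)."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample blocklist keyed by registered domain; not a real threat feed.
BLOCKLIST: Dict[str, str] = {
    "login-verify-example.test": "phishing",
    "updates-cdn-example.test": "malware",
    "beacon-example.test": "c2",
}
SINKHOLE_IP = "0.0.0.0"   # assumed address handed back for blocked A queries
QTYPE_A = 1


@dataclass
class Question:
    txid: int
    qname: str
    qtype: int
    section: bytes   # raw question bytes, copied verbatim into the response


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query (RFC 1035 s4.1); used to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes) -> Question:
    """Parse the header and the single question; reject truncated or compressed names."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a query with exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return Question(txid, ".".join(labels), qtype, packet[12:pos + 4])


def classify(qname: str) -> Optional[str]:
    """Match qname and every parent domain against the blocklist; subdomains inherit verdicts."""
    labels = qname.split(".")
    for i in range(len(labels)):
        category = BLOCKLIST.get(".".join(labels[i:]))
        if category:
            return category
    return None


def build_block_response(q: Question) -> bytes:
    """Sinkhole A queries to SINKHOLE_IP; answer every other record type with NXDOMAIN."""
    if q.qtype == QTYPE_A:
        header = struct.pack("!HHHHHH", q.txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR, 1 answer
        rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
        # name is a pointer to offset 12 (the question name), TTL 60 s, 4-byte rdata
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, 4) + rdata
        return header + q.section + answer
    header = struct.pack("!HHHHHH", q.txid, 0x8183, 1, 0, 0, 0)   # RCODE 3 = NXDOMAIN
    return header + q.section


def handle(packet: bytes, client: str = "10.0.0.5") -> Tuple[str, Optional[bytes], str]:
    """Return (verdict, response_or_None, log_line); None means forward to the upstream resolver."""
    q = parse_query(packet)
    category = classify(q.qname)
    if category is None:
        return "ALLOW", None, f"client={client} qname={q.qname} qtype={q.qtype} verdict=ALLOW"
    line = f"client={client} qname={q.qname} qtype={q.qtype} verdict=BLOCK category={category}"
    return "BLOCK", build_block_response(q), line


if __name__ == "__main__":
    samples = [("www.example.test", 1), ("mail.beacon-example.test", 1), ("beacon-example.test", 16)]
    for name, qtype in samples:
        _verdict, _resp, log_line = handle(build_query(name, qtype))
        print(log_line)
```

The log line produced for each query is the part a defender actually consumes: a real PDNS deployment feeds those block events, with the category, into the SOC's monitoring so that a workstation resolving a known C&C name is investigated rather than merely cut off.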