The Arlo Pro 5S is easy to install, thanks to its built-in battery. Maria Diaz/ZDNETWhat’s the deal?With this limited-time Prime Day deal, the Arlo Pro 5S More

Microsoft has released its March 2021 quarterly cumulative updates for Exchange Server 2016 and Exchange Server 2019, which include the security updates to address critical flaws that are currently under attack.  These are notable cumulative updates (CUs) because customers with on-premise Exchange Server software should already be installing the separate security updates that Microsoft released on March 2. 

Exchange attacks

Microsoft released the emergency patches in response to four previously unknown vulnerabilities that were being exploited by state-sponsored hackers and have since been pounced on by ransomware attackers.  Also: Windows 10 Start menu hacks TechRepublic PremiumUS federal government agencies have been put on notice to patch the Exchange flaws immediately amid a spike in attacks on government email servers. The UK’s National Cyber Security Centre (NCSC) has also raised an alarm over an estimated 3,000 Exchange servers that lack Microsoft’s latest patches. Here’s ZDNet’s roundup of the Exchange flaws and recent attacks.But now Exchange Server 2016 and Exchange Server 2019 customers have another way of patching the flaws. That is, by installing the latest quarterly cumulative updates (CU) from Microsoft, which is the most complete mitigation available. “We wanted to highlight that these latest CUs contain the fixes that were previously released as Exchange Server Security Updates on March 2, 2021. This means you don’t have to install the March 2021 Security Updates after installing the March 2021 CUs,” Microsoft’s Exchange team noted. 

Microsoft has separately published more information for security teams responding to the Exchange server bugs CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065.Attackers are using the flaws to remotely compromise Exchange servers and then install “web shells” to maintain persistence on compromised machines. Hence, Microsoft warns there is more cleaning up to do on a compromised on-premise Exchange server even after applying the security updates.   “Applying the March 2021 Exchange Server Security Updates is critical to prevent (re)infection, but it will not evict an adversary who has already compromised your server,” Microsoft emphasizes in its advisory for incident response teams. “The best, most complete mitigation is to get to a current Cumulative Update and apply all Security Updates. This is the recommended solution providing the strongest protection against compromise,” Microsoft highlights in its advice for incident response teams handling Exchange Server software that isn’t on supported CUs. Microsoft also offers details for isolating an affected Exchange Server from the public internet until the security patches or the March 2021 CUs have been rolled out. Admins can do this by blocking inbound connections over port 443.

However, this route could break Exchange Server as a tool for supporting remote workers. Blocking inbound connections on port 433 “could inhibit work-from-home or other non-VPN remote work scenarios and does not protect against adversaries who may already be present in your internal network,” Microsoft warns. The advisory also highlights scripts included in the Exchange On-premises Mitigation Tool (EOMT) that Microsoft published on its code-sharing site GitHub. Security teams can use this to check for the presence of web shells on Exchange servers. The other option is to enable Microsoft Defender for Endpoint. “If Microsoft Defender for Endpoint is not running, skip directly to the publicly available tools section. If it is running, we recommend that you follow both methods,” Microsoft notes. The advisory contains step-by-step instructions for investigating each of the four vulnerabilities. Reflecting the severity of this security issue, Microsoft is now offering commercial customers using on-premise Exchange Server a three-month trial of Microsoft Defender for Endpoint.   “Microsoft is making publicly available a 90-day Microsoft Defender for Endpoint trial offer exclusively to support commercial on-premises Exchange Server customers that require continuous investigation and additional post-compromise security event detection beyond what Microsoft Safety Scanner (MSERT) offers,” says Microsoft.  More

Image: Getty ZIP and RAR files have overtaken Office documents as the file most commonly used by cyber criminals to deliver malware, according to an analysis of real-world cyber attacks and data collected from millions of PCs.  The research, based on customer data by HP Wolf Security, found in the period between July and September […] More

Two days ago, the government of India announced, in a seemingly miraculous turn of events, that it would publicly release the source code for its coronavirus contact tracing app, Aarogya Setu, which has already had close to 120 million downloads. The app, which uses Bluetooth to locate infected phone users, was rolled out soon after the COVID-19 outbreak […] More

Garmin has started to bring its Garmin Connect software back online after a ransomware attack shelved the system since late Wednesday, July 22. The company also said that customer data hasn’t been impacted and that its cyberattack occurred July 23. 

In a statement Monday, July 27, Garmin said: “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen.” Garmin did say that its systems were encrypted, which indicates a ransomware attack. 
As of Monday morning, Garmin said that Garmin Connect has returned with limited functionality. Simply put, Garmin has had a rough week. Here’s the timeline:
Specifically, Garmin Connect can now display activity details and uploads, register devices, show the dashboard, and produce reports and segments. The company noted on its status page:

We are happy to report that Garmin Connect recovery is underway. We’d like to thank you for your understanding and patience as we restore normal operations.  

Garmin has also starting sketching out its FAQ. Regarding customer data, Garmin said:

Garmin Ltd. was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation.
We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services. Affected systems are being restored and we expect to return to normal operation over the next few days.

Limited functionality remains for daily summaries, courses, Garmin Coach, third party sync, and Strava. On Strava, Strava Beacon integration is working, but segments, routes, and uploaded activities are being queued to sync.
Garmin also said Garmin Golf and Garmin Dive are online with LiveTrack. Vivofit Jr. is limited with delayed stats.
There are still a few unknowns about the Garmin incident and the FAQ provided doesn’t add much detail about the attack or processes to prevent another one in the future. With any luck, Garmin will have a detailed post mortem at a later date. Garmin reports earnings on Wednesday.  More