More stories

  • Microsoft's latest cloud authentication outage: What went wrong


    Microsoft has published a preliminary root cause analysis of its March 15 Azure Active Directory outage, which took down Office, Teams, Dynamics 365, Xbox Live and other Microsoft and third-party apps that depend on Azure AD for authentication. The roughly 14-hour outage affected a “subset” of Microsoft customers worldwide, officials said.

    Microsoft’s preliminary analysis of the incident, published March 16 on its Azure Status History page, indicated that “an error occurred in the rotation of keys used to support Azure AD’s use of OpenID, and other, Identity standard protocols for cryptographic signing operations.” Officials said that, as part of normal security practices, an automated system removes keys that are no longer in use; over the past few weeks, however, one key had been marked as “retain” for longer than normal to support a complex cross-cloud migration. That unusual state exposed a bug, and the retained key was removed anyway.

    Metadata about the signing keys is published by Microsoft to a global location, the analysis notes. Once that metadata changed, at around 3 p.m. ET (the start of the outage), applications using these protocols with Azure AD started picking up the new metadata and stopped trusting tokens and assertions that had been signed with the removed key. Microsoft engineers rolled the system back to its prior state at around 5 p.m. ET, but it takes a while for applications to pick up the rolled-back metadata and refresh to the correct key set. A subset of storage resources required an update to invalidate the incorrect entries and force a refresh.

    Microsoft’s post explains that Azure AD is undergoing a multi-phase effort to apply additional protections to the back-end Safe Deployment Process to prevent this class of problem. The remove-key component falls in the second phase of that effort, which isn’t scheduled to be finished until mid-year.
    Microsoft officials said the Azure AD authentication outage at the end of September belongs to the same class of risk that they expect to eliminate once the multi-phase project is complete. “We understand how incredibly impactful and unacceptable this is and apologize deeply. We are continuously taking steps to improve the Microsoft Azure Platform and our processes to help ensure such incidents do not occur in the future,” the post said. A full root-cause analysis will be published once the investigation is complete, officials said.
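    The mechanism the analysis describes (a published key set that relying parties download and cache, a cleanup job that prunes unused keys, and caches that delay recovery after a rollback) is small enough to replay end to end. The Python below is an added illustration, not Microsoft's code: HMAC-SHA256 with a shared secret stands in for the asymmetric signing keys a real OpenID Connect discovery/JWKS endpoint publishes, the issuer and relying party are in-process objects rather than HTTPS endpoints, and the clock is simulated, so the 60-second cache TTL and the timestamps are arbitrary choices made for the replay.

```python
"""Replay of the signing-key metadata failure described above (added example,
not Microsoft's code). HMAC keys stand in for JWKS public keys; the clock is fake."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Issuer:
    """Identity provider: owns the signing keys and publishes the key metadata."""

    def __init__(self):
        self.keys = {}       # kid -> key material (symmetric here, a simplification)
        self.in_use = set()  # kids used to sign new tokens
        self.retain = set()  # kids flagged 'retain' beyond their normal lifetime

    def add_key(self, kid, secret, active):
        self.keys[kid] = secret
        if active:
            self.in_use.add(kid)

    def metadata(self):
        """The published key set relying parties download (JWKS analogue)."""
        return dict(self.keys)

    def sign(self, kid, claims):
        header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
        payload = b64url(json.dumps(claims).encode())
        sig = hmac.new(self.keys[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"

    def remove_unused_keys(self, honor_retain=True):
        """Automated cleanup of keys no longer used for signing.
        honor_retain=False models the bug that dropped the retained key."""
        for kid in list(self.keys):
            if kid not in self.in_use and not (honor_retain and kid in self.retain):
                del self.keys[kid]


class RelyingParty:
    """Application that validates tokens against a cached copy of the metadata."""

    def __init__(self, issuer, clock, ttl, refresh_on_unknown_kid):
        self.issuer, self.clock, self.ttl = issuer, clock, ttl
        self.refresh_on_unknown_kid = refresh_on_unknown_kid
        self.cache, self.fetched_at = None, None

    def _refresh(self):
        self.cache = self.issuer.metadata()
        self.fetched_at = self.clock()

    def verify(self, token):
        header_b64, payload_b64, sig_b64 = token.split(".")
        kid = json.loads(b64url_decode(header_b64))["kid"]
        if self.cache is None or self.clock() - self.fetched_at >= self.ttl:
            self._refresh()                      # normal TTL-driven refresh
        if kid not in self.cache and self.refresh_on_unknown_kid:
            self._refresh()                      # one extra fetch for an unknown kid
        if kid not in self.cache:
            return False                         # key not in trusted metadata: reject
        expected = hmac.new(self.cache[kid], f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(sig_b64))


def run_scenario(refresh_on_unknown_kid):
    """Replay the incident timeline for a token signed with the retained key.
    Returns the relying party's verdict at four points in (simulated) time."""
    now = [0]
    issuer = Issuer()
    issuer.add_key("k_old", b"old-secret", active=False)  # kept for a migration
    issuer.retain.add("k_old")
    issuer.add_key("k_new", b"new-secret", active=True)
    rp = RelyingParty(issuer, lambda: now[0], ttl=60,
                      refresh_on_unknown_kid=refresh_on_unknown_kid)
    token = issuer.sign("k_old", {"sub": "migrated-app"})
    results = [rp.verify(token)]                # t=0: both keys published, valid
    now[0] = 100
    issuer.remove_unused_keys(honor_retain=False)   # the bug: retained key removed
    results.append(rp.verify(token))            # cache expired, new metadata lacks k_old
    now[0] = 130
    issuer.add_key("k_old", b"old-secret", active=False)  # rollback of the metadata
    results.append(rp.verify(token))            # stale cache still lacks k_old ...
    now[0] = 170
    results.append(rp.verify(token))            # ... until the cache TTL expires
    return results
```

    run_scenario(False) returns [True, False, False, True]: the token signed with the retained key is accepted, rejected once the cleanup has dropped the key from the published metadata, still rejected after the rollback because the relying party is serving its cached copy, and accepted again only when the cache expires. With refresh_on_unknown_kid=True the third verdict flips to True, which is why most OIDC libraries re-fetch the key set once on an unrecognised kid (rate-limited, so a flood of bad tokens cannot turn the metadata endpoint into a denial-of-service target). On the issuer side the safe pattern is the one the rollback restored by hand: a key leaves the signing set first and stays published for validation for an overlap window, and only after that window may automated cleanup remove it.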

  • Hackers are targeting telecoms companies to steal 5G secrets

    A cyber espionage campaign is targeting telecoms companies around the world with attacks that use malicious downloads to steal sensitive data, including information about 5G technology, from compromised victims.

    Uncovered by cybersecurity researchers at McAfee, the campaign is targeting telecommunications providers in Southeast Asia, Europe and the United States. Dubbed Operation Diànxùn, the attacks are, researchers say, the work of a hacking group operating out of China. The group, also known as Mustang Panda and RedDelta, has a history of hacking and espionage campaigns against organisations around the world, and now appears to be focused on compromising telecoms providers.

    At least 23 telecommunications providers are suspected to have been targeted as part of the campaign, which has been active since at least August 2020. It hasn’t been disclosed how many of the targets were successfully compromised.

    While the initial means of infection hasn’t yet been identified, it’s known that victims are directed towards a phishing domain under the attackers’ control, which is used to deliver malware. According to the researchers, the malicious web page masquerades as a Huawei careers site and has been designed to look indistinguishable from the real thing. The researchers emphasised that Huawei itself isn’t involved in the cyber espionage campaign.

    When users visit the fake site, it delivers a malicious Flash application that drops the Cobalt Strike backdoor onto the visiting machine, giving the attackers visibility of the host and the ability to collect and steal sensitive information. The attacks appear to be specifically designed to reach people with knowledge of 5G and to steal sensitive or secret information about the technology.

    Researchers have linked Operation Diànxùn to previous hacking operations by Chinese groups because the attacks and the malware were deployed using tactics, techniques and procedures (TTPs) similar to those of earlier campaigns publicly attributed to the group. Analysis of the attacks suggests that the campaign is still actively attempting to compromise targets in the telecommunications sector.

    “We believe the campaign is still ongoing. We spotted new activity last week with the same TTPs, meaning the actor and the campaign are still running,” Thomas Roccia, security researcher in the McAfee advanced threat research strategic intelligence team, told ZDNet.

    With malicious domains playing such a significant role in this campaign, one way to help protect against the attacks is to train staff to recognise when they’ve been directed to a fake or malicious website, although given how good attackers have become at building highly accurate fake sites, this can be difficult. Having a robust strategy for applying security updates and patches in a timely manner also helps: a network with the latest updates applied leaves attackers fewer known vulnerabilities to exploit once they have a foothold.

  • Dropbox: The new player in free password manager space

    Looking for a password manager? There are a lot of services out there to choose from, and next month there will be another kid on the block: Dropbox.

    Starting in April, Dropbox will begin offering a free, limited version of Dropbox Passwords to anyone who has a free Dropbox Basic plan. The free tier can be used from up to three devices. The catch? You can only store 50 passwords. Need to store more and you have two choices: go elsewhere, or subscribe to a paid Dropbox plan.

    Another feature that Dropbox announced as “coming soon” is the ability to securely share any password with anyone. It is not clear how useful this will be (how often do you share a password?), but it might come in handy for Wi-Fi access codes or Netflix passwords.

  • This years-old Microsoft Office vulnerability is still popular with hackers, so patch now

    A years-old security vulnerability in Microsoft Office is still the flaw most frequently exploited by cyber criminals as a means of delivering malware to victims. Analysis of cyberattacks between October and December 2020 by cybersecurity researchers at HP shows that one exploit accounts for almost three-quarters of all campaigns that attempt to take advantage of known vulnerabilities.


    The exploit targets CVE-2017-11882, a memory corruption vulnerability in Microsoft Office’s Equation Editor that was first disclosed and patched in November 2017. When exploited successfully, it allows attackers to execute arbitrary code on a vulnerable machine as soon as the victim opens the malicious document, usually sent via a phishing email, providing them with an avenue for dropping malware.

    Yet despite a security update having been available for over three years, it is still the exploit most frequently used by cyber criminals to deliver malware via malicious Microsoft Office documents. “The enduring popularity of Equation Editor exploits such as CVE-2017-11882 may be due to home users and businesses not updating to newer, patched versions of Office. We commonly see this vulnerability being exploited by attackers who distribute easily-obtainable [remote access trojans],” Alex Holland, senior malware analyst at HP Inc, told ZDNet. Microsoft went further than patching in January 2018 and removed the Equation Editor component from Office altogether, so an up-to-date installation does not even carry the vulnerable binary.

    The use of CVE-2017-11882 has dropped compared to the previous quarter, when it accounted for 87% of exploits used, but another vulnerability is gaining popularity, more than doubling in use in the space of a few months.

    CVE-2017-0199 is a remote code execution vulnerability in Microsoft Office that first came to light in 2017. It allows a malicious document to download and execute a payload, such as a PowerShell script, on the victim’s machine, giving attackers additional access. HP’s analysis found that 22% of campaigns attempting to exploit unpatched vulnerabilities used CVE-2017-0199 during the last three months of 2020, something that could have been prevented if security teams had applied the update when it was released in 2017.

    Email remains the key method cyber criminals use to distribute malicious attachments and deliver malware, but there has been a slight change in the exact method of delivery. Before the final quarter of 2020, malicious documents accounted for just over half of the files used to distribute exploits; that dropped to just under a third. Meanwhile, the use of Excel spreadsheets as a means of distributing exploits doubled in that period, rising from one in ten detected instances to almost one in five.

    “Excel appeals to attackers because it supports a legacy macro technology called Excel 4.0 or XLM. These older macros have proven more difficult to detect than their Visual Basic for Application counterparts because security tools struggle to parse them,” said Holland.

    But no matter which type of file cyber attackers use to distribute malware, there is a simple thing organisations can do to avoid falling victim: apply the relevant security patches, especially when the updates have been available for years already.
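    Both vulnerabilities, and the Excel 4.0 macros Holland describes, leave recognisable traces inside an Office Open XML container: CVE-2017-0199 documents carry an OLE-object relationship whose target is external (a remote URL), Equation Editor objects are embedded with the ProgID Equation.3, and XLM macro sheets live under xl/macrosheets/. The Python below is an added triage example, not HP's tooling, and the finding tags are names chosen here: it walks the zip entries of a .docx/.xlsm and flags those structures, with sample documents constructed inline so it runs offline. It does not parse the legacy binary .doc/.xls formats, where XLM macros most often appear in the wild; for those use an OLE/BIFF-aware tool such as oletools' olevba. An Equation.3 object also occurs in benign documents that simply contain legacy equations, so that tag is a lead for analysis, not a verdict.

```python
"""Static triage of OOXML (docx/xlsm) files for the structures discussed above.
Added example, not HP's tooling; sample documents are constructed below."""
import io
import re
import zipfile

# Relationship type Office uses for linked/embedded OLE objects in a package.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_office_file(data: bytes) -> list:
    """Return sorted finding tags for one OOXML document (tag names are this
    example's own). Legacy OLE-based .doc/.xls files are not parsed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-ooxml"]
    findings = set()
    for name in zf.namelist():
        low = name.lower()
        if low.endswith("vbaproject.bin"):
            findings.add("vba-macro")                  # VBA project present
        if low.startswith("xl/macrosheets/"):
            findings.add("excel4-macro-sheet")         # XLM (Excel 4.0) macro sheet
        if low.startswith(("word/embeddings/", "xl/embeddings/")):
            findings.add("embedded-ole-object")
        if low.endswith(".rels"):
            rels = zf.read(name).decode("utf-8", "replace")
            for rel in re.findall(r"<Relationship\b[^>]*>", rels):
                # OLE object whose content is fetched from a remote target:
                # the document structure CVE-2017-0199 abuses.
                if OLE_REL_TYPE in rel and 'TargetMode="External"' in rel:
                    findings.add("remote-ole-link")
        elif low.endswith(".xml"):
            xml = zf.read(name).decode("utf-8", "replace")
            # Embedded Equation Editor object, the component CVE-2017-11882 targets.
            if 'ProgID="Equation.3"' in xml:
                findings.add("equation-editor-object")
    return sorted(findings)


def build_package(parts: dict) -> bytes:
    """Assemble a minimal OOXML container from {entry: content}; test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for path, content in parts.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples: each mimics only the structure the scanner keys on.
SAMPLE_REMOTE_LINK = build_package({
    "word/document.xml": "<w:document><w:body><w:p/></w:body></w:document>",
    "word/_rels/document.xml.rels":
        '<Relationships><Relationship Id="rId5" Type="' + OLE_REL_TYPE + '" '
        'Target="http://example.invalid/update.doc" TargetMode="External"/>'
        "</Relationships>",
})
SAMPLE_EQUATION = build_package({
    "word/document.xml":
        '<w:document><w:body><w:object><o:OLEObject Type="Embed" '
        'ProgID="Equation.3" r:id="rId4"/></w:object></w:body></w:document>',
    "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
})
SAMPLE_XLM = build_package({
    "xl/workbook.xml": "<workbook/>",
    "xl/macrosheets/sheet1.xml": "<xm:macrosheet/>",
})
SAMPLE_CLEAN = build_package({"word/document.xml": "<w:document/>"})

if __name__ == "__main__":
    for label, blob in [("remote link", SAMPLE_REMOTE_LINK), ("equation", SAMPLE_EQUATION),
                        ("xlm", SAMPLE_XLM), ("clean", SAMPLE_CLEAN)]:
        print(f"{label:12s} -> {scan_office_file(blob)}")
```

    Run against a directory of mail attachments, the remote-ole-link and excel4-macro-sheet tags are worth an immediate block-and-investigate; the other two need a look at the embedded object itself. The check is deliberately structural rather than signature-based, so it also catches samples whose payload has been re-obfuscated.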

  • SEC charges US trader for allegedly abusing Twitter to pump cannabis penny stock prices

    The US Securities and Exchange Commission (SEC) has charged a Californian trader for allegedly using Twitter to hype up stocks before dumping them for a profit. 

    The charges, unsealed on Monday and filed in federal court in the Central District of California on March 2, accuse Andrew Fassari of fraud through the spread of “false and misleading” information.
    The SEC has also obtained an emergency asset freeze and other emergency relief.
    According to the SEC, Fassari, posting under the Twitter handle @OCMillionaire, allegedly used the platform to spread false tips about the stock of Arcis Resources Corporation (ARCS).
    The Twitter handle is followed by roughly 13,000 users and was active as of March 8, 2021. 
    The SEC’s complaint says that, beginning on December 9, Fassari bought over 41 million shares in the Nevada company before touting the stock on Twitter.
    Among the claims, documented in over 120 messages referencing $ARCS, were an expansion of operations, a CEO who had “big plans” for the company, exciting news on its way, and the suggestion that the investment could be a “life-changer.”

    The US regulator alleges that after the share price rocketed by over 4,000%, Fassari sold his stake and secured profits of over $929,000.
    On December 19, Fassari posted a screenshot to Twitter claiming that he had sold for a massive loss. The message read:

    “$ARCS / Sold for a huge loss. I don’t care what anyone says about me. I back up what I say. I take my losses like a man. I don’t blame anyone for this. Everyone received the emails and saw their Twitter. This was either [a] calculated pump or a CEO who did things in the wrong order.”

    However, some Twitter followers have questioned the authenticity of the trading screenshot.
    On March 2, the SEC issued a temporary suspension of trading in ARCS securities.
    “We allege that Fassari profited by using social media to deceive investors,” commented Melissa Hodgman, Acting Director of SEC’s Division of Enforcement. “The SEC is committed to protecting investors by proactively monitoring suspicious trading activity tied to social media, and by charging those who use social media to violate the federal securities laws.”
    The regulator is seeking a permanent injunction, disgorgement, prejudgement interest, and a civil penalty under charges of violating the antifraud provisions of federal securities law. 
    Speaking to Reuters, a lawyer acting on Fassari’s behalf said, “it appears Mr. Fassari has been hit with fallout from the GameStop, Robinhood, Reddit controversy.”
    Around the time when GameStop (GME) shares skyrocketed and some retail investors jumped on so-called ‘meme’ stocks, SEC issued an advisory warning of the risks associated with stock trades pumped on social media. 
    SEC acknowledged that many may jump on stock options discussed across social media platforms, news aggregators, research websites, and forums, but cautioned that “following the crowd may lead to significant investment losses.”
    In March, SEC charged a number of individuals allegedly involved in an Airborne Wireless Network pump-and-dump stock scheme. The agency claims that the publicly-traded firm’s controlling parties were concealed and cash was spent on hyping the stock, only for major holders to dump their stakes — defrauding other investors out of $45 million. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Microsoft releases one-click mitigation tool for Exchange Server hacks

    Microsoft has released a one-click mitigation tool as a stop-gap for IT admins who still need to apply security patches to protect their Exchange servers. 

    Released on Monday, the tool is designed to mitigate the threat posed by four actively-exploited vulnerabilities that have collectively caused havoc for organizations worldwide. 
    Microsoft released emergency fixes for the critical vulnerabilities on March 2. However, the company estimates that at least 82,000 internet-facing servers are still unpatched and vulnerable to attack. 
    The company previously released a script on GitHub that administrators could run in order to see if their servers contained indicators of compromise (IOCs) linked to the vulnerabilities. In addition, Microsoft released security updates for out-of-support versions of Exchange Server.
    However, after working with clients and partners, Microsoft says there is a need for “a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premise Exchange Server.”
    The Microsoft Exchange On-Premises Mitigation Tool has been designed to help customers that might not have security or IT staff on hand to help and has been tested across Exchange Server 2013, 2016, and 2019. 

    It is important to note the tool is not an alternative to patching but should be considered a means to mitigate the risk of exploit until the update has been applied — which should be completed as quickly as possible.  
    The tool can be run on existing Exchange servers and bundles Microsoft Safety Scanner together with a URL rewrite mitigation for CVE-2021-26855, the server-side request forgery flaw that opens the exploit chain and can lead to remote code execution (RCE) when chained with the other bugs. The rewrite rule blocks the malicious requests at IIS, but it does not remove the vulnerable code, and a server that was already compromised before the rule went in stays compromised, which is why the tool also runs the scanner.
    “This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” Microsoft says. 
    In related news this week, Microsoft reportedly began investigating the potential leak of proof-of-concept (PoC) attack code that had been supplied privately to cybersecurity partners and vendors ahead of the public patch release. The company says no conclusions have yet been drawn about whether spikes in attacks on the vulnerabilities are connected to such a leak.

  • Labor accuses Services Australia of breaching privacy as Cashless Debit Card hits the NT

    Services Australia on Friday sent an email to over 600 Northern Territory businesses, informing them of the introduction of the divisive Cashless Debit Card (CDC) scheme in the territory from Wednesday.
    The email, however, was sent with recipient email addresses exposed.
    “This email was sent as a Carbon Copy (CC) rather than a Blind Carbon Copy (BCC) as intended. We apologise to these businesses for this human error,” a Services Australia spokesperson told ZDNet.
    “The issue was identified quickly and soon after the emails were recalled, with unread copies deleted as a result. A new email was then correctly re-issued with all recipients BCC’d.”
    Senator for the Northern Territory Malarndirri McCarthy called the incident a breach of privacy. The Services Australia spokesperson said the email was generic in nature and included no personal information.
    “We take our role of protecting the personal information of Australians extremely seriously. We do not send personal details to bulk email addresses. The topic of this stakeholder correspondence was only general information,” they continued.
    “We are presently reviewing the situation and we’ll take appropriate steps to prevent this happening again. This will include feedback and training for staff and liaison with the Office of the Australian Information Commissioner as may be required.”

    The CDC will start rolling out from Wednesday in the NT and Cape York. There are currently over 23,000 Territorians on the Basics Card, and for them the transition to the more bank-card-like solution is voluntary. In Cape York, the CDC will replace the Basics Card.
    The CDC aims to govern how those in receipt of welfare spend their money, with the idea being to both prevent the sale of alcohol, cigarettes, and some gift cards, and block the funds from being used on activities such as gambling.
    Participants of the CDC have 80% of their funds placed on card, which is managed by Indue, with the remaining 20% to be paid into a bank account.
    The Bill that allows trials of the card to go on for another two years across Bundaberg and Hervey Bay, the East Kimberley, Ceduna, and Goldfields regions and have it enter the Northern Territory and Cape York, affecting mostly Indigenous Australians, passed the Senate in December.
    McCarthy, alongside her fellow Labor Party members, believes there is no evidence that compulsory, broad-based income management actually works.
    Similarly, Greens Senator Rachel Siewert previously called the CDC a “discriminatory, racist, punitive approach to income support”.
    “It’s not good enough that there’s been a data breach and it’s not good enough if there’s not been any information provided to people in the Territory,” McCarthy said on Monday.
    “We have over 23,000 Territorians who are on the Basics Card and they will need to know what the Cashless Debit Card means. And there are other Territorians who could very well be on the Cashless Debit Card before the end of the year.”

  • Microsoft, AMD partner on confidential computing features powered by AMD Epyc 7003 processors

    Microsoft has been providing confidential computing capabilities in Azure for several years. The main benefit is keeping data encrypted while it is in use, which matters especially to customers in the finance, government, health care and communications verticals. To date, most if not all of Microsoft’s confidential computing work has centered on Intel hardware. That is about to change.

    On March 15, the same day AMD took the wraps off its newest Epyc chip, Microsoft announced it would be extending its confidential computing options in partnership with AMD and would become the first major cloud provider to offer confidential virtual machines on the newly announced AMD Epyc 7003 series processors. Key to that work is the security feature called Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), which encrypts a VM’s memory and adds integrity protections against a malicious or compromised hypervisor, creating a hardware-enforced trusted execution environment around the whole VM; Microsoft’s blog post says the feature will be “substantially enhanced” in the third-generation AMD Epyc processor. In other AMD Epyc news the same day, Microsoft also announced availability plans for AMD Epyc 7003-powered Azure virtual machines optimized for high-performance-computing (HPC) workloads.