More stories


    Microsoft Exchange attacks: Now Microsoft rushes out a patch for older versions of Exchange

    Microsoft has released security updates for unsupported versions of Exchange email servers following widespread attacks exploiting four newly discovered security vulnerabilities.
    Microsoft has already released out-of-band emergency patches for Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 but, in light of ongoing cyberattacks exploiting the flaws, it’s produced security updates for earlier versions of Exchange it otherwise does not patch. 


    The security updates for older versions of Exchange only address the four newly disclosed flaws that are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The issues affect on-premise Exchange servers. 
    Though patches for unsupported Microsoft products are rare, the company has been forced to issue them on multiple occasions in the past five years to address global cyberattacks. It made patches for unsupported Windows XP in 2017 after the WannaCry ransomware attacks and produced patches for Windows XP again in 2019 after identifying a severe wormable flaw in Windows.    
    Microsoft notes that this security update for Exchange only addresses the four new flaws and does not mean those versions of Exchange, such as Exchange 2010 and earlier, are now supported. The patches are designed to update specific cumulative updates (CU) of Exchange. 
    The patches include updates for the following cumulative updates: 
    “Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs). The availability of these updates does not mean that you don’t have to keep your environment current,” Microsoft states.  

    “This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update.”
    Microsoft spokesman Frank X Shaw said on Twitter that Microsoft engineers had “worked around the clock to deliver fixes” for these older and unsupported cumulative update versions of Windows Exchange.
    Microsoft raced out patches for Exchange earlier this month after security researchers discovered that suspected China-backed hackers were exploiting Exchange servers to access emails of targets. Security firm Volexity said the bugs had been exploited from around January 6, 2021.  
    The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) this week ordered civilian agencies to apply Microsoft’s patches or disconnect vulnerable email servers. CISA also warned it had seen “widespread domestic and international exploitation” of the flaws. 
    It’s been a busy few months for cybersecurity teams around the world after the SolarWinds supply chain attack was disclosed by Microsoft and FireEye in mid-December. Those teams are already under pressure after supporting remote-working arrangements during the pandemic. 
    Chris Krebs, the former director of CISA, commented this week that incident response teams are burned out. He recommended patching Exchange now if possible and assuming that the organization has already been breached. Where searching for signs of compromise is not currently possible, he recommended following CISA’s advice: disconnect and rebuild the Exchange server.
    Microsoft says the new Exchange updates are available only through the Microsoft Download Center and not on the Microsoft Update service.
    “We are producing updates only for some older CUs for Exchange 2016 and 2019,” it notes. 
    Microsoft also warns that there are problems with this security update that may cause Outlook on the web to crash, depending on the configuration. 
    “When you try to manually install this security update by double-clicking the update file (.msp) to run it in normal mode (that is, not as an administrator), some files are not correctly updated,” Microsoft notes in a support document. 
    “When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook on the web and the Exchange Control Panel (ECP) might stop working.”

    “This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services. To avoid this issue, follow these steps to manually install this security update.”
    CISA today issued another warning for organizations to apply Microsoft’s patches. 
    “CISA urges ALL organizations across ALL sectors to follow guidance to address the widespread domestic and international exploitation of Microsoft Exchange Server product vulnerabilities,” CISA said on Twitter. 
    “An adversary can exploit this vulnerability to compromise your network and steal information, encrypt data for ransom, or even execute a destructive attack,” it said in an advisory.


    UnityMiner cryptocurrency malware hijacks QNAP storage devices

    A cryptocurrency miner is being deployed on QNAP NAS devices through a remote code execution flaw.

    QNAP, a Taiwanese vendor, manufactures hardware including network-attached storage (NAS) devices, products used to provide additional, centralized storage in home and business use cases. 
    On March 2, 360Netlab researchers received reports that QNAP NAS devices were subject to a new wave of attacks. 
    Internet of Things (IoT) and associated devices are commonly hijacked through brute-force attacks and via credential theft. However, in this case, two vulnerabilities leading to remote code execution (RCE) are thought to be to blame. 
    The vulnerabilities are tracked as CVE-2020-2506 and CVE-2020-2507. According to QNAP, the Helpdesk app security issues combine improper access control and a command injection vulnerability which can be used to trigger RCE and hijack NAS devices. 
    The critical vulnerabilities were disclosed in a security advisory dated October 7, 2020. Devices that contain firmware prior to August are vulnerable. 
    360Netlab researchers estimate that “hundreds of thousands of online QNAP NAS devices” have not been patched. An online mapping scan, as of last week, detected 4,297,426 QNAP NAS devices — with 951,486 unique IPs — that may remain vulnerable. 

    The team says that these products are susceptible to full hijacking through attackers gaining root privileges — and this allows them to deploy cryptocurrency mining malware. 
    The miner is called UnityMiner. This malware, which utilizes a version of open source XMRig — used to mine Monero (XMR) — is able to disguise the mining process and tamper with reported CPU memory resource usage data in an attempt to hide its presence on a compromised machine. 
    “When QNAP users check the system usage via the web management interface, they cannot see the abnormal system behavior,” the researchers note. 
    Once deployed on a target machine, the malware consists of unity_install.sh and Quick.tar.gz, which together contain download instructions, the payload, and configuration data. 
    The CPU architecture will be checked so the correct miner version can be installed, and as of now, UnityMiner is compatible with ARM64 and AMD64. Only half of the available cores are used for mining, likely in another effort to stay under the radar and not overload the infected NAS device. 
    Three pool proxies are used to disguise the address of the wallet where cryptocurrency, after mining, is stored. 
    360Netlab contacted QNAP with its findings on March 3. 
    In January, QNAP published a security advisory warning of the active exploit of Dovecat, malware that compromises NAS devices via weak credentials for the purpose of cryptocurrency mining. 
    ZDNet has reached out to QNAP and will update when we hear back. 


    Intel joins DARPA in search of encryption 'holy grail'

    Intel has signed an agreement with Defense Advanced Research Projects Agency (DARPA) to take part in its Data Protection in Virtual Environments (DPRIVE) program, which is aiming to develop an accelerator for fully homomorphic encryption (FHE).
    “Fully homomorphic encryption remains the holy grail in the quest to keep data secure while in use,” Intel Labs principal engineer Rosario Cammarota said.
    FHE is an approach to data security that delivers mathematical proof of encryption by using cryptographic means, which DARPA has touted could potentially provide a new level of certainty around how data is stored and manipulated.
    “Today, traditional encryption protects data while stored or in transmission, but the information must be decrypted to perform a computation, analyse it, or employ it to train a machine learning model,” the agency explained.
    “Decryption endangers the data, exposing it to compromise by savvy adversaries or even accidental leaks. FHE enables computation on encrypted information, allowing users to strike a balance between using sensitive data to its full extent and removing the risk of exposure.”
    While FHE is positioned as a viable path forward, it requires a prohibitive amount of compute power and time.
    “A computation that would take a millisecond to complete on a standard laptop would take weeks to compute on a conventional server running FHE today,” DARPA program manager Tom Rondeau said.

    DARPA launched DPRIVE to reduce the processing time from weeks to seconds.
    Microsoft is the key cloud ecosystem and homomorphic encryption partner leading the commercial adoption of the technology once developed by testing it in its cloud offerings, including Microsoft Azure and the Microsoft JEDI cloud with the US government.
    Intel’s role will be to design an application-specific integrated circuit accelerator to reduce the performance overhead currently associated with fully homomorphic encryption.
    “When fully realised, the accelerator could deliver a massive improvement in executing FHE workloads over existing CPU-driven systems, potentially reducing cryptograms’ processing time by five orders of magnitude,” the chip giant said.
    Intel joins DPRIVE alongside Duality Technologies, Galois, and SRI International. The four companies will lead researchers to develop an FHE accelerator hardware and software stack that reduces the computational overhead required to make FHE calculations to a speed comparable to similar unencrypted data operations.
    In addition, teams are exploring novel approaches to memory management, flexible data structures and programming models, and formal verification methods to ensure the FHE implementation is correct-by-design and provides confidence to the user, DARPA said.
    “We currently estimate we are about a million times slower to compute in the FHE world than we are in the plaintext world. The goal of DPRIVE is to bring FHE down to the computational speeds we see in plaintext. If we are able to achieve this goal while positioning the technology to scale, DPRIVE will have a significant impact on our ability to protect and preserve data and user privacy,” Rondeau said.


    Ezviz C3X outdoor security camera review: Simple setup, superb features

    Pros
    ✓ Loud siren and strobe
    ✓ Configurable alert zones
    ✓ Well-constructed

    Cons
    ✕ Voice alert too quiet

    The Ezviz C3X outdoor security camera is very cool for an outdoor security camera and it has some much-needed features for monitoring your home or office.
    This is a well-constructed, solid, metal camera with a locking metal base to hold it firmly in place.
    It is dust-proof, weather-proof, rated IP67, and is solid enough not to be blown by the wind when secured by its locking ring on the mount.
    The C3X comes in two versions. You can buy either a Wi-Fi or PoE (Power over Ethernet) camera. I have the Wi-Fi version that can also be connected to the internet through a LAN cable to your router.
    Inside the box, there is the camera, power adaptor, extension lead, and cable seal kit. There is also a paper drilling template and a screw kit.
    The quick start guide has a QR code to enable you to download the full user guide and the app. The camera is also compatible with Alexa, and Google Home.

    On the body of the camera, there is an LED indicator, which is blue to show the Wi-Fi connection status or whether a video is being viewed in the app. The LED flashes red if the Wi-Fi connection has failed.
    The C3X is so simple to connect to the app — by far the easiest camera I have tried so far. It is simple to connect the app to the camera using 2.4GHz Wi-Fi and it is really simple to use.
    The C3X will either use a micro SD card up to 256GB, or there is a free 7-day trial of the cloud services. The camera records video using H.265 video compression to save storage space. It has a viewing angle of up to 89 degrees horizontal (106 degrees diagonal).
    The night view has really good color — as opposed to the usual black and white view of other cameras I have reviewed.
    Only on dark nights, before the moon has risen, does the camera switch to black and white. It does not use a spotlight to enhance the view.
    You can program the C3X to emit a siren and bright strobe light when it detects any motion.
    The camera siren will fire if it detects people or cars but not when it detects tree movement or dogs.

    You can configure a voice alert to trigger instead when someone enters the zone or field of view.
    However, the voice output from the camera is really quiet — even when all of the options in the settings are set to intense. It is far more effective to use the siren.
    It was a little disappointing as I had hoped for a really loud bellow when someone crossed into the zone.
    The camera itself has dual 2MP lenses. One lens records the brightness and the other captures color information. The two 1080p images are merged by the camera.
    It also has dual infrared lights which can detect motion up to 100ft away.
    You can select which parts of the image view will be used to detect motion by drawing a specific zone — or set a line to cross. The lines feature is sluggish to set so you need to be patient.
    All in all, this camera has some great features. I particularly like the alert detection feature, the siren, and the strobe light.
    For $149 the Ezviz C3X is a neat little camera that is super easy to configure and the motion detection feature is excellent — if only the voice alert was louder.



    McAfee sells its enterprise business to private equity group as it focuses on consumer security

    McAfee announced Monday that it will sell its enterprise security business to a consortium led by Symphony Technology Group in a deal worth $4 billion. McAfee, which went public in October, said the deal is meant to bolster its efforts to become a pure-play consumer cybersecurity company. 

    Since its split from Intel in early 2017, McAfee has pivoted to cloud services and worked to build out its platform with a focus on its enterprise product portfolio. However, the company is now narrowing its focus and directing its resources to the consumer side of the business in a bid for long-term growth.
    “This transaction will allow McAfee to singularly focus on our consumer business and to accelerate our strategy to be a leader in personal security for consumers,” said McAfee chief executive Peter Leav, in a statement.
    Intel bought McAfee in 2011 and rebranded as Intel Security in 2014. A year later, Intel Security adjusted its strategy to refocus the business on endpoint security, as well as threat intelligence, analytics, and orchestration. McAfee was spun out from Intel through a deal with TPG Capital, which owns 51 percent of McAfee.
    When the deal closes, the McAfee brand name will be retained and used for the consumer business. The enterprise unit will get a new name and brand refresh in the coming months.


    Supernova malware clues link Chinese threat group Spiral to SolarWinds server hacks

    A possible link to China has been noted by researchers examining the exploit of SolarWinds servers to deploy malware. 

    On Monday, Secureworks’ counter threat unit (CTU) said that during late 2020, a compromised Internet-facing SolarWinds server was used as a springboard to deploy Supernova, a .NET web shell. 
    Similar intrusions on the same network suggest that the Spiral threat group, suspected of a Chinese origin, is to blame for both cases.
    According to the researchers, CVE-2020-10148 has been actively exploited by Spiral. This vulnerability is found in the SolarWinds Orion API and is described as an authentication bypass bug leading to the remote execution of API commands.
    When vulnerable servers are detected and exploited, a script is deployed to write the Supernova web shell to disk using a PowerShell command.
    Written in .NET, Supernova is described by Palo Alto Networks as an advanced web shell designed not only to maintain persistence on a compromised machine but one that is also able to compile “method, arguments and code data” in-memory, leaving little forensic trace. 
    “The attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network,” Palo Alto says. “The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on Windows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign SolarWinds operation and is executed dynamically.”

    In the case noted by SecureWorks, Supernova is used to perform reconnaissance, for domain mapping, and for both credential and information theft.
    The past intrusion was performed on a ManageEngine ServiceDesk server, with access gained as early as 2018. In these examples, identical commands were used and the same servers were accessed — a domain controller and system containing sensitive business data — and a total of three compromised admin accounts were hijacked in both attacks.  
    “CTU researchers have associated Chinese threat groups with network intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property,” the team notes.
    It is not believed, however, that these cases are linked to the devastating SolarWinds supply chain attack that took place in December 2020. Cyberattackers compromised the chain and deployed a malicious Orion update, impacting upwards of 18,000 organizations. 
    Microsoft estimates that it took the combined efforts of at least 1,000 engineers to pull off the attack and recently found three new malware components linked to the attack alongside Sunburst/Solorigate, Teardrop, and Sunspot. 
    Update 18.22GMT: A SolarWinds spokesperson told ZDNet:

    “This report references an incident where a network was first compromised in a way that was unrelated to SolarWinds. That breach enabled the attackers to add the malicious Supernova code to Orion software on the customer’s network. 
    It is important to note that Supernova is not associated with the broad and sophisticated supply chain attack that targeted multiple software companies as vectors. Supernova was neither signed nor delivered by SolarWinds and the issue was addressed in Orion platform updates that were released in December.”



    Everything you need to know about the Microsoft Exchange Server hack

    Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-sponsored threat group from China and appear to have been adopted by other cyberattackers in widespread attacks.


    While in no way believed to be connected to the SolarWinds supply chain attack that has impacted an estimated 18,000 organizations worldwide — so far — there is concern that lags in patching vulnerable servers could have a similar impact, or worse, on businesses. 
    Here is everything you need to know about the security issues and our guide will be updated as the story develops. 
    What happened?
    On March 2, Microsoft released patches to tackle four severe vulnerabilities in Microsoft Exchange Server software. At the time, the company said that the bugs were being actively exploited in “limited, targeted attacks.”
    Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Users range from enterprise giants to small and medium-sized businesses worldwide. 
    While fixes have been issued, the scope of potential Exchange Server compromise depends on the speed and uptake of patches — and the number of estimated victims continues to grow. 
    What are the vulnerabilities and why are they important?

    The critical vulnerabilities impact on-premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. However, Exchange Online is not affected. 
    CVE-2021-26855: CVSS 9.1: a Server-Side Request Forgery (SSRF) vulnerability that allows an unauthenticated attacker to send crafted HTTP requests to the server. The server must accept untrusted connections over port 443 for the bug to be triggered.
    CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code to run as SYSTEM. However, this vulnerability needs to be combined with another, or stolen credentials must be used.
    CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability that allows an authenticated attacker to write files to arbitrary paths on the server.
    CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability that allows an authenticated attacker to write files to arbitrary paths on the server.
    If used in an attack chain, all of these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.
    In summary, Microsoft says that attackers secure access to an Exchange Server either through these bugs or stolen credentials and they can then create a web shell to hijack the system and execute commands remotely. 
    “These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
    Who is responsible for known attacks?
    Microsoft says that attacks using the zero-day flaws have been traced back to Hafnium. 
    Hafnium is a state-sponsored advanced persistent threat (APT) group from China that is described by the company as a “highly skilled and sophisticated actor.” 
    While Hafnium originates in China, the group uses a web of virtual private servers (VPS) located in the US to try and conceal its true location. Entities previously targeted by the group include think tanks, non-profits, defense contractors, and researchers. 
    Is it just Hafnium? 
    When zero-day vulnerabilities come to light and emergency security fixes are issued, if popular software is involved, the ramifications can be massive. Problems can often be traced back to awareness of new patches, slow uptake, or reasons why IT staff cannot apply a fix — whether this is because they are unaware that an organization is using software, third-party libraries, or components at risk, or potentially due to compatibility problems. 
    According to Volexity, attacks using the four zero-days may have started as early as January 6, 2021. 


    Mandiant says further attacks against US targets include local government bodies, a university, an engineering company, and retailers. The cyberforensics firm believes the vulnerabilities could be used for the purposes of ransomware deployment and data theft. 
    Sources have told cybersecurity expert Brian Krebs that approximately 30,000 organizations in the US have been hacked so far. Bloomberg estimates put this figure closer to 60,000, as of March 8.
    The European Banking Authority is one of the latest victims. Data may have been accessed from the agency’s email servers. 
    The US Cybersecurity and Infrastructure Security Agency (CISA) says that the agency is “aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers.”
    In an update on March 5, Microsoft said the company “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.”
    The Biden Administration is expected to form a task force to explore the reported links between Microsoft Exchange attacks and China, according to CNN. 
    How can I check my servers and their vulnerability status? What do I do now?
    Microsoft has urged IT administrators and customers to apply the security fixes immediately. However, just because fixes are applied now, this does not mean that servers have not already been backdoored or otherwise compromised.
    Interim mitigation option guides are also available if patching immediately is not possible. 
    The Redmond giant has also published a script on GitHub available to IT administrators to run that includes indicators of compromise (IOCs) linked to the four vulnerabilities. IoCs are listed separately here. 
    CISA issued an emergency directive on March 3 that demanded federal agencies immediately analyze any servers running Microsoft Exchange and to apply the firm’s supplied fixes. 
    If there are any indicators of suspicious behavior dating back as far as September 1, 2020, CISA requires agencies to disconnect them from the Internet to mitigate the risk of further damage. 
    Microsoft continues to investigate and as more information comes to light we will update.


    Microsoft Exchange zero-day attacks: 30,000 servers hit already, says report

    Four previously unknown or ‘zero-day’ vulnerabilities in Microsoft Exchange Server are now being used in widespread attacks against thousands of organisations with potentially tens of thousands of organisations affected, according to security researchers.
    The bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft, which issued emergency patches last week, attributed the attacks to a newly discovered hacking team it calls Hafnium, most likely a China-backed group. Microsoft said they were “limited targeted attacks” but warned they could be more widely exploited in the near future.


    Since then, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an order to agencies to apply the patches for on-premise Exchange systems or to simply disconnect vulnerable servers after seeing “active exploitation” of the vulnerabilities. In other words, patch now or cut off a vital communications tool. 
    Microsoft urged Exchange customers, which range from large enterprise to small businesses, to apply the patches immediately because “nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.”
    CISA over the weekend warned that it was “aware of widespread domestic and international exploitation” of Microsoft Exchange Server vulnerabilities and urged the scanning of Exchange Server logs with Microsoft’s IOC detection tool to help determine compromise. 
    History suggests many organizations do not update their software when vulnerabilities are found. Microsoft last year warned Exchange server customers to patch the critical flaw CVE-2020-0688 but found that months afterwards tens of thousands of Exchange servers remained unpatched, despite nation-state attackers exploiting the bug from the outset.

    Chris Krebs, the former director of CISA, reckons government agencies and small businesses will be more affected by these attacks than large enterprise. 
    He believes the Exchange bugs will disproportionately affect small businesses and organizations in the education sector as well as state and local governments. 
    “Incident response teams are BURNED OUT & this is at a really bad time,” he wrote. 

    This is a crazy huge hack. The numbers I’ve heard dwarf what’s reported here & by my brother from another mother (@briankrebs). Why, though? Is this a flex in the early days of the Biden admin to test their resolve? Is it an out of control cybercrime gang? Contractors gone wild?
    — Chris Krebs (@C_C_Krebs) March 6, 2021

    The Hafnium attackers deployed “web shells” on compromised Exchange servers for the purpose of stealing data and installing more malware. Web shells are small scripts that provide a basic interface for remote access to a compromised system. 
    According to Brian Krebs, author of Krebsonsecurity, the Hafnium hackers have accelerated attacks on vulnerable Exchange servers since Microsoft released the patches. His sources told him that 30,000 organisations in the US have been hacked as part of this campaign. 
    “The intruders have left behind a ‘web shell,’ an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers,” notes Krebs.
    Volexity, a Washington DC-based security firm, said the Hafnium attacks started as early as January 6, 2021. 
