More stories

  • Microsoft releases one-click mitigation tool for Exchange Server hacks

    Microsoft has released a one-click mitigation tool as a stop-gap for IT admins who still need to apply security patches to protect their Exchange servers. 

    Released on Monday, the tool is designed to mitigate the threat posed by four actively-exploited vulnerabilities that have collectively caused havoc for organizations worldwide. 
    Microsoft released emergency fixes for the critical vulnerabilities on March 2. However, the company estimates that at least 82,000 internet-facing servers are still unpatched and vulnerable to attack. 
    The company previously released a script on GitHub that administrators could run in order to see if their servers contained indicators of compromise (IOCs) linked to the vulnerabilities. In addition, Microsoft released security updates for out-of-support versions of Exchange Server.
    However, after working with clients and partners, Microsoft says there is a need for “a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premise Exchange Server.”
    The Microsoft Exchange On-Premises Mitigation Tool has been designed to help customers that might not have security or IT staff on hand to help and has been tested across Exchange Server 2013, 2016, and 2019. 

    It is important to note the tool is not an alternative to patching but should be considered a means to mitigate the risk of exploit until the update has been applied — which should be completed as quickly as possible.  
    The tool can be run on existing Exchange servers and includes Microsoft Safety Scanner as well as a URL rewrite mitigation for CVE-2021-26855, which can lead to remote code execution (RCE) attacks if exploited. 
    “This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” Microsoft says. 
    In related news this week, Microsoft reportedly began investigating the potential leak of Proof-of-Concept (PoC) attack code supplied privately to cybersecurity partners and vendors ahead of the zero-day public patch release. The company says that no conclusions have yet been drawn over attack spikes related to the vulnerabilities. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Labor accuses Services Australia of breaching privacy as Cashless Debit Card hits the NT

    Services Australia on Friday sent an email to over 600 Northern Territory businesses, informing them of the introduction of the divisive Cashless Debit Card (CDC) scheme in the territory from Wednesday.
    The email, however, was sent with recipient email addresses exposed.
    “This email was sent as a Carbon Copy (CC) rather than a Blind Carbon Copy (BCC) as intended. We apologise to these businesses for this human error,” a Services Australia spokesperson told ZDNet.
    “The issue was identified quickly and soon after the emails were recalled, with unread copies deleted as a result. A new email was then correctly re-issued with all recipients BCC’d.”
    Senator for the Northern Territory Malarndirri McCarthy called the incident a breach of privacy. The Services Australia spokesperson said the email was generic in nature and included no personal information.
    “We take our role of protecting the personal information of Australians extremely seriously. We do not send personal details to bulk email addresses. The topic of this stakeholder correspondence was only general information,” they continued.
    “We are presently reviewing the situation and we’ll take appropriate steps to prevent this happening again. This will include feedback and training for staff and liaison with the Office of the Australian Information Commissioner as may be required.”

    See also: Australian Senate passes two-year extension for ‘racist’ welfare quarantining system
    The CDC will start rolling out from Wednesday in the NT and Cape York. There are currently over 23,000 Territorians on the Basics Card, and the transition to the more bank card-like solution is voluntary for those people. In Cape York, the CDC will replace the Basics Card.
    The CDC aims to govern how those in receipt of welfare spend their money, with the idea being to both prevent the sale of alcohol, cigarettes, and some gift cards, and block the funds from being used on activities such as gambling.
    Participants of the CDC have 80% of their funds placed on card, which is managed by Indue, with the remaining 20% to be paid into a bank account.
    The Bill that allows trials of the card to go on for another two years across Bundaberg and Hervey Bay, the East Kimberley, Ceduna, and Goldfields regions and have it enter the Northern Territory and Cape York, affecting mostly Indigenous Australians, passed the Senate in December.
    McCarthy, alongside her fellow Labor Party members, believes there is no evidence that compulsory, broad-based income management actually works.
    Similarly, Greens Senator Rachel Siewert previously called the CDC a “discriminatory, racist, punitive approach to income support”.
    “It’s not good enough that there’s been a data breach and it’s not good enough if there’s not been any information provided to people in the Territory,” McCarthy said on Monday.
    “We have over 23,000 Territorians who are on the Basics Card and they will need to know what the Cashless Debit Card means. And there are other Territorians who could very well be on the Cashless Debit Card before the end of the year.”

  • Microsoft, AMD partner on confidential computing features powered by AMD Epyc 7003 processors

    Microsoft has been providing confidential computing capabilities for Azure for several years. The main benefit: to encrypt data while it’s in use, which is especially important to customers in the finance, government, health care and communications verticals. To date, most, if not all of Microsoft’s confidential computing work has centered around Intel hardware. But that’s about to change.

    On March 15, Microsoft announced it would be extending its confidential computing options in partnership with AMD — the same day AMD took the wraps off its newest Epyc chip.

    Microsoft announced today it would become the first major cloud maker to offer confidential virtual machines on the newly announced AMD Epyc 7003 series processors. Key to that work is the security feature called Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), which enables protection of VMs by creating a trusted execution environment and which will be “substantially enhanced” in the third-generation AMD Epyc processor, Microsoft’s blog post says.

    In other AMD Epyc news today, Microsoft also announced availability plans for AMD Epyc 7003-powered Azure virtual machines, which will be optimized for high-performance-computing (HPC) workloads.

  • Old Linux storage bugs, new security patches

    One of the good things about Linux is that it supports so much old hardware. With just a bit of work, there’s almost no computing hardware that can’t run Linux. That’s the good news. The bad news is that sometimes ancient security holes can be found within old programs. That’s the case with Linux’s Small Computer System Interface (SCSI) data transport driver.

    A trio of security holes — CVE-2021-27365, CVE-2021-27363, and CVE-2021-27364 — was found by researchers at security company GRIMM in an almost forgotten corner of the mainline Linux kernel. The first two of these have a Common Vulnerability Scoring System (CVSS) score above 7, which is high. While you may not have had a SCSI or iSCSI drive in ages, these 15-year-old bugs are still around. One of them could be used in a Local Privilege Escalation (LPE) attack. In other words, a normal user could use it to become the root user.
    Don’t let the word “local” fool you. As Adam Nichols, Principal of Software Security at GRIMM, said: “These issues make the impact of any remotely exploitable vulnerability more severe. Enterprises running publicly facing servers would be at the most risk.”
    True, the vulnerable SCSI code isn’t loaded by default on most desktop distros. But it’s a different story on Linux servers. If your server needs RDMA (Remote Direct Memory Access), a high-throughput, low-latency networking technology, it’s likely to autoload the rdma-core Linux kernel module, which brings with it the vulnerable SCSI code. 
    Whoops!
    Exploiting the hole isn’t easy, but GRIMM has released a proof-of-concept exploit, which shows how to exploit two of the vulnerabilities. Now that the way has been shown, you can count on attackers giving it a try.
    In particular, CentOS 8, Red Hat Enterprise Linux (RHEL) 8, and Fedora systems, where unprivileged users can automatically load the required modules if the rdma-core package is installed, are vulnerable. SUSE Linux Enterprise Server (SLES) can also be attacked. Ubuntu 18.04 and earlier are also open to attack. And, of course, if you’re actually using SCSI or iSCSI drives you can be assaulted.

    Fortunately, these bugs have already been patched. So, unless you like taking chances with your Linux servers, I’d advise you to patch your Linux distributions as soon as possible.

  • Microsoft Exchange Server zero-day attacks: Malicious software found on 2,300 machines in the UK

    Any organisations which have yet to apply the critical updates to secure zero-day vulnerabilities in Microsoft Exchange Server are being urged to do so immediately to prevent what’s described as an ‘increasing range’ of hacking groups attempting to exploit unpatched networks.


    An alert from the UK’s National Cyber Security Centre (NCSC) warns that all organisations using affected versions of Microsoft Exchange Server should apply the latest updates as a matter of urgency, in order to protect their networks from cyber attacks including ransomware.
    The NCSC says it believes that over 3,000 Microsoft Exchange email servers used by organisations in the UK haven’t had the critical security patches applied, so remain at risk from cyber attackers looking to take advantage of the vulnerabilities. 
    If organisations can’t install the updates, the NCSC recommends that untrusted connections to Exchange server port 443 should be blocked, while Exchange should also be configured so it can only be accessed remotely via a VPN.
    It’s also recommended that all organisations which are using an affected version of Microsoft Exchange should proactively search their systems for signs of compromise, in case attackers have been able to exploit the vulnerabilities before the updates were installed.
    That’s because installing the update after being compromised will not automatically remove access for any cyber attackers that have already gained a foothold. NCSC officials said they’ve helped detect and remove malware related to the attack from more than 2,300 machines at businesses in the UK.

    “We are working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks,” said Paul Chichester, director for operations at the NCSC.
    “Whilst this work is ongoing, the most important action is to install the latest Microsoft updates,” he added.
    Microsoft first became aware of the Exchange vulnerabilities in January and issued patches to tackle them on March 2, with organisations told to apply them as soon as possible.
    It’s thought that tens of thousands of organisations around the world have had their email servers compromised by the cyber attacks targeting Microsoft Exchange, potentially putting large amounts of sensitive information into the hands of hackers.
    Cybersecurity researchers at Microsoft have attributed the campaign to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium.
    Since the emergence of the vulnerabilities, a number of state-sponsored and cyber criminal hacking groups have also rushed to target Microsoft Exchange servers in order to gain access before patches are applied.
    Cyber criminals have even distributed a new form of ransomware – known as DearCry – designed specifically to target vulnerable Exchange servers, something which could cause a major problem for organisations which haven’t applied the latest Exchange security updates.
    “Organisations should also be alive to the threat of ransomware and familiarise themselves with our guidance. Any incidents affecting UK organisations should be reported to the NCSC,” said Chichester.

  • Google fails to quash Incognito mode user tracking, privacy lawsuit

    Google has failed to have a proposed class-action lawsuit quashed that alleges the company violated user privacy by collecting data in Incognito browser modes. 

    The lawsuit, originally filed in June 2020, claims that Google tracks and collects consumer browsing history, among other activities, even when Chrome’s Incognito or other privacy-based browser sessions are in use. 
    Filed in the District Court of Northern California, the class-action complaint alleges that when an individual visits a web page served by Google services — such as plug-ins, Google Analytics, and Google Ad Manager — data is collected, no matter the browser mode. 
    The lawsuit says that Google is “intercepting, tracking, and collecting communications” and harvesting the data of users without obtaining consent, as noted by sister site CNET.
    In total, the class-action lawsuit is seeking $5 billion from Google and parent company Alphabet. 
    While Google sought to have the lawsuit shut down, presiding US District Judge Lucy Koh dismissed the request on Friday, saying that the tech giant “did not notify users that Google engages in the alleged data collection while the user is in private browsing mode” in her ruling, as reported by Bloomberg.  
    In a statement, a Google spokesperson said the company “strongly dispute[s] these claims” and will “defend ourselves vigorously against them.”

    “As we clearly state each time you open a new Incognito tab, websites might be able to collect information about your browsing activity during your session,” the spokesperson added, with such warnings displayed, as below, when a new incognito session in Chrome is launched.

    In October, Google became the target of an antitrust lawsuit filed by the US Department of Justice (DoJ). The US agency claims that Google holds an “illegal” monopoly over online search services and advertising, and further accused the firm of “exclusionary practices that are harmful to competition.”

  • Hafnium’s China Chopper: a ‘slick’ and tiny web shell for creating server backdoors

    Researchers have provided insight into China Chopper, a web shell used by the state-sponsored Hafnium hacking group.

    Hafnium is a group of cyberattackers originating from China. The collective recently came into the spotlight due to Microsoft linking them to recent attacks exploiting four zero-day vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — in Microsoft Exchange Server.
    Microsoft says that Hafnium tends to strike targets in the United States, focusing on industries including defense, research, law, and higher education. While believed to be based in China, the group uses leased virtual private servers (VPS) in the US.
    Due to the renewed interest in Hafnium, on Monday, Trustwave published an analysis of one of the group’s tools, China Chopper, which is a web shell widely used for post-exploitation activities. 
    The web shell has been detected in Exchange Server-related attacks alongside DearCry ransomware deployment.
    China Chopper is not new and has been in the wild for at least a decade. The tiny web shell — coming in at only four kilobytes — contains two key components: a web shell command-and-control (C2) client binary and a text-based web shell payload, the server component.
    “The text-based payload is so simple and short that an attacker could type it by hand right on the target server — no file transfer needed,” the team notes.

    FireEye calls the tool a “slick little web shell that does not get enough exposure and credit for its stealth.”
    There are different variants of China Chopper in the wild that are written in different languages — such as ASP, ASPX, PHP, JSP, and CFM — but they all have similar functions. The Active Server Page Extended (ASPX) variety, once it lands on a server already compromised via an exploit, for example, is typically no more than one line of code. 
    Red Canary notes that the .aspx web shell names are generally made up of eight random characters. 
    Upon examination of a China Chopper sample, Trustwave describes how when an HTTP POST request is made, the script calls the “eval” function to execute the string inside a POST request variable.
    “The POST request variable is named “secret,” meaning any JScript contained in the “secret” variable will be executed on the server,” the researchers say. “JScript is implemented as an active scripting engine allowing the language to use ActiveX objects on the client it is running on. This can be and is abused by attackers to achieve reverse shells, file management, process execution, and much more.”
    A client component of China Chopper is usually hosted on an attacker’s system to facilitate communication, which can be used for tasks such as running a virtual terminal to launch commands based on cmd.exe, downloading files, and executing other malicious scripts.
    The researchers also noted corresponding .NET DLLs to China Chopper generated by ASP.NET runtime on compromised servers. 
    TEMP.Periscope/Leviathan, APT41/Double Dragon, and Bronze Union, among other advanced persistent threat (APT) groups, have been connected to the use of this popular web shell in the past.
    Red Canary has also identified a cluster of Microsoft Exchange Server attacks building from the use of this backdoor. Dubbed “Sapphire Pigeon,” multiple web shells are being dropped on compromised servers at different times — and in some cases, days before post-exploit activities begin. 
    At least 10 APTs are thought to be exploiting the critical Exchange Server vulnerabilities, of which at least 82,000 servers remain unpatched, according to Microsoft. 
    Last week, Check Point Research said the rate of attacks leveraging the vulnerabilities was doubling every two to three hours. 

  • Google: This Spectre proof-of-concept shows how dangerous these attacks can be

    Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser’s JavaScript engine to leak information from its memory. 
    Google in 2018 detailed two variants of Spectre, one of which – dubbed variant 1 (CVE-2017-5753) – concerned Javascript exploitation against browsers. Spectre targeted the process in modern CPUs called speculative execution to leak secrets such as passwords from one site to another malicious site.
    Web developers can visit Google’s new page – at https://leaky.page – to see a demo of Spectre in JavaScript, a video demo on YouTube and a detailed write up of the PoC on GitHub. 
    Google released the PoC for developers of web applications to understand why it’s important to deploy application-level mitigations. At a high level, as detailed in a Google document on W3C, a developer’s “data must not unexpectedly enter an attacker’s process”.      
    While the PoC demonstrates the JavaScript Spectre attack against Chrome 88’s V8 JavaScript engine on an Intel Core i7-6500U ‘Skylake’ CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems. It was even successful on Apple’s M1 Arm CPU with minor modifications. The attack can leak data at a rate of 1kB per second. 
    The chief components of the PoC are a Spectre version 1 “gadget” or code that triggers attacker-controlled transient execution; and a side-channel or “a way to observe side effects of the transient execution”. 

    “The web platform relies on the origin as a fundamental security boundary, and browsers do a pretty good job at preventing explicit leakage of data from one origin to another,” explained Google’s Mike West. 
    “Attacks like Spectre, however, show that we still have work to do to mitigate implicit data leakage. The side-channels exploited through these attacks prove that attackers can read any data which enters a process hosting that attackers’ code. These attacks are quite practical today, and pose a real risk to users.”

    While Google and other browser vendors have developed mitigations for Spectre, such as Site Isolation, they don’t prevent exploitation of Spectre, explain Stephen Röttger and Artur Janc, Google information security engineers. 
    “Rather, [these mitigations] protect sensitive data from being present in parts of the memory from which they can be read by the attacker,” they note in a blogpost.  
    “While operating system and web browser developers have implemented important built-in protections where possible (including Site Isolation with out-of-process iframes and Cross-Origin Read Blocking in Google Chrome, or Project Fission in Firefox), the design of existing web APIs still makes it possible for data to inadvertently flow into an attacker’s process,” they explain. 
    Google has also released a new prototype Chrome extension called Spectroscope that scans an application to find resources that may require enabling additional defenses.  
    Röttger and Janc note that the Variant 1 gadget can be mitigated at a software level. However, the V8 team has found that mitigation of Spectre Variant 4 or Speculative Store Bypass (SSB) is “simply infeasible in software”.