More stories

  • in

    Microsoft: Watch out for this new ransomware threat to unpatched Exchange email servers

    Microsoft has issued an alert that hackers using a strain of ransomware known as DearCry are now targeting unpatched Exchange servers still exposed to four vulnerabilities that were being exploited by suspected Chinese government hackers.
    Microsoft is warning Exchange customers once again to apply the emergency patches it released last week for critical flaws affecting on-premise Exchange email servers. 


    Microsoft urged customers on March 2 to install the patches immediately due to the risk that more cybercriminals and state-backed hackers would exploit the flaws in coming weeks and months. 
    It said existing attacks were being carried out by a Chinese hacking group it calls Hafnium. However, security vendor ESET reported yesterday that at least 10 state-backed hacking groups were now attempting to exploit flaws in unpatched Exchange servers.   
    And now cyber criminals are looking to feed off the Exchange bugs. Ransomware attackers spreading a strain called DearCry are attempting to install the malware after compromising Exchange servers, according to Microsoft. 
    “We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry,” Microsoft warned in a tweet. Ransom:Win32/DoejoCrypt.A is the name under which Microsoft’s Defender antivirus will detect the new threat.  

    Microsoft added that customers using Microsoft Defender antivirus that use automatic updates don’t need to take additional action after patching the Exchange server. 
    Microsoft appears to be treating this set of Exchange bugs as an urgent one to fix and last week provided further security updates to address the flaw in unsupported versions of Exchange. 
    The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) last week ordered federal agencies to patch the Exchange flaws or cut vulnerable servers off from the internet. 
    CISA further said it is “aware of threat actors using open-source tools to search for vulnerable Microsoft Exchange Servers and advises entities to investigate for signs of a compromise from at least September 1, 2020.”
    The bugs affect Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019, but not Exchange Online. 
    The attackers were using the bugs to compromise Exchange servers and deploy web shells to steal data and maintain access to the servers after the initial compromise. Web shells are small scripts that provide a basic interface for remote access to a compromised system. 
    Microsoft has released a script on its code-sharing site GitHub that admins can use to check for the presence of web shells on Exchange servers. 
    That script could come in handy when kicking attackers off a previously compromised system. Microsoft security researcher Kevin Beaumont recommended organizations run the script after patching to ensure the web shells are removed. 
    CISA has advised it “is aware of widespread domestic and international exploitation of these vulnerabilities” and urged Exchange admins to run Microsoft’s Test-ProxyLogon.ps1 script. 
    Independent security researchers behind the MalwareHunterTeam account on Twitter say they’ve seen attacks on companies in Canada, Denmark, the United States, Australia, and Austria, with the first victims observed on March 9 — just seven days after Microsoft issued the patch and warned Exchange customers to patch immediately. 
    CISA strongly recommends organizations run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised.
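    As an added illustration of the kind of post-patch check the story recommends, the Go program below is not Microsoft's Test-ProxyLogon.ps1 or any other Microsoft code; it is example code written for this page. It walks a web root, hashes every server-side script file, and reports any file that is absent from a known-good baseline or whose content has changed, which is how a dropped web shell shows up against a clean install. The web root path, the baseline map and the file names in the usage text are assumptions; in practice the baseline would be recorded from a freshly installed server or a vendor manifest before the scan.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// Finding is one server-side script file that deviates from the baseline.
type Finding struct {
	Path    string    // path relative to the web root, with forward slashes
	Reason  string    // why the file was flagged
	ModTime time.Time // last modification time, kept as triage context
}

// scriptExts are the extensions a web shell dropped on IIS would typically use.
var scriptExts = map[string]bool{".aspx": true, ".asp": true, ".ashx": true, ".asmx": true}

// SHA256Hex returns the lowercase hex SHA-256 digest of b.
func SHA256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// ScanWebRoot walks webRoot and flags every script file that is missing from
// baseline (relative path -> SHA-256 hex) or whose content no longer matches it.
// The baseline is assumed to have been recorded from a clean install.
func ScanWebRoot(webRoot string, baseline map[string]string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(webRoot, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || !scriptExts[strings.ToLower(filepath.Ext(p))] {
			return nil
		}
		rel, err := filepath.Rel(webRoot, p)
		if err != nil {
			return err
		}
		rel = filepath.ToSlash(rel)
		info, err := d.Info()
		if err != nil {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		if want, known := baseline[rel]; !known {
			findings = append(findings, Finding{rel, "script file not present in baseline", info.ModTime()})
		} else if want != SHA256Hex(data) {
			findings = append(findings, Finding{rel, "content differs from baseline", info.ModTime()})
		}
		return nil
	})
	return findings, err
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: webshellscan <web-root>")
		return
	}
	// With an empty baseline every script file is reported, which still gives
	// an inventory to review against a known-good install.
	findings, err := ScanWebRoot(os.Args[1], map[string]string{})
	if err != nil {
		fmt.Println("scan failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s\t%s\t%s\n", f.ModTime.Format(time.RFC3339), f.Path, f.Reason)
	}
}
```

The modification time is reported only as context for triage: a hash mismatch or an unlisted file is the signal, since timestamps on a compromised host can be set to anything.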

  • in

    Netflix wants to stop you sharing your password

    Netflix is testing out ways to stop account holders from sharing their passwords — and access — with others who don’t own a subscription. 

    The content streaming service, which now accounts for over 203 million subscribers worldwide, has become a heavyweight in the TV and film sector in recent years, and has, perhaps, become even more popular due to stay-at-home orders prompted by the COVID-19 pandemic. 
    However, in the same way as other streaming services — including Disney+, Amazon Prime Video, and Hulu — the company faces the challenge of stopping subscribers from sharing their account credentials. 
    Research conducted by ESET last year found that 60% of respondents share their streaming service account details with at least one other person and one in three share their account with two or more people. 
    Normally, sharing online account details with anyone is not recommended. However, in the content streaming space, it has become accepted and commonplace. 
    As reported by the Washington Post, however, Netflix is exploring ways to stop this practice. 
    When accessing a Netflix account, some users have recently seen pop-up messages saying, “If you don’t live with the owner of this account, you need your own account to keep watching.”

    Users are then asked to verify they have permission to use the account through a code sent via an email or text message.  
    “This test is designed to help ensure that people using Netflix accounts are authorized to do so,” a Netflix spokesperson said. 
    The trial has not been rolled out widely, as of yet, and the test does not mean that the company will impose additional checks in the future. However, password sharing is against Netflix’s terms of service and so the company would be within its rights to do so — but may run the risk of alienating subscribers. 
    By using a verification option, at the least, this may stop unauthorized use in cases where accounts have been compromised or passwords have been shared without permission. 

  • in

    Microsoft Exchange Server hacks ‘doubling’ every two hours

    Cyberattackers are taking full advantage of slow patch or mitigation processes on Microsoft Exchange Server with attack rates doubling every few hours.  

    According to Check Point Research (CPR), threat actors are actively exploiting four zero-day vulnerabilities tackled with emergency fixes issued by Microsoft on March 2 — and attack attempts continue to rise. 
    In the past 24 hours, the team has observed “exploitation attempts on organizations doubling every two to three hours.”
    The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively. 
    Government, military, manufacturing, and then financial services are currently the most targeted industries. 

    Palo Alto estimates that at least 125,000 servers remain unpatched worldwide.
    The critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) impact Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

    Microsoft issued emergency, out-of-band patches to tackle the security flaws — which can be exploited for data theft and server compromise — and has previously attributed active exploit to Chinese advanced persistent threat (APT) group Hafnium. 
    This week, ESET revealed at least 10 APT groups have been linked to current Microsoft Exchange Server exploit attempts. 
    On March 12, Microsoft said that a form of ransomware, known as DearCry, is now utilizing the server vulnerabilities in attacks. The tech giant says that after the “initial compromise of unpatched on-premises Exchange Servers” ransomware is deployed on vulnerable systems, a situation reminiscent of the 2017 WannaCry outbreak. 
    “Compromised servers could enable an unauthorized attacker to extract your corporate emails and execute malicious code inside your organization with high privileges,” commented Lotem Finkelsteen, Manager of Threat Intelligence at Check Point. “Organizations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets.”

  • in

    University 'hacks' as a justification to include the sector in Critical Infrastructure Bill

    The higher education sector in Australia could soon find itself considered as “systems of national significance”, with the government ready to enforce an “enhanced framework to uplift security and resilience” upon universities via the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
    The Group of Eight (Go8) — comprising eight Australian universities — believe the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector and, therefore, does not feel higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications.
    “The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector,” it said last month.
    The Australian National University (ANU) in late 2018 suffered a massive data breach that was discovered in May 2019, and revealed two weeks later in June.
    The hackers had gained access to up to 19 years’ worth of data in the system that houses the university’s human resources, financial management, student administration, and “enterprise e-forms systems”.
    Then there was Melbourne’s RMIT University, which last month responded to reports it fell victim to a phishing attack, saying progress was slowly being made in restoring its systems.

    While no official attribution has been made regarding who is to blame for the ANU breach, the Australian Security Intelligence Organisation’s (ASIO) Director-General of Security Mike Burgess said he knows, which was enough to set the mind of Senator James Paterson, chair of the Parliamentary Joint Committee on Intelligence and Security (PJCIS), at ease.
    “I do know who was behind it. But I would not say that publicly because I don’t believe that’s my role to do so,” Burgess said on Thursday, fronting the PJCIS as part of its inquiry into national security risks affecting the Australian higher education and research sector.
    Regarding RMIT, however, the ASIO boss was in the dark.
    “It’s not reached my level, not to say someone in my organisation isn’t working on the matter,” he said.
    Both the ANU and RMIT incidents were a focus of the committee as it probed representatives from Home Affairs and Education. Paterson was hoping to find attribution, however.
    “It has been referred to as an advanced threat actor, but it hasn’t come to the point of a specific deliberation or specification of the country involved, that information has not been identified,” Home Affairs deputy secretary of national resilience and cybersecurity Marc Ablong said.
    The specifics of the RMIT incident, which Ablong paints as more of an attack than a systems outage, are still under investigation.
    “We wouldn’t want to prejudice our ability to make any judgments about where that’s come from and who’s involved in it until such time as we’ve got the forensic information to be able to determine exactly what has happened and when,” Ablong said. “But we are aware of the attack and there are investigations underway.”
    Discussions around the two security incidents were used by the Home Affairs representative to justify the inclusion of higher education and research in the Critical Infrastructure Bill.
    “The threat is very real. It is getting a lot realer and a lot harder, even for very sophisticated organisations,” Ablong said.
    According to Ablong, what the higher education sector has failed to realise is that it hasn’t been deeply considering the cyber risk.
    “That’s a shame … and more effective measures are needed,” he said.
    Paterson, meanwhile, said he has observed that the universities are trying to “have it both ways”.
    “They’re telling this committee and the public, ‘Don’t worry, we get it, we want to work with you, we want to fix it’, but also, ‘Please don’t subject us to any actual requirements, legislative or regulatory, that would require us to do anything about it’,” the Liberal Senator mused.

  • in

    Molson Coors discloses cyberattack disrupting its brewery operations

    Brewing giant Molson Coors disclosed Thursday that it has experienced a “cybersecurity incident” that has disrupted operations and beer production. In a Form 8-K filed with the SEC today, Miller Coors said it’s bringing in an outside forensic IT firm to investigate the breach, but that delays in shipments were likely.

    “The Company is working around the clock to get its systems back up as quickly as possible,” Miller Coors wrote in the filing. “Although the Company is actively managing this cybersecurity incident, it has caused and may continue to cause a delay or disruption to parts of the Company’s business, including its brewery operations, production, and shipments.”
    Molson Coors operates a huge portfolio of beer brands, including the iconic Coors and Miller brands, as well as Molson Canadian, Blue Moon, Peroni, Grolsch, Killian’s, and Foster’s. 
    The company has not provided additional details of the cyberattack, but some security experts are calling the incident a ransomware attack. In November, Campari Group, the famed Italian beverage vendor behind brands like Campari, Cinzano, and Appleton, was hit with a ransomware attack that took down a large part of its IT network. 
    Campari was the second major beverage vendor after Arizona Beverages to be knocked offline because of a ransomware attack in just two years. 
    Speaking of the Miller Coors incident, Niamh Muldoon, global data protection officer with OneLogin, said these attacks illustrate how cyber criminals are targeting high profile organizations to interrupt key business operations and manufacturing.
    “Ransomware remains a global cybersecurity threat and is the one cybercrime that has a high direct return of investment associated with it, by holding the victims’ ransom for financial payment,” said Muldoon. “On a global scale, cybercriminals will continue to focus their efforts on this revenue-generating stream. This reinforces what we’ve said before that no industry is exempt from the ransomware threat and it requires constant focus, assessment and review to ensure that critical information assets remain safeguarded and protected against it.”

  • in

    This malware was written in an unusual programming language to stop it from being detected

    A prolific cyber criminal hacking operation is distributing new malware which is written in a programming language rarely used to compile malicious code.
    Dubbed NimzaLoader by cybersecurity researchers at Proofpoint, the malware is written in Nim – and it’s thought that those behind the malware have decided to develop it this way in the hopes that choosing an unexpected programming language will make it more difficult to detect and analyse.
    NimzaLoader malware is designed to provide cyber attackers with access to Windows computers, and with the ability to execute commands – something which could give those controlling the malware the ability to control the machine, steal sensitive information, or potentially deploy additional malware.
    The malware is thought to be the work of a cyber criminal hacking group which Proofpoint refers to as TA800, a hacking operation which targets a wide range of industries across North America.
    The group is usually associated with BazarLoader, a form of trojan malware which creates a full backdoor onto compromised Windows machines and is known to be used to deliver ransomware attacks.
    Like BazarLoader, NimzaLoader is distributed using phishing emails which link potential victims to a fake PDF downloader which, if run, will download the malware onto the machine. At least some of the phishing emails are tailored towards specific targets with customised references involving personal details like the recipient’s name and the company they work for.

    The template of the messages and the way the attack attempts to deliver the payload is consistent with previous TA800 phishing campaigns, leading researchers to the conclusion that NimzaLoader is also the work of what was already a prolific hacking operation, which has now added another means of attack.
    “TA800 has often leveraged different and unique malware, and developers may choose to use a rare programming language like Nim to avoid detection, as reverse engineers may not be familiar with Nim’s implementation or focused on developing detection for it, and therefore tools and sandboxes may struggle to analyse samples of it,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet.
    Like BazarLoader before it, there’s the potential that NimzaLoader could be adopted as a tool that’s leased out to cyber criminals as a means of distributing their own malware attacks.
    With phishing the key means of distributing NimzaLoader, it’s therefore recommended that organisations ensure that their network is secured with tools which help prevent malicious emails from arriving in inboxes in the first place.
    It’s also recommended that organisations train staff on how to spot phishing emails, particularly when campaigns like this one attempt to exploit personal details as a means of encouraging victims to let their guard down.


  • in

    How to stop robocalls

    YouMail, an anti-spam call company, claims that in 2020 robocalls actually declined by 22% from 2019. I don’t believe it. Mind you, even with the drop, the company claims there were still an estimated 45.9 billion robocalls. That’s an insane number of calls, and I swear many of them went right to my number. 


    Lots of you just ignore phone calls from numbers you don’t know. As a journalist, I don’t have that luxury. I get calls sometimes that I must take from numbers I’ve never seen before. There are times you’ll have to do that as well. If you’re trying to get a Covid-19 shot, waiting to hear about a job, or if you need to talk to someone about a new house, you have to pick up the phone too. 
    If you’re like me, nine out of ten times though that call will be an automated message about changing cable companies, renewing your car warranty, or some other junk. Looking ahead, I have both good news and bad news.
    First, the good news. In late 2019, President Trump signed TRACED, the first federal anti-robocall law. It says something about how annoying spam calls are that this was one of the few bills to be passed through Congress with strong support from both Republicans and Democrats. 
    At the same time, the paired anti-spam technologies of Signature-based Handling of Asserted Information Using toKENs (SHAKEN) and Secure Telephone Identity Revisited (STIR) are being widely adopted. This is a kind of Caller ID on steroids. SHAKEN/STIR is a protocol for authenticating phone calls with the help of cryptographic certificates, so that when someone calls you, you can be sure that the name showing up on Caller ID really is the person calling. It also lets your phone company know, in theory, who’s responsible for a particular robocall. This service will work with both landline and cellular networks. 
    The bad news is that as the coronavirus pandemic wave slowly rolls away, call centers are coming back online. Wait, “My Windows PC has a virus on it? You really don’t know who you’re calling, do you!? CLICK.” Yeah, you can expect more of that kind of call. 
    The other bad news is that SHAKEN/STIR is still being rolled out. Even when it is completely deployed, though, it won’t be a tech silver bullet that will put robocalls in the grave.
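    To make the “cryptographic certificates” concrete, here is an added Go example, written for this page rather than taken from any carrier’s or vendor’s code, of the PASSporT token that SHAKEN/STIR attaches to a call (RFC 8225, with the SHAKEN claims of RFC 8588). The originating carrier signs the calling and called numbers, an attestation level and a timestamp with ES256; the terminating carrier checks the header, the signature and the token’s freshness before trusting the Caller ID. The telephone numbers and the x5u certificate URL are constructed placeholders, and the key handling is simplified: a real verifier fetches the signer’s certificate from x5u and validates it against a trusted STI certificate authority, a step this example skips by taking the public key directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Header is the PASSporT JOSE header (RFC 8225); field order is lexicographic as the spec requires.
type Header struct {
	Alg string `json:"alg"` // ES256 is the only algorithm PASSporT allows
	Ppt string `json:"ppt"` // "shaken" extension (RFC 8588)
	Typ string `json:"typ"` // always "passport"
	X5u string `json:"x5u"` // URL of the signer's STI certificate
}

type TelNumbers struct{ TN []string `json:"tn"` }
type TelNumber struct{ TN string `json:"tn"` }

// Claims: attestation level (A full, B partial, C gateway), numbers, issue time, origination id.
type Claims struct {
	Attest string     `json:"attest"`
	Dest   TelNumbers `json:"dest"`
	Iat    int64      `json:"iat"`
	Orig   TelNumber  `json:"orig"`
	Origid string     `json:"origid"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// NewSigningKey generates the P-256 key an originating carrier would hold.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignPassport produces the compact JWS header.payload.signature with ES256
// (P-256 + SHA-256, signature serialized as raw r||s, 64 bytes).
func SignPassport(priv *ecdsa.PrivateKey, certURL string, c Claims) (string, error) {
	hj, _ := json.Marshal(Header{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: certURL})
	cj, _ := json.Marshal(c) // marshalling these plain structs cannot fail
	input := b64(hj) + "." + b64(cj)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// VerifyPassport is the terminating side: header check, ES256 signature over
// header.payload, and iat within maxAge of now. A real verifier takes pub from
// the certificate at x5u after chaining it to a trusted STI-CA (not shown here).
func VerifyPassport(pub *ecdsa.PublicKey, token string, now time.Time, maxAge time.Duration) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed PASSporT")
	}
	var h Header
	if err := decodeSegment(parts[0], &h); err != nil {
		return nil, err
	}
	if h.Alg != "ES256" || h.Typ != "passport" || h.Ppt != "shaken" {
		return nil, errors.New("unexpected PASSporT header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	if age := now.Sub(time.Unix(c.Iat, 0)); age > maxAge || age < -maxAge {
		return nil, errors.New("iat outside freshness window")
	}
	return &c, nil
}
```

A round trip is `priv, _ := NewSigningKey()`, then `SignPassport(priv, certURL, claims)` on the originating side and `VerifyPassport(&priv.PublicKey, token, time.Now(), time.Minute)` on the terminating side. The freshness window matters as much as the signature: without it a validly signed token could be replayed against a later call, and the one-minute value is the order of magnitude the STIR verification procedure suggests, not a figure from this article.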

    So, what can you do? Let’s go over some useful tools.
    Smartphone specific robocall blockers 
    First, you can just block all unknown callers. With these methods, though, if someone calls that you don’t already have in your contact list, you won’t hear them call. That can be a problem if you’re expecting an urgent, important call. Most phones come with this functionality built in. You just have to turn it on. 
    Android phones: to block calls from unidentified callers, tap the phone icon, which is usually at the bottom of your home screen. Then, at the top right corner of the screen, tap the three dots > Settings > Blocked Numbers and enable Block calls from unidentified callers by pushing the toggle switch to the right. The caller can still leave a voicemail, and the number will still be listed in your recent calls. 
    iPhones (iOS 13 and later): Silence Unknown Callers. Go to Settings > Phone, then scroll down, tap Silence Unknown Callers, and turn it on. Your phone won’t ring and the calls go straight to voicemail while still appearing on your recent calls list.
    A related, but different technology, Call Screen, is available on Google Pixel smartphones starting with the Pixel 2. With Call Screen, your phone still rings but when you get a suspicious call, you tap “screen call” on the display. Google Assistant then answers the call and asks for the caller to tell you who they are and why they’re calling. Google then makes a real-time transcript of the call. You can then answer it, ignore it, or report it as spam. If you report it as spam that number will be blacklisted on your phone so it can’t call you again. 
    Carrier-specific robocall blockers
    AT&T Call Protect
    With AT&T Call Protect, any call that looks OK will show a “V,” for verified, on your caller ID. Potentially dangerous calls will be blocked and given a busy signal. Presumed spam calls will display “Suspected Spam” on your Caller ID. They’ll also show a category like Political, Nonprofit, Telemarketer, Survey, or Robocaller. This service is available via both an Android and an iPhone app. 
    T-Mobile Scam ID and Scam Block
    These related services can work together. The first, Scam ID marks possible robocalls and suspicious calls. Scam Block blocks such calls before they can ring. There’s no app for them, you simply turn them on for free with the following call codes: 
    Turn on Scam ID: Press #ONI# (#664#), and then the call button.
    Turn on Scam Block: Press #ONB# (#662#), and then the call button.
    Verizon Call Filter
    Verizon customers are automatically enrolled in the free version of Call Filter. This comes pre-installed as an app on most Verizon phones. In theory, it detects spam and blocks high-risk calls. A more feature-full version, Call Filter Plus, costs $2.99 per month per line for up to two lines and $7.99 per month for three or more lines. The Plus version includes Caller ID and automatically blocks spam calls based on your preferred level of risk so unwanted callers go straight to voicemail.
    Third-party Robocall killers
    There are also numerous other apps which try to protect you. These all work in similar ways. Each service keeps a database of known spammers and uses algorithms to suss out suspicious numbers. When a call comes in, it checks the caller to see if they’re a bad actor or look like they might be one. If the caller doesn’t look kosher, the app blocks the call. 

    Before even subscribing to any of these services, you should know that none of these are perfect. In my experience, they’ll spot a hostile caller about two times in three. Most of these services offer at least a free week. I strongly suggest you try before you buy. 
    Nomorobo is one of the oldest call-blocking programs. When a call comes in you can let it be forwarded to voicemail or block it as spam. Nomorobo can also deal with spam text messages. Unlike most robocall killers, you can also use Nomorobo with VoIP landlines. If you’re still on copper, sorry, you can’t use it. Nomorobo is free on landlines and $1.99 a month per device on smartphones.
    Hiya Caller ID and Block’s special sauce is that it detects spoofed calls, which use a similar number to your own number. This happens to me all the time. I get calls from “people” with the same area code and prefix. The prefix is the three numbers between your area code and the last four numbers, which make up your line number. Hiya spots these in case I don’t. 
    You may already be using Hiya and not know it. The company’s software powers robocall protection for AT&T, Samsung, and T-Mobile. 
    Hiya’s basic app won’t cost you a cent. The premium edition’s spam database is larger and is updated more often. It costs $3.99 a month or $24.99 a year. It’s available on both iPhones and Android.
    The most amusing robocall killer is RoboKiller. Besides blocking spammers, it gives them sass back via its Answer Bots, which can waste their time with nonsense conversations. You can either use one of their selections or come up with one of your own. Robocall revenge can be sweet. RoboKiller costs $4.99 a month or you can save money with an annual subscription for $24.99. 
    You can try YouMail for free. The YouMail Free Plan, previously known as YouMail Essential, gives you a voice mailbox capacity of 100 messages. It then uses your voicemail data to identify robocalls messages. It also uses that information with Big Data techniques to crowdsource the identity of new spam callers and block them from other YouMail users. It even has a neat trick where it tries to fool known baddies into taking you off their lists by playing a dead line’s beep-beep-beep sound at them. 
    If you like it, you can upgrade it to a paid account. Since YouMail is both a robocall blocker and a business phone system, the price reflects that. It starts at $14.99 a month, paid annually, for up to three lines. There are other plans for bigger businesses.
    I wish I could say that any of these would kill spam calls once and for all. I can’t. Even when you combine them, you’re still going to get robocalls. The problem is it’s like playing whack-a-mole. As soon as one spam service is shut down, another one pops up. Someday SHAKEN/STIR and enough FCC enforcement activity will kill them off, but that day isn’t here yet.
    Still, with the right mix of services, you can preserve some peace from your phone today. It’s not perfect, but it’s better than nothing.

  • in

    Icon files abused in malspam to spread NanoCore Trojan

    A new malspam campaign is abusing icon files to dupe victims into executing the NanoCore Trojan. 

    On Thursday, SpiderLabs at Trustwave said a recent phishing campaign has outlined a technique for spreading NanoCore, a remote access Trojan (RAT). 
    The emails pretend to be from a “Purchase Manager” at organizations that are being spoofed, such as legitimate business partners. These phishing messages contain an attachment named “NEW PURCHASE ORDER.pdf*.zipx,” which is actually an image binary file. 
    The icons have additional information attached to them in a .RAR format. 
    By using an icon file, the fraudsters are likely attempting to avoid security and protections offered by email gateways. 

    If the victim clicks on the attachment and their PC has an unzip tool installed, such as WinZip or WinRAR, an executable file is extracted. 7Zip, too, can extract the file — but it takes more than one attempt. 
    “There is no need for the extension of the recent attachments to be renamed to something else other than .zipx or .zip just for their executables to be extracted using 7Zip,” the researchers say. 
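    As an added example (written for this page, not Trustwave’s code), the Go program below does the kind of attachment check a mail gateway or a triage script could apply to this lure: classify the file by its leading bytes, look for an archive signature appended behind a non-archive header such as an icon, and compare what the bytes say with the extension the sender declared. The sample attachment in the program is constructed to have the shape described above (icon header, then RAR data) and is not the campaign’s actual file; the offsets and padding are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Verdict summarizes what an attachment's bytes say about it, independent
// of the name it was sent under.
type Verdict struct {
	DeclaredExt string   // extension from the file name, lower-cased
	Container   string   // format indicated by the leading bytes
	Embedded    []string // archive signatures found behind the container header
	Suspicious  bool
	Reasons     []string
}

var (
	icoMagic = []byte{0x00, 0x00, 0x01, 0x00} // ICO: reserved=0, type=1
	zipMagic = []byte("PK\x03\x04")           // ZIP local file header
	rarMagic = []byte("Rar!\x1a\x07")         // common prefix of the RAR4 and RAR5 signatures
	peMagic  = []byte("MZ")                   // Windows executable
)

func container(data []byte) string {
	switch {
	case bytes.HasPrefix(data, zipMagic):
		return "zip"
	case bytes.HasPrefix(data, rarMagic):
		return "rar"
	case bytes.HasPrefix(data, icoMagic):
		return "ico"
	case bytes.HasPrefix(data, peMagic):
		return "pe"
	}
	return "unknown"
}

// InspectAttachment classifies an attachment by its magic bytes, looks for
// archive signatures appended behind a non-archive header, and compares the
// result with the extension the sender declared.
func InspectAttachment(name string, data []byte) Verdict {
	rawExt := path.Ext(name)
	v := Verdict{DeclaredExt: strings.ToLower(rawExt), Container: container(data)}
	flag := func(reason string) {
		v.Suspicious = true
		v.Reasons = append(v.Reasons, reason)
	}
	// Archive data hidden after a non-archive header, e.g. icon bytes + RAR.
	if len(data) > 4 {
		for _, sig := range []struct {
			label string
			magic []byte
		}{{"rar", rarMagic}, {"zip", zipMagic}} {
			if sig.label == v.Container {
				continue // a genuine archive legitimately repeats its own markers
			}
			if i := bytes.Index(data[4:], sig.magic); i >= 0 {
				v.Embedded = append(v.Embedded, fmt.Sprintf("%s@%d", sig.label, i+4))
			}
		}
	}
	if len(v.Embedded) > 0 && v.Container != "zip" && v.Container != "rar" {
		flag("archive data embedded behind a " + v.Container + " header")
	}
	// Archive extension whose bytes are not an archive.
	if (v.DeclaredExt == ".zip" || v.DeclaredExt == ".zipx") && v.Container != "zip" {
		flag("extension " + v.DeclaredExt + " but content is " + v.Container)
	}
	// Double extension such as ".pdf.zipx" (heuristic: "v1.2.zip" also trips it).
	if inner := path.Ext(strings.TrimSuffix(name, rawExt)); inner != "" {
		flag("double extension " + strings.ToLower(inner) + v.DeclaredExt)
	}
	return v
}

func main() {
	// Constructed sample shaped like the campaign's lure: icon header, padding, RAR5 signature.
	lure := append([]byte{0, 0, 1, 0, 1, 0}, make([]byte, 60)...)
	lure = append(lure, []byte("Rar!\x1a\x07\x01\x00<archive bytes>")...)
	fmt.Printf("%+v\n", InspectAttachment("NEW PURCHASE ORDER.pdf*.zipx", lure))
}
```

The point of the check is that the three signals are independent: an icon header with RAR data behind it is suspicious whatever it is called, and an archive extension on non-archive bytes is suspicious whatever is inside, so a gateway that only trusts the declared extension misses exactly the case this campaign relies on.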

    Successful extraction leads to the deployment of NanoCore RAT version 1.2.2.0. First detected in the wild in 2013, this Remote Access Trojan (RAT) includes a keylogger, information stealer, dropper for additional malware, and also contains the ability to access and steal webcam footage as well as exfiltrate data to send to a command-and-control (C2) server. 
    The malware has been sold previously in underground forums and is often spread through financially-related phishing campaigns. 
    This version of the Trojan is able to create copies of itself within the AppData folder and will also compromise the RegSvcs.exe process. Information stolen by the malware is sent to multiple C2s. 
    The technique noted by SpiderLabs is similar to a past phishing campaign that also utilized .zipx. In 2019, the researchers said in a blog post that Lokibot, another Trojan that also includes the ability to compromise cryptocurrency wallets, was being spread in malspam campaigns through a .zipx extension and .JPG icons. 