Prometei botnet exploits Exchange server bugs
Security researchers have discovered that a persistent cryptocurrency mining botnet is exploiting still-unpatched Microsoft Exchange servers in order to grow globally. Dubbed “Prometei,” the botnet was first reported on in July 2020 and is thought to have been around since 2016. The threat actors behind it have been exploiting Microsoft Exchange vulnerabilities CVE-2021-27065 and CVE-2021-26858 to penetrate victim networks, steal credentials and install malware. These bugs are part of the four zero-days patched by Microsoft back in March after being exploited by Chinese APT group Hafnium.
Facebook wants to ‘normalize’ the mass scraping of personal data
As the social network continues to face fallout from a leak of over 500 million Facebook users’ phone numbers, an internal email accidentally sent by a Facebook representative to a journalist at the Dutch publication DataNews, whose authenticity has been confirmed by Motherboard, states that Facebook’s longer-term plan is to anticipate more scraping incidents and “frame them as a broad industry issue and normalize the fact that this activity happens regularly.” Facebook is planning to publish a blog post about the company’s anti-scraping work.
Microsoft 365 outage affects email delivery
A Microsoft 365 outage yesterday prevented Exchange Online users from sending and receiving emails, with messages stuck in transit and not reaching recipients’ inboxes. The event was identified as a load balancing configuration issue and was resolved within a couple of hours. For reference, the incident is tagged as EX252124 in the Microsoft 365 admin center.
Rogers blames Canadian outage on Ericsson
On a similar thread, Monday’s nationwide outage of consumer cellular and data services in Canada on the network of national carrier Rogers has been attributed to a software glitch in equipment from telecoms supplier Ericsson. The outage was historic in its extent and duration, affecting most of Canada for most of the day, with very little explanation given by Rogers. They have, however, offered inconvenienced customers a rebate equivalent to one day’s service fees, which for most people amounts to about $2.
SolarWinds has not gone away
The SolarWinds supply chain compromise, eclipsed in the news by more recent incidents, is far from over. CISA yesterday released an alert warning that it had found instances of the Supernova malware during a CISA incident response. The “affected entity” is addressing the attack, and CISA says its own engagement with this incident is continuing. Supernova is a web shell implanted on SolarWinds Orion servers, distinct from the Sunburst backdoor that was delivered through the trojanized Orion updates. Further details are available on the CISA website, reference Analysis Report AR21-112A.
Thanks to our episode sponsor, Palo Alto Networks
Attackers can hide ‘external sender’ email warnings with HTML and CSS
The “external sender” warnings shown to email recipients in clients like Microsoft Outlook can be hidden by the sender, as a researcher has demonstrated, by altering or removing the warning with just a few lines of HTML and CSS. Enterprise email gateways are often configured to display an “external sender” warning when a message arrives from outside the organization. Gateways that intercept and scan incoming mail typically inject that warning as an HTML/CSS snippet into the message body itself, rather than the native email client rendering it as part of its own UI. Because the rest of the body is controlled by the sender, an attacker-crafted email can include CSS rules that override the snippet’s display rules and make the warning disappear altogether.
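The mechanism above, as an added example that is not code from the original article or from any named product: a plain Node.js model of a gateway that prepends a banner as an HTML snippet, a sender-supplied `<style>` block that overrides it, and a heuristic check a gateway could run on the body before trusting body injection. The banner id `ext-sender-warning`, the markup, the function names and the sample messages are all constructed here.

```javascript
// Added example (not the article's or any vendor's code). Models a gateway that
// injects an "external sender" banner into the HTML body, a sender body whose CSS
// overrides that banner, and a heuristic that flags such overrides.

const BANNER_ID = "ext-sender-warning"; // hypothetical id used by the injected snippet

// What a body-injecting gateway does: the banner is just more HTML in the message,
// so it is subject to the same cascade as everything the sender wrote.
function injectBanner(bodyHtml) {
  const banner =
    `<div id="${BANNER_ID}" style="background:#fff3cd;padding:8px;">` +
    `CAUTION: this message originated from outside the organization.</div>`;
  return banner + bodyHtml;
}

// Declarations that make an element effectively invisible.
const HIDING_DECL =
  /(display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|font-size\s*:\s*0|(?:max-)?height\s*:\s*0)(?=[\s;!}]|$)/i;

// Selectors able to reach a banner prepended as the first element of the body:
// its id, the universal selector, a bare "div", or first-child style pseudo-classes.
function selectorCanMatchBanner(selector, id) {
  const s = selector.trim();
  return (
    s.includes(`#${id}`) ||
    s.includes("*") ||
    /:first-child|:first-of-type|:nth-child\(\s*1\s*\)/.test(s) ||
    /(^|[\s,>+~])div$/.test(s)
  );
}

// Returns the rules (selector + declarations) in <style> blocks that both hide
// an element and can match the banner. Empty array: no obvious override found.
function findBannerOverrides(html, id = BANNER_ID) {
  const hits = [];
  for (const block of html.matchAll(/<style[^>]*>([\s\S]*?)<\/style>/gi)) {
    for (const rule of block[1].matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
      const selectors = rule[1].split(",");
      if (HIDING_DECL.test(rule[2]) && selectors.some((sel) => selectorCanMatchBanner(sel, id))) {
        hits.push({ selector: rule[1].trim(), declarations: rule[2].trim() });
      }
    }
  }
  return hits;
}

function bodyHidesBanner(html, id = BANNER_ID) {
  return findBannerOverrides(html, id).length > 0;
}

// Constructed sample messages (not real captures).
const BENIGN_BODY =
  "<style>p { color: #333; font-family: sans-serif; }</style><p>Agenda attached.</p>";
// Override by id: !important in a stylesheet beats the banner's inline style.
const ATTACKER_BODY_BY_ID =
  `<style>#${BANNER_ID} { display: none !important; }</style>` +
  "<p>Please approve the attached wire transfer.</p>";
// Override by position: works even if the gateway randomizes the banner id.
const ATTACKER_BODY_BY_POSITION =
  "<style>body > div:first-child { font-size: 0; height: 0; }</style>" +
  "<p>Please approve the attached wire transfer.</p>";

for (const [name, body] of [
  ["benign", BENIGN_BODY],
  ["override by id", ATTACKER_BODY_BY_ID],
  ["override by position", ATTACKER_BODY_BY_POSITION],
]) {
  const delivered = injectBanner(body);
  console.log(name, "->", bodyHidesBanner(delivered) ? "BANNER OVERRIDDEN" : "ok",
    findBannerOverrides(delivered));
}
```

The inline `style` on the banner offers no protection: a sender's stylesheet rule marked `!important` wins over an inline declaration that is not, and a positional selector sidesteps a randomized id entirely. The heuristic only catches the straightforward cases (it ignores off-screen positioning, overlays and `style=` attributes on later elements), which is the practical argument for surfacing the warning outside the message body, for example as a subject-line tag or an indicator rendered by the client itself.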
Ransomware glitch saves victims $27,000, thanks to sharp-eyed researcher
Last Wednesday, Stanford University student and security researcher Jack Cable helped out a family friend, a doctor, whose computer had been locked by QLocker ransomware. The 21-year-old Cable, who also served as a cybersecurity adviser to the Department of Homeland Security during the 2020 election, realized that if he changed one letter from lowercase to uppercase in the “transaction ID” the hackers were using to track payments, the system mistook the input for a victim that had already paid and unlocked the files. The ransomware authors were quick to fix their mistake, but not before Cable put the message out on Twitter and was able to help 50 other people, saving a total of $27,000 in victim losses.
Zero-day vulnerabilities in SonicWall email security are being actively exploited
SonicWall is urging customers to apply patches to resolve three zero-day vulnerabilities in its email security solution that are being actively exploited in the wild. In a security alert on Tuesday, the US company said fixes have been published to resolve three critical issues impacting hosted and on-premises email security products. “It is imperative that organizations using SonicWall Email Security (ES) hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade to the respective SonicWall Email Security version listed,” SonicWall says.
Jaguar Land Rover to suspend output due to chip shortage
The difficulties at Britain’s biggest carmaker echo similar problems at other manufacturers that have been hit by a global shortage of chips. A mixture of strong demand and Covid shutdowns at chipmakers has also hit phone, TV and video game companies. The Covid-19 pandemic has driven up demand for semiconductor chips for use in electronics such as computers as people worked from home, and suppliers are struggling to adjust. There has also been a fire at a Japanese factory of Renesas Electronics, one of the world’s biggest makers of semiconductors for the car industry. Many other carmakers, including Ford, Renault, Vauxhall, Daimler, General Motors and Volkswagen, have either suspended or are considering suspending production for the same reasons.