Cyber Security Headlines – March 17, 2021

Microsoft shares one-click ProxyLogon mitigation tool for Exchange servers

Microsoft published the tool on Monday. It applies all the necessary mitigations for the ProxyLogon vulnerabilities to Microsoft Exchange servers that can’t be patched for the time being. The new tool is named EOMT (the Exchange On-premises Mitigation Tool), is written in PowerShell, and is available for download from Microsoft’s official GitHub account. Microsoft said it released the tool to help companies that don’t have dedicated IT or security teams to handle updating their on-premises Exchange servers. The tool also includes a copy of the Microsoft Safety Scanner, which scans the Exchange server for known web shells seen deployed in past ProxyLogon attacks. Note that the mitigations are an interim measure: they reduce exposure to the known attack chain but are not a substitute for installing the Exchange security updates once that is possible.

(The Record)

Microsoft Teams, Exchange and more went down for four hours on Monday

Along with Microsoft Teams, Azure, SharePoint, Xbox and other Microsoft 365 services were also down. Microsoft blamed the issue on “a recent change to an authentication system.” Rolling back the change took longer than Microsoft expected, with the company confirming at 12:35AM ET Tuesday that “impact has been largely mitigated.” This is the first major Microsoft Teams outage since the service went down in September, which was also blamed on a configuration change.

(The Verge)

Signal is down in China after 100 million reported downloads

Signal users have begun reporting issues with the encrypted messaging app in China, a sign that the government may be adding another chat application to its list of banned services. It is the latest application or internet service that appears to have run into China’s so-called Great Firewall, following Google, Facebook, Instagram, Twitter, and Clubhouse, among others. It was not immediately clear whether the Chinese government had moved to permanently ban Signal’s use in the country.

(Cyberscoop)

Hackers hide credit card data from compromised stores in JPG files

To steal payment card data from compromised online stores while reducing their suspicious traffic footprint, hackers are now hiding card information in JPG images stored on the store’s own infected website. Researchers at website security company Sucuri found the new exfiltration technique while investigating a compromised online shop running version 2 of the open-source Magento e-commerce platform. The technique is a variation on Magecart attacks, with the advantage that the attackers can retrieve the JPG file like any other image without triggering alarms. Because the data leaves the site as an ordinary image download from the store’s own domain, egress monitoring for connections to unknown hosts will not see it; a file-integrity check on the image directories (for example, flagging JPEGs that keep growing or that carry data after the end-of-image marker) is the kind of control that does.

(Bleeping Computer)
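The check suggested above, as an added example that is not code from Sucuri, Magento or the article: it walks a JPEG’s marker segments to find the top-level End-Of-Image marker and reports anything appended after it, then looks for Luhn-valid card numbers in that tail. It assumes the skimmer appended its data after the EOI marker so the image still renders; the sample file and skimmer payload are constructed (the JPEG is structurally valid but not a real picture, and the card number is the standard 4111… test PAN).

```python
"""Flag JPEG files on a web server that carry data after the End-Of-Image marker.

Added example; not code from Sucuri, Magento or the article. It assumes the
skimmed checkout data was appended to an existing image after the JPEG EOI
marker (FF D9), so the file still renders and passes MIME checks. Walking
the marker segments matters: embedded EXIF thumbnails contain their own EOI,
so a naive search for FF D9 would stop too early.
"""
import re
from pathlib import Path

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
STANDALONE = {0x01, *range(0xD0, 0xD8)}        # TEM and RST0-7 carry no length field
ENTROPY_SAFE = {0x00, *range(0xD0, 0xD8)}      # FF 00 is byte stuffing, FF D0-D7 are RST
# 13-19 digit runs, optionally separated by spaces or dashes (constructed, coarse)
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop random digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def trailing_bytes(data: bytes) -> bytes:
    """Return everything after the top-level EOI marker (b'' for a clean file)."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:
            return data[pos:]
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        pos += int.from_bytes(data[pos:pos + 2], "big")   # length includes itself
        if marker == 0xDA:                      # SOS: skip the entropy-coded data
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in ENTROPY_SAFE:
                    break
                pos += 1
    raise ValueError("no EOI marker found (truncated or not a JPEG)")


def scan_jpeg(data: bytes) -> dict:
    """Report trailing bytes and any Luhn-valid card numbers found in them.

    Encoded payloads (base64, hex) will not match PAN_RE but still show up as
    trailing bytes, which is the primary signal for a file that should be an image.
    """
    tail = trailing_bytes(data)
    pans = [m.group().decode() for m in PAN_RE.finditer(tail)]
    valid = [p for p in pans if luhn_ok(re.sub(r"[ -]", "", p))]
    return {"trailing_bytes": len(tail), "luhn_valid_pans": valid}


def scan_tree(root: str) -> dict:
    """Scan every .jpg/.jpeg under root, e.g. a Magento pub/media directory."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".jpg", ".jpeg") and path.is_file():
            try:
                results[str(path)] = scan_jpeg(path.read_bytes())
            except ValueError as exc:
                results[str(path)] = {"error": str(exc)}
    return results


def build_sample_jpeg(payload: bytes = b"") -> bytes:
    """Constructed JPEG-shaped file (not a real picture) with an EXIF-style
    embedded thumbnail and an optional appended payload."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    thumb = b"Exif\x00\x00" + SOI + EOI           # embedded image has its own EOI
    app1 = b"\xff\xe1" + (2 + len(thumb)).to_bytes(2, "big") + thumb
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"                # includes a stuffed FF 00
    return SOI + app0 + app1 + sos + scan + EOI + payload


# Constructed skimmer payload: one Luhn-valid test PAN and one that fails Luhn.
SAMPLE_PAYLOAD = b"email=a@example.com&card=4111 1111 1111 1111&exp=12/24&cvv=123&card=4111111111111112"
SAMPLE_JPEG = build_sample_jpeg(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(scan_jpeg(SAMPLE_JPEG))
```

Run `scan_tree("/var/www/html/pub/media")` (or wherever the store keeps uploads) from cron and alert on any file whose trailing byte count is non-zero or grows between runs; a legitimate image does not change size on its own.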

Thanks to our episode sponsor, Trend Micro

The conversation between you and your board of directors is not always a walk in the park. With more cloud projects coming your way, it’s time to change the conversation to speak their language and start paving the way for a secure future. For more, go to http://trendmicro.com/CISO

New Mirai variant malware emerges in the wild

Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy Mirai variants on compromised systems. Palo Alto Networks’ Unit 42 threat intelligence team said the attack chain uses the wget utility to download a shell script, which in turn fetches the Mirai binaries. Mirai is a notorious malware family that turns networked IoT devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. The RCE vulnerabilities being exploited affect products from SonicWall (SSL-VPN), D-Link, Yealink, and Netgear.

(The Hacker News)

Nokia to cut 10,000 jobs worldwide to bankroll new 5G drive

Nokia plans to increase investment in research and development and in future capabilities including 5G, cloud and digital infrastructure. To that end, it has announced plans to cut up to 10,000 jobs within two years to trim costs and invest more in research, in an effort to catch up with Sweden’s Ericsson and China’s Huawei. Nokia has not won any 5G radio contract in China, whereas Ericsson has, and it has also lost out to Samsung Electronics on part of a contract to supply 5G equipment to Verizon.

(Reuters)

Two cryptocurrency portals experience simultaneous DNS hijack 

The Cream Finance and PancakeSwap crypto services are currently dealing with DNS hijacking attacks that redirect visitors to fake versions of their websites, where crooks try to collect seed phrases and private keys. The same attacker is believed to be behind both incidents, as the DNS records for both websites were changed within a minute of each other. Both services use GoDaddy. While nothing has yet been proven, one possibility is that the attackers compromised a GoDaddy employee’s account to change the DNS records and execute the attack. The practical lesson for anyone running a high-value domain is that the registrar account is part of the attack surface: lock the domain against transfers and unauthorised changes, require strong multi-factor authentication on the account, and monitor the live NS and A records against a known-good baseline so a change is noticed in minutes rather than when users start losing funds.

(The Record)
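The baseline check described above, as an added example that is not code from The Record, Cream Finance, PancakeSwap or GoDaddy: it parses `dig +noall +answer` output for a domain’s NS and A records, compares the live sets with a stored baseline, and reports additions and removals, rating a nameserver change as critical because it means control of the zone moved, not just one host. The dig output below is constructed with example.com and RFC 5737 documentation addresses and does not reproduce the real incident’s records; the resolver address and nameserver names are assumptions.

```python
"""Compare live DNS answers with a known-good baseline to catch record hijacks.

Added example; not code from The Record, Cream Finance, PancakeSwap or GoDaddy.
It assumes you keep a baseline of the NS and A records you expect for each
domain and re-check them on a short interval (the records in this story
changed within a minute of each other, so a daily check is too slow). The
sample dig output is constructed with example.com and RFC 5737 documentation
addresses; it does not reproduce the real incident's records.
"""
import subprocess
from collections import defaultdict


def parse_dig_answers(text: str) -> dict:
    """Parse `dig +noall +answer` output into {(owner, rtype): {rdata, ...}}."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 4)               # owner ttl class type rdata
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        key = (owner.rstrip(".").lower(), rtype.upper())
        records[key].add(rdata.strip().rstrip(".").lower())
    return dict(records)


def live_answers(name: str, rtype: str, resolver: str = "1.1.1.1") -> dict:
    """Network query through dig; not used by the offline demo below.
    The resolver address is an assumption; query several resolvers in practice,
    since a hijack at the registrar propagates through all of them."""
    out = subprocess.run(["dig", "+noall", "+answer", "@" + resolver, name, rtype],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_answers(out)


def compare(baseline: dict, current: dict) -> list:
    """Return one finding per (owner, type) whose record set differs from baseline."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        expected, seen = baseline.get(key, set()), current.get(key, set())
        if expected == seen:
            continue
        owner, rtype = key
        findings.append({
            "owner": owner, "type": rtype,
            "added": sorted(seen - expected), "removed": sorted(expected - seen),
            # an NS change means whoever controls the zone changed, not just a host
            "severity": "critical" if rtype == "NS" else "high",
        })
    return findings


# Constructed known-good answers, as captured when the baseline was last approved.
BASELINE_DIG = """\
example.com.   3600  IN  NS  ns1.example-dns.net.
example.com.   3600  IN  NS  ns2.example-dns.net.
example.com.   300   IN  A   192.0.2.10
"""

# Constructed "after the hijack" answers: one nameserver swapped for an
# attacker-controlled one and the web front end pointed at an unpublished address.
HIJACKED_DIG = """\
example.com.   3600  IN  NS  ns1.example-dns.net.
example.com.   3600  IN  NS  ns9.lookalike-dns.example.
example.com.   300   IN  A   198.51.100.77
"""

BASELINE = parse_dig_answers(BASELINE_DIG)

if __name__ == "__main__":
    for finding in compare(BASELINE, parse_dig_answers(HIJACKED_DIG)):
        print(finding)
```

In production, replace `HIJACKED_DIG` with `live_answers(domain, "NS")` and `live_answers(domain, "A")` merged into one dict, run it every minute or two, and page on any finding; keep the baseline in version control so that a legitimate DNS change is a reviewed commit rather than a silent edit in the registrar console.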

Twitter accidentally blocks users who post the word “Memphis”

Over the weekend, users of the social network discovered that simply tweeting the word “Memphis” was enough to land them with an automatic 12-hour suspension and a requirement to delete the tweet. “There was a system issue impacting accounts that tweeted the word ‘Memphis’,” the company said in a statement. Twitter did not explain why Memphis was blocked, but the security commentator SwiftOnSecurity speculated that an attempt to prevent a specific user’s personal information from being shared was entered incorrectly: “What’s possible is a Twitter staffer tried to block a street address, but the postal syntax acted as an escape sequence, or the original was multi-line and they only pasted the city.” In 2016, Jack Dorsey himself was banned temporarily from Twitter due to a similar “internal mistake”.

(The Guardian)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.