Exchange Exploits Go From Bad to Worse 📧, Android Apps Found Distribution Malware 📱, Tesla's Surveillance Cameras Hacked 🎥

CyberLite Mar 16, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!

📧 Exchange Exploits Go From Bad to Worse

The biggest story of the last two weeks has been the exploitation of a set of Microsoft Exchange Server vulnerabilities. This week things have continued to go from bad to worse. If you missed last week's issue here's a quick recap:

Microsoft's Exchange server is responsible for managing users’ mail and calendar data. This week Microsoft disclosed four new zero-day vulnerabilities in Exchange which were being actively exploited by several global threat actors, but the exploitation was primarily attributed to a Chinese actor that’s been given the name HAFNIUM. The vulnerabilities could be used to access users’ email accounts and install malware on victims’ computers.

Wherever the vulnerability has been exploited, attackers have left behind a web shell, a small script dropped on the server that lets an attacker control and administer it remotely over HTTP. Researchers have found web shells in place at many US organizations including police departments, local governments and hospitals.

Microsoft has released patches for the vulnerabilities and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive to companies to apply these patches. This doesn't happen very often and speaks to the severity of these flaws; the last emergency directive was issued in December 2020 in response to the SolarWinds attack.

Estimates for the number of affected organizations have soared this week, going as high as 100,000 organizations affected worldwide. Microsoft has also detected a new family of ransomware dubbed DearCry. Attackers have been deploying this after using the Exchange vulnerabilities to compromise an organization.

By the time Microsoft released a patch for the vulnerability, attackers had already managed to compromise a majority of the vulnerable Exchange servers and install a backdoor. This has made the patch largely ineffective at stopping them: patching closes the door, but it does not remove the web shells already left behind. If anyone needed another reminder to move to the cloud and stop running your own Exchange server, this is it.

📱 Nine Android Apps Found Installing Malware

Nine Android apps have been discovered installing malware capable of accessing users' financial accounts and taking control of their devices. Attackers are always finding new ways to stop their malicious apps from being detected by Google Play. These apps had generic names like BeatPlayer and eVPN and were all given lots of fake reviews to lure users in. The apps themselves didn't contain any malicious code but after being installed they prompted users to give them permission to install apps from unknown sources. This allowed them to download malware onto users' devices.

Another popular technique that has been used in attacks like this is for attackers to initially upload a safe, non-malicious app to the Play Store. This allows attackers to build up a user base that trusts the app; then they can slowly introduce malicious functionality in later updates. It's also common to encrypt malicious code within the app to make it harder for Google Play to detect.

Attackers will keep finding ways of uploading malicious apps to Android's Google Play Store. Knowing this, we need to encourage skepticism when installing apps without an established reputation.

🎥 Tesla’s Surveillance Cameras Hacked

A group of hackers by the name of Arson Cats have accessed the live surveillance cameras at a staggering list of companies and institutions including Tesla and Cloudflare. All of the affected companies used surveillance company Verkada. The hackers were able to find the credentials for a Verkada admin account exposed within Verkada's publicly accessible code.

The hackers don't appear to have clear malicious intentions but one of the group’s members, Tillie Kottman, has been happily flaunting videos from inside Tesla warehouses on social media. Disclosing the issue to Verkada might have been a more responsible course of action.

🔥 Rapid Fire

Some shorter stories…

🌐 Firefox 86 will bring with it Total Cookie Protection. It confines cookies to the site where they were created, which prevents companies from using third-party cookies to track your browsing activity from site to site. The days where cookies can track across sites are numbered, and browsers are all taking slightly different approaches to what the future of tracking and advertising will look like. It'll be interesting to see which approach is able to keep both users and advertisers happy. Link.

👩‍💻 A threat group known as TA800 has been distributing malware written in the Nim programming language. I take it I'm not the only one hearing about the language for the first time... Given that it's relatively unknown, the attackers have chosen it to avoid detection. If security researchers don't understand the code, it definitely makes their lives more difficult! Link.

💻 In January there was a world-wide law enforcement effort to take down the Emotet botnet. The Emotet malware that was used to infect devices and add them to the botnet was the most popular malware in the world last year, but since its takedown that crown has been handed to the Trickbot botnet. Trickbot was disrupted by Microsoft last year but has returned with a vengeance, launching a massive spam campaign to infect new victims. It'll be interesting to see whether or not the efforts to disrupt Emotet will be successful enough to prevent a similar resurgence. Link.

💾 Academics have developed a new type of attack that exploits web browsers’ caches to determine what websites users have visited recently. Without third-party cookies web tracking is hard and bad actors will keep finding ways to track you. It’s up to researchers to try and stay ahead. Link.

👮‍♀️ Europol has been monitoring encrypted messages on the Sky ECC service, which sells specialized mobile phones for encrypted communication. This has led to arrests across the continent as many organized crime outfits used Sky ECC devices. Link.

🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week. We had March's Patch Tuesday last week. Patch Tuesday is when Microsoft and other software makers like Adobe all release security updates; it falls on the second Tuesday of each month.

Apple has a service called Offline Finding which helps users locate lost devices. If an online iPhone comes into contact with a device marked as lost, it will notify the owner of where the lost device is. Apple has always promised that the service is built to be anonymous, so when your iPhone detects a lost device nobody knows that it was you that located it. This matters because otherwise you would be sharing your current location with a stranger. However, researchers have uncovered vulnerabilities in Offline Finding that would have allowed the location history of users to be accessed. Apple has responded and fixed the flaws. Link.

Apple update number two! They also released a security patch addressing a vulnerability that would allow attackers to run malicious code on users' devices if victims viewed specially crafted web content. The vulnerability was in Safari and it affected iOS, macOS and watchOS. Link.

Researchers at the University of Illinois have discovered a vulnerability in Intel's 8th and 9th generation processors. The vulnerability could be used to launch what's called a side-channel attack, where sensitive information can be extracted as it is moved between sections of the processor. The vulnerability exploits the CPU ring interconnect that passes information between the CPU cores and caches. Exploiting this vulnerability is technically difficult and it remains to be seen if any active exploitation will occur; sending phishing emails to millions of people is a lot easier than carrying out a processor side-channel attack. Link.

Microsoft's March update patched more than 82 security flaws across all of their software; ten flaws earned Microsoft’s critical rating, meaning they can be exploited without help from an insider. The most notable vulnerability was in Internet Explorer, allowing attackers to run a malicious file by getting victims to view specially crafted web content. This vulnerability was being actively exploited by attackers. Link.

Google has addressed an actively exploited zero-day in Chrome this week. Details are sparse but it's been classified as a "use after free" vulnerability, where a program keeps using memory after it has been released. These can cause a program to crash, use unexpected values or execute an attacker's code. Link.

💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

💾 The causes and impacts of the world semiconductor shortage. Link.

📁 Data left in the PDFs of security agencies could be revealing information about their IT infrastructure to bad actors. Link.

📊 Packy McCormick on why Excel will never die. Although I don't share his love for Excel, he makes some excellent points. Link.

🦠 Yuval Noah Harari: Lessons from a year of Covid. A fantastic free article in the Financial Times from the author of Sapiens. Link.

❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!

🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!


Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.
