Microsoft Exchange Flaws Affect 30,000 Orgs 📧, Malware uses SEO 🔎, Airlines Suffer Supply Chain Attack ✈

CyberLite Mar 9, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!

📧 Actively Exploited Flaws Found in Microsoft Exchange

Microsoft's Exchange server is responsible for managing user's mail and calendar data. This week Microsoft disclosed four new zero-day vulnerabilities in Exchange which were being actively exploited by several global threat actors, but the exploitation was primarily attributed to a Chinese actor that’s been given the name HAFNIUM. The vulnerabilities could be used to access users’ email accounts and install malware on victim's computers.

Wherever the vulnerability has been exploited attackers have left behind a web-shell, a piece of code that enables a server to be controlled/administrated remotely. Researchers have found web shells in place at over 30,000 US organizations, including police departments, local governments and hospitals.

Microsoft has released patches for the vulnerabilities and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive to companies to apply these patches. This doesn't happen very often and speaks to the severity of these flaws; the last emergency directive was issued in December 2020 in response to the SolarWinds attack.

☀ SolarWinds Update

We got two new developments from the SolarWinds investigations this week.

Quick Recap: It’s been a hot minute since we’ve spoken about SolarWinds so let’s quickly recap the biggest attack of last year. SolarWinds are a software company that produces popular IT management software. State-backed Russian hackers gained access to their network and were able to insert malicious code into one of SolarWinds’ products - the Orion IT monitoring platform. About 18,000 SolarWinds customers received this malicious version of Orion, which gave the attackers a backdoor to all of the customers’ networks. In the US these customers included the Treasury, Commerce, and Homeland Security Departments.

Now onto the updates: In a hearing before the US Congress SolarWinds blamed an intern for setting a server password to solarwinds123. SolarWinds have insisted that this security lapse isn't what enabled the large-scale cyberattack on SolarWinds. Either way, it isn't a good look for them. If an intern can set a password to one of your servers to something as simple as "solarwinds123" that's your problem, not theirs.

Researchers at FireEye and Microsoft have uncovered three new malware strains associated with the SolarWinds hack:

  • GoldMax (a.k.a. Sunshuttle) establishes a connection between an attacker-controlled server and the infected system. Allowing the attackers to issue commands.
  • Goldfinder was used to find undetectable ways of sending data between the attacker-controlled server and the infected system. It searched for points where internet traffic was being logged by the organization.
  • Sibot was designed to achieve persistence on the infected system. If malware achieves persistence it can continue running permanently, even if the system is restarted or logged on and off. Sibot then downloaded and executed a piece of malware from the attacker-controlled server.

🔎 Gootkit Malware uses Search Engine Optimisation to Drive Infections

Microsoft Security Intelligence detected numerous attacks this week emanating from the Gootkit malware. The attack uses lots of interesting tactics to get users to unknowingly install the malware. The attackers created blog posts on sites that they'd compromised which contained terms that would make the posts appear higher up in google searches. These are known as SEO (Search Engine Optimisation) friendly terms. Clicking on links in the blog posts would then install the Gootkit malware which would allow the attacker to take control of the victim's devices.

✈ Supply Chain Attack Targets Airlines

As if Covid-19 wasn’t giving the airlines a hard enough time already… SITA, a leading provider of air transport communications and information technology has suffered a data breach, potentially compromising all of the passenger data stored on their US servers. SITA claims to supply 90% of the world’s airlines with their technology, and as a result many airlines have reached out to passengers notifying them that their data may have been compromised.

With each new data breach, we see the commentary that “insert industry” is a new target for cybercriminals; the reality is that any industry that stores personal data is a target. Increasingly every industry stores personal data, or is moving to do so to build better customer relationships. TLDR: Every industry is a target, or if it isn’t yet, it will be.

This breach is also a reminder of the increasing importance of supply chain security. Supply chain attacks are some of the most lucrative for attackers, what cybercriminal wouldn’t want to breach 30 organizations for the price of one?

🔥 Rapid Fire

Some shorter stories…

💳 A new version of the Ryuk ransomware has been discovered that's more adept at spreading through an organization's network. All the technical details can be found in the linked article. Link.

👩‍💻 Last month one of the top stories was security researcher Alex Birstan's disclosure of a new type of attack dubbed dependency confusion. For a full dependency confusion explainer check out my recent issue here. Alex's disclosure created a massive influx of researchers trying to find other companies who were vulnerable, but unsurprisingly this also attracted those with malicious intent. Open-source security firm Sonatype has uncovered malicious packages designed to target Amazon, Lyft and Slack. Link.

💭 Distributed Denial of Secrets (DDOSecrets) claim to have exfiltrated 70GB of data from the social media network Gab. Gab is known for its far right-userbase and it advertises a focus on "free speech, individual liberty and the free flow of information online”. Although the information was evidently flowing a little too freely in this case. Link.

🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

A critical zero-day vulnerability in Chrome that was being actively exploited has been patched. Google described it as "an object lifecycle issue in audio" but full details are yet to been released. This vulnerability was one of 47 security vulnerabilities fixed in the most recent update. Link.

💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

🌐 KrebsonSecurity discusses browser extension security. Why they're so problematic and some of the less than desirable ways authors are monetizing extensions. Link.

🔑 A great blog post from security researcher Laxman Muthiyah about how he found a vulnerability in Microsoft's account system that would've let him reset anyone's password. He received a $50,000 bug bounty for his disclosure last year and has just been allowed to release all the details. Link.

💸 Conversations around NFTs (Non-fungible tokens) have exploded in the last few weeks. If you've got no idea what that is or just want to learn more here are the two NFT articles I enjoyed most this week, The Verge article is a great starting point. The Verge. a16z.

📧 A great episode of the Ezra Klein show with Cal Newport discussing the impact that constant online communication has on our productivity, and our lives. Link.

❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!

🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!


Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.