Microsoft Exchange zero-days, the Cyber Power Index and one publisher’s hacking nightmare

T T/Flickr

Welcome to Changelog for 10/2/22, published by Synack! It’s me, Blake, reporting with help from README senior editor Nate Mott. It was yet another busy week for cyber news, so let’s cut to the chase:

The payload

It feels like we’ve had zero days to prepare for Cybersecurity Awareness Month as it snuck up on us this year. So perhaps it’s fitting for the October occasion to kick off with a few actual zero-days.

A pair of previously unknown Microsoft Exchange Server flaws could allow for remote code execution on targets running Microsoft Exchange on premises, officials confirmed Friday.

Microsoft noted attackers have exploited the vulnerabilities in the wild since at least August. The company said in a blog post yesterday that CVE-2022-41040 and CVE-2022-41082 have been triggered in “a small number of targeted attacks” affecting fewer than 10 organizations globally, adding that the group behind the attacks is likely state-sponsored.

Are you feeling aware yet?

The latest zero-days aren’t nearly as alarming as the massive China-linked hack of Microsoft Exchange servers in early 2021. But they are still severe enough to have drawn a warning from the U.S. Cybersecurity and Infrastructure Security Agency.

Microsoft is rushing to roll out an official fix for the flaws nicknamed ProxyNotShell, as Protocol reported. It’s also shared mitigations while customers wait for a patch.

But as President Biden officially ushers in Cybersecurity Awareness Month, the Microsoft Exchange flaws underscore how difficult it will be to shake the endless cycle of breach, patch, repeat.

The week, compiled

Fast Company had a bad week.

The outlet’s Apple News account was used to send push notifications containing racist, explicit messages to iPhone owners Tuesday night. Fast Company later revealed that its content management system (which happened to be WordPress) had been compromised on Sept. 25 and used to post the same message on the magazine’s home page and several recent articles.

This is every digital publisher’s nightmare — but in some respects, Fast Company got off easy. The person who compromised the outlet, who goes by “thrax,” told Motherboard the notification “could have been a hoax threat-to-life event, a hoax nuclear fallout, the hoax death of President Biden, a crypto scam or anything else which could have had the potential to shift markets. Instead, I chose to embarrass Fast Company.”

The attacker has also said that several of Fast Company’s accounts relied on a simple password that, according to an online tool, could be cracked within 0.25 seconds.

Fast Company took its website down shortly after the notifications were sent via Apple News. (The site currently redirects visitors to a company statement on the incident.) It said on Sept. 28 that it had “retained a leading global incident response and cybersecurity firm and, together, we are investigating the situation.” The publication added it would keep its website down until that investigation concluded.

In the meantime, here’s the biggest news of the week:

CyberScoop: Defense Intelligence of Ukraine warned that Russia “is planning to carry out massive cyberattacks on the critical infrastructure facilities of Ukrainian enterprises and critical infrastructure institutions of Ukraine’s allies” and will draw on operations conducted in 2015 (BlackEnergy) and 2016 (Industroyer) to “try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine,” in response to Ukraine’s counteroffensive.

The Duga Radar Station near Chernobyl, Ukraine. Kevin Dooley/Flickr

Eurogamer: The alleged Uber and Rockstar Games hacker arrested by City of London Police on Sept. 22 was “one of seven arrested under suspicion of hacking other high-profile companies such as Microsoft, before bragging about it online,” Eurogamer reports. Police said the 17-year-old associated with the Lapsus$ group “pleaded guilty to breaching his bail conditions and not guilty to computer misuse” and has been “remanded to a youth detention [center].”

The Guardian: Meta said this week that it had disrupted two influence operations — which it tracks as “coordinated inauthentic behavior” — conducted by China and Russia. The former was noteworthy because it “was the first Chinese network we disrupted that focused on U.S. domestic politics ahead of the midterm elections and Czechia’s foreign policy toward China and Ukraine,” the company said, while the latter was the “largest and most complex Russian operation we’ve disrupted since the war in Ukraine began.”

A message from Synack

There is a better way to pentest that meets compliance requirements, ensures vulnerabilities are remediated and augments existing security teams, allowing them to focus on other risk management projects. Learn how continuous pentesting achieves all that in an Oct. 19 webinar featuring Adam Keown, global CISO of Eastman Chemical Company; David R. Hale of Brownstein Hyatt Farber Schreck LLP; and Synack co-founder and CEO Jay Kaplan. Learn more and register for the 11 a.m. PT webinar here.

Flash memory

Yahoo revealed on Sept. 22, 2016 that at least 500 million accounts had been compromised in a 2014 breach. NBC News reported that the stolen information “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and in some cases… encrypted or unencrypted security questions and answers.”

Reuters described it as “a theft that appeared to be the world’s biggest known cyber breach by far”… only for it to be dwarfed by other breaches Yahoo discovered and disclosed in the ensuing months like bigger and bigger dominoes.

The company said in December 2016 that an even earlier breach had affected 1 billion accounts. That estimate proved to be conservative: Yahoo concluded in October 2017 that it believed all 3 billion accounts registered at the time of the 2013 attack were probably affected.

Yahoo never should have lost the exclamation mark.

Local files

BankInfoSecurity: A hacker who stole an estimated 10 million customer records from the Optus telecommunications company in Australia initially demanded a $1 million ransom in exchange for not leaking all of the data, which includes passport and license information. But several days later, the attacker deleted the samples they’d already posted and said they wouldn’t sell the records even though Optus refused to pay the ransom.

Optus head office in Queensland, Australia. Kgbo/Wikimedia Commons

The Washington Post: The Harvard Kennedy School Belfer Center said in the second edition of the National Cyber Power Index that the U.S. — which the Washington Post helpfully points out “ranks 16th on the World Happiness list, last place on health-care systems among 11 high-income countries and 129th on the Global Peace Index” — is the world’s leading cyber power. (Whatever that means.)

Risky Biz News: Chile has been hit by cybercriminals twice in less than a month. Risky Biz News reports that a ransomware attack targeted the National Consumer Service on Aug. 25, and on Sept. 26, the country’s judiciary branch was targeted by a second ransomware attack.

Decipher: The U.S. Government Accountability Office said that the National Nuclear Security Administration and its contractors “have not fully implemented six foundational cybersecurity risk practices” in the office’s traditional IT environment, its nuclear weapons IT environment or its operational technology networks.

Off-script

It’s been hard to watch the images of devastation emerging from my hometown of Sanibel Island, Fla., in the wake of Hurricane Ian, which ripped through the tranquil barrier island as a Category 4 storm last week.

I’m lucky that my immediate family and friends are all safe, but it may be a while before anyone can return home to assess the damage: The lone causeway connecting Sanibel to the mainland has been breached in multiple places.

The Tampa Bay Times has assembled a helpful list of places to donate to aid in recovery efforts. I’ll be keeping everyone harmed or displaced by Ian in my thoughts.

What remains of part of the Sanibel Causeway in southwest Florida, as photographed Sept. 29. FEMA

That’s all for now — send tips and feedback to bsobczak@synack.com or nmott@synack.com. See you Oct. 9!