Read. Learn. Share.

Tech Talk Show Notes

March 13, 2021

 

Tens of thousands of US organizations hit in ongoing Microsoft Exchange hack

Tens of thousands of US-based organizations are running Microsoft Exchange servers that have been backdoored by threat actors who are stealing administrator passwords and exploiting critical vulnerabilities in the email and calendaring application, it was widely reported. Microsoft issued emergency patches on Tuesday, but they do nothing to disinfect systems that are already compromised.

KrebsOnSecurity was the first to report the mass hack. Citing multiple unnamed people, reporter Brian Krebs put the number of compromised US organizations at at least 30,000. Worldwide, Krebs said there were at least 100,000 hacked organizations. Other news outlets, also citing unnamed sources, quickly followed with posts reporting the hack had hit tens of thousands of organizations in the US.

“This is the real deal,” Chris Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, said on Twitter, referring to the attacks on on-premises Exchange servers; the Outlook Web Access (OWA) component he refers to is the web-facing part of Exchange that is typically exposed to the internet. “If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03.” His comments accompanied a tweet on Thursday from Jake Sullivan, the White House national security advisor to President Biden.

++++++++

Samsung just out-Googled the Pixel at guaranteeing Android updates

Android updates might be the butt of many a joke, but Samsung is working hard to make sure it’s no laughing matter for Galaxy owners. Just months after promising most new Galaxy phones would be receiving three generations of Android version updates, Samsung today vowed to deliver four years of security updates to nearly every Galaxy phone made since 2019.

That’s an impressive promise for a phone company that, just a year ago, wasn’t guaranteeing anything in terms of updates. Most new phone purchases were good for a year or two of updates, but only the Pixel, which is made by Google, and Android One-based phones were on the record about how long you would be receiving updates.

Now Samsung is doing one better than Google, which guaranteed only three years of version and security updates for its Pixel phones, and those are a small group of handsets. Samsung says more than 130 models, going back to the Galaxy S10 from 2019, are in line for updates.

++++++++

Google’s Getting Rid of Third-Party Cookies, But Their Replacement Is a Terrible Idea

The third-party cookie is dying, and Google is trying to create its replacement.

No one should mourn the death of the cookie as we know it. For more than two decades, the third-party cookie has been the lynchpin in a shadowy, seedy, multi-billion-dollar advertising-surveillance industry on the Web; phasing out tracking cookies and other persistent third-party identifiers is long overdue. However, as the foundations shift beneath the advertising industry, its biggest players are determined to land on their feet.

Google is leading the charge to replace third-party cookies with a new suite of technologies to target ads on the Web. And some of its proposals show that it hasn’t learned the right lessons from the ongoing backlash to the surveillance business model. This post will focus on one of those proposals, Federated Learning of Cohorts (FLoC), which is perhaps the most ambitious—and potentially the most harmful.

++++++++

Google claims it will stop tracking individual users for ads

As Google’s plan to kill third-party tracking cookies ramps up, the company is answering questions about what will replace it. Many people have wondered: if Google kills cookies, won’t the company just cook up some other method for individually tracking users?

Today, Google answered that concern in a post on its “Ads & Commerce” blog, pledging it won’t come up with “any technology used for tracking individual people.” The company wrote:

We continue to get questions about whether Google will join others in the ad tech industry who plan to replace third-party cookies with alternative user-level identifiers. Today, we’re making explicit that once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products.

You might look at that statement and think that Google is sacrificing something or turning over a new leaf when it comes to privacy, but really, Google doesn’t need to track individuals for advertisements. Google’s cookie-tracking replacement technology, the Chrome “Privacy Sandbox,” uses group tracking, which is more in line with how advertisers think anyway.

++++++++

Tesla asks fans to lobby the government on its behalf

Tesla fans: Your mission, should you choose to accept it, is to go to bat politically for the company.

The electric automaker has launched a new online portal called the Tesla Engagement Platform, as spotted by CNBC Friday. It is a hub where Tesla posts actions its users can take, like contacting government officials when there is a potential law that would affect the company. 

“Engage Tesla is a new platform for both Tesla’s public policy team and Tesla Owner’s Clubs,” a blog post on the hub reads. “Its goal is to create a digital home base for all of our work and make it easier for Tesla community members to learn what’s top of mind for us, take meaningful action, and stay in the loop. We hope you’ll join us in getting involved.”

Other tech companies, notably rideshare companies including Uber, have asked their customers and employees to politically engage on laws that affect them. Tesla’s new hub is notable, however, because it recently dissolved its public relations team. 

++++++++

Consider Your Data Privacy When Making MyHeritage ‘Deepfakes’

One should always get a little privacy-skeptical when there’s a new flavor-of-the-week meme making the rounds. This time, it’s MyHeritage’s “Deep Nostalgia” photo animation tool, which renders pretty realistic deepfake animations from images you upload to the service.

The premise is simple: It’s a fun way to get an idea of what a person might have been like as a living, breathing human being. So, if you have a super-old photo of your grandparents sitting around somewhere, you can upload it to the site, let the deepfake tool work its magic, and feel that warm, fuzzy nostalgia that only comes from a static image of something ancient now moving around.

I mean, I don’t really get it myself, but I suppose it brings comfort and joy to some during these still-in-a-pandemic times, so I won’t fault anyone for using MyHeritage. However, I did want to take a moment to chat about digital privacy related to the content you’re all just blindly tossing over to the site.

++++++++

Microsoft Exchange Server Exploits Hit Retail, Government, Education

Attackers targeting four critical Microsoft Exchange Server zero-days patched this week hit a range of organizations across retail, government, and higher education, report the Mandiant researchers who today published their observations of the exploit activity.

Microsoft, which issued fixes for the vulnerabilities on March 2, says they have been used in “limited and targeted” attacks against law firms, infectious disease researchers, defense contractors, policy think tanks, and other victims. It attributes the exploits with high confidence to a group it calls Hafnium, which it believes is state-sponsored and operates out of China.

Mandiant began to see instances of abuse of Microsoft Exchange Server in at least one client environment starting in January, researchers write in their report. Their observations included the creation of Web shells for persistent access, remote code execution, and reconnaissance for endpoint security tools. In response, they built threat-hunting campaigns to detect attacker activity on Exchange Server.

++++++++

China’s and Russia’s spying sprees will take years to unpack

First, it was SolarWinds, a reportedly Russian hacking campaign that stretches back almost a year and has felled at least nine US government agencies and countless private companies. Now it’s Hafnium, a Chinese group that has been exploiting vulnerabilities in Microsoft Exchange Server to sneak into victims’ email inboxes and beyond. The collective toll of these espionage sprees is still being uncovered. It may never be fully known.

Countries spy on each other, everywhere, all the time. They always have. But the extent and sophistication of Russia’s and China’s latest efforts still manage to shock. And the near-term fallout of both underscores just how tricky it can be to take the full measure of a campaign even after you’ve sniffed it out.

By now you’re probably familiar with the basics of the SolarWinds attack: likely Russian hackers broke into the IT management firm’s networks and altered versions of its Orion network monitoring tool, exposing as many as 18,000 organizations. The actual number of SolarWinds victims is assumed to be much smaller, although security analysts have pegged it in at least the low hundreds so far. And as SolarWinds CEO Sudhakar Ramakrishna has eagerly pointed out to anyone who will listen, his was not the only software supply chain company that the Russians hacked in this campaign, implying a much broader ecosystem of victims than anyone has yet accounted for.

++++++++

A new type of supply-chain attack with serious consequences is flourishing

A new type of supply chain attack unveiled last month is targeting more and more companies, with new rounds this week taking aim at Microsoft, Amazon, Slack, Lyft, Zillow, and an unknown number of others. In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks.

The latest attack against Microsoft was also carried out as a proof-of-concept by a researcher. Attacks targeting Amazon, Slack, Lyft, and Zillow, by contrast, were malicious, but it’s not clear if they succeeded in executing the malware inside their networks. The npm and PyPI open source code repositories, meanwhile, have been flooded with more than 5,000 proof-of-concept packages, according to Sonatype, a firm that helps customers secure the applications they develop.

“Given the daily volume of suspicious npm packages being picked up by Sonatype’s automated malware detection systems, we only expect this trend to increase, with adversaries abusing dependency confusion to conduct even more sinister activities,” Sonatype researcher Ax Sharma wrote earlier this week.
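The mechanism behind the “dependency confusion” the item mentions is simple: a company installs a package by a name that exists only on its private registry, the installer is configured to also consult the public registry, and an attacker publishes a package with that same name and a very high version number on the public side, so the installer picks the attacker’s copy. The following is an added illustration, not code from the article, from Sonatype, or from pip or npm themselves. The registries, the package names (the “acme-” prefix is an assumed internal naming convention), the version numbers and the requirements text are all constructed. It models the confusable resolver beside a hardened one that binds each internal name to a single index, and then audits a requirements file for internal names that a public registry could still satisfy.

```python
"""Dependency confusion, modelled end to end.

Added illustration; not code from the article, Sonatype, pip or npm. Package names,
versions, the 'acme-' internal prefix and the requirements text are all constructed.
"""
from __future__ import annotations

import re

# Constructed registries. The private index holds the company's internal packages;
# on the public index an attacker has registered one of those names with a version
# higher than anything the company has ever published.
PRIVATE_INDEX = {
    "acme-internal-utils": ["1.2.0", "1.3.1"],
    "acme-billing": ["0.9.0"],
}
PUBLIC_INDEX = {
    "requests": ["2.25.1"],
    "acme-internal-utils": ["99.0.0"],  # attacker-planted name squat
}
INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}
INTERNAL_PREFIXES = ("acme-",)  # assumed naming convention for internal packages


def parse_version(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name: str) -> tuple[str, str]:
    """Model of a client that treats the private index as merely an *extra* index:
    all indexes are searched and the highest version wins, wherever it lives.
    This is the behaviour dependency confusion abuses. Returns (version, index)."""
    candidates = [
        (parse_version(v), v, label)
        for label, index in INDEXES.items()
        for v in index.get(name, [])
    ]
    if not candidates:
        raise LookupError(name)
    _, version, label = max(candidates)
    return version, label


def resolve_bound(name: str, bindings: dict[str, str]) -> tuple[str, str]:
    """Hardened model: every internal name is bound to exactly one index and is never
    looked up anywhere else, so a public same-named package cannot shadow it.
    Names without a binding come only from the public index."""
    label = bindings.get(name, "public")
    versions = INDEXES[label].get(name, [])
    if not versions:
        raise LookupError(f"{name!r} is not published on the {label} index")
    return max(versions, key=parse_version), label


def _logical_lines(text: str):
    """Join backslash-continued lines and drop comments, as a requirements parser does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def audit_requirements(text: str, prefixes=INTERNAL_PREFIXES) -> list[str]:
    """Flag internal-looking requirements that a public index could still satisfy.
    An exact pin alone is not enough, because the attacker can publish that same
    version number too; each internal requirement also needs a --hash entry."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):
            continue  # option lines such as --index-url or -r are not requirements
        name = re.split(r"[=<>!~;\s\[]", line, maxsplit=1)[0].lower()
        if not name.startswith(prefixes):
            continue
        if "==" not in line:
            findings.append(f"{name}: no exact version pin")
        if "--hash=" not in line:
            findings.append(f"{name}: no --hash, so a same-named public package would be accepted")
    return findings


# Constructed requirements file; the sha256 value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
requests==2.25.1
acme-internal-utils>=1.2
acme-billing==0.9.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    print("naive :", resolve_naive("acme-internal-utils"))  # attacker's 99.0.0 wins
    print("bound :", resolve_bound("acme-internal-utils", {"acme-internal-utils": "private"}))
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print("audit :", finding)
```

The naive resolver returns the attacker’s 99.0.0 from the public index, while the bound resolver never leaves the private index for that name. The audit flags `acme-internal-utils` twice (no exact pin, no hash) and passes `acme-billing`, whose pin plus hash means a same-named public upload with the same version number would fail verification. The npm equivalent of the binding is publishing internal packages under a scope (for example `@acme/...`) and mapping that scope to the private registry in `.npmrc`; the scope name here is assumed.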

++++++++