Security Snacks #22 – Everything you need to know about the Exchange attacks frenzy, Verkada breach, F5 CVEs & Azure threats

By Anna Hammond

March 12, 2021

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Click here to subscribe

The security industry is buzzing about unprecedented attacks and vulnerabilities involving MS Exchange, Azure, Verkada, Cloudflare, Tesla, F5 and others.

Because it can be confusing to keep up when you are already busy, we spent time dissecting all noteworthy news so you won’t have to!

Notable Security News

Everything you need to know about the Microsoft Exchange Server hack

The Hafnium hack initially thought to be targeted turned out to be a large scale attack affecting tens of thousands organizations including the European Banking Authority, Norway parliament and US organizations.

Microsoft’s Patch Tuesday includes patches for the Exchange Server vulnerabilities it used (dubbed ProxyLogon), for Internet Explorer vulnerabilities that were recently used to attack security researchers, and five critical DNS vulnerabilities that lead to Remote Code Execution. This is one of those cases where the emphasis on patching ASAP isn’t just FUD. As a sign, Microsoft even released patches for obsolete versions of Exchange Server and Internet Explorer.

The flaws are actively being exploited by threat actors worldwide. At least 10 APT groups were detected by ESET and more criminals, state-sponsored actors and ransomware groups are expected to join the party.

However, note that patching is not enough. You need to also check if your systems were compromised as recommended by CISA which points to Microsoft’s IOC Detection Tool for Exchange Server Vulnerabilities.

Moreover, a researcher published a Proof of Concept for ProxyLogon on GitHub. It was removed for violating terms of service which stirred a debate amongst industry experts since Microsoft owns GitHub.

New critical vulnerabilities found in F5 devices

F5 announced 21 CVEs including four critical vulnerabilities that attackers can use to remotely take over BIG-IP and BIG-IQ systems. Considering the severity of these flaws, the vendor recommends patching as soon as possible. However, according to security researcher Maria Markstedter, they could’ve been prevented if basic exploit mitigations were used.

Hacktivists access security cameras inside Cloudflare, jails, and hospitals

A group of hacktivists breached the cloud-based camera service Verkada that counts amongst its clients Cloudflare, Tesla, Okta, hospitals, prisons, schools and police stations. The attackers found hardcoded Jenkins credentials that allowed them to access live feeds of more than 150,000 surveillance cameras, and to execute shell commands (as root) on some cameras.

From a defender’s perspective, Okta’s CSO offers an interesting perspective on the cyber attack, including measures Okta took that limited the attack’s impact on their systems.

Hackers Waging ‘Living Off the Land’ Attacks on Azure

Microsoft is warning about Azure “Living off the land Binaries” (LoLBins), a set of techniques attackers use to escalate privileges and evade detection on Azure using only built-in legitimate tools. Microsoft’s article provides guidance to Azure users to understand the threat and how to mitigate it.

Linux community project aims to thwart dependency confusion attacks with easy code signing and verification

It’s not all bad news! The Linux foundation launched “sigstore”, a new project that aims to prevent supply chain attacks involving open source code. It provides certificates and tooling for developers to sign code and users to verify it, just like Let’s Encrypt but for Code Signing.

Other Interesting News






You may also like