Risky Business #616 -- Exchange 0day party time for Chinese APT crew

But it's not supply chain-related, so it's no big deal, right?
03 Mar 2021 » Risky Business

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

  • Chinese APT crew goes berserk with Exchange 0day
  • Russia hacks Ukraine and USA, India hacks China, China hacks India
  • The NYTimes got something big wrong again (shock horror)
  • CANVAS exploit pack leaks, including their sweet, sweet Spectre exploit
  • Atlantic Council report into offensive capability vendors/contractors
  • Your vCenter gear is probably already on fire: find out why!
  • Much, much more

This week’s show is brought to you by Yubico, the makers of the Yubikey.

Yubico Chief Solutions Officer Jerrod Chong will be along in this week’s sponsor interview to talk about “passwordless authentication”. Some organisations have a pretty bad understanding of what passwordless is, while other organisations are running into the mountains to avoid even thinking about it. But with hardware-supported WebAuthn becoming pretty much ubiquitous, Jerrod thinks a tipping point is coming. Also, they’ve launched passwordless auth for AzureAD.

NOTE: This podcast introduces Jerrod Chong as the CTO of Yubico. He’s actually the Chief Solutions Officer. It was our mistake, apologies!

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Microsoft says China-backed hackers are exploiting Exchange zero-days | TechCrunch
Orange Tsai 🍊 on Twitter: "The patch release of this BIG ONE is coming soon, and a short advisory is also standing by! (BTW, no one guess the right target in comments😛)" / Twitter
HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security
Hackers Tied to Russia's GRU Targeted the US Grid for Years, Researchers Warn | WIRED
Suspected China-linked hackers targeted India's energy sector, research suggests
China Appears to Warn India: Push Too Hard and the Lights Could Go Out - The New York Times
No 'Sabotage' Behind Mumbai Power Outage, Chinese Hacking Attempt a Month Later: Power Minister
Indian cyber-espionage activity rising amid growing rivalry with China, Pakistan | The Daily Swig
Chinese cyberspies targeted Tibetans with a malicious Firefox add-on | ZDNet
Ukraine says Russia hacked its document portal and planted malicious files | Ars Technica
Ege Balcı on Twitter: "OMG !! Rumors are real😱😱 Immunity CANVAS 7.26 exploit pack is leaked. More than 800 1days and weaponized spectre exploit. https://t.co/N14QjMlKtD" / Twitter
First Fully Weaponized Spectre Exploit Discovered Online | The Record by Recorded Future
daveaitel on Twitter: "Just some random video that MAY or MAY NOT be interesting to you! :)" / Twitter
More Zero-Days Have Been Linked to Private Companies Than Any Nation State | The Record by Recorded Future
Countering cyber proliferation: Zeroing in on Access-as-a-Service - Atlantic Council
More than 6,700 VMware servers exposed online and vulnerable to major new bug | ZDNet
Far-Right Platform Gab Has Been Hacked—Including Private Data | WIRED
Rookie coding mistake prior to Gab hack came from site’s CTO | Ars Technica
Universal Health Services reports $67 million in losses after apparent ransomware attack
Payroll/HR Giant PrismHR Hit by Ransomware? — Krebs on Security
Is Your Browser Extension a Botnet Backdoor? — Krebs on Security
Suspicious finds: Researcher discovers Go typosquatting package that relays system information to Chinese tech firm | The Daily Swig
Microsoft shares tool to hunt for compromise in SolarWinds breach
Biden signs executive order demanding supply chain security review
H2C smuggling named top web hacking technique of 2020 | The Daily Swig
Hackers release a new jailbreak tool for almost every iPhone | TechCrunch
Yubico | #YubiKey on Twitter: "📍We've reached a new milestone in our #passwordless journey! Today, #YubiKey passwordless authentication is now generally available to @Microsoft’s #AzureAD users, a critical step toward achieving better security without compromising usability. https://t.co/u892JFipR9" / Twitter