Newsletters

CISA has released a rare emergency directive ordering federal agencies to patch a new attack vector in Microsoft Exchange email servers.

Federal agencies have four days, until August 11, to address the issue and apply mitigations shared by Microsoft on Wednesday.

The guidance addresses a vulnerability (actually more of a design flaw) in hybrid environments, where Exchange on-premise servers sync data to an Exchange Online instance.

The Russian government is planning to designate enterprise resource planning (ERP) software as "critical information infrastructure" and require all Russian businesses to migrate to a domestic solution.

The move comes after Russia updated its critical infrastructure law in April this year. The government ordered the operators of all critical infrastructure to migrate to Russian software by September this year.

The government also gave itself the power to designate new items as "critical information infrastructure." This is software large enough to cause nationwide disruptions in the case of a cyberattack, and ERP systems appear to be the first item classified in this new category.

The Chinese government accused the US last week of trying to sneak backdoors into NVIDIA chips and of using Microsoft zero-days to hack and steal its military secrets.

Both accusations came via the Cyberspace Administration of China (CAC), the country's cybersecurity agency and internet regulator.

On Thursday, the CAC summoned American chipmaker NVIDIA to provide details of an alleged backdoor mechanism that could be embedded on chips sold in China.

Russian intelligence services are hacking and spying on foreign embassies and their staff by tampering with their internet connections.

Russian espionage units are using the SORM traffic interception system installed at local ISPs to alter traffic and deliver malware payloads to embassy staff.

According to Microsoft, the campaign has been ongoing since at least last year. The company attributed the attacks to a group it tracks as Secret Blizzard, but more widely known as Turla.

The exploitation of Microsoft SharePoint vulnerabilities by Chinese hackers is a near-exact re-run of the 2021 Microsoft Exchange server mass compromise event. 

The 2021 incident elicited a strong international diplomatic response, but this SharePoint saga makes it clear these efforts failed to deter China from embarking on a similarly damaging campaign again, four years later. A different, bigger picture, approach is needed. 

In both cases:

The FBI has seized around $2.4 million worth of Bitcoin from the relatively new Chaos ransomware group.

According to the US Justice Department, the funds were seized back in April, but only now announced. The funds were taken from a crypto-wallet owned by a Chaos member going by the name of Hors.

This seizure is interesting for one very particular reason—namely, that the Chaos ransomware is a new group. We have rarely seen the FBI crack down and go after a group within months of its launch.

Security researchers have managed to recover and mirror the vast majority of exploits stored in 0day.today, a notorious old-school exploits database that went down earlier this year.

The site is not the go-to portal to get your exploits these days, but it has a historical and educational value to the infosec community, storing PoCs and exploits for some of the internet's oldest bugs.

At the time it went down, it was hosting more than 38,000 exploits dating back almost two decades before a mysterious incident took it out for months.

Microsoft has released this week a new Entra security feature designed to help incident responders track down compromised accounts and malicious activity across organizations.

The new feature is named Linkable Identifiers, sometimes also referred to as Linkable Token Identifiers in some of the Microsoft documentation pages—because, of course, anything Microsoft has to also be confusing.

It is a newly designed mechanism that generates multiple unique identifiers that are embedded inside user access tokens after users authenticate via Entra ID.

Over the past weekend, Microsoft disclosed a zero-day vulnerability that was being exploited in the wild against its SharePoint servers.

Since then, there have been dozens of reports published on the same attacks, and details have come at us from different sources, with varying degrees of information, depending on what was available at the time of each report.

Below, I've tried to gather and simplify all the major points about this attack, so we have a clear picture of what's what. Tbh, I'm doing this more for myself than my readers, since I've also kind of lost track of all the reporting surrounding this topic.

The number of public SMS blasting incidents has slowly increased over the past year, in a clear sign of a rising problem.

SMS blasters are devices that mimic a mobile base station to trick nearby phones into connecting to them. They are a variation of IMSI catchers (aka cell-site simulators, fake base stations, or stingrays), but instead of intercepting mobile traffic to snoop on a target and track their location, SMS blasters are designed to automatically send SMS messages to all users trapped in the fake base station's coverage.

The devices have been used to mass-spam mobile devices over the past decade, typically at organized events, such as concerts, political rallies, or other mass gatherings, and for silly marketing purposes.