[HN Gopher] 30k U.S. organizations newly hacked via holes in Mic...
       ___________________________________________________________________
        
       30k U.S. organizations newly hacked via holes in Microsoft Exchange
       Server
        
       Author : parsecs
       Score  : 86 points
       Date   : 2021-03-05 21:11 UTC (1 hour ago)
        
 (HTM) web link (krebsonsecurity.com)
        
       | social_quotient wrote:
       | I wish the title was a bit more clear from the original post.
       | This feels a little bit vague on purpose.
       | 
       | Microsoft Exchange server software, not to be confused with MS
       | Outlook email software or the lesser Windows Mail software.
        
         | klingon79 wrote:
         | Exchange is often externally open in some way for OWA.
         | 
         | Once that server is hacked, you may be wide-open internally.
         | 
         | I'd be at least as concerned about an Exchange vulnerability as
         | I would be about Outlook, but probably more.
        
       | exporectomy wrote:
       | I can't tell from the article, but was this vulnerability already
       | being exploited but to a lesser extent or did the hackers
       | apparently discover it as a result of the patch being released?
       | If the latter, then maybe we need processes for patching faster
       | than people can reverse engineer the patches.
        
         | krebsonsecurity wrote:
         | Yes, it was being used to target specific organizations prior
         | to Microsoft's patches this week. Since then, attackers have
         | basically used tools like Shodan to find unpatched servers, and
         | mass-backdoored them -- regardless of who the victim
         | organization is.
        
           | nosmokewhereiam wrote:
           | Are there any statistics or even anecdotes that say just how
           | rampant large-scale hacks such as this have been in the
           | last year compared to any previous years? Twofold increase?
           | More?
        
         | colechristensen wrote:
         | Bigger companies or at least ones with significant
         | relationships with Microsoft often get NDA-covered security
         | bulletins before they are publicly released to help mitigate
         | this.
        
           | gzer0 wrote:
           | Interesting! This seems futile at times, especially with the
           | SolarWinds espionage that went undetected for so long.
           | 
           | The question that comes to mind is: to what extent did Threat
           | Actors have unfettered access to security bulletins?
           | 
           | There is no easy solution to the issue. Thank you for
           | bringing this up.
        
       | diskmuncher wrote:
       | MSFT still outperformed SP500 index this week.
        
         | panarky wrote:
         | Security vulns are a profit center for Microsoft.
         | 
         | I have a client who was hit with ransomware that exploited
         | holes in RDP. They paid Microsoft about 5% of their annual IT
         | budget to upgrade.
         | 
         | How much more license revenue and 365 subscriptions will this
         | latest fuckup generate?
         | 
         | And if vulns are this profitable, where's the incentive to
         | prevent them in the first place?
        
           | johncessna wrote:
           | > And if vulns are this profitable, where's the incentive to
           | prevent them in the first place?
           | 
           | Prior to upgrading their software, where was the incentive
           | for your client to keep everything up to date and put in the
           | infrastructure needed to patch _all_ of their systems within
           | minutes/hours/days of a new zero-day?
           | 
           | I can't speak for your customer (obviously), but do you think
           | they would have invested 5% of their budget in upgrades for
           | this particular hack? A ransomware attack shuts you down.
           | This is blackmail/corporate espionage stuff. Very easy to
           | ignore depending on what your company is saying in their
           | email.
        
       | waynesoftware wrote:
       | Wow. Patching (or using cloud mail providers) would have
       | mitigated the risk for this one...and many others in the past
       | (and the future). The cleanup from this is big for those who were
       | hit.
       | 
       | Launching attacks during major news events surely also helped the
       | attackers stay under the radar for longer.
        
         | walrus01 wrote:
         | If I had to guess it's a huge laundry-list of organizations
         | that for some legacy reason (Going back 10, 15, 20 years) are
         | running on-premises Exchange, and don't have a full time person
         | one of whose roles is to keep up on patches, security
         | advisories and such.
        
           | logifail wrote:
           | > to keep up on patches, security advisories and such
           | 
           | Until you've personally experienced the full horror of
           | attempting to keep on-premises Exchange patched, especially
           | in the SME space where you may have few servers, it's hard to
           | imagine how awful this is.
           | 
           | Cumulative Updates are essentially "completely uninstall
           | Exchange" and then "reinstall Exchange again". This is not
           | what one might call a "patch". Then you get into dependencies
           | on .Net and suddenly you need to upgrade the OS as well while
           | you're in the middle of completely-uninstalling-and-
           | reinstalling-Exchange.
           | 
           | Last time I got sucked into this, I told my client it was
           | nuts to run on-premises Exchange, to bin it completely and
           | move to a cloud-hosted [Linux] IMAP mailbox system.
        
             | walrus01 wrote:
             | Thankfully for my mental well-being, it has been 15+ years
             | since I touched Exchange.
        
             | EvanAnderson wrote:
             | It's hardly a "full horror". I manage on-prem Exchange in
             | the SME space, with single-server installations and multi-
             | server installations (with and without high availability).
             | The patching process is, arguably, inefficient (doing full
             | installs over top of the existing installation) but, in
             | terms of success rate, I've had good luck.
             | 
             | I wouldn't put out any new on-prem Exchange today, but the
             | ones I support have reasons to be on-prem or planned
             | migration off-prem.
             | 
             | Aside: I've been administering Exchange since version 4.0.
             | I've never experienced "horrors" like so many people talk
             | about. Failing to follow best practices, using dodgy
             | hardware, and cutting corners are the reasons for problems
             | that I've been privy to by way of friends, emergency
             | engagements with non-Customers, etc.
        
         | brundolf wrote:
         | The cloud angle is interesting; on one hand, it creates an
         | even-more-centralized single point of failure. On the other
         | hand, given that virtually every computing system out there is
         | a house of cards, letting the experts focus on securing (and
         | updating!) just a single one might be the best defense.
        
           | mywittyname wrote:
           | The cloud providers can afford to hire and train elite teams
           | to handle security. I remember seeing a post about a guy
           | trying to break out of the docker container used by Cloud SQL
           | on GCP, and apparently the GCP admins made it known that he
           | was being watched pretty early on. I believe the issue was
           | patched fairly quickly too.
           | 
           | It's possible that <Random F500 Co> has a great security
           | team. But it's also possible that <Other F500 Co> doesn't.
        
             | brundolf wrote:
             | Really what we need is the ability to self-host reasonably
             | secure systems _without_ a team of experts working round
             | the clock... but that doesn't appear to be the hand we've
             | been dealt.
        
         | EvanAnderson wrote:
         | The vulnerabilities being exploited were all zero-day. Up-to-
         | date installations were still vulnerable.
        
       | tehjoker wrote:
       | They attribute the attack to a particular actor without providing
       | any evidence to the public. A bug could exist that enables such
       | an attack, but it's not proven any emails were ever even taken.
       | 
       | They did find a tool left behind it seems.
       | 
       | I am just increasingly skeptical of these hacking stories that
       | have a nat sec angle on them after the previous ones have been
       | shown to be mostly or entirely fraudulent years later.
        
         | fouric wrote:
         | > the previous ones have been shown to be mostly or entirely
         | fraudulent years later
         | 
         | ...they said, while providing no evidence to the public.
        
       | rhacker wrote:
       | I remember this kind of thing happening all the time in the 90s
       | and part of the 00s... It's just 10 to 1000 times worse nowadays
       | since EVERYTHING is online now.
        
       | brundolf wrote:
       | It's almost like all of our institutions shouldn't use the exact
       | same software vendors
        
         | throwawayboise wrote:
         | It's almost like we shouldn't indiscriminately connect
         | everything to the internet.
        
           | brundolf wrote:
           | I mean in this case it was email, so I don't know how you
           | usefully disconnect that from the internet
        
             | throwawayboise wrote:
             | The attacks were on port 443, i.e. the webmail interface.
             | That could be behind a VPN.
        
             | mywittyname wrote:
             | Just drop the 'e' from email.
             | 
             | /s
        
         | [deleted]
        
         | px43 wrote:
         | I'd rather just hate on Microsoft specifically :-p
        
         | exporectomy wrote:
         | Really? Wouldn't multiple softwares be equally vulnerable
         | overall but the hacks would be more distributed in time as
         | they're discovered at different times? Is that the problem
         | you'd hope to solve? That it all happened within a few days
         | instead of at different institutions at different times?
        
           | brundolf wrote:
           | Yes, distributing the same number of hacks over a period of
           | time would on its own make things a little bit less fragile.
           | In general, having a single point of failure is bad for the
           | stability of any large system. But more likely: imagine all
           | these orgs were distributed across three or four providers. A
           | bad actor comes up with a zero-day for one of them. They can
           | now a) go ahead and use that, far fewer systems are
           | compromised and awareness of the threat is raised, or b) wait
           | a much longer time until they come up with vulns for all the
           | other systems. Either of those is less bad than the current
           | situation.
           | 
           | These days it's starting to feel like China might get to a
           | point where they could shut down an entire country, all at
           | once, with the flip of a switch.
        
             | exporectomy wrote:
             | One hack happening doesn't raise awareness for the risk of
             | different unknown vulnerabilities in different software. So
             | the total number of institutions getting hacked would be
             | the same.
             | 
             | It's not really one system. It just looks like that because
             | it's one news story. If instead, all school districts were
             | hacked this year and all police departments next year, how
             | is that any better than both together?
             | 
             | Would you personally use uncommon software to avoid being
             | part of a big hack like this? I don't think that's a valid
             | way of protecting yourself.
        
         | jgalt212 wrote:
         | or Identity Providers.
        
       | annoyingnoob wrote:
       | This is the kind of thing that keeps me up at night.
        
       | bezelbuttons wrote:
       | > Adair said he's fielded dozens of calls today from state and
       | local government agencies that have identified the backdoors in
       | their Exchange servers and are pleading for help.
       | 
       | I can imagine they are sending an email to support@microsoft.com
       | pleading for help. A future attacker would be well served to deny
       | email to be sent to any mailbox @microsoft.com
       | 
       | EDIT: I'm now realizing that this follows the Microsoft-angle of
       | the Solarwinds' attack. These customers are not going to be happy
       | with $MS
        
         | mschuster91 wrote:
         | > EDIT: I'm now realizing that this follows the Microsoft-angle
         | of the Solarwinds' attack. These customers are not going to be
         | happy with $MS
         | 
         | Won't hurt MS in the long run. There is no viable alternative
         | to switch to, for _any_ of their products:
         | 
         | * OS: macOS runs only on expensive Apple hardware, Linux can't
         | run business software, plus both have retraining costs for
         | employees
         | 
         | * Office software: Libreoffice just... doesn't cut it, let's be
         | honest. Apple's stuff only runs on Macs.
         | 
         | * Exchange: Lotus Notes is dead, and while there _are_ open
         | source solutions, there is no _comprehensive_ single solution.
        
       ___________________________________________________________________
       (page generated 2021-03-05 23:00 UTC)