[HN Gopher] A Basic Timeline of the Exchange Mass-Hack
       ___________________________________________________________________
        
       A Basic Timeline of the Exchange Mass-Hack
        
       Author : parsecs
       Score  : 61 points
       Date   : 2021-03-08 16:07 UTC (6 hours ago)
        
 (HTM) web link (krebsonsecurity.com)
 (TXT) w3m dump (krebsonsecurity.com)
        
       | naveen_jain07 wrote:
       | Krebsonsecurity.com needs to update its website to make it
       | mobile responsive.
        
       | afrcnc wrote:
       | this article is a tire fire and even links to the exploitation of
       | a different exchange bug
       | 
       | i don't see an issue here
       | 
       | microsoft patched a bug within a 90-day disclosure timeline and
       | even released patches before the agreed date when it learned they
       | were exploited
       | 
       | why is krebs making a big deal out of it
        
       | TameAntelope wrote:
       | So like, was the vuln more or less made widely known at some
       | point? This feels like the scope grew so large because many
       | groups obtained the 0day before Microsoft expected it to go wide,
       | which is not what folks seem to have expected.
       | 
       | It'd be interesting to see more info in the timeline about when
       | that might have happened. Just feels like this info is entirely
       | based on what the research community was seeing, not based on any
       | info from the adversary side of this event (not that collecting
       | that kind of data is easy, so fair enough).
        
         | codezero wrote:
         | Not my field but from observation: Other security researchers
         | watch when a CVE/vuln is announced and many have enough
         | experience/knowledge to then know how to reproduce that
         | vulnerability.
         | 
         | I suspect that the researchers involved all saw how bad it was
         | and didn't feel that it was safe to let Microsoft wait, as
         | (although I don't think it's particularly common) they may drag
         | their feet on a patch. Leaking this vulnerability forces MS's
         | hand sooner. So it's not really necessarily totally off from
         | what I've seen in the past. Just not very common.
         | 
         | This tends to happen when researchers discover the zero day is
         | ALREADY pervasive in the wild.
        
       | easton wrote:
       | Something interesting I learned when looking into all of this is
       | that if you have a large environment (2000+ mailboxes) and
       | transition to Exchange Online, Microsoft still (since 2010) has
       | no idea on how to fully decommission your Exchange Server
       | environment, since you need at least 1 to facilitate on-prem AD
       | connectivity (which isn't true if you didn't have a hybrid
       | environment). So even if you transitioned to the cloud, you may
       | not have been safe.
       | 
       | https://docs.microsoft.com/en-us/exchange/decommission-on-pr...
        
       | panarky wrote:
       | Microsoft was aware of the vulns for 2 months before issuing a
       | patch.
       | 
       | Some of the vulns existed in the Exchange codebase for 10 years.
       | 
       | Microsoft faces perverse incentives. When their customers get
       | compromised, Microsoft benefits from accelerated upgrades and
       | cloud subscriptions.
       | 
       | Yet their customers blame foreign threat actors and not
       | Microsoft, so Microsoft suffers no reputational damage.
       | 
       | With these incentives, why would any rational corporation spend
       | resources hardening their software or responding rapidly to new
       | disclosures?
        
         | derivagral wrote:
         | I guess I have 2 questions for you.
         | 
         | First: what if the fix really took 2 months?
         | 
         | Second: I'm not well versed in this kind of software; is this
         | on-prem stuff that clients have to manage (update) themselves,
         | or is this SaaS cloud stuff that MS can immediately update
         | without clients in the loop?
        
           | ianhawes wrote:
           | This is Exchange Server, entirely on-premise that must be
           | updated by clients.
        
         | klingon78 wrote:
         | In Microsoft's defense, most organizations have security
         | vulnerabilities in their code that all may or may not be aware
         | of.
         | 
         | Just because Microsoft has software powering very important
         | things globally doesn't exclude them.
        
         | 1vuio0pswjnm7 wrote:
         | If someone commented "Stop picking on Microsoft", how would you
         | respond, if you chose to respond?
         | 
         | With these incentives, why would any rational _government_
         | spend taxpayer money on this company's software?
        
           | jjk166 wrote:
           | Would you switch your vote to the opposite party because your
           | party used Microsoft software or because the other party
           | promised they wouldn't? If not, then what incentive does a
           | rational government have to avoid using this software?
        
         | Lammy wrote:
         | Some of the "foreign threat actors" are also major Microsoft
         | customers.
        
       ___________________________________________________________________
       (page generated 2021-03-08 23:01 UTC)