Aids and techniques demonstrated at this year’s arsenal track

Aids and techniques demonstrated at this year’s arsenal track

  

Tools to enable the work of security researchers, pen testers, and bug bounty hunters were demonstrated at this year’s Black Hat Europe conference, held at London’s Excel Centre this week.

The annual security conference saw hackers from across the world gather to share research and other insights.

One of the conference’s regular features is the arsenal track, where attendees can witness live demos of various hacking tools.

**Node Security Shield**

One of the tools showcased this year, Node Security Shield, “provides zero-day protection for NodeJS applications”, Lavakumar Kuppan of Domsdog Security, which created the tool, told The Daily Swig.

“It is a defensive tool designed to be used by developers as well as security engineers,” they said.

“Existing defensive systems like WA \[web application firewall\], RASP or any of the supply chain attack protection systems all take a similar approach. They look for known bad patterns. This approach is fine for blocking well known attacks, but it is ineffective against zero-days.

“Node Security Shield takes the opposite approach. Application owners typically know and can define the expected behavior of their application. Node Security Shield ensures that only the defined good behavior is allowed, and any deviations are either blocked or trigger an alert.”

Node Security Shield supports a ‘Resource Access Policy’, inspired by Content Security Policy, a simple JavaScript object where the application owner defines the expected behavior of their app.

Read more of the latest news about hacking tools

“This enables us to block or provide exploitation mitigation against zero-day attacks. Also this approach is extremely fast compared to the other systems that have to compare every incoming request against an ever increasing list of attack patterns.

“With systems like WAF and RASP (runtime application self-protection) there is a risk of legitimate functionality being affected because it is unclear what those products will block and allow. That risk is significantly less with this approach since the application owners have a very clear understanding of what this tool will allow and what it will block.”

The tool was inspired by the Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework, which could lead to arbitrary code execution. Many application that relied on Log4j became vulnerable as a result of the problem.

“The fact that an application can just randomly make a network connection to a server that the developer’s never intended it to, bothered us a lot.

“So \[we\] set out to build a system where the application owners can define who their application can talk to and enforce it, thereby blocking the exploitation of zero-days like Log4Shell.”

The tool was developed as an internal project at Domdog Security to protect their own NodeJS applications, however the team said they are “aware of at least two other companies that are experimenting with it now”.

Kuppan added: “We are looking to add the ability to control file system access in the next release. Most user feedback has pointed towards wanting the ability to update the Resource Access Policy dynamically without requiring app restart. So that is also in the roadmap.”

**JavaScript obfuscation**

Also presenting at the show was Or Katz, who showed a tool designed to be able to detect JavaScript code as being obfuscated, detecting obfuscation by using structure-based signatures.

It detects JavaScript code before being rendered by the browser “which is more challenging as the obfuscation tool will create different variations of the same malicious JavaScript each time \[it is\] being obfuscated”, Katz told The Daily Swig ahead of his presentation JavaScript Obfuscation – It’s All About the P-a-c-k-e-r-s.

“Using this static code detection approach has \[meant it has\] better performance compared to techniques that require rendering of the page.

The tool also exposes a set of features collected from JavaScript code that enables more detection and classification capabilities.

Katz added: “We have future thoughts on adding more capabilities for more coverage on obfuscation tools, using collecting features for training of machine learning modules that will enable classification of malicious versus benign code.”

**Invoke-DNSteal**

A third tool, Invoke-DNSteal, allows users to perform file transfers using the DNS protocol as a covert communications channel, its creator Joel Gamez told The Daily Swig.

Although it has been designed primarily for pen testers, bug bounty hunters could also use it in “very restricted environments, in order to exfiltrate information from a compromised computer”, Gamez noted.

“Unlike other DNS data exfiltration tools, Invoke-DNSteal stands out for two main features:

The first, is that it does not use any type of library nor does it depend on third parties to work.

“For the server side, it only uses Python and sockets, so any device (however limited) that can run Python can run the server.

“For the victim (or client, if you prefer) side, native PowerShell queries will be used to send information via DNS, thus bypassing many anti-virus and EDR solutions.”

Also unlike other tools, says Gamez, Invoke-DNSteal focuses on the resolver and not the DNS domain.

“All DNS exfiltration tools need a domain to send information to. To do so, they will need to resolve that request using any DNS resolver.

“In the case of Invoke-DNSteal, we focus on using a resolver (or a list of them) controlled by the attacker, which will resolve any domain, even if it does not exist.

“In this way, it is possible to send information to random domains that do not exist, thus circumventing most DNS anti-spoofing solutions on the market.”

Users are also able to control the size and sending time of the payloads, which will also help them to evade protections.

“I decided to create this tool because I did not find any that solved this problem, or that used this technique of using random domains that do not exist to perform these bypasses,” Gamez said.

“In the next versions we will add a sequence control (remember that UDP \[User Datagram Protocol\] does not exist by default), payload encryption by default, a client for Linux and some improvements in payload compression, among many other things.”

YOU MAY ALSO LIKE Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Black Hat Europe 2022: Hacking tools showcased at annual security conference

By Deeba Ahmed
At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services.
This is a post from HackRead.com Read the original post: Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

ThreatFabric’s security researchers have reported a new **dark web** platform through which cybercriminals can easily add malware to legitimate Android applications.

Dubbed Zombinder, this platform was detected while investigating a campaign in which scammers were distributing multiple kinds of **Windows and Android malware**, including Android banking malware like Ermac, Laplas “clipper,” Erbium, and the Aurora stealer, etc.

This comes just days after a new dark web marketplace called **InTheBox** surfaced online, serving smartphone malware developers and operators.

Further probe helped researchers trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an app programming interface binding service launched in March 2022.

According to ThreatFabric’s **blog post**, numerous different threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app.

The campaign is designed to appear as it helps users access internet points by imitating the WiFi authorization portal. In reality, it pushes several different malware strains.

**What does Zombinder Do?**

In the campaign detected by ThreatFabric’s researchers, the service is distributing the **Xenomorph banking malware** disguised as the VidMate app. It is distributed via modified apps advertised/downloaded from a malicious website mimicking the application’s original website. The victim is lured to visit this site via malicious ads.

The Zombinder-infected app works just as it is marketed while the malicious activity carries on in the background and the victim stays unaware of the malware infection.

At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services. Those who downloaded **the infected Windows app** were delivered the Erbium stealer as well. It is an infamous Windows malware distributed to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data.

It is worth noting that two downloaded buttons on the malicious website’s landing page, one for Windows and the other for Android. when a user clicks on the Download for Windows button, they are delivered malware designed for Microsoft operating system, including Aurora, Erbium, and Laplas clipper. Conversely, the Download for Android button distributes the **Ermac malware**.

**How to Stay Protected?**

If you want to stay safe, do not sideload apps even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources onto your Android mobile phone and rely on legitimate sources such as Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app’s rating, and reviews, and check out the app developers’ website before installing a new app.

1.  **Psst! tool lets users share passwords using a link**
2.  **Chinese Hackers Hiding Malware in Windows Logo**
3.  **Trojan Source attack lets hackers exploit source code**
4.  **Android apps on Play Store infected with Windows malware**
5.  **Spyware Vendor Exploited Chrome, Firefox and Windows 0-days**

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

A new report helps companies understand an ever-changing threat landscape and how to strengthen their defenses against emerging cybersecurity trends.

The "Microsoft Digital Defense Report" is a compilation of insights from 43 trillion daily security signals that provides organizations with a high-level picture of the threat landscape and current state of cybersecurity. This annual report aggregates security data from organizations and consumers across the cloud, endpoints, and the intelligent edge to help better predict what attackers will do next.

Keep reading for a high-level overview of our findings, and click here to access the full report.

**The State of Cybercrime**

2022 saw a significant increase in indiscriminate phishing and credential theft to gain information for targeted ransomware, data exfiltration and extortion, and business email compromise attacks. Human-operated ransomware was the most prevalent type of ransomware attack observed, with one-third of targets successfully compromised and 5% ransomed. The evolving cybercrime-as-a-service (CaaS) economy is also a concern, as Microsoft blocked 2.75 million site registrations successfully to get ahead of criminal actors that planned to use them to engage in global cybercrime.

During ransomware recovery engagements, 93% of Microsoft investigations revealed insufficient privilege access and lateral movement controls. The most effective defense against ransomware includes multifactor authentication (MFA), frequent security patches, and zero-trust principles across network architecture.

**The Nature of Nation-State Threats**

Nation-state cyber threat groups have shifted from exploiting the software supply chain to exploiting the IT services supply chain. Oftentimes they target cloud solutions and managed services providers to reach downstream customers in government, policy, and critical infrastructure sectors.

Nation-state actors are also getting savvier, pursuing new and unique tactics to deliver attacks and evade detection in response to strengthened cybersecurity postures. Zero-day vulnerabilities are particularly key for initial exploitation. On average, it takes only 14 days for an exploit to become available in the wild after a vulnerability is publicly disclosed. These zero-day exploits are often discovered by other actors and reused broadly in a short period of time, leaving unpatched systems at risk.

**Attacks on Devices and Infrastructure**

Did you know that 68% of "Microsoft Digital Defense Report" respondents believe that adopting Internet of Things/operations technology (IoT/OT) is critical to their strategic digital transformation? Yet 60% of those same respondents recognize that IoT/OT security is one of the least secured aspects of their infrastructure. Attacks against remote management devices are on the rise, with more than 100 million attacks observed in May 2022 — a fivefold increase in the past year.

Accelerating digital transformation has increased the cybersecurity risk to critical infrastructure and cyber/physical systems. Likewise, growing IoT solutions have increased the number of attack vectors and the exposure risk of organizations. While policymakers are seeking to build trust in critical infrastructure cybersecurity through increased regulations, the public and private sector must collaborate to find a balance between compliance and truly effective cybersecurity practices.

**Tackling Cyber Influence Operations**

Democracy needs trustworthy information to flourish, yet we’ve observed a 900% year-over-year increase in the proliferation of deepfakes since 2019. AI-enabled media creation and manipulation make it easier than ever for cybercriminals to create highly realistic synthetic images, videos, audio, and text. This false content can then be optimized and disseminated to target audiences, challenging our collective understanding of the truth.

In response, governments, the private sector, and civil society must work together to increase transparency of these influence campaigns and to expose and disrupt their operations. We recommend implementing strong digital hygiene practices and considering ways to reduce any unintended enabling of cyber influence campaigns by your employees or your business practices. Business should support information literacy campaigns, civic engagement campaigns, and industry-specific counter-influence groups to help defend against propaganda and foreign influence.

**The Path to Cyber Resilience**

Nation-state actors have escalated their use of offensive cyber operations to destabilize governments and impact global trade operations. As these threats increase and evolve, it’s crucial to build cyber resilience into the fabric of the organization.

Basic security hygiene still protects against 98% of attacks, yet many threat actors succeed simply because these foundational security practices have not been followed. In fact, more than 90% of accounts that were compromised by password-based attacks did not have strong authentication practices in place. Organizations should enable MFA, apply zero-trust principles, implement modern anti-malware software, ensure all systems are kept up to date, and protect data by knowing where important information is located and whether the right systems are implemented.

Download the full "Microsoft Digital Defense Report" to better understand today’s cyber threat landscape. For even more details, check out our recent webinar, "Build Cyber Resilience by Leveraging Microsoft Experts' Digital Defense Learnings."

Explore more threat intelligence insights on Microsoft Security Insider.

43 Trillion Security Data Points Illuminate Our Most Pressing Threats

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.

CVE-2022-38765: Canon Medical Software Security Updates

By Habiba Rashid
Here is everything you need to know about the first two days at the Pwn2Own hacking contest.
This is a post from HackRead.com Read the original post: Pwn2Own Day 1 and 2: Samsung, HP, MikroTik & Netgear Pwned

Being held at Zero Day Initiative (ZDI)’s Toronto office, this year’s **Pwn2Own** kicked off smoothly on 6th December 2022 with contestants participating both in person and remotely. Before we dive into the proceedings on the event days, let’s talk about what Pwn2Own is and how it started. 

**What is Pwn2Own?**

Pwn2Own is a hacking contest where security researchers are invited to hack into devices that IT hardware and software manufacturers believe are secure.

At Pwn2Own Toronto 2022, contestants would have targets such as mobile phones, wireless routers, home automation hubs, printers, smart speakers, and NAS devices for hacking into.

For their efforts resulting in a successful hack, the participants are rewarded with prize money. 

Starting in April 2007 during the CanSecWest conference in Vancouver, Pwn2Own has come a long way to become the highly reputable competition that it is. It began when security researcher Dragos Ruiu wanted to put Apple’s impenetrable security system to the test and ever since, the competition has followed a similar mission statement.

Not only has it allowed organizations to normalize bug reporting but has also changed how the industry looks at security. 

This fall’s Pwn2Own event introduced a new category called “SOHO Smashup” (Small Office/Home Office) to incorporate a real-world setting where a threat actor would exploit a home office.

A contestant would be required to pick a router and begin exploiting the WAN interface and then they would pivot to the LAN, where a second device is hacked such as a NAS appliance, a smart speaker, or a printer. 

**DAY 1 PROCEEDINGS**

The **first day** of the competition welcomed participants who won a total of $400,000 for exploits targeting phones, printers, routers, and NAS devices. 

The Devcore team which is a recurring contestant in the competition won the highest single reward of $100,000 in the SOHO Smashup category for hacking a MikroTik router and a Canon printer connected to it. 

Coming in second with a reward of $50,000 was the team Neodyme which successfully hacked a Netgear router and an HP printer.

Meanwhile, the Star Labs team also earned $50,000 for hacking a Samsung Galaxy S22 smartphone. The same device was also hacked by a participant named Chim who earned $25,000. 

Researchers at industrial and IoT cybersecurity firm Claroty earned $40,000 for hacking a Synology DiskStation NAS device.

There were also multiple $20,000 rewards for hacking Canon, HP, Lexmark printers, TP-Link, and Synology routers. Two teams earned $10,000 each for Synology NAS and HP printer hacks.

Excluding the SOHO Smashup entry, Netgear router exploits earned smaller rewards. The Netgear exploits by some contestants including Tenable were neutralized just days before the competition due to a last-minute hotfix released by the vendor.

With 26 contestants signing up for 66 exploits, ZDI decided that the full cash prize would be awarded to the first winner of each target, with subsequent exploits getting 50% of the prize money. 

**DAY 2 PROCEEDINGS**

On the second day of the competition, participants earned a total of more than $280,000 for their exploits. A large sum of the total amount was earned by targeting the smart speaker, specific vulnerabilities in the Sonos One smart speakers. 

$60,000 went to a team from Qrious Secure for hacking a Sonos One speaker while $22,500 went to the Star Labs team for an exploit that involved targeting one new and one previously known flaw. 

The Bugscale team earned $37,500 for a SOHO Smashup exploit targeting a Synology router and an HP printer where again, new and previously known bugs were used. 

Another significant reward was earned by researcher Luca Moro, who was awarded $40,000 for a WD My Cloud Pro hack in the NAS category. Interrupt Labs earned $25,000 for hacking a Samsung Galaxy S22 phone.

The list of devices hacked on the **second day of Pwn2Own**, for which participants earned between $1,250 and $10,000, includes HP, Lexmark, Canon printers, Netgear, Synology, and TP-Link routers.

ZDI announced that a total of $681,000 was paid out in the first two days for 43 new and unique vulnerabilities. As the event progresses successfully, we look forward to it serving as a beacon to improve the relationship between vendors and independent researchers. 

1.  **Firefox, Edge, Safari, Tesla & VMware pwned at Pwn2Own**
2.  **Pwn2Own 2022 – Windows 11, MS Teams and Firefox Pwned**
3.  **Mobile Pwn2Own: Hackers pwn iPhone, Huawei, Galaxy & Pixel**
4.  **MS Exchange server, Teams, Zoom, Chrome pwned at Pwn2Own**
5.  **Pwn2Own: Xiaomi, Amazon Echo, Sony & Samsung** **Smart** **TVs pwned**

Pwn2Own Day 1 and 2: Samsung, HP, MikroTik & Netgear Pwned

IE is still a vector: South Koreans lured in with references to the deadly Halloween celebration crowd crush in Seoul last October.

North Korean threat group APT37 was able to exploit an Internet Explorer zero-day vulnerability to deploy documents loaded with malware as part of its ongoing campaign targeting users in South Korea, including defectors, journalists, and human rights groups.

Google's Threat Analysis Group (TAG) found the zero-day flaw in the Internet Explorer JScript engine in late October, tracked under CVE-2022-41128, and now reports that Microsoft was responsive and has issued applicable patches.

To lure in potential victims, the malicious documents referenced the deadly crowd crushing incident in Seoul that happened during Halloween celebrations on Oct. 29.

"This incident was widely reported on, and the lure takes advantage of widespread public interest in the accident," the TAG team reported. "This is not not the first time APT37 has used Internet Explorer 0-day exploits to target users."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

APT37 Uses Internet Explorer Zero-Day to Spread Malware

An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware.
The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by ScarCruft, which is

Patch Management / Zero-Day

An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware.

The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by **ScarCruft**, which is also called APT37, InkySquid, Reaper, and Ricochet Chollima.

"The group has historically focused their targeting on South Korean users, North Korean defectors, policy makers, journalists, and human rights activists," TAG said in a Thursday analysis.

The new findings illustrate the threat actor's continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by Slovak cybersecurity firm ESET late last month.

Another key tool in its arsenal is RokRat, a Windows-based remote access trojan that comes with a wide range of functions that allow it to capture screenshots, log keystrokes, and even harvest Bluetooth device information.

The attack chain observed by Google TAG entails the use of a malicious Microsoft Word document that was uploaded to VirusTotal on October 31, 2022. It abuses yet another Internet Explorer zero-day flaw in the JScript9 JavaScript engine, CVE-2022-41128, that was patched by Microsoft last month.

The file references the October 29 incident that took place in the Itaewon neighborhood of Seoul and exploits public interest in the tragedy to retrieve an exploit for the vulnerability upon opening it. The attack is enabled by the fact that Office renders HTML content using Internet Explorer.

Successful exploitation is followed by the delivery of a shellcode that wipes all traces by clearing the Internet Explorer cache and history as well as downloading the next stage payload.

Google TAG said it could not recover the follow-on malware used in the campaign, although it's suspected to have involved the deployment of RokRat, BLUELIGHT, or Dolphin.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers

Security researchers share their biggest initial screwups in some of their key vulnerability discoveries.

BLACK HAT EUROPE 2022 – London – Researcher Douglas McKee was having no luck extracting the passwords in a medical patient-monitor device he was probing for vulnerabilities. The GPU password-cracking tool he had run to lift the layers of credentials needed to dissect the device came up empty. It wasn't until a few months later when he sat down to read the medical device's documentation that he discovered that the passwords had been right there in print the whole time.

"I finally got around reading the documentation, which clearly had all the passwords in plaintext right in the documents," McKee, director of vulnerability research at Trellix, recounted in a presentation here today. It turned out the passwords were hardcoded into the system as well, so his failed password-cracking process was massive overkill. He and his team later discovered bugs in the device that allowed them to falsify patient information on the monitor device.

Failing to pore over documentation is a common misstep by security researchers eager to dig into the hardware devices and software they are studying and reverse-engineering, according to McKee. He and his colleague Philippe Laulheret, senior security researcher at Trellix, in their "Fail Harder: Finding Critical 0-Days in Spite of Ourselves" presentation here, shared some of their war stories over mistakes or miscalculations they made in their hacking projects: mishaps that they say serve as useful lessons for researchers.

"At all conferences we go to \[they\] show the shiny results" and successes in security research like zero-days, Laulheret said. You don't always get to hear about the strings of failures and setbacks along the way when sniffing out vulns, the researchers said. In their case, that's been everything from hardware hacks that burned circuit boards to a crisp, to long-winded shellcode that failed to run.

In the latter case, McKee and his team had discovered a vulnerability in the Belkin Wemo Insight SmartPlug, a Wi-Fi-enabled consumer device for remotely powering on and off devices connected to it. "My shellcode was not getting through to the stack. If I had read the XML library, it was clear that XML filters out characters and there's a limited character set allowed through the XML filter. This was another example of lost time if I had read through the code I was actually working with," he says. "When we deconstructed it, we found a buffer overflow that allowed you to remotely control the device."

**Don't ASSume: Schooled by Distance-Learning App 'Security'**

In another project, the researchers studied a distance-learning software tool by Netop called Vision Pro that, among other things, includes the ability for teachers to remote into students' machines and exchange files with their students. The Remote Desktop Protocol-based feature seemed straightforward enough: "It allows teachers to log in using Microsoft credentials to get full access to a student's machine," McKee explained.

The researchers had assumed that the credentials were encrypted on the wire, which would have been the logical security best practice. But while monitoring their network captures from Wireshark, they were shocked to discover credentials traveling across the network unencrypted. "A lot of times assumptions can be the death of the way you do a research project," McKee said.

Meantime, they recommend having in hand multiple versions of a product you're researching in case one gets damaged. McKee admitted getting a bit overzealous in deconstructing the battery and internals of the B Bruan Infusomat infusion pump. He and his team took apart the battery after spotting a MAC address on a sticker affixed to it. They found a circuit board and flash chip inside, and they ended up physically damaging the chip while trying to get to the software on it.

"Try to do the least invasive process first," McKee said, and don't jump into breaking open the hardware from the start. "Breaking things is part of the hardware hacking process," he said.

Hacker Fails for the Win

A ransomware attack on the company's Hosted Exchange environment disrupted email for thousands of mostly small and midsize businesses.

A Dec. 2 ransomware attack at Rackspace Technology — which the managed cloud hosting company took several days to confirm — is quickly becoming a case study on the havoc that can result from a single well-placed attack on a cloud service provider.

The attack has disrupted email services for thousands of mostly small and midsize organizations. The forced migration to a competitor's platform left some Rackspace customers frustrated and desperate for support from the company. It has also already prompted at least one class-action lawsuit and pushed the publicly traded Rackspace's share price down nearly 21% over the past five days.

**Delayed Disclosure?**

"While it's possible the root cause was a missed patch or misconfiguration, there's not enough information publicly available to say what technique the attackers used to breach the Rackspace environment," says Mike Parkin, senior technical engineer at Vulcan Cyber. "The larger issue is that the breach affected multiple Rackspace customers here, which points out one of the potential challenges with relying on cloud infrastructure." The attack shows how if threat actors can compromise or cripple large service providers, they can affect multiple tenants at once.

Rackspace first disclosed something was amiss at 2:20 a.m. EST on Dec. 2 with an announcement it was looking into "an issue" affecting the company's Hosted Exchange environment. Over the next several hours, the company kept providing updates about customers reporting email connectivity and login issues, but it wasn't until nearly a full day later that Rackspace even identified the issue as a "security incident."

By that time, Rackspace had already shut down its Hosted Exchange environment citing "significant failure" and said it did not have an estimate for when the company would be able to restore the service. Rackspace warned customers that restoration efforts could take several days and advised those looking for immediate access to email services to use Microsoft 365 instead. "At no cost to you, we will be providing access to Microsoft Exchange Plan 1 licenses on Microsoft 365 until further notice," Rackspace said in a Dec. 3 update.

The company noted that Rackspace's support team would be available to assist administrators configure and set up accounts for their organizations in Microsoft 365. In subsequent updates, Rackspace said it had helped — and was helping — thousands of its customers move to Microsoft 365.

**A Big Challenge**

On Dec. 6, more than four days after its first alert, Rackspace identified the issue that had knocked its Hosted Exchange environment offline as a ransomware attack. The company described the incident as isolated to its Exchange service and said it was still trying to determine what data the attack might have affected. "At this time, we are unable to provide a timeline for restoration of the Hosted Exchange environment," Rackspace said. "We are working to provide customers with archives of inboxes where available, to eventually import over to Microsoft 365."

The company acknowledged that moving to Microsoft 365 is not going to be particularly easy for some of its customers and said it has mustered all the support it can get to help organizations. "We recognize that setting up and configuring Microsoft 365 can be challenging and we have added all available resources to help support customers," it said. Rackspace suggested that as a temporary solution, customers could enable a forwarding option, so mail destined to their Hosted Exchange account goes to an external email address instead.

Rackspace has not disclosed how many organizations the attack has affected, whether it received any ransom demand or paid a ransom, or whether it has been able to identify the attacker. The company did not respond immediately to a Dark Reading request seeking information on these issues. In a Dec. 6. SEC filing, Rackspace warned the incident could cause a loss in revenue for the company's nearly $30 million Hosted Exchange business. "In addition, the Company may have incremental costs associated with its response to the incident."

**Customers Are Furious and Frustrated**

Messages on Twitter suggest that many customers are furious at Rackspace over the incident and the company's handling of it so far. Many appear frustrated at what they perceive as Rackspace's lack of transparency and the challenges they are encountering in trying to get their email back online.

One Twitter user and apparent Rackspace customer wanted to know about their organization's data. "Guys, when are you going to give us access to our data," the user posted. "Telling us to go to M365 with a new blank slate is not acceptable. Help your partners. Give us our data back."

Another Twitter user suggested that the Rackspace attackers had also compromised customer data in the incident based on the number of Rackspace-specific phishing emails they had been receiving the last few days. "I assume all of your customer data has also been breached and is now for sale on the dark web. Your customers aren't stupid," the user said.

Several others expressed frustration over their inability to get support from Rackspace, and others claimed to have terminated their relationship with the company. "You are holding us hostages. The lawsuit is going to take you to bankruptcy," another apparent Rackspace customer noted.

Davis McCarthy, principal security researcher at Valtix, says the breach is a reminder why organizations should pay attention to the fact that security in the cloud is a shared responsibility. "If a service provider fails to deliver that security, an organization is unknowingly exposed to threats they cannot mitigate themselves," he says. "Having a risk management plan that determines the impact of those known unknowns will help organizations recover during that worst case scenario."

Meanwhile, the lawsuit, filed by California law firm Cole & Van Note on behalf of Rackspace customers, accused the company of "negligence and related violations" around the breach. "That Rackspace offered opaque updates for days, then admitted to a ransomware event without further customer assistance is outrageous,” a statement announcing the lawsuit noted.

**Did the Attackers Exploit "ProxyNotShell" Exchange Server Flaws?**

No details are publicly available on how the attackers might have breached Rackspace's Hosted Exchange environment. But security researcher Kevin Beaumont has said his analysis showed that just prior to the intrusion, Rackspace's Exchange cluster had versions of the technology that appeared vulnerable to the "ProxyNotShell" zero-day flaws in Exchange Server earlier this year.

"It is possible the Rackspace breach happened due to other issues," Beaumont said. But the breach is a general reminder why Exchange Server administrators need to apply Microsoft's patches for the flaws, he added. "I expect continued attacks on organizations via Microsoft Exchange through 2023."

Rackspace Incident Highlights How Disruptive Attacks on Cloud Providers Can Be

Empower buyers and stop fixating about zero-days, conference attendees told

Empower buyers and stop fixating about zero-days, conference attendees told

  

Steps towards building a defendable internet are possible, but to get there the industry needs to accept baseline security regulations and move away from a fixation about zero-day vulnerabilities.

Opening the Black Hat Europe conference on Tuesday, security researcher Daniel Cuthbert praised security improvements gained with the wider adoption of cloud computing, improvements in iOS, and tighter web security controls in Google Chrome, among other developments.

One problem, however, is that these improvements are not feeding down to provide improvements in security practices more generally.

Read more of the latest news about Black Hat conference

Cuthbert posed the question: “Does good security mean a lock-in approach or are we actually capable of building an open, transparent, and yet secure internet for all to enjoy?”

According to Cuthbert, the industry is too fixated on zero-days, despite most cyber-attacks still proving successful using run-of-the-mill techniques such as phishing.

“During Covid we saw a lot of people tear apart products to look for bugs,” Cuthbert said. “A lot of criminals did too.”

There were 32 zero-days recorded in 2019, according to figures cited by Cuthbert. This figure dropped to 30 in 2021 before rising to 70 in 2021.

“Lots of zero-days arise because vendors failed to fix bugs,” according to Cuthbert.

Because zero-day exploits can be a weapon in the hands of cybercriminals or spies, researchers need to be more responsible and release detection methods alongside proof-of-concept exploits when they release research, according to Cuthbert.

**Knee jerk reactions need to stop**

Cuthbert criticized the industry for falling into a cycle of offering tools to overcome the shortcomings of earlier security products rather than attempting to identify and address the root cause of problems.

For example, the shortcomings of first-generation firewalls were addressed with the development of web application firewalls – a class of product that has itself been a source of security problems.

Cuthbert said: “Can we stop the cycle of building tools to fix the tools that aren’t secure enough?”

The researcher also criticized the industry from blaming end users – such as, as he put it, ‘Dave from accounts’ – for falling victim to phishing attacks.

Buyers currently have no meaningful influence on the security of products, a trend that needs to change.

Vendors should also be asked hard questions about threat modeling, supply chain security, and should be pushed to use memory safe languages during the procurement process.

YOU MAY ALSO LIKE Cybersecurity conferences 2022: A rundown of online, in person, and ‘hybrid’ events

Tag

#zero_day