#AxisOfEasy 186: Boatload Of Organizations Hacked Via Microsoft Exchange 0-days

Weekly Axis Of Easy #186

Last Week’s Quote was   “The law of unintended consequences is the only real law of history” was Niall Ferguson, winner was Lonny Simmons, again.

This Week’s Quote:  “Thinking is difficult, that’s why most people judge”… by???

THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal is on us.


In this issue:

  • Boatload of organizations hacked via Microsoft Exchange 0-days
  • Big Tech break-up advocate appointed to National Economic Council
  • Analysis of Google’s announcement to end ad targeting based on browser history
  • Brave web browser acquires its own search engine
  • ACH payment system clearing house crashes for several hours
  • New Yorkers will require immunity passports for sports events, theatres (Israel freedom bracelet)
  • Chatbots digitally “resurrect” the dead
  • Threat actors start using “dependancy confusion” attacks
  • Browser extensions introduce various backdoors
  • Post-mortem of perl.com hijacking
  • Amazon Alexa’s “Skills” ecosystem is a privacy disaster
  • Eric Schmidt advises ignoring international call to ban autonomous weapons
  • This week on the AxisOfEasy

Boatload of organizations hacked via Microsoft Exchange 0-days

This sounds a lot like what we here at AxisOfEasy News Central called “The Solar Winds Shit Show,” but it’s a different shit show.

Last week Microshit Microsoft frantically scrambled to rush out a fix for four 0-day vulnerabilities that facilitated remote code execution from unauthenticated users on unpatched Microsoft Exchange servers. At least three nation state threat actors have been linked to the attacks, three of them Chinese: APT27, Bronze Butler and Calypso. Most of the targets have been in the US but also reported across Europe. By some accounts the number of targets range north of 30,000 organizations.

The vulnerabilities are CVE-2021-26855CVE-2021-26857CVE-2021-26858, and CVE-2021-27065.

Microsoft issued an urgent alert with instructions on mitigation here. If you, or somebody you trust is running a Microsoft Exchange Server, might want to give it a read.

Read: https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/

Big Tech break-up advocate appointed to National Economic Council

An advocate of breaking up Big Tech has been named to the US National Economic Council in a newly created post under the Biden Administration.

Tim Wu, author of such books as The Master Switch: The Rise and Fall of Information Empires and The Attention Merchants: The Scramble to get Inside our Heads (I have both and they’re pretty good. The former is a detailed history of the evolution of the broadcast, telecom, and broadband industries, while the latter is a look at surveillance capitalism before it was called that).

“Wu is a leader in the progressive movement to break up Big Tech. As special assistant to the president for technology and competition policy, a newly-created position under Biden, he will work across the federal government to identify policies that could loosen the grip the major tech companies hold on the economy and encourage competition in the tech industry, according to sources familiar with the position.”

File under the unfolding battle between the nation state and the network state.

Analysis of Google’s announcement to end ad targeting based on browser history

When I first saw the announcement via WSJ that next year Google was going to eliminate the ability to buy ads based on your browsing history,  I thought this was a big deal and a nail in the coffin of surveillance capitalism. I thought ad retargeting was going to be dead.

Then I wondered why Google would suddenly get religion around this and suspected maybe I was being a tad naive. Sure enough, as I found more material covering the announcement, it appeared as though this is part PR play and part reshuffling of the deck to further consolidate Google’s power.

The EFF also covered this and surmises the proposed Federated Learning of Cohorts (FLOC) “is a terrible idea.”

“FLoC is meant to be a new way to make your browser do the profiling that third-party trackers used to do themselves: in this case, boiling down your recent browsing activity into a behavioral label, and then sharing it with websites and advertisers. The technology will avoid the privacy risks of third-party cookies, but it will create new ones in the process. It may also exacerbate many of the worst non-privacy problems with behavioral ads, including discrimination and predatory targeting. ”

Internet Privacy advocate Johnny Ryan saw four big unknowns about it:

  1. It is not clear whether Google’s new approach protects privacy, because critically important aspects of the system have not been defined.
  2. Google may expose itself to competition complaints on two fronts.
  3. It is not clear how the creation of a new market for “interest groups” impact on legitimate publishers.
  4. Algorithmic discrimination.

And wrote them up here.

The big structural change is that Google is finally banishing the 3rd party cookies, which will be disruptive to the ad-tech, data tracking industry.

Instead of collating the data at various remote endpoints via cookies, Google’s “privacy sandbox“ will tabulate data on the browser side, and then group you into “cohorts” based on your interests (read: browser history).

Read: https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea

Brave web browser acquires its own search engine

The privacy-minded web browser Brave has made a strategic acquisition by picking up its own search engine.

Similar to how the Brave browser blocks web trackers and confers more privacy to the end user by default, they pledge not to track user searches or datamine their activity.

What will be interesting to see now is how successfully they piece together the parts of their platform: the Brave browser and now a search engine, powered by the Basic Attention Token, an Ethereum ERC-20 token designed to power the ecosystem.

Could be a winning combination to finally crack the Holy Grail of decentralized blockchain applications: a web browsing, user oriented (à la
Intention Economy style VRM) with (wait for it….) micropayments.

Read: https://www.theregister.com/2021/03/03/brave_buys_a_search_engine/

Basic Attention Token (BAT) price up nearly 40% the day this news broke, nearly at 0.80 now… I actually was investing in BAT when it was .11 *sniff*. Shoulda HODL-ed.

Browser extensions introduce various backdoors

There is an interesting article over on Krebs on Security which looks at the murky world of Chrome browser extensions. These are typically developed as a labour of love and if successful, put the coder in the unenviable position of expending cycles to support it, but unable to monetize in any viable way (Chrome announced it was shutting down paid browser extensions last year).

The result is that there are a lot of browser extensions which are abandoned. What is happening now, according to Krebs, is that companies are stepping into this vacuum and offering to buy up abandoned extensions, or pay their owners a monthly retainer.

The catch? They have to insert code into those extensions which enable various levels of access to the endpoint – such as proxying web traffic of other people through the browser in a VPN style service.

One such company is Infatica, based in Russia, which approaches extension authors with at least 50,000 installations who can then earn anywhere between $15 and $40 per 1,000 users per month.

New Yorkers will require immunity passports for sports events, theatres (Israel freedom bracelet)

A few days before his emergency powers were revoked in the face of an ongoing sexual harassment scandal, NY governor Andrew Cuomo announced a pilot program in which New Yorkers would require a COVID-19 immunity passport in order to enter sports venues and movie theatres. The program is called Excelsior Pass

“The plan is to test the “Excelsior Pass,” which will use secure technology to confirm if a person has gotten vaccinated or has had a recent negative COVID-19 exam result, during events at Madison Square Garden and Barclays Center,”

Excelsior Pass is a JV between New York State and IBM.

Read: https://nypost.com/2021/03/02/new-yorkers-must-flash-covid-19-passport-to-enter-venues-under-new-program/

On a similar note, Israel has rolled out “Freedom Bracelets” to enforce quarantine requirements on everybody entering the country. It’s “freedom” in the sense that it means you can go home instead of into a 14 day quarantine (or, as in Canada, a minimum 3-day stay at an internment hotel), but it’s a tracker device, like an ankle bracelet, that makes sure you don’t leave your home.

Read: https://reclaimthenet.org/israel-introduces-so-called-freedom-bracelet-to-enforce-lockdowns/

Threat actors start using “dependancy confusion” attacks

A few weeks back in AoE 183 we talked about “dependency confusion” attacks, how one researcher started testing whether collisions in commonly used private package names could be used to infect and exfiltrate data from private networks.

He was astounded by the results, and wrote them up.

Now it looks like the threat actors are getting onboard as we are now seeing actual attacks of this nature in the wild.

The first forays into the space were just people knocking off the original researcher’s methodology in order to collect bug bounties from various companies (Birsan took home bug bounties from over 35 companies in his original work).
But now at least one actual hacker has entered the fray as security firm Sonatype has found hostile packages aimed at Zillow, Amazon, Slack and Lyft that attempt to scoop passwords and install remote shells.

Post-mortem of perl.com hijacking

Here’s an in depth post-mortem of the perl.com  hijacking as experienced by Brian D Foy, one of the admins overseeing it.

The TL,DR is a weak registrar and lack of event notifications when things that weren’t supposed be happening were happening

We expanded on this a touch over on the Domainsure blog, which is our new high security registrar platform.

Amazon Alexa’s “Skills” ecosystem is a privacy disaster

Via Zdnet’s “Technically Incorrect” column is a look at the “Skills” ecosystem within Amazon’s Alexa system. Apparently (I had to get my cousins to explain it to me), Alexa “Skills” are like apps or plugins for other systems. You ask Alexa who won the hockey game last night, I guess it gets handled by a “Skill” some developer coded to plug into Alexa. That may be a bad example.

At any rate, according to this article, hardly any Skills have published privacy policies. It used to be the case that you had to explicitly activate a Skill, but apparently partially activated Skills are now easier or automatically activated.

Finally, there is no real vetting process behind the identity of Skills developers, making it possible for somebody to set themselves up in the Alexa ecosystem passing themselves off as some other, well known organization.

Read: https://www.zdnet.com/article/why-would-you-ever-trust-amazons-alexa-after-this/

More confirmation on why I would never turn any of these cloud connected agents on in my home.

Eric Schmidt advises ignoring international call to ban autonomous weapons

Former Google CEO Eric Schmidt now heads a US National Security Panel for AI that was tasked with preparing a briefing to the Biden administration about the role of AI in military weaponry.

While the UN and NGOs throughout the world are calling for a global ban on the use of AI in weapons and against autonomous weapons, the panel recommends that the US ignore such calls and proceed with development, full steam ahead.

The rationale is that because China and Russia likely won’t comply with a global ban on autonomous weaponry, the US would be at a disadvantage if it did.  He’s not necessarily wrong. (Next up, carbon emissions).

This week on the AxisOfEasy (salon 39 and SFB)

Last week we held another salon, #39, and we did a deep dive into the nature of money, currency, wealth and crypto currencies.

Watch: https://axisofeasy.com/podcast/salon-39-capital-vs-currency-vs-cash-vs-crypto/

I also appeared on Aussie entrepreneur’s James Shramcko’s SuperFastBusiness podcast to talk about defending your business from cancel culture.

Listen: https://www.superfastbusiness.com/business/807-control-versus-cancelled/?fbclid=IwAR1N9arrh5nSuu_gcTk1lT_ixNabF18AGFn_FyfKoycUp5-cfUAMBZduIfE



4 thoughts on “#AxisOfEasy 186: Boatload Of Organizations Hacked Via Microsoft Exchange 0-days

  1. “Thinking is difficult, that’s why most people judge” must have been by Piglet in Winnie the Pooh. Or it’s in an instruction manual for Civil Servants and Police Officers.

Leave a Reply

Your email address will not be published. Required fields are marked *