#AxisOfEasy 189: MS Exchange Servers Are Being Hacked Faster Than Can Be Counted

Weekly Axis Of Easy #189

Last Week’s Quote was   “The way to crush the bourgeoisie is to grind them between the millstones of taxation and inflation” was Vladimir Ilyich Lenin, the father of Communism and the man voted “Most Admired Historical Figure” by university professors and media pundits every year since 2009. Winner was Nick.

This Week’s Quote:
“Historically, the claim of consensus has been the first refuge of           scoundrels; it is a way to avoid debate by claiming the matter is already settled… There is no such thing as consensus science. If it’s consensus, it isn’t science. If it’s science, it isn’t consensus. Period.”… by???

THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal is on us.


In this issue:

  • Microsoft wants to buy Discord for 10B
  • MS Exchange servers being hacked faster than can be counted
  • Newest DDOS vector is using DTLS servers
  • Coinsquare ordered to hand over client data to CRA
  • UK engineer visited by police for reporting data leak
  • Facebook Messenger’s role in organizing the Capital Hill riots
  • Singaporean blogger shares Facebook post, fined $100,000 USD for defaming PM
  • Google to monitor your sleep and health via Nest
  • Someday autonomous vehicles will stop for police, roll down windows and unlock doors
  • Reports resurface that Amazon drivers pee in bottles, defecate in bags ahead of union vote
  • PHP Git repo hacked, will move to GitHub
  • Immunity Passports are officially here
  • Update on the easyDNS Fold@Home team
Discord is considered largely to be a platform for gamers and my exposure to it is minimal. What involvement I do have in it is unrelated to gaming, like the Mastodon sponsors (easyDNS is a gold sponsor) and when I realized that the Ethereum Name Service (ENS) Gitter channel had turned into Zombieland I was duly informed that everything had moved to Discord.
Now Microsoft has their eyes on them with a rumoured acquisition bid in the area of $10 Billion USD to be in the offing. Discord reportedly has multiple options, including going public. Their business model is freemium – free access with premium add-ons for business users.  They reportedly generated $45M USD in revenues in 2019 and $130M USD in 2020. A 10B acquisition would be about a 76X earnings revenues transaction.
Recall, Microsoft acquired GitHub in 2018 for a reported $7.5B USD.
Read: https://thenextweb.com/hardfork/2021/03/23/microsoft-discord-purchase-10-billion-analysis/ 
(If anybody wants to buy easyDNS for 76X revenues, just tell me where to sign).
MS Exchange servers being hacked faster than can be counted 
Also Microsoft: The worst hack since the SolarWinds Sunburst looks to be the recent MS Exchange ProxyLogon vulnerability. That was a series of 0-day exploits against MS Exchange servers that enabled Remote Code Execution (RCE) and complete server takeover which attackers could use as jumping-off points to compromise entire networks.
The wider security community is now in a state of near overwhelm. Despite Microsoft rushing out patches to fix the flaws several weeks ago, so many unpatched servers remain that they are being compromised literally faster than can be enumerated.
Read: https://www.zdnet.com/article/microsoft-exchange-server-attacks-theyre-being-hacked-faster-than-we-can-count-says-security-company/
And: https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
If you still have unpatched MS Exchange servers lying around, I urge you to stop reading this newsletter (as compelling as it is) and go do that right now. 

Newest DDOS vector is using DTLS servers 
In the never-ending arms race against DDoS perpetrators, the latest amplification vector for carrying out attacks are DTLS servers. D/TLS provides a UDP version of Transport Security Layer. In December a flaw was found in Citrix ADC devices which enabled attackers to amplify traffic at a ratio around 34:1.
(In amplification attacks, attackers send a low amount of specially crafted traffic at a vulnerable service on remote servers that cause them to reply with a much greater amount of traffic directed at the DDoS target. That used to happen a lot in our sphere with DNS reflection attacks (we’ve been on the wrong side of our share of those), and a few years back it was NTP reflection).
With D/TLS reflection attacks, DDOS-es have been seen in the wild in excess of 44 GB/s and even over 200 GB/s in the case of one multi-variant attack (which means it used multiple reflection techniques).
Citrix has since issued a patch for the flaw to the “HelloVerifyRequest” bug that enables the attack, but there are still an estimated 4,200 DTLS servers that are unpatched and usable in these types of attacks.
Read: https://www.bleepingcomputer.com/news/security/ddos-booters-now-abuse-dtls-servers-to-amplify-attacks/
Coinsquare ordered to hand over client data to CRA 
One of the larger Canadian Bitcoin exchanges, Coinsquare, has been ordered to hand over user data to the Canada Revenue Service (CRA). While the CRA wants pretty well all of the data, Coinsquare went to court and ended up being ordered to surrender data on a smaller percentage of customers (estimated to be 5% to 10% of their 400K accounts).
Apparently there is a follow up legal case in the works with CRA serving Coinsquare asking for more data under something called the “Unnamed Persons Requirement” under Canada’s Income Tax Act.
Coinsquare faced a similar legal case from the US IRS a few years ago and managed to also reduce the number of accounts surrendered there as well.
In any case, the largest accounts by trading volume: Accounts that held $20,000 in crypto, cumulatively from 2014 thru 2020 as well as the top 16,500 accounts from each year.
Read: https://www.coindesk.com/coinsquare-canada-tax-customer-records
UK engineer visited by police for reporting data leak 
File under “No good deed goes unpunished,” a cloud security engineer in the UK found himself under the gaze of the police there after he stumbled across a data leak belonging to an open systems  non-profit he used to work for.
Rob Dyke found data belonging to the Apperta Foundation, which is supported by the NHS, on GitHub. The data included passwords, API keys and sensitive financial data. He duly reported it privately to Appertains, who initially thanked him.
Then, things got weird. He next heard from Apperta’s lawyers, advising him to hire lawyers of his own to represent himself. Then he received an email from a cyber-crime investigator working out of the Northumbria Police department (where Apperta is based) seeking to speak with him about “computer misuse.”
The incident reinforces trepidations many IT professionals have around legitimate reporting of security issues as it is viewed through the UK Computer Misuse Act.
“The provisions of the UK Computer Misuse Act of 1990 are vast and extensive and may even consider simply coming across a data leak as an “offence.” Even work activities of UK-based threat intelligence providers probing foreign systems may be considered illegal under the Act.” 
Neither the Northumbria Police nor Apperta responded to Bleeping Computer’s requests for comment.
Read: https://www.bleepingcomputer.com/news/security/engineer-reports-data-leak-to-nonprofit-hears-from-the-police/
Facebook Messenger’s role in organizing the Capital Hill riots 
The US Department of Justice presented evidence against one of the Capitol Hill rioters showing that Facebook Messenger played a central role in organizing the movements and communications of the activists seeking to prevent the certification of the US election results.
On Wednesday, the DOJ released a slew of private Facebook messages sent and received by Kelly Meggs, the Florida leader of the militia group Oath Keepers, as part of a case in which Meggs is accused of conspiring to stop Congress from certifying the election.
In the messages, which begin on Nov. 9, shortly following the election, and grow increasingly detailed in the days leading up to the riot, Meggs describes having formed an “alliance” with the Proud Boys and the Three Percenters and responds to one of former President Trump’s tweets, in which Trump suggested that Jan. 6 “will be wild.”‘ 

The article outlines the measures Facebook had been undertaking in order to combat both domestic and foreign groups with terrorist designations. In a 2018 interview with CEO Mark Zuckerberg, he revered that Facebook used automated algorithms to monitor private messages. A year later Facebook announced it was implementing end-to-end encryption.
Here’s an interesting data point from the “Rise of the Network State” file: Facebook has a head of “counter terrorism and dangerous organizations policy .“ His name is Brian Fishman, and he did 
an earlier interview with Protocol about the challenges and nuances between combating domestic and foreign terrorist groups online (although any mention of far-left groups in the discussions around domestic terrorism are conspicuously absent).
Read: https://www.protocol.com/policy/capitol-riot-facebook-messenger
What else is missing is the part where Big Tech moved in concert against Facebook to deplatform their app. That’s what happens when your messaging platform gets used to organize riots, isn’t it?
A blogger in Singapore has been successfully sued for defamation by that country’s Prime Minister, who has been awarded $133,000 USD in damages. Leong Sze Hian was accused by PM Lee Hsien Loong  of making false claims about his involvement with the 1MDC scandal (that was a Malaysian sovereign wealth fund that was allegedly plundered by its managers – some of the ill gotten gains having purportedly gone to finance the Hollywood film “Wolf of Wall Street”).
The actual defamation suit was based on Hian’s sharing a link on Facebook.
Read: https://hongkongfp.com/2021/03/25/singapore-blogger-ordered-to-pay-us100000-for-defaming-prime-minister-lee-hsien-loong-with-facebook-link/
Google to monitor your sleep and health via Nest 
As part of Google’s expansion into health tech, the next generation of the Nest Smart Hub will be able to detect and analyze your sleep patterns. Nextgen Nests will ship with
“A function called Sleep Sensing that monitors the breathing and movement of a person sleeping next to the screen — without a camera or needing to wear a device in bed.
The system also detects disturbances such as coughing and snoring, along with light and temperature changes using the Nest Hub’s built-in microphones and ambient light and temperature sensors. Over time, it learns the user’s sleep patterns and gives personalized recommendations.”
Google addressed privacy concerns around the issue by saying “Soli” the low energy radar the system uses, can be disabled by users, and that analysis of the user snores and sleep sounds is done on the device itself, rather than sent back to Google data centres. “There is even a hardware switch the physically disables the microphone.” 
Read: https://finance.yahoo.com/news/google-nest-adds-sleep-tracking-130000660.html 
Someday autonomous vehicles will stop for police, roll down windows and unlock doors 
There’s a fascinating policy development track going on in the world of autonomous vehicles. Law enforcement agencies and AV manufacturers are working on figuring out the safest ways to handle traffic events when vehicles are running under their own steam. This includes things like automated ticketing, automated pulling over for emergency vehicles and even co-operative police stops, where the vehicle would pull over for police, roll down the windows and unlock the doors.
The article references an incident from an earlier Medium post in which police found themselves on the highway trying to stop a Tesla on auto-pilot whose driver had gone to sleep behind the wheel (note: Tesla’s are not Full Self-Driving, they’re Level 2 autonomy, they don’t even have Lidar systems). The police had to pull in front of the moving vehicle and “brake-check” it to force the Tesla to engage its own braking systems and pull over. Waymo vehicles, by contrast, provide a 24-hour hotline that law enforcement could use to initiate a remote pull over and shutdown of a vehicle.
Read: https://www.activistpost.com/2021/03/autonomous-vehicles-will-automatically-stop-for-police-roll-down-windows-and-unlock-doors.html 
Reports resurface that Amazon drivers pee in bottles, defecate in bags ahead of union vote 
I’m writing this item on Monday, March 29th, the day voting ends and the vote count starts at Amazon’s Bessemer, Alabama warehouse on whether or not to unionize. As a capitalist pig, I’m generally anti-union. But then again, I’ve never worked at a place (or run one) where the employees were so mechanically beholden to algos and analytics that they had to urinate in empty bottles and defecate into plastic bags in order to maintain their order in the job queue and keep their “scores” up.
Reports of workers skipping breaks and peeing in bottles go back as far as 2018, and Amazon has publicly denied them. However, as the Intercept reports, this practice is still widespread, and further, Amazon management knows about it:
“Amazon workers with whom I spoke said that the practice was so widespread due to pressure to meet quotas that managers frequently referenced it during meetings and in formal policy documents and emails, which were provided to The Intercept. The practice, these documents show, was known to management, which identified it as a recurring infraction but did nothing to ease the pressure that caused it. In some cases, employees even defecated in bags.” 
If I worked in a place like that, I’d be sympathetic to a union. If I ran my business like that, I’d deserve one.
Read: https://theintercept.com/2021/03/25/amazon-drivers-pee-bottles-union/
And: https://www.npr.org/2021/03/29/981573228/historic-amazon-union-vote-count-begins-this-week-for-alabama-warehouse
The entire phenomenon of Amazon is another data point in what I have increasingly noticed is an overlap in the proverbial Venn diagram of progressives and (real) capitalists:
From a labour perspective: what is wrong with this picture when one of the largest companies in the world, one whose business grew so much and so fast during one of the worst years in economic history, that workers need to shit in bags and rely on food stamps to feed their families? Isn’t that a little oppressive?
From the investor, capitalist mindset, what is wrong with the same picture when the Federal Reserve prints money out of thin air 
to buy this company’s bonds, and other nation’s central banks literally print up their own currency to purchase their equity? Isn’t that a little anti-competitive?

PHP Git repo hacked, will move to GitHub 
In late breaking news (in terms of when I write this letter), I woke up Monday morning to the news that the PHP git server had been breached and attackers placed a remote code execution into the php-src repository on git.php.net. The hostile commit was detected “within hours” as part of a standard, post-commit code review.
In response to this, PHP has elected to move the entire repository over to GitHub.
My read on this is that it was detected before the backdoor was incorporated into any packages or binaries and thus before it could turn into a full blown supply chain attack à la Solarwinds or Microsoft.
Read: https://www.wordfence.com/blog/2021/03/php-compromised-what-wordpress-users-need-to-know/ 
Immunity Passports are officially here 
Well, we’ve been dancing around the issue for the better part of the year since “all this” began and it looks like The New Normal includes immunity passports. New York State’s “Excelsior Pass” went online over the weekend.
“The online program is designed to securely display New Yorkers’ COVID-related information and help authenticate a person’s vaccination or proof of a recent negative COVID-19 test.” 
We’ve all known this is the direction things were headed. With COVID-19 all but in the rear-view mirror, so to are our freedoms and our privacy. We now live in a world where “that which is not expressly permitted, is forbidden” and for the most part, we are cheering it on.
Read: https://www.nbcnewyork.com/news/coronavirus/new-yorks-excelsior-pass-is-now-online-what-is-it-and-how-does-it-work/2968012/ 
Here in Canada the 
Justice Centre for Constitutional Freedoms just released a video yesterday about the “not mandatory vaccines” that will result in “certain restrictions being placed on any citizens who decide not to take them” in the words of Christina Freeland. Watch it here.  I recently became a financial contributor to their work by making a regular monthly donation. If you care about your Constitutional rights as guaranteed by the Canadian Charter of Rights and Freedoms, I encourage you to do the same. The JCCF is a registered charity and donations over $50 are tax deductible.
Update on the easyDNS Fold@Home team 
It’s been awhile since we ran an update on the easyDNS Fold@Home team – that’s the hive computing project where teams muster to harness unused CPU cycles to carry out molecular folding calculations to solve various diseases. With COVID-19 “solved,” at least in terms of vaccines and herd immunity near, my guess is the system will shift calculations onto 
the other diseases that the project contributes to, including Zika, Ebola, cancer, Alzheimers, Parkinsons and Huntington’s.
So let’s keep the effort going, because as I type this Team easyDNS is in (check it out!) 215th place out of 225,551 teams. Yes! Top 100 here we come.
Thank you to everybody who is contributing cycles to this effort.

7 thoughts on “#AxisOfEasy 189: MS Exchange Servers Are Being Hacked Faster Than Can Be Counted

  1. “Historically, the claim of consensus has been the first refuge of scoundrels; it is a way to avoid debate by claiming the matter is already settled… There is no such thing as consensus science. If it’s consensus, it isn’t science.”

    By the great physicist Richard Feynman


  2. I picked up some new computing hardware in December and, because it was not yet needed for anything real, put it back to work on Folding. That “free time” is nearing an end and I probably won’t be able to continue after April – at least not on a steady basis – but it has been a blast watching the stats accumulate.

    If you want to see a very cool stats site for Folding teams, check this out: https://folding.extremeoverclocking.com/team_summary.php?s=&t=248458

    It’s way more comprehensive than the data found on the official Folding@Home site, and the F@H management team actually recommends it as a reference. Team EasyDNS may be able to drop below 200 in the rankings in the next few weeks.

  3. Sorry Nick, I’m going with any Premier talking to his Cabinet as they try and get through running their Provinces during this pandemic…

  4. Without Googling or checking comments, that sounds like something Richard Feynman would say. Thanks for the shoutout to the Justice Centre, by the way!

Leave a Reply

Your email address will not be published. Required fields are marked *