Biz & IT

High-severity Microsoft Exchange 0-day under attack threatens 220,000 servers

Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world.

The currently unpatched security flaws have been under active exploit since early August, when Vietnam-based security firm GTSC discovered customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers’ servers had all been patched against the vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers discovered the unknown hackers were exploiting a new Exchange vulnerability.

Webshells, backdoors, and fake sites

“After successfully mastering the exploit, we recorded attacks to collect information and create a foothold in the victim’s system,” the researchers wrote in a post published on Wednesday. “The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system.”

On Thursday evening, Microsoft confirmed that the vulnerabilities were new and said it was scrambling to develop and release a patch. The new vulnerabilities are: CVE-2022-41040, a server-side request forgery vulnerability, and CVE-2022-41082, which allows remote code execution when PowerShell is accessible to the attacker.

“​​At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems,” members of the Microsoft Security Response Center team wrote. “In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082.” Team members stressed that successful attacks require valid credentials for at least one email user on the server.

The vulnerability affects on-premises Exchange servers and, strictly speaking, not Microsoft’s hosted Exchange service. The huge caveat is that many organizations using Microsoft’s cloud offering choose an option that uses a mix of on-premises and cloud hardware. These hybrid environments are as vulnerable as standalone on-premises ones.

Searches on Shodan indicate there are currently more than 200,000 on-premises Exchange servers exposed to the Internet and more than 1,000 hybrid configurations.

Wednesday’s GTSC post said the attackers are exploiting the zero-day to infect servers with webshells, a text interface that allows them to issue commands. These webshells contain simplified Chinese characters, leading the researchers to speculate the hackers are fluent in Chinese. Commands issued also bear the signature of the China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People’s Republic of China.

GTSC went on to say that the malware the threat actors eventually install emulates Microsoft’s Exchange Web Service. It also makes a connection to the IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with only a single user with one minute of login time and has been active only since August.

The malware then sends and receives data that’s encrypted with an RC4 encryption key that’s generated at runtime. Beaumont went on to say that the backdoor malware appears to be novel, meaning this is the first time it has been used in the wild.

People running on-premises Exchange servers should take immediate action. Specifically, they should apply a blocking rule that prevents servers from accepting known attack patterns. The rule can be applied by going to “IIS Manager -> Default Web Site -> URL Rewrite -> Actions.” For the time being, Microsoft also recommends people block HTTP port 5985 and HTTPS port 5986, which attackers need to exploit CVE-2022-41082.
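The interim port block described above can be audited and applied from PowerShell. The script below is an added example, not code from the article or from Microsoft's advisory. It assumes it is run as Administrator on the Exchange host, that the NetSecurity module cmdlets (Get-NetTCPConnection, Get-NetFirewallRule, New-NetFirewallRule) are available as on Windows Server 2012 R2 and later, and the firewall rule name is my own choice. Without -Block it only reports which of the two ports are listening and whether a block rule already exists.

```powershell
# Added example (not from the article or Microsoft's advisory): audit and,
# on request, apply the interim block of TCP 5985 (WinRM HTTP) and 5986
# (WinRM HTTPS) that the article describes for CVE-2022-41082.
# Assumptions: run as Administrator; NetSecurity module available; the rule
# display name below is my own and can be changed freely.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int[]]$Ports = @(5985, 5986),   # the two ports named in the article
    [switch]$Block                    # omit to run in report-only mode
)

$ruleName = 'Interim block - Exchange remote PowerShell (CVE-2022-41082)'

# 1. Report which of the ports are currently listening, and on which address.
foreach ($port in $Ports) {
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if ($listeners) {
        foreach ($l in $listeners) {
            Write-Output ("LISTENING  {0}:{1}  (pid {2})" -f $l.LocalAddress, $port, $l.OwningProcess)
        }
    } else {
        Write-Output ("closed     *:{0}" -f $port)
    }
}

# 2. Check whether the blocking rule is already in place.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "Firewall rule '$ruleName' already present (Enabled=$($existing.Enabled))."
} elseif ($Block) {
    # 3. Create an inbound block for the listed ports. In Windows Firewall a
    #    block rule takes precedence over allow rules, so an existing WinRM
    #    allow rule does not override this one.
    if ($PSCmdlet.ShouldProcess("TCP $($Ports -join ','), inbound", "Create block rule")) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $Ports -Action Block -Profile Any | Out-Null
        Write-Output "Created inbound block rule for TCP $($Ports -join ', ')."
    }
} else {
    Write-Output "No block rule present; re-run with -Block to create one."
}
```

Run it once without -Block to see the current state, then with -Block (or -Block -WhatIf to preview) to create the rule. The block also stops legitimate WinRM and remote PowerShell sessions to the host, so plan administrative access accordingly until the patch is applied.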

Microsoft’s advisory contains a host of other suggestions for detecting infections and preventing exploits until a patch is available.

Nvidia AI plays Minecraft, wins AI conference award

MineDojo’s AI can perform complex tasks in Minecraft.

A paper describing MineDojo, Nvidia’s generalist AI agent that can perform actions from written prompts in Minecraft, won an Outstanding Datasets and Benchmarks Paper Award at the 2022 NeurIPS (Neural Information Processing Systems) conference, Nvidia revealed on Monday.

To train the MineDojo framework to play Minecraft, researchers fed it 730,000 Minecraft YouTube videos (with more than 2.2 billion words transcribed), 7,000 scraped webpages from the Minecraft wiki, and 340,000 Reddit posts and 6.6 million Reddit comments describing Minecraft gameplay.

From this data, the researchers created a custom transformer model called MineCLIP that associates video clips with specific in-game Minecraft activities. As a result, someone can tell a MineDojo agent what to do in the game using high-level natural language, such as “find a desert pyramid” or “build a nether portal and enter it,” and MineDojo will execute the series of steps necessary to make it happen in the game.

Examples of tasks that MineDojo can perform.

MineDojo aims to create a flexible agent that can generalize learned actions and apply them to different behaviors in the game. As Nvidia writes, “While researchers have long trained autonomous AI agents in video-game environments such as StarCraft, Dota, and Go, these agents are usually specialists in only a few tasks. So Nvidia researchers turned to Minecraft, the world’s most popular game, to develop a scalable training framework for a generalist agent—one that can successfully execute a wide variety of open-ended tasks.”

The award-winning paper, “MINEDOJO: Building Open-Ended Embodied Agents with Internet-Scale Knowledge,” debuted in June. Its authors include Linxi Fan of Nvidia and Guanzhi Wang, Yunfan Jiang, Ajay Mandlekar, Yuncong Yang, Haoyi Zhu, Andrew Tang, De-An Huang, Yuke Zhu, and Anima Anandkumar of various academic institutions.

You can see examples of MineDojo in action on its official website, and the code for MineDojo and MineCLIP is available on GitHub.

European Parliament DDoSed after declaring Russia a sponsor of terrorism

An iteration of what happens when your site gets shut down by a DDoS attack.

The European Parliament website was knocked offline for several hours on Wednesday by a distributed denial-of-service (DDoS) attack that started shortly after the governing body voted to declare the Russian government a state sponsor of terrorism.

European Parliament President Roberta Metsola confirmed the attack on Wednesday afternoon European time, while the site was still down. “A pro-Kremlin group has claimed responsibility,” she wrote on Twitter. “Our IT experts are pushing back against it & protecting our systems. This, after we proclaimed Russia as a State-sponsor of terrorism.”

While this post was being reported and written, the website became available again and appeared to work normally.

The pro-Kremlin group Metsola referred to is likely the one known as Killnet, which emerged at the start of Russia’s invasion of Ukraine and has posted claims of DDoS attacks in countries supporting the smaller nation. Targets have included police departments, airports, and governments in Lithuania, Germany, Italy, Romania, Norway, and the United States.

Shortly after Wednesday’s attack against the European Parliament started, Killnet members took to a private channel on Telegram to post screenshots showing the European Parliament website was unavailable in 23 countries. Text accompanying the images made a homophobic remark directed at the legislative body.

The outage occurred shortly after the parliament overwhelmingly voted to declare the Kremlin a sponsor of terrorism.

Members of the European Parliament “highlight that the deliberate attacks and atrocities committed by Russian forces and their proxies against civilians in Ukraine, the destruction of civilian infrastructure and other serious violations of international and humanitarian law amount to acts of terror and constitute war crimes,” the declaration stated. “In light of this, they recognize Russia as a state sponsor of terrorism and as a state that ‘uses means of terrorism.’”

The resolution was adopted with 494 votes in favor, and 58 against. There were 44 abstentions.

DDoS attacks typically harness the bandwidth of hundreds, thousands, and in some cases, millions of computers infected with malware. After coming into their control, the attackers cause them to bombard a target site with more traffic than they can accommodate, forcing them to deny service to legitimate users. Traditionally, DDoS has been among the crudest forms of attack because it relies on brute force to silence its targets.

Over the years, DDoSes have become more advanced. In some cases, the attackers can increase the bandwidth by as much as a thousand-fold using amplification methods, which send data to a misconfigured third-party site, which then returns a much larger amount of traffic to the target.

Another innovation has been designing attacks that exhaust the computing resources of a server. Rather than clogging the pipe between the website and the would-be visitors—the way more traditional volumetric DDoSes work—packet-per-second attacks send specific types of compute-intensive requests to a target in an attempt to bring the hardware connected to the pipe to a standstill.

Metsola said the DDoS attacks on the European Parliament were “sophisticated,” a word that’s often misused to describe DDoSes and hacks. She provided no details to corroborate that assessment.

Apple iPhone factory workers clash with police in China

Workers walk outside Hon Hai Group’s Foxconn plant in Shenzhen, China, in 2010.

Violent worker protests have erupted at the world’s largest iPhone factory in central China as authorities at the Foxconn plant struggle to contain a COVID-19 outbreak while maintaining production ahead of the peak holiday season.

Workers at the factory in Zhengzhou shared more than a dozen videos that show staff in a standoff with lines of police armed with batons and clad in white protective gear. The videos show police beating workers, with some bleeding from their heads and others limping away from chaotic clashes.

Beijing’s strict zero-COVID regime has posed big challenges for the running of Foxconn’s Zhengzhou plant, which typically staffs more than 200,000 workers on a large campus in the city’s suburbs.

Wednesday’s unrest will heighten investor concerns about supply chain risk at Apple, with more than 95 percent of iPhones produced in China.

Problems at the plant earlier this month led Apple to cut estimates for high-end iPhone 14 shipments and to issue a rare warning to investors over the delays.

Two workers at the Foxconn factory said the protests broke out on Wednesday morning after Apple’s manufacturing partner attempted to deny bonuses promised to new workers put into quarantine before being sent to assembly lines.

“Initially they just went into the plant seeking an explanation from executives, but they [the executives] didn’t show their faces and instead called the police,” said one of the workers.

Another worker said there was growing discontent over the factory’s continued inability to curb a COVID outbreak, tough living conditions, and fear among staff that they would test positive.

Foxconn said the company would work with employees and the government to prevent further violent acts.

The company said it had always fulfilled its contracts and would continue to “communicate and explain” that to new staff. It said reports that the company had mixed COVID positive workers with those not yet infected were untrue.

Videos show workers flipping over carts on the Foxconn campus, charging into the factory’s offices and bashing a COVID testing booth. Live streams from the scene on Wednesday afternoon showed groups of workers milling about in a courtyard between buildings. Some workers were livestreaming the protests on social media until censors stepped in to cut off the broadcasts.

“The Foxconn situation raises concern for China’s leaders because it challenges the narrative of being a reliable supplier,” said Shan Guo at Plenum China Research. “It’s clear workers are not happy being locked down,” she said.

Foxconn has been working with the local government in Henan province, where the plant is located, to repopulate its assembly lines with new workers after a mass staff exodus late last month spurred by conditions at the plant.

Local officials have been tasked with helping send workers to the plant, which is a big taxpayer and was responsible for 60 percent of the province’s exports in 2019.

Ivan Lam, an analyst at Counterpoint Research, said Foxconn had already been shifting iPhone 14 production away from the Zhengzhou factory amid the COVID problems. He estimated the Zhengzhou plant’s share of total iPhone 14 production was down to about 60 percent today from about 80 percent before the outbreak began.

Apple did not immediately respond to requests for comment.

© 2022 The Financial Times Ltd. All rights reserved. Please do not copy and paste FT articles and redistribute by email or post to the web.
