Morphisec Cybersecurity Blog

Security News in Review: Microsoft Exchange Server Hack “Doubling” Every Two Hours; Linux Foundation Creates New Software Signing Service

Written by Matthew Delman | March 13, 2021 at 2:00 PM

In this week’s edition of our roundup of the cybersecurity news, you’ll find information on Microsoft’s Patch Tuesday in case you missed it, new insights into the Exchange Server hack, and information on the rise in K-12 cyberattacks, among other important security news stories from the past week.

Read on for the latest Security News in Review, and let us know if we missed anything. 

Microsoft Exchange Server hacks ‘doubling’ every two hours -- Threat actors are taking advantage of slow patch or mitigation processes at companies running the affected Microsoft Exchange Servers. Security researchers have found at least 10 APT groups using Exchange Server exploits as part of their arsenals, and there’s now a ransomware strain -- known as DearCry -- using the Exchange Server zero days in its attacks. Microsoft said the new ransomware is reminiscent of the WannaCry attacks from 2017.

Microsoft Delivers Patches for 89 Vulnerabilities in March Security Release -- Microsoft released patches for 89 software vulnerabilities in its March Patch Tuesday. This latest update included 14 CVEs labeled “critical” and five under active exploit. Four of those Critical CVEs are related to Exchange Server, which is said to be under active attack by the "Hafnium" advanced persistent threat group. Morphisec’s CTO Michael Gorelik recently provided advice on how to mitigate the four Exchange Server vulnerabilities.

Linux Foundation announces new open-source software signing service -- In the wake of the SolarWinds supply chain attack, the Linux Foundation has worked with Google, Red Hat, and Purdue University to create a new open-source software signing service called “sigstore.” The goal of the sigstore project is to enable the easy adoption of cryptographic software signing backed by transparency log technologies. According to ZDnet reporting, “It will do this by empowering developers to securely sign software artifacts such as release files, container images, and binaries. These signing records will then be kept in a tamper-proof public log. This service will be free for all developers and software providers to use. The sigstore code and operation tooling that will be used to make this work is still being developed by the sigstore community.”

Nim-Based Malware Loader Spreads Via Spear-Phishing Emails -- The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly targeted spear-phishing emails, according to Threatpost reporting. Nim is an unusual programming language for malware, and it appears that threat actors are trying to use it to evade detection-based solutions.

Everything you need to know about the Microsoft Exchange Server hack -- ZDnet runs down the history of the Microsoft Exchange Server critical vulnerabilities. According to sources ZDnet spoke with, the Exchange Server vulnerabilities were first reported to Microsoft on January 5. There’s no indication the hack was related to the SolarWinds breach, but any lag in patching vulnerabilities can create major issues. 

New malware tied to China targets Linux endpoints and servers -- Malware targeting Linux endpoints and servers has started to proliferate. Security researchers recently identified a new piece of Linux malware called RedXOR, so named because it was developed on Red Hat Enterprise Linux and uses a network data encoding scheme based on XOR. According to researchers, it would be very easy to pair RedXOR with any initial access exploit, and it also has the ability to be updated.

Ransomware “Paralyzes” Spanish Employment Agency -- The State Public Employment Service in Spain was recently taken offline following a ransomware attack. Face-to-face appointments have been canceled as the attack took out computer systems in 710 SEPE offices as well as the laptops of remote workers nationwide. According to the agency, unemployment benefits will not be affected.

Third French hospital hit by cyberattack -- A hospital in the southwest of France had some of its systems locked down by ransomware on Monday, marking the third such attack on French hospitals in the past month. Hospital workers have resorted to using pen and paper while their systems are locked down. Beyond that, however, the hospital -- a 320-bed facility in Oloron-Sainte-Marie near the Pyrenees mountains -- is taking part in COVID-19 vaccination efforts, and the attack may short-circuit those.

Cyberattacks against K-12 schools rose 18% in 2020, report finds -- The K-12 Cybersecurity Resource Center and the K12 Security Information Exchange, or K12 Six, a new nonprofit group, recently published new research that shows an increase in cyberattacks against K-12 schools. The two organizations counted 408 incidents occurring throughout 2020, and found that 377 organizations across 40 states had experienced a cyberattack. Most telling is that 51% of attacks were carried out on rural school districts.

GitHub users forcibly logged out of accounts to patch ‘potentially serious’ security bug -- All GitHub user sessions were cancelled on March 8 because of a security bug that could have allowed access to a user’s session cookies. According to GitHub, the vulnerability was a race condition in a backend process that could have misrouted a user’s session to another authenticated user, giving the second user access to the first one’s session cookie.