March 16, 2021
Good morning, everyone!
More on the Microsoft Exchange Server debacle
The news about the Microsoft Exchange Server debacle just keeps getting worse. Brian Krebs warns that many servers now have multiple backdoors installed, as threat actors are competing to control as many servers as possible before patches are applied. Some cyber criminal groups are already using the backdoors to install ransomware. Microsoft has even released additional patches for older, unsupported verisons of Exchange.
The New York Times reports that Microsoft was forced to release the patch a week early, because of a huge spike in attacks on the vulnerability, possibly due to a leak during the patch testing phase. As of March 14, 82,000 servers are still unpatched.
At this point, given the scale of the attacks, many experts say you should assume that all Exchange servers may be compromised, even if patched, and need to be carefully monitored for signs of compromise. If you do not have the expertise to handle this currently, please seek outside assistance and/or consider moving your email to the cloud.
Apple releases updates for all operating systems
Apple has released new versions of macOS, iOS, and iPadOS to fix a code execution vulnerability that is believed to be quite serious.
Adobe has released security updates for Framemaker, Connect, and Creative Cloud
Five critical vulnerabilities were patched in updates this week. Creative Cloud users should get the updates automatically, while others should run a manual update as soon as possible.
Verkada Surveillance Cameras Breached
Internet-facing surveillance cameras installed in hospitals, jails and Silicon Valley icons like Tesla and Cloudflare were exposed this week in a massive attack on saved default administrative credentials.
What have I told you before about default passwords? The first thing you do when you bring home a new smart device of any kind is change the default passwords.
That makes a good segue to my next installment of:
When “smart” devices let you down
Last week I talked about smart devices being killed and/or restricted by the manufacturer, leaving consumers with a worthless (or suddenly terribly expensive) device. But that’s not all that can happen!
Loss of connectivity renders smart things dumb
Smart things use networks and the Internet to learn and react – that’s what makes them “smart.” So what happens when the network is down?
In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.
It doesn’t have to be an attack that brings down your smart devices, though, any loss of connectivity can have the same effect. I’ve read many reports like this one where a connected car won’t start outside urban areas, because it needs an Internet connection to verify it hasn’t been stolen. Call AAA and get the car towed to the nearest cell tower to continue your trip. Crazy.
I think that's enough for this week. Go forth and apply your patches, enable 2FA and think before you click!
Talk to you again soon!
Security Awareness Training Goes Virtual
Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.
Contact me to schedule your employee training sessions. They're fun! ☺