This week’s security news: China’s breach of Microsoft’s cloud email may expose deeper problems
The cyberattack that compromised tens of thousands of Microsoft Exchange servers worldwide in March was one of the most significant security incidents of the year. The hackers, believed to be linked to the Chinese government, exploited four previously unknown vulnerabilities in the popular email software to gain access to sensitive data and install malware on the affected systems.

While Microsoft quickly released patches to fix the flaws, many organizations were slow to apply them or were unaware of the urgency. As a result, the attackers had an opportunity to compromise as many servers as they could before being detected. According to some estimates, more than 60,000 organizations in the United States alone were affected by the breach, including small businesses, local governments, schools and nonprofit organizations.
The impact of the breach is still being revealed as security researchers and law enforcement agencies attempt to assess the extent of the damage and identify the victims. It is possible that some of the compromised servers still host malicious web shells that allow hackers to maintain remote access and execute commands. In addition, the stolen data can be used for other attacks, such as phishing, identity theft or espionage.
The breach also raises questions about the security and reliability of cloud-based services, especially those provided by Microsoft, which dominates the enterprise software market.
While Microsoft has claimed that its cloud-based version of Exchange was not affected by the attack, some experts have argued that the company’s complex and interconnected cloud infrastructure can pose hidden risks and vulnerabilities that are not well understood or disclosed.
For example, some researchers have suggested that hackers may have used a technique called “cross-cloud compromise” to leverage their access to Exchange servers to gain access to other Microsoft cloud services, such as Azure or Office 365. This could potentially expose more data and systems to attackers, and make it more difficult to detect and remove their presence.
Another concern is that Microsoft had been aware of the vulnerabilities in Exchange for months before publicly disclosing them and releasing patches. According to a report in The Wall Street Journal, Microsoft was notified of the flaws by a Taiwanese security company called Devcore in January, but did not act on them until March, when it learned that they were being actively exploited by hackers.
This delay may have given attackers more time to prepare and launch their campaign, as well as increased the chances of other threat actors discovering and exploiting the same vulnerabilities. It also raises questions about Microsoft’s vulnerability disclosure policy and its responsibility to inform and protect its customers.
The breach of Microsoft Exchange servers is a reminder that cloud-based services are not immune to cyber attacks and that organizations must take proactive steps to protect their data and systems.
This includes patching quickly, monitoring network activity, implementing backup and recovery plans, and educating users about cyber hygiene. It also means demanding more transparency and accountability from cloud providers, such as Microsoft, about their security practices and policies.
If you are interested in the latest developments in civil rights, cybersecurity and surveillance, you may want to read this blog post. It covers three important stories that have recently emerged and explains why they are important to our society.
The first story is about a landmark settlement of a class action lawsuit against the New York Police Department (NYPD) for its violent and illegal treatment of protesters in 2020. The NYPD was accused of using excessive force, making false arrests and violating the constitutional rights of thousands of people who took to the streets following the murder of George Floyd by a Minneapolis police officer. The lawsuit was backed by a powerful tool that analyzed massive amounts of video evidence from a variety of sources, including police body cameras, helicopters and social media.
The tool, created by SITU Research, a design agency that specializes in civil liberties issues, was able to identify patterns and trends in police behavior and provide concrete evidence of systemic abuses. The settlement, which amounts to more than $13 million for 1,380 plaintiffs, is one of the largest in U.S. history for a protest-related case.
The second story is about a new research paper that exposes alarming vulnerabilities in orbiting satellites. The article, written by researchers at the University of Bochum in Germany, reveals that three different satellite models have multiple critical flaws that could allow hackers to take control of them, disrupt their operations or even crash them into other satellites or the Earth.
The researchers tested the satellites using publicly available information and tools and found that they lacked basic security measures such as encryption, authentication and integrity checks. The paper highlights the urgent need to improve the cybersecurity of satellites, which are essential to many aspects of our modern lives, such as communications, navigation, weather forecasting and military intelligence.
The third story is about a bipartisan bill aimed at preventing U.S. intelligence and law enforcement agencies from buying Americans’ personal data from outside intermediaries without a warrant. The bill, called the Fourth Amendment Not for Sale Act, was introduced by Senators Ron Wyden and Rand Paul, known for their strong opposition to surveillance overreach.
The bill would close a loophole that allows federal agencies to circumvent Fourth Amendment protections by purchasing data from companies that collect it from a variety of sources, such as apps, websites or devices. The bill would also prohibit agencies from buying data obtained illegally or without consent from foreign governments or hackers. The bill has garnered support from both Democrats and Republicans, as well as civil liberties groups and technology companies.