US Issues Warning After Microsoft Says China Hacked Its Mail Server Program (nbcnews.com)
An anonymous reader quotes a report from NBC News: The U.S. has issued an emergency warning after Microsoft said it caught China hacking into its mail and calendar server program, called Exchange. The perpetrator, Microsoft said in a blog post, is a hacker group that the company has "high confidence" is working for the Chinese government and primarily spies on American targets. The latest software update for Exchange blocks the hackers, prompting the U.S. Cybersecurity and Infrastructure Security Agency to issue a rare emergency directive that requires all government networks do so.
CISA, the U.S.'s primary defensive cybersecurity agency, rarely exercises its authority to demand the entire U.S. government take protective steps to protect its cybersecurity. The move was necessary, the agency announced, because the Exchange hackers are able "to gain persistent system access." All government agencies have until noon Friday to download the latest software update. In a separate blog post, Microsoft Vice President Tom Burt wrote that the hackers have recently spied on a wide range of American targets, including disease researchers, law firms and defense contractors. There was no immediate indication that the hack led to significant exploitation of U.S. government computer networks. But the announcement marks the second instance in recent months that the U.S. scrambled to address a widespread hacking campaign believed to be the work of foreign government spies.
Confucius say (Score:5, Funny)
... Outlook not so good!
Re: (Score:2)
Microsoft https server config has problems
"server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server."
on a more serious note, they should really really fix their Email to enable DANE for SMTP (RFC 7672) for secure mail server connections!
https://github.com/baknu/DANE-for-SMTP/wiki [github.com]
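To show what "DANE for SMTP" actually checks, here is the TLSA matching logic an RFC 7672 sending MTA applies, as an added example that is not code from the original post or from the linked wiki. It assumes the TLSA records have already been fetched with DNSSEC validation, and uses constructed byte strings in place of real DER certificates and SubjectPublicKeyInfo structures.

```python
# DANE-for-SMTP (RFC 7672) TLSA matching. Added illustration, not Exchange code.
# The DNSSEC-validated lookup of _25._tcp.<mx-host> TLSA records and the TLS
# handshake are out of scope; certificate bytes below are constructed stand-ins.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Sequence, Tuple

DANE_TA, DANE_EE = 2, 3                        # usages RFC 7672 allows for SMTP
SEL_CERT, SEL_SPKI = 0, 1                      # selector: full cert or SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2
DIGEST_LEN = {MATCH_FULL: None, MATCH_SHA256: 32, MATCH_SHA512: 64}

# A chain is the server's EE certificate followed by its issuers; each entry is
# (certificate DER, SubjectPublicKeyInfo DER).
Chain = Sequence[Tuple[bytes, bytes]]

@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    assoc_data: bytes

def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse '<usage> <selector> <mtype> <hex...>'; the hex may be split into chunks."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs four fields: %r" % presentation)
    usage, selector, mtype = (int(p) for p in parts[:3])
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))

def is_usable_for_smtp(rec: TLSARecord) -> bool:
    """RFC 7672 s.3.1: PKIX-TA(0)/PKIX-EE(1) are ignored for SMTP, as are records
    with unknown parameters or a digest of the wrong length."""
    if rec.usage not in (DANE_TA, DANE_EE) or rec.selector not in (SEL_CERT, SEL_SPKI):
        return False
    if rec.matching_type not in DIGEST_LEN:
        return False
    want = DIGEST_LEN[rec.matching_type]
    return want is None or len(rec.assoc_data) == want

def _assoc_data_for(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's association data must equal for this certificate."""
    target = cert_der if rec.selector == SEL_CERT else spki_der
    if rec.matching_type == MATCH_SHA256:
        return hashlib.sha256(target).digest()
    if rec.matching_type == MATCH_SHA512:
        return hashlib.sha512(target).digest()
    return target

def record_matches(rec: TLSARecord, chain: Chain) -> bool:
    """DANE-EE pins the leaf only; DANE-TA pins an issuer somewhere in the chain."""
    candidates = chain[:1] if rec.usage == DANE_EE else chain[1:]
    return any(hmac.compare_digest(_assoc_data_for(rec, c, s), rec.assoc_data)
               for c, s in candidates)

def verify_dane(tlsa_presentations: List[str], chain: Chain) -> str:
    """Outcome for a set of DNSSEC-validated TLSA records against a presented chain:
    NO_DANE (no usable records: fall back to opportunistic TLS), DANE_PASS, or
    DANE_FAIL (usable records exist but none match: the sender must not deliver)."""
    usable = [r for r in map(parse_tlsa, tlsa_presentations) if is_usable_for_smtp(r)]
    if not usable:
        return "NO_DANE"
    return "DANE_PASS" if any(record_matches(r, chain) for r in usable) else "DANE_FAIL"

# Constructed stand-ins for DER-encoded objects (not real certificates).
EE_CERT, EE_SPKI = b"constructed-ee-cert-der", b"constructed-ee-spki-der"
CA_CERT, CA_SPKI = b"constructed-ca-cert-der", b"constructed-ca-spki-der"
CHAIN: Chain = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]

def sample_records() -> List[str]:
    """Constructed TLSA records for CHAIN, in zone-file presentation form."""
    return [
        "3 1 1 " + hashlib.sha256(EE_SPKI).hexdigest(),  # DANE-EE, SPKI, SHA-256: recommended form
        "2 0 2 " + hashlib.sha512(CA_CERT).hexdigest(),  # DANE-TA pinning the issuer's whole cert
        "1 1 1 " + hashlib.sha256(EE_SPKI).hexdigest(),  # PKIX-EE: right digest, unusable for SMTP
    ]
```

The third outcome is the one that matters operationally: a published but non-matching record (for example after a certificate rotation without updating DNS) makes compliant senders refuse delivery rather than downgrade.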
Re: (Score:1)
DANE is dead and DNSSEC is on life support.
Re: (Score:1)
Yes, replace obscure and little used solution that offers no real value with an even more obscure and little used solution that offers no real value.
As we've seen, spammers can set up DNSSEC just as well, and often better than the "real people". Looking at my e-mail servers, a properly configured e-mail domain is more likely to be from spammers than from real businesses.
Likewise none of that would have helped here, as they broke Exchange's proprietary protocols (which aren't standards) to elevate themselves
Re: (Score:2)
Re:Confucius say (Score:4, Funny)
Re:Confucius say (Score:5, Informative)
China has been at war with us since 1949.
Re: (Score:2)
Re: (Score:2)
Which in no way refutes Cmdln Daco's comment.
Re: (Score:3, Insightful)
This is point that should be made over and over again.
At the urging of Vice President Joe Biden,[8] the Jackson-Vanik amendment was repealed with the Magnitsky Act (which attempts to punish human rights violations without hampering trade) on December 14, 2012.
What this really means is money before people and before scruples. The simple fact is that not hampering trade more or less makes continued and flagrant abuse of human rights entirely painless for all but despots in the tiniest little duchies, who actually feel some pain from individual sanctions when their own domestic economies can't give them access to the banking tools and lifestyle items they want. It's certainly of no real consequence to Vladimir Pu
Re: (Score:2)
The Jackson-Vanik amendment was intended to sanction countries that restrict emigration, with the USSR preventing its Jews from emigrating to Israel particularly in mind. By 2012, Russia hadn't been doing that for over two decades, and many were rightly pointing out that the amendment was effectively obsolete. This isn't to say that Russia isn't authoritarian, or that some form of sanctions isn't a good idea - but that's a separate issue.
Re: (Score:2)
And Russia is just sleeping
Re:Confucius say (Score:4, Insightful)
Well, that's because Joe Biden isn't owned by Russia like Trump was - with lots of interests keeping him afloat.
And President/Dictator for life Xi of China is trying to change the world, literally. Instead of things like "free speech" or "democracy" as driving principles of good government, Xi wants "happiness". The Uyghur genocide is about making people "happy" and suppressing criticism makes people happy as well.
Re: (Score:1)
gosso920 sneered:
Russia is old and busted. China is the new bogeyman. We have always been at war with Eastasia.
Fuck off and die, húndàn ...
Re: (Score:1)
well i guess we all have our hiccups in the first year of business
which one of those two companies was t
Nuke Beijing (Score:3)
If there's one thing those fascists can't stand it's being humiliated and disrespected, so hack Baidu and put a photoshopped picture of Xi sucking a cock on the front page, etc.
Re: (Score:2)
Re: (Score:3)
It's not like the "Russia hacked the election" thing, it's actually well documented, just like their 50 cent army of shills of which you may well be a part of.
Re: (Score:2, Insightful)
You're the one who managed to conflate fascism with communism. That doesn't make you look very intelligent. I think you should avoid using big words until you know and understand the actual dictionary definitions of them.
Re:Nuke Beijing (Score:5, Insightful)
Re: (Score:3, Informative)
Oh look, an internet commenter who knows all about China. Say, why don't we ask Xi Jinping himself? After all, he's written a piece specifically for people like you, called Xi Jinping in Translation: China's Guiding Ideology [palladiummag.com]. Who's got more education on the topic here?
First of all: Socialism with Chinese Characteristics is socialism. It is not any other sort of "ism." The foundational, scientific principles of socialism cannot be abandoned; only if they are abandoned would our system no longer
Re: (Score:1)
socialist democratic politics
Clearly he's talking shit then. Being a dictator and all...
So take everything else with a grain of salt too.
Re: (Score:1)
Re: (Score:3)
First of all you are pretending a dictator fairly tallies any vote. Given the strict control and manipulation of all media and communication in China you wouldn't know. Which comes to the next point... when the government controls all information presented to "smart ones" they get to determine their opinion (which will logically follow from that information) and are rigging the election, even without manipulating a single other thing.
Re: (Score:2)
Re: (Score:2)
False equivalence. A favored tactic of the CCP everywhere... because China most definitely does not limit its information warfare to attacks on its own people.
Re: (Score:2)
Re: (Score:2)
"I have no desire to visit China due to its shitty government, but to not recognize the current anti-China propaganda blitz as being just part of America's trade war with China is just being lazy."
No, it is recognizing that the government of China was evil and well known to be evil all along and some greedy assholes ignored that and sold us out for their own gain. Now China is trying to undermine principles of freedom and personal liberty throughout the world.
Re: Nuke Beijing (Score:5, Insightful)
It is and always will be an independent country, not a separatist state.
Re: (Score:2, Informative)
Taiwan was a separate state, and there is a Taiwanese nationality separate from the Han Chinese who resettled there to form the Nationalist government after the Communist revolution in 1949. But the Nationalist government has historically claimed to be part of China.
If you want to piss everybody off, call Taiwan Formosa. That was the name it went by when the Dutch colonialists controlled the island.
Re: (Score:2)
If you want to piss everybody off, call Taiwan Formosa.
That doesn't piss anyone off. Taiwanese call their own island Formosa sometimes.
Re: (Score:1)
Taiwanese who didn't mind the Dutch colonialists do, anyway.
Re: (Score:2)
There is no Taiwanese alive today who remembers the Dutch colonialists.
Re: Nuke Beijing (Score:4, Insightful)
Lmao, you revealed that you're a Chinese shill by labelling Taiwan as part of China.
It is and always will be an independent country, not a separatist state.
We should continue our one China policy. We should go back to recognizing the ROC as the legitimate republican government of all of China and consider Taipei to be its capital. The PRC/CCP is an oppressive totalitarian evil that we should oppose.
Dealing with Beijing diplomatically at all is shilling for China.
Re: (Score:2)
I don't really know much about China, but I figure if you wanted to achieve this there would be a few difficult steps:
1) a large number of militarily advanced China-opposing forces would have to band together and remove the government of China in a battle that could have significant unforeseen consequences worldwide
2) The Taiwan governm
Re: (Score:2)
There is one China, one Taiwan, and one Tibet all separate places.
Re: (Score:2)
How is northern China and southern China different? Eastern and western China? What's the difference between HK, Tibet, Taiwan, Xinjiang, and all the other separatist movements that exist in China? Which parts are the most wealthy?
It doesn't matter. They should all be given freedom of speech.
Re: Nuke Beijing (Score:2)
So you confirmed by our know nothing. Bravo.
Re: (Score:2)
So you confirmed by our know nothing.
This is not a complete sentence.
Re: (Score:2)
Re: (Score:1)
Wasn't the WannaCry ransomware designed by either North Korea or China?
WannaCry is a combination of EternalBlue, the weaponized code the NSA developed to exploit a Microsoft SMB vulnerability they discovered, and a standard ransomware payload developed by who-knows-who. No one knows who first deployed WannaCry, but evidence suggests it first came out of Asia. Where it physically came out of is not evidence of who was behind its release. Given that we know for sure that the attack vector was of NSA origin, I find it as plausible that the NSA did the whole thing as any other
Re: (Score:2)
Um, no. NSA did no such thing. Go read virtually any reference on it.
Re: (Score:3)
If you think China doesn't hack the US you're mentally disabled. It's not like the "Russia hacked the election" thing, it's actually well documented, just like their 50 cent army of shills of which you may well be a part of.
The: 'Russians hacked the DNC' thing is documented, the: 'Russians hacked the RNC' thing is documented, the: 'Russians tried to hack election systems in all 50 states' thing is documented. The bone of contention is really whether they swung the 2016 election or not. Personally I don't think they did. However, the mere fact that they still got into a large number of election systems before chickening out is still highly problematic. Never mind the fact that both the Russians and the Chinese seem to have hack
Re: (Score:2)
An inconvenient truth, mod'ed down.
Re:Nuke Beijing (Score:4)
And you act like the options are total innocence or moral equivalence. That isn't even remotely true.
Re: (Score:2)
Anonyrnous sneered:
Mmm...koolaid is yummy! I believe every piece of propaganda bullshit mega-corps tell me at face value because critical thinking make my bwainy hurt!
Fuck off and die, húndàn ...
Re: (Score:2)
Re:Nuke Beijing (Score:4, Insightful)
The US should go on an offensive cyber campaign and hack every thing they can in China with the purpose of humiliating the CCP and sending them a message.
What kind of message do you think that would send, exactly? That we're drunk frat boys?
Re: (Score:3)
Well the NSA cannot hire people who smoke weed... so... that leaves few options.
Re:CCP steals our tools (Score:1)
Re: (Score:1)
They cant make any themselves, their to fucking stupid for that.
"They can't make any themselves. They're too stupid for that." I can't decide if that's sarcasm, satire, or if you're really that fucking stupid.
Re: (Score:2)
I'll get Anton right onto it. "Suck it, Jin Ping!"
https://steamuserimages-a.akam... [akamaihd.net]
Re: (Score:1)
Comment removed (Score:3, Insightful)
Re: (Score:2)
You must be new here. Happy day after Patch Tuesday everyone.
Re: (Score:2)
In their report, they presented no evidence that China was the culprit.
Re: (Score:2)
This is EXACTLY ON THE NEXT DAY AFTER HE DECLARED CHINA THE US ENEMY OF THE 21ST CENTURY.
Yeah... sure... Coincidence? I think not. More like Convenience. Spelled almost the same.
Re: (Score:2)
Anonyrnous sneered:
China did it!
Fuck off and die, húndàn ...
Re: (Score:2)
Re: (Score:2)
Actually, the notification I received through Microsoft's Partner Network did not mention China specifically. The notification stated...
We are contacting you to alert you to Microsoft’s release of patches for multiple different on-premises Microsoft Exchange Server zero-day vulnerabilities that are being exploited by a nation-state affiliated group.
Re: (Score:2)
Late Nights Tonight (Score:2)
Re: (Score:2)
Actually, we're a day behind. Everybody who had automatic updates on last night got it already. Yesterday was just the typical Patch Tuesday...
Re: (Score:2)
No, they didn't. The patches for this are not part of the monthly roll-up. You need to apply them explicitly, after applying the monthly roll-up. These will be a part of next month's patches, but if you're relying on automatic updates for this, you're screwed.
Today's hackers... (Score:2)
We've seen this before... bug in Microsoft Exchange, everybody take today's patch. The only difference in today's report is that the hackers are in China, cell phones are being made in China, and China is trying to feel better than us.
China, China, China.. feel scared yet? Now go patch your Exchange.
Re: (Score:3)
We did an emergency patch... but have business directly with China, lol. Admittedly, the stuff I work on directly is blocked from anything outside America, but a lot of the stuff that I enhance on is developed in China (and I even lost my job to China in 2018, but they were fucked doing US customizations, which I happen to specialize in - thanks for the $80000 pay boost - basically double what I made before).
Re:Today's hackers... (Score:4, Informative)
The New Guy 2.0 sneered:
China, China, China.. feel scared yet? Now go patch your Exchange.
The key detail in the above story is not that the vulnerability exists in Exchange. Anyone who uses Exchange is a damn fool, anyway. The key detail is that CISA has issued an order that ALL U.S. government Exchange servers MUST be updated by the end of the business day on Friday, because China has already been exploiting this zero-day vulnerability for an unknown length of time, and has ALREADY used it to gain access (sorry) to government systems - presumably including every system they could identify - as well as some unknown (but, again presumably, non-trivially-large) number of civilian systems.
Feel scared yet? Because you should.
This is not routine. It's an attack surface so severe that it has Cybersecurity Command shitting its britches, telling EVERY government entity that runs Exchange, "Update, then patch your shit, motherfuckers! You have 36 hours to comply, or your ass is grass!"
CISA has never treated any previous zero-day with that kind of urgency. If unpatched, it allows access to ring 0, you dilettante! That means that, if the system you administer runs Exchange, and the employer for whom you work has ANY data that might interest the Chinese government, it's already inside your network, and that data has already been pwned.
Updating and patching your Exchange server (pro tip: you have to do both, in that order) may staunch the bleeding, but that doesn't reduce this catastrophe to the kind of mundane status you'd like to believe it deserves.
And any fool who buys your casual dismissal of the severity of this zero-day deserves to hang up his or her pocket protector, and slink away in shame to the Old Sysop's Home ...
Re: (Score:2)
CISA has never treated any previous zero-day with that kind of urgency. If unpatched, it allows access to ring 0
Is that true? Why does Exchange have any high level privileges?
Re: (Score:2)
Anyone who uses Exchange is a damn fool, anyway.
Apparently written by another tedious IT practitioner who thinks he's smarter than everyone else. As in "anyone who uses Micro$oft products is a fool". "Anyone who doesn't use sudo is an idiot". Blah blah blah.
For what it's worth, I know a great many people who use Exchange Server and who are not fools. It happens to have a lot of nice features. It syncs e-mail, calendar, contacts, and more across multiple platforms. It has native clients on both Android and iOS. It has a pretty nice web-based interface th
This is my problem with Cloud (Score:5, Insightful)
Re:This is my problem with Cloud (Score:5, Informative)
There is some truth to that.
On the other hand, every Patch Tuesday when Microsoft releases another 60 vulnerabilities it's a race between the hackers exploiting them vs the companies trying to first test, then deploy patches. If you're using Microsoft's cloud you are already protected before the vulnerability is released publicly.
Cloud security is *different* from on-prem. Not better or worse, just different.
Re:This is my problem with Cloud (Score:4, Insightful)
It reminds me a lot of the nuclear reactor (NR) versus petroleum debate. Petroleum probably causes more deaths on average than NR's via asthma, cancer, etc.; but NR's make news when they go wrong. NR's create "spiky" risk while petro kills slow and steady.
Re: (Score:3, Interesting)
I understand what you're trying to get at. And ...
There's been exactly ONE nuclear power accident with fatalities greater than about one or two - Chernobyl. A guy, one guy, got cancer attributed to Fukushima. In other accidents, I think one guy died when he dropped a rod; in the early days a researcher accidentally created critical mass and he may have eventually died.
Just ordinary workplace accidents alone, slip and fall type things, in the oil industry kill more people than nuclear power does.
The numbe
Re: (Score:2)
You are completely right about the safety of nuclear power.
About China Syndrome, there is some important context. Right after the China Syndrome movie was released, nuclear power advocates quickly denounced it as utterly unrealistic, saying that it was impossible to have an accident like the one described in the movie: a loss of coolant accident that was caused by a malfunctioning gauge reporting excessive cooling water levels when the water levels were actually dangerously low because a valve got stuck, re
Re: (Score:1)
I want to make sure we don't ignore the indirect or un-countable danger of releasing radiation into the environment. Fukushima's radiation has increased the radioactivity of fish used for food, for example. Almost the entire Pacific Ocean has been affected. Whether that will increase total cancer occurrences in the world to a concern-able level is a matter of debate. Ideally, we don't want that
Re: (Score:2)
> Ideally, we don't want that extra radiation in the ocean.
It's not ideal, in the way 0.000... and perfectly spherical cows are ideal.
Also, the concern about the water at Fukushima is tritium.
There's some tritium, less than a gram I believe, in the wastewater. Tritium is the stuff used to make watches and exit signs glow.
So when we're balancing real-life alternatives, not spherical cows, would you rather have thousands of gallons of used engine oil leaking onto the ground and eventually into your drinki
Re: (Score:1)
Currently nuclear is roughly 3% of all power generated. If it replaced oil, then the accident rate and results would be much higher.
Anyhow, I already agreed that nuclear is less dangerous than oil on average in my first message.
Re: (Score:2)
If you're using Microsoft's cloud you are already protected before the vulnerability is released publicly.
Also... It's simply not the case that every user of the service would need to assume they are targeted; If the service provider maintains the appropriate logging and auditing, they should be able to narrow down what was accessed in the event of a breach, which customers may be impacted and need to alert -- It's not like services such as O365 are a couple servers resembling an Enterprise on-pr
Re: (Score:2)
Re: (Score:2)
> Most importantly you drastically increase the cost for hackers to penetrate a large number of systems and you force them to make economic decisions about which targets to prioritize.
You forget we're using computers. Computers are really, really good at repeating the same thing really, really fast. Once I develop an exploit for an Exchange vulnerability, my cost to deploy it to 10,000 companies is under $100.
Managing the databases at $large_security_company, I learned that one of the best ways to detect
Re: (Score:2)
Re: (Score:2)
That's true - whether Exchange is on-prem or not.
It's MORE true when Exchange isn't on-prem, because getting into Exchange doesn't put you directly in their network.
That is, if you have an Exchange exploit, that alone will get you access to the Exchange server. If the Exchange server is on the local network, having the Exchange server means you have a foothold in the local network.
Re: (Score:2)
Re: (Score:3)
Initial numbers from the briefing I just left indicate that about 5-10% of Exchange servers are already *infected*. Not just vulnerable, but already infected as of about an hour ago.
So apparently a lot of companies allow employees to access their work email when they aren't in the office, by exposing their CAS on the web.
Re: (Score:2)
Re: (Score:2)
I should clarify these are very early numbers, to be taken with a grain of salt. It's an evolving situation.
Re: (Score:1)
Re: (Score:2)
I'll just leave you with what one of the experts on Exchange security, @swiftonsecurity had to say yesterday:
"If you're not Fortune 50 company, running your own Exchange Server is organizational clownery at this point."
If you think you know more about Exchange security than Swift does, perhaps we should rename the Dunning-Kruger effect after you.
Re:This is my problem with Cloud (Score:5, Informative)
If you had read the linked directive from DHS, you'd know that this is not an issue with cloud-based services, but on-premises servers:
"CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network."
I know we love to gang-up on the cloud, but at least try to be accurate in your criticism, otherwise it just makes you sound like a vacuous blowhard.
Re: (Score:2)
The cloud servers aren't impacted. These are flaws for on-prem Exchange servers, and Exchange 365 in a hybrid configuration. That's a buzzwordy way of saying "we do both cloud and non-cloud".
These are vulnerabilities against the non-cloud stuff.
Re: (Score:2)
Yep. On-premise only. That Unified Messaging (UM) feature that had the component vulnerable due to the serialization issue doesn't even exist as part of the Exchange 365 service - MS has something completely different there.
Re: (Score:2)
By putting all exchange servers into one cloud as MS pushes it makes it so there is a single target. Once it's compromised everyone using that system has to assume they were hit along with everyone else. It's the equivalent of putting all your eggs in one basket.
I'm genuinely curious as to what you think "the cloud" is? Sure the meme is it's someone else's computer, but the reality is more that it's hundreds of other people's virtual machines spread across various hardware. With every company somehow requiring some kind of access to their networks from outside the actual risk of someone compromising the Exchange Server on the cloud, vs Exchange Server in the IT room is no different. And at these scales the provisioning from resources between companies are also kept
yeah we dont need encryption (Score:1)
Re: (Score:1)
so they said until everyone is hacked
I still have a hell of a time convincing anyone to use encryption. Even Windows 10 can load GPG. Outlook supports it. Evolution supports it. Even Gmail seems to support it via Evolution. I tried to get others to use it and I might as well have asked them to collect all the underwear in their dresser drawers and send it to me. In fact, they may have done that before they'd do encrypted e-mail.
So basic, free and people won't do it. Like a free lock for your front door and nobody wants a lock on their front do
mass pwnage (Score:2)
Blame Management for picking insecure products (Score:3)
Russia, China... or U$A... is the Our Problem? (Score:2)
Russia, China, Israel, Iran, India... and U$A genius RICO families' and
C*Os' perfidious politicians and prosperity cult-clergy are
Wealth/Power Accumulation Clubs (W/PAC) of Luddite-technophobes.
The U$A governance of the USA has put #AllOfUS last in priority. Look at USA State Of Union (Education, Infrastructure, Science, Medicine, Communities, Industry, Economics, Finances...). U$A pays for QAnon (Question Answer nonsense) agitprop and MSM/SM pseudo-news.
Ask:
How does U$A setup US to fail?
Why does U$A want U
Since China is at war with us (Score:2)
When do we mount a minimal defense? And how long after that do we wait before we retaliate?
And as we consider true cyberwar, which, if you consider it for more than a moment, will be not merely disruptive, but disastrous beyond previous measure, consider a lesson from WWI - gas, in particular, was found to be an intolerable weapon. WWII was not as brutal as it could have been, had the belligerents resorted to widespread use of gas and similar weaponry.
Real cyberwar will leave you hungry, cold, and sitting
It turns out (Score:1)
It turns out all the Chinese do is see how their servers were hacked by the Americans then use the same techniques to hack them.