
Exchange flaws could be much worse than thought: Six hacking groups suspected of using the zero days pre-patch

Plus: Verkada flaw finder cuffed and Apple boss may have leaked secrets

In brief It's looking like the exploitation of critical Exchange flaws that Microsoft revealed at the start of the month could be much worse than folks first suspected.

An analysis by Slovak security shop ESET claims that six advanced criminal hacking groups, thought to have some level of state sponsorship, used the zero days to attack government and industry sites before the flaws were patched. At the time, Microsoft claimed that only one Chinese-based hacking group, dubbed Hafnium, had illicitly exploited the dodgy code. You can see the timeline below.

[Figure: ESET's timeline of when each group began exploiting the Exchange flaws. Source: ESET]

It appears five other groups – Tick, followed by LuckyMouse, Calypso, Websiic, and the Winnti Group – got in on the game before patches were released, although the last of these (in the scenario outlined by ESET) started using the flaws just hours before the Microsoft announcement. That timeline opens up some interesting possibilities, particularly in light of reports that the flaws were leaked from a February 23 alert sent by Microsoft to key security partners worldwide.

DEVCORE hacker Orange Tsai found the first Exchange bug on December 10, and had weaponized it to an admin-level RCE by New Year's Eve. After the January 5 notification to Microsoft he and the Redmond team finalised the draft report by February 18. It was sent on the 23rd, and five days later the second wave of attacks kicked off.

So pick your nightmare scenario. One: a state-sponsored team found and exploited the flaws – probably for a while before anyone else found them – and then shared them out to similar groups. Two: DEVCORE or Microsoft's security team was penetrated (worrying in light of the recent targeting of ethical bug hunters). Three: one or more of Redmond's security partners is feeding information to the enemy.

The truth could also be a mishmash of all these options.

Could anything make this whole Exchange mess worse? Possibly: Sysadmins have taken to Reddit to complain that Microsoft's MSERT malware protection tool is producing false positives for signs of the attacks on Exchange.

Former Apple materials lead accused of clumsily stealing secrets

Simon Lancaster, one of Apple's Advanced Materials Leads before he left the firm in November 2019, has been sued by his former employer for allegedly stealing company secrets for his own use, and for allegedly leaking to a member of the press.

In a lawsuit first reported on Thursday, Apple has accused Lancaster of intellectual property theft, saying he used the purloined data as the basis for joining a startup. He is also accused of offering to feed Apple secrets to a journalist, who in return offered to write articles about said startup.

It's claimed he attended meetings he shouldn't have to get information on forthcoming Apple products, was passing information physically and digitally to the unnamed journalist, and established a relationship whereby the member of the media would dig into areas of Apple's business Lancaster wanted to know more about.

Lancaster is being sued for violation of the Defend Trade Secrets Act, violation of the California Uniform Trade Secrets Act, and breach of written contract.

More woes as recorded iPhone calls open to all

Not Apple's fault this one, but still very worrying.

For those iPhone users wanting to record their phone calls there's an app, unsurprisingly called Call Recorder, but it turns out those recordings could have been made available to all. Anand Prakash, founder of bug-hunting biz PingSafe AI, spotted a flaw in the app that left a reported 130,000 audio recordings, or around 300GB of data, open for plundering.

"PingSafe AI decompiled the IPA file and figured out S3 buckets, host names and other sensitive details used by the application," it said.

"The vulnerability allowed any malicious actor to listen to any user's call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim's data."

The app has now been fixed, thanks to responsible disclosure, but it might be worth deleting unwanted recordings.

Swiss police cuff member of Verkada bug finding team

Earlier this week bug hunters found that admin credentials for video surveillance biz Verkada had been left exposed, potentially leaking the in-facility camera feeds of big-name customers such as Cloudflare and Tesla. Now one of the team that found the issue has been cuffed, though not for that incident, it seems.

Tillie Kottmann, the 21-year-old hacker named in the original Verkada story, was reportedly arrested by Swiss police on Friday. Not for the video incident, but in connection with an earlier, unrelated criminal hacking case. It's believed this stems from an investigation by the FBI in the Western District of Washington.

Time to get patching Git users

Git has patched a remote code execution bug in the delayed checkout mechanism used by clean/smudge filters such as Git LFS, and it's a case of fix it now or live with a workaround that hobbles your setup.

Users need to upgrade to version 2.30.2 to avoid the error "where a specially crafted repository can execute code during a git clone on case-insensitive filesystems which support symbolic links by abusing certain types of clean/smudge filters, like those configured by Git LFS."

The only alternative is to disable support for symbolic links and process filters and avoid untrusted repositories. ®
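As an added example (not code from the article or from the Git project), here is a small POSIX shell script that checks whether the local Git is older than the 2.30.2 release the article names and, if so, prints or applies the workaround described above: switch off symbolic link support and the LFS process filter. Assumptions: only 2.30.2 is treated as fixed, so a maintenance release with a backported fix would also be flagged and should be checked against your distribution's advisory; disabling the filter is done here by unsetting `filter.lfs.process`, which also disables Git LFS until you run `git lfs install` again after upgrading.

```shell
#!/bin/sh
# Added example: flag a Git older than the fixed release and offer the
# advisory's workaround. Not part of the article or of Git itself.

git_fixed=2.30.2   # release named in the article; maintenance lines may differ

# version_lt A B: succeed (exit 0) if dotted version A is strictly lower than B.
# Compares component by component so that 2.9.0 < 2.30.2, which a plain
# string comparison would get wrong. Non-numeric suffixes (e.g. ".windows.1")
# count as 0.
version_lt() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # ran out of components: equal
        x=$(printf '%s' "$x" | tr -dc '0-9'); x=${x:-0}
        y=$(printf '%s' "$y" | tr -dc '0-9'); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Extract the numeric version from `git --version` ("git version 2.28.0" -> 2.28.0).
git_version() {
    git --version 2>/dev/null | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# The workaround: no symlinks (so a crafted repo cannot redirect where a
# filter's output lands) and no LFS process filter. With APPLY=1 the commands
# are executed; otherwise they are only printed.
# ASSUMPTION: unsetting filter.lfs.process is how the LFS filter is turned off
# here; re-run `git lfs install` after upgrading.
mitigate() {
    for cmd in \
        "git config --global core.symlinks false" \
        "git config --global --unset filter.lfs.process"
    do
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "would run: $cmd"; fi
    done
}

# Report status; exit 1 when the installed Git predates the fixed release.
main() {
    v=$(git_version)
    if [ -z "$v" ]; then echo "git not found on PATH"; return 2; fi
    if version_lt "$v" "$git_fixed"; then
        echo "git $v is older than $git_fixed: upgrade, or apply the workaround below"
        mitigate
        return 1
    fi
    echo "git $v is at or above $git_fixed"
}

# Only run when invoked with an action, so the functions can also be sourced.
case "${1:-}" in
    check) main ;;
    apply) APPLY=1; main ;;
esac
```

Run `sh git_check.sh check` to see the verdict and the commands it would run, or `sh git_check.sh apply` to write the two global config settings. Avoid cloning untrusted repositories regardless until you are on a fixed release.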
