Scans from the ShadowServer Foundation indicate that there are nearly 20,000 publicly available Microsoft Exchange servers that are running software that is no longer supported. More than half of the vulnerable servers are located in Europe; just over 6,000 are located in North America, and 2,200 are located in Asia.
It really is time to not host your own Exchange server. The cost of keeping it updated as well as keeping up with security settings needed in today's threat landscape generally exceeds the cost of M365 or other hosted service.
As all these Exchange servers are externally facing, they can, and likely will, be targeted by evildoers. What’s unknown is whether some of these servers are simply honeypots used to collect malware. In any event, the only solution is to upgrade to a supported version of the mail server.
If your company cafeteria still serves sandwiches using mayonnaise with a “Use before April 12th, 2007” warning, you should probably fire the cafeteria manager. The same is probably true for whoever has made the decision to continue using Exchange Server 2007.
Bleeping Computer
ShadowServer
Shadow Server
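As an added example, not part of the NewsBites item or ShadowServer's own tooling, the following Python script turns a version fingerprint of an Outlook Web App endpoint into a support verdict, which is the check behind the numbers above. It assumes the four-part build number was collected from the X-OWA-Version response header or from a versioned resource path in the OWA login page, and the build-prefix-to-product mapping and end-of-support dates are taken as assumptions from Microsoft's public lifecycle information (verify them against the current lifecycle page). The hostnames and responses are constructed for the example.

```python
import re
from datetime import date

# Date of this NewsBites issue; the default for assess_all() is date.today().
AS_OF = date(2023, 12, 5)


def product_for_build(major, minor):
    """Map an Exchange build prefix to (product name, end of extended support).

    Assumed from Microsoft's public lifecycle information; not from the article.
    """
    if major == 8:
        return ("Exchange Server 2007", date(2017, 4, 11))
    if major == 14:
        return ("Exchange Server 2010", date(2020, 10, 13))
    if major == 15:
        return {
            0: ("Exchange Server 2013", date(2023, 4, 11)),
            1: ("Exchange Server 2016", date(2025, 10, 14)),
            2: ("Exchange Server 2019", date(2025, 10, 14)),
        }.get(minor)
    return None


# A four-part build number, as seen in the X-OWA-Version header or in
# versioned resource paths such as /owa/auth/<build>/... on the login page.
BUILD_RE = re.compile(r"\b(\d{1,2})\.(\d{1,2})\.(\d{1,4})\.(\d{1,4})\b")


def extract_build(headers, body):
    """Return the build as a tuple of ints, or None if no build number is visible."""
    text = headers.get("X-OWA-Version", "") + "\n" + body
    m = BUILD_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(host, headers, body, today):
    """Classify one OWA endpoint as supported, unsupported, or unknown."""
    build = extract_build(headers, body)
    if build is None:
        return {"host": host, "build": None, "product": None, "status": "unknown"}
    product = product_for_build(build[0], build[1])
    if product is None:
        return {"host": host, "build": build, "product": None, "status": "unknown"}
    name, end_of_support = product
    status = "unsupported" if today > end_of_support else "supported"
    return {"host": host, "build": build, "product": name,
            "end_of_support": end_of_support, "status": status}


def assess_all(hosts, today=None):
    """hosts: {hostname: {"headers": {...}, "body": "..."}} -> {hostname: verdict}."""
    today = today or date.today()
    return {h: assess(h, r["headers"], r["body"], today) for h, r in hosts.items()}


# Constructed sample responses; hostnames, headers and HTML are made up.
SAMPLE_HOSTS = {
    "mail.example-a.test": {"headers": {"X-OWA-Version": "8.3.83.6"}, "body": ""},
    "mail.example-b.test": {"headers": {},
                            "body": '<link href="/owa/auth/15.1.2507.27/themes/resources/favicon.ico">'},
    "mail.example-c.test": {"headers": {"X-OWA-Version": "15.0.1497.48"}, "body": ""},
    "mail.example-d.test": {"headers": {}, "body": "<html>login page, version not exposed</html>"},
}

if __name__ == "__main__":
    for host, verdict in assess_all(SAMPLE_HOSTS, today=AS_OF).items():
        print(f"{host}: {verdict['status']} ({verdict['product']})")
```

The "unknown" bucket matters in practice: a server that hides its build is not thereby supported, so treat it as a host that still needs an authoritative inventory check rather than as a pass.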
The European Union’s Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for hardware and software products with digital elements. Developers will be required to implement cybersecurity measures throughout the lifecycle of their products. The European Parliament and the EU Council reached a political agreement on the measure over the weekend; the CRA must still be formally approved by both entities. Once the CRA takes effect, organizations will have 21 months to implement incident and vulnerability reporting measures, and three years to adopt the other requirements.
This is a significant piece of regulation that is going to have a major, and in my opinion positive, impact on cybersecurity. Vendors will have to ensure their products, software and/or hardware, meet a minimum level of requirements. For far too long the onus on securing a product has been laid at the consumer; vendors now have to be responsible for ensuring the security of their products. This will have far reaching implications for cybersecurity outside of the EU and should only be seen as a net positive in making systems more secure.
The act inserts the EU as the single authority of what’s good enough from a security perspective for all digital products destined for the European market. In today’s global marketplace, that’s all the world’s digital products. As written, there are 15 sets of ‘essential cybersecurity requirements’ for all products with digital elements and an even larger set of requirements for products deemed ‘critical.’ The act also imposes sanctions and substantial fines for non-compliance. Perhaps the act is nothing more than a new revenue source for the EU under the guise of increasing cybersecurity resiliency. What’s unclear is whether vendors a) ignore the CRA, tempting enforcement action; b) seek State-level diplomacy; or c) simply abandon the EU market altogether.
I’m excited about this one as there are millions of devices on the Internet with absolutely no security baked into them (wide open ports, no updating processes, default passwords, confusing interfaces, difficult to maintain). This is a first step requiring vendors to bake security into these devices. What will be interesting is that a huge number of those devices are designed and manufactured in China.
In a filing with the US Securities and Exchange Commission (SEC), the genetic testing company 23andMe said that an October breach of its systems compromised data belonging to nearly seven million people. The information includes ancestry reports and health-related data. The SEC filing amends an earlier filing that estimated the number of affected people to be 14,000. In early November, 23andMe implemented two-factor authentication for account access.
An article by CNBC from 2018 states about companies offering DNA testing: "their business future depends on maintaining the trust of consumers." The article was written after the FTC started investigating some of these companies, including 23andMe, for their data handling and sharing practices. Consumers need to carefully compare the risk of having their data stolen over the health benefit. Sadly, most consumers will just compare price, which means that companies are better off saving money on data protection and adding additional revenue from data sharing agreements to offer cheaper tests. https://www.cnbc.com/2018/06/16/5-biggest-risks-of-sharing-dna-with-consumer-genetic-testing-companies.html
This really doesn’t come as a surprise to anyone as organizations typically underestimate the data loss while the forensics investigation continues. Perhaps the standard should be, assume 100 percent data loss until the investigation concludes.
These include credential-stealing attacks. Whether you’re actively using 23andMe or you did their DNA test and nothing more, go to your account and enable two-factor authentication. Help users leverage a password manager to make sure that credentials aren’t reused.
TechCrunch
Ars Technica
SC Magazine
Silicon Angle
SEC
More than 50 US credit unions are experiencing outages following a ransomware attack on cloud services provider Ongoing Operations. A National Credit Union Administration (NCUA) spokesperson said that Ongoing Operations notified several credit unions that it was hit with a ransomware attack on November 26.
Trellance owns Ongoing Operations. Users of any Trellance services should check for compromise and obtain assurances from Trellance about their vulnerability management processes.
Unlike big banks, credit unions often depend on service providers, such as an outsourcer called a Credit Union Service Organization (CUSO), to provide the services members need. While they work hard to make sure they are secure, just as when one of our third-party providers falls, they are similarly affected. What’s interesting here is the affected credit unions are working together with the CUSO on the recovery.
An example of a ransomware attack on a managed service provider (MSP) affecting a segment of the financial industry. Intentional and unintentional (in this case) supply chain attacks are becoming all too common. Disruption of IT services should be a normal part of risk management planning and part of the risk register for regular review by the executive team.
The US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) has published an alert urging health care entities to patch their systems against the Citrix Bleed vulnerability. Citrix released updated versions of NetScaler ADC and NetScaler Gateway in October.
Citrix users need to go beyond patching. Review the controls you have enabled around your Citrix deployment, and what else you can do to detect compromise. Citrix's history suggests that there will be more vulnerabilities in the future. In particular for installs that are critical for remote access, you will need to enable whatever controls you can to prevent compromise. Do not just rely on reactive patching.
Threat actors are actively scanning for systems vulnerable to CitrixBleed. This is going to be like MOVEit or other recent vulnerabilities: apply the patch and make sure these services are not internet accessible.
What’s troubling is that HHS still felt the need to publish an alert 50-ish days after initial vulnerability disclosure by Citrix. That’s like an eternity in attacker time. If hospitals haven’t prioritized the patch by now, well, frankly, it’s too late.
AHA
Health IT Security
Bleeping Computer
The Record
Citrix
Google’s December 2023 security update release for Android includes fixes for more than 80 vulnerabilities, including a critical vulnerability in Android’s System component. The flaw can be exploited to remotely execute code with no additional privileges. The other vulnerabilities include three critical flaws that could lead to remote code execution and information disclosure.
CVE-2023-40088, the zero-click RCE that requires no added privileges to execute, doesn’t yet have a CVSS score. Treat this like you would a zero day or mitigating the Pegasus malware. Push this update to your devices as soon as it’s available from your OEMs. This is a good time to verify the level of visibility you have into your devices and patch levels.
Google both issues these security bulletins and provides software updates for its Pixel devices at the same time. Unfortunately, the rest of the Android ecosystem must test their devices prior to releasing patches. This presents an opportunity for attackers to reverse engineer the Google supplied patches, find the root vulnerability, and target unpatched devices – a vicious cycle that currently favors evil-doers.
Android
Bleeping Computer
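The commentary above asks for visibility into device patch levels, and the ecosystem lag it describes shows up as a gap between OEMs. The following Python script is an added example (not from Google's bulletin or the article): it parses `getprop` output from enrolled Android devices, compares `ro.build.version.security_patch` with the bulletin's 2023-12-01 patch level, and tallies the result per manufacturer. In practice the input would come from `adb -s <serial> shell getprop` or from an MDM export; the serials and property values below are constructed for the example, and the OEM names are placeholders.

```python
from collections import defaultdict
from datetime import date

# Security patch level that carries the fixes in the December 2023 bulletin
# (the bulletin URL above names 2023-12-01; pass a later level if you require one).
REQUIRED_PATCH_LEVEL = date(2023, 12, 1)


def parse_patch_level(value):
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if absent or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (AttributeError, ValueError):
        return None


def parse_getprop(output):
    """Turn `getprop` output ("[key]: [value]" per line) into a dict."""
    props = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("[") and "]: [" in line and line.endswith("]"):
            key, value = line[1:-1].split("]: [", 1)
            props[key] = value
    return props


def assess_fleet(devices, required=REQUIRED_PATCH_LEVEL):
    """devices: {serial: getprop output}. Returns (per-device report, per-OEM counts)."""
    report = {}
    by_oem = defaultdict(lambda: {"current": 0, "behind": 0, "unknown": 0})
    for serial, output in devices.items():
        props = parse_getprop(output)
        oem = props.get("ro.product.manufacturer", "unknown")
        level = parse_patch_level(props.get("ro.build.version.security_patch"))
        if level is None:
            status = "unknown"      # property missing: too old, or not a real getprop dump
        elif level >= required:
            status = "current"
        else:
            status = "behind"
        report[serial] = {"oem": oem, "patch_level": level, "status": status}
        by_oem[oem][status] += 1
    return report, dict(by_oem)


# Constructed sample: serials, manufacturers and patch levels are made up.
SAMPLE_DEVICES = {
    "PIXEL0001": "[ro.product.manufacturer]: [Google]\n"
                 "[ro.build.version.security_patch]: [2023-12-05]\n",
    "OEMA0002":  "[ro.product.manufacturer]: [OEM-A]\n"
                 "[ro.build.version.security_patch]: [2023-10-01]\n",
    "OEMA0003":  "[ro.product.manufacturer]: [OEM-A]\n"
                 "[ro.build.version.security_patch]: [2023-12-01]\n",
    "OLD00004":  "[ro.product.manufacturer]: [OEM-B]\n"
                 "[ro.build.version.release]: [5.1]\n",
}

if __name__ == "__main__":
    report, by_oem = assess_fleet(SAMPLE_DEVICES)
    for serial, r in report.items():
        print(f"{serial}: {r['oem']} {r['patch_level']} -> {r['status']}")
    print(by_oem)
```

Devices in the "unknown" bucket deserve the same attention as those "behind": a device that does not report a patch level at all is almost certainly not receiving this update.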
The BlackBerry Threat Research and Intelligence Team is tracking a cyberthreat actor that has been targeting a US aerospace company. Dubbed AeroBlade, the threat actor gained an initial presence in the targeted system through spear phishing. Their likely goal is espionage. BlackBerry researchers say the active offensive portion of the attack took place in July 2023.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) have jointly released a cybersecurity advisory regarding cyber threat actors exploiting weaknesses in programmable logic controllers (PLCs) in water and wastewater systems. The advisory includes indicators of compromise (IoCs) and recommends that water utilities implement multifactor authentication, check PLCs for default passwords, and employ strong, unique passwords.
Beyond the above recommendations, protect PLCs with segmented or isolated networks, always require VPN/bastion hosts and similar measures. Never allow direct access from the Internet or other untrusted network.
CISA
Security Week
Infosecurity Magazine
SC Magazine
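The commentary above says PLCs belong on a segmented network reachable only through a bastion host, never directly from the Internet. As an added example (not part of the advisory), the following Python script checks an ordered, first-match firewall rule list against that policy by probing representative sources against a PLC address. The OT segment, bastion address, probe addresses and both rule sets are constructed assumptions for the example; the point it makes is that rule order matters, so the check simulates evaluation rather than grepping for "0.0.0.0/0".

```python
import ipaddress

# Assumed network layout for this example.
PLC_SEGMENT = ipaddress.ip_network("10.50.0.0/24")        # isolated OT segment holding the PLCs
BASTION_HOSTS = [ipaddress.ip_network("10.10.1.5/32")]   # the only permitted path into it
PLC_IP = ipaddress.ip_address("10.50.0.20")              # one PLC used as the probe target

# Representative sources to test; addresses are constructed.
PROBES = {
    "internet": ipaddress.ip_address("203.0.113.10"),
    "corporate_lan": ipaddress.ip_address("10.20.3.4"),
    "bastion": ipaddress.ip_address("10.10.1.5"),
}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def first_match(rules, src_ip, dst_ip):
    """Evaluate an ordered list of (action, src_cidr, dst_cidr); first match wins, default deny."""
    for action, src, dst in rules:
        if src_ip in _net(src) and dst_ip in _net(dst):
            return action
    return "deny"


def audit(rules):
    """Return names of probe sources that can reach the PLC but are not a bastion."""
    findings = []
    for name, src in PROBES.items():
        reachable = first_match(rules, src, PLC_IP) == "allow"
        permitted = any(src in b for b in BASTION_HOSTS)
        if reachable and not permitted:
            findings.append(name)
    return findings


def bastion_path_works(rules):
    """The bastion itself must still be able to reach the segment, or operators lose access."""
    return all(first_match(rules, b.network_address, PLC_IP) == "allow" for b in BASTION_HOSTS)


# Constructed rule sets: the weak one exposes the PLC to anyone; the hardened
# one allows only the bastion and then explicitly denies everything else into
# the segment before any broader corporate allow rule.
WEAK_RULES = [
    ("allow", "0.0.0.0/0", "10.50.0.0/24"),
    ("allow", "10.0.0.0/8", "10.0.0.0/8"),
]
HARDENED_RULES = [
    ("allow", "10.10.1.5/32", "10.50.0.0/24"),
    ("deny", "0.0.0.0/0", "10.50.0.0/24"),
    ("allow", "10.0.0.0/8", "10.0.0.0/8"),
]
# Same rules as HARDENED_RULES but with the deny placed after the broad allow:
# the corporate LAN reaches the PLC again, which the audit catches.
MISORDERED_RULES = [
    ("allow", "10.10.1.5/32", "10.50.0.0/24"),
    ("allow", "10.0.0.0/8", "10.0.0.0/8"),
    ("deny", "0.0.0.0/0", "10.50.0.0/24"),
]

if __name__ == "__main__":
    for name, rules in [("weak", WEAK_RULES), ("hardened", HARDENED_RULES),
                        ("misordered", MISORDERED_RULES)]:
        print(f"{name}: violations={audit(rules)} bastion_ok={bastion_path_works(rules)}")
```

Run against an export of the real rule base, the same two checks give a quick answer to the two questions the advisory raises: can anything other than the bastion reach the PLCs, and does the bastion path still work after you tighten the rules.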
A newly observed variant of the P2Pinfect botnet is targeting the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture. Researchers at Cado Security Labs, which has been monitoring the botnet since July 2023, say the new target indicates the botnet operators are focusing efforts on embedded devices, such as routers and other Internet of Things (IoT) devices.
Cado Security
Infosecurity Magazine
The Hacker News
SC Magazine
Zarya Hacktivists: More than just Sharepoint
https://isc.sans.edu/diary/Zarya+Hacktivists+More+than+just+Sharepoint/30450
ICANN Registration Data Request Service (RDRS)
Android Updates
https://source.android.com/docs/security/bulletin/2023-12-01
Fake Phishing Scan Tricks Users into Installing Backdoor Plugin
GitLab Patches
https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1-released/
UEFI Exploit via Boot Image
https://binarly.io/posts/The_Far_Reaching_Consequences_of_LogoFAIL/index.html
Qlik Sense Exploited by Cactus Ransomware
https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/
https://www.praetorian.com/blog/qlik-sense-technical-exploit/
VMWare Vulnerability Patched
https://www.vmware.com/security/advisories/VMSA-2023-0026.html