Skip links

US government to investigate China’s Microsoft email breach

Infosec in brief The July breach of Microsoft Exchange Online by suspected Chinese hackers is the next topic up for review by the Department of Homeland Security’s Cyber Safety Review Board (CSRB). 

DHS secretary Alejandro Mayorkas announced the review last Friday, saying it would assess the Microsoft intrusion, as well as conducting a broader review of identity and authentication infrastructure used by cloud providers. 

“Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology,”  Majorkas said. 

This will be the third investigation by the recently formed CSRB. It first reviewed Log4j vulnerabilities discovered in 2021, concluding the exploit would likely be a problem for at least a decade. Its second report, which was released earlier this week, focused on the threats from hacking group Lapsus$. In that report, the CSRB said the international cyber crime group used “simple techniques” to evade security tools, and offered ten recommendations for hardening environments against such attackers. 

The decision to investigate the July Outlook intrusion, and cloud security more broadly, was welcomed by senator Ron Wyden (D-OR), who last week blamed Microsoft for its failure to protect cloud accounts belonging to US government officials and called for the CSRB to investigate the incident. 

“I applaud president Biden and CISA director Easterly for acting on my request for the board to review this recent espionage campaign, including cyber security negligence by Microsoft that enabled it,” Wyden said. “The government will only be able to protect federal systems against cyber attacks by getting to the bottom of what went wrong. Ignoring problems is both a waste of taxpayer dollars and a massive gift to America’s adversaries.”

CISA director Jen Easterly said the CSRB’s findings would help advance cyber security across the cloud – both government and enterprise. 

It’s worth noting that the CSRB has no regulatory or enforcement powers. Rather, “its purpose is to identify relevant lessons learned to inform future improvements,” DHS said. In other words, none of what the CSRB eventually decides is binding in any way. 

The Government Accountability Office said that it has made more than 4,000 recommendations to federal agencies to address cyber security issues, and as of December 2022 more than 880 (nearly a quarter) had yet to be fully implemented. 

Critical vulnerabilities: A short list

It’s been a relatively quiet week, what with Black Hat and Def Con dominating the security space. Things aren’t much more lively when it comes to critical vulnerabilities, most of which were already covered in our August Patch Tuesday story earlier this week. 

Still, there was one particular vulnerability that’s worth mentioning.

A command injection attack in Zyxel routers that was first identified in 2017 has been spotted being exploited in the wild, CISA said earlier this week. As Fortinet pointed out, the affected Zyxel router – the P660HN-T1A – is a legacy product that is no longer under support. 

The attack is using a variant of Gafgyt with the aim of infecting vulnerable routers and recruiting them into a botnet. 

A patch was released in 2017, and anyone still running an affected router that can’t be replaced should ensure said patch is installed. Better yet, get that out-of-support hardware out of your environment and replace it with something that’s still getting security updates.

Watch out: Phishing campaign spotted targeting C-suite users

Security researchers from Proofpoint say they’ve discovered a phishing campaign using EvilProxy to bypass multi-factor authentication, and which appears to be specifically targeting corporate higher-ups and other high-value targets. 

Proofpoint said this week that the campaign has been ongoing since March, and has since sent approximately 120,000 phishing emails to more than 100 companies around the world. Interestingly enough, 39 percent of the “hundreds of … users” compromised during the campaign were C-level executives, 17 percent of whom were chief financial officers, and another nine percent were presidents and/or CEOs. 

“Not all users who fell for the initial phishing lure and submitted their credentials were accessed by bad actors,” Proofpoint said. “In contrast to other malicious campaigns we’ve observed … attackers clearly prioritized only ‘VIP’ targets, while ignoring those of lesser value.” 

EvilProxy, a threat that continues to grow in popularity, is a phishing as a service app that uses fake login pages and redirects to fool users into inputting credentials. EvilProxy can reportedly steal session cookies and MFA tokens, giving users access to compromised accounts “within seconds,” Proofpoint said. 

Last week was a bad time to be an international cyber criminal

International law enforcement has had a good week in terms of cracking down on criminals enabling international cyber crime.

Europol reported last week that it had arrested five people associated with cyber crime hosting site, as well as seizing the site’s servers and taking it offline. 

LolekHosted, Europol said, had been used to facilitate distribution of malware, launch DDoS attacks, manage botnets, send spam and host fictitious online shops, all while maintaining a no-log policy. Officials from the US FBI assisted in the investigation, Europol said. 

Interpol, meanwhile, reported the arrest of more than 100 people across the EU and Africa, identification of over 1,000 suspects, the shutdown of 208 bank accounts, and seizure of more than €‎2.15 million ($2.4m) in assets belonging to the Black Axe crime/cyber crime syndicate. 

Black Axe is one of a number of West African crime syndicates known for its violent, mafia-like style and cyber crime initiatives. Black Axe has conducted “business email compromise schemes, romance scams, inheritance scams, credit card fraud, tax fraud, advance payment scams and money laundering,” per Interpol. ®