August cyber news round-up

US and allies, including the European Union, the United Kingdom, and NATO, are officially blaming China for this year's widespread Microsoft Exchange hacking campaign.

In early March 2021, Microsoft disclosed four zero-days actively being exploited in attacks targeting on-premises Microsoft Exchange servers.

The vulnerabilities, collectively known as ProxyLogon, were exploited in attacks against tens of thousands of organisations worldwide. Threat actors were observed deploying web shells, cryptomining malware, and DearCry and Black Kingdom ransomware payloads on compromised servers.

The Biden administration attributes "with a high degree of confidence that malicious cyber actors affiliated with People's Republic of China Ministry of State Security (PRC MSS) conducted cyber-espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021."

Transgender charity Mermaids has been fined for a personal data breach which led to sensitive information being put online.

The Information Commissioner’s Office (ICO) has told the charity to pay £25,000 in relation to an internal email group it set up several years ago. The ICO found the group was set up with insufficiently secure settings and as a result, the personal information of 550 people - including names and email addresses - was searchable online. 24 of these included sensitive information, and for 15 it concerned special category data, with details over mental and physical health and sexual orientation exposed.

Steve Eckersley, director of investigations at the ICO, said “The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.”

Microsoft has disclosed details of a year-long social engineering campaign where operators kept changing their obfuscation and encryption mechanisms every 37 days on average, including relying on Morse code.

The phishing attacks take the form of invoice-themed lures mimicking financial-related business transactions, with the emails containing an HTML file ("XLS.HTML"). The ultimate objective is to harvest usernames and passwords, which are subsequently used as an initial entry point for later infiltration attempts.

"This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving," Microsoft 365 Defender Threat Intelligence Team said in an analysis. The HTML attachment is divided into several segments and encoded in a variety of ways and includes “old and unusual encryption methods like Morse code, to hide these attack segments.”

You can read the full technical analysis from Microsoft here.

T-Mobile is investigating an online forum post claiming to be selling a trove of customer sensitive data.

Online magazine and video channel Motherboard reported that it was in contact with the seller of the data, who claimed to have stolen data from T-Mobile’s servers that included Social Security numbers, names, addresses, and driver license information related to more than 100 million people. Having reviewed the data, Motherboard reported that it appeared authentic.

“We are aware of claims made in an underground forum and have been actively investigating their validity,” a T-Mobile spokesperson stated. “We do not have any additional information to share at this time.”

T-Mobile has been the target of several data breaches in the last few years, most recently in December 2020 when call-related information and phone numbers for some of its customers may have been exposed.