Hackers have gained access to security cams in Tesla and beyond

Widespread hacking remained on everyone’s mind this week as countless companies and organizations continued to grapple with a slew of major hacks. With Microsoft’s patches out for a while, a range of nation-state and criminal actors are becoming more aggressive in exploiting a series of Microsoft Exchange Server bugs that have already been actively attacked by the Chinese group Hafnium. Meanwhile, the White House is considering a response to Russia’s recent, high-profile SolarWinds espionage campaign, which compromised data at numerous U.S. government agencies and private companies around the world. For the Biden administration, there is a risk that too much retaliation would erode norms and be seen as hypocritical, given that the U.S. and virtually every other government engage in digital espionage.

Criminal hackers have also continued their extortion campaign related to a breach of network equipment and firewall maker Accellion. The world of digital chess is in turmoil, spilling over into digital harassment, over cheating allegations involving a Twitch and YouTube chess star and an upstart challenger in a match the master lost. And Google researchers developed a proof-of-concept browser exploit to raise awareness of the threat that speculative execution attacks, such as those exploiting the infamous “Spectre” vulnerability, still pose on the web three years later.

The privacy-focused Brave browser launched its own search engine this week that aims to give Google a run for its money without sucking up so much user data. And we took another look at the top five password managers you can use right now. Now is a good time to brush up on them, especially considering that Netflix may be cracking down on password sharing.

And there is more! Every week we collect all the news that we have not discussed in detail. Click on the headlines to read the full stories. And stay safe out there.

Hackers breached the video surveillance company Verkada on Monday, Bloomberg reported, and gained access to a ‘super admin’ account that allowed them to view more than 150,000 live feeds and video archives from Verkada’s customers. Organizations exposed included prisons, schools and hospitals – such as the Madison County Jail in Huntsville, Alabama, and Sandy Hook Elementary School – as well as technology companies such as Tesla and Cloudflare. More than 100 Verkada employees had access to thousands of customer feeds – an additional surprising and probably disturbing revelation for the company’s customers. Tillie Kottman, a hacker who claimed responsibility for the breach, said in a Mastodon post on Friday that officials raided their apartment in Lucerne, Switzerland, and seized their electronic devices. The search warrant apparently related to an alleged hack from last year and not the Verkada breach.

Security researchers warned this week that a full, public proof-of-concept exploit for recently patched Microsoft Exchange Server vulnerabilities would further fuel a hacking frenzy that had already escalated in recent days. On Wednesday, independent security researcher Nguyen Jang uploaded such an exploit to the code repository platform GitHub. Within hours, GitHub had deleted the post. The incident caused controversy within the security community because Microsoft owns both GitHub and Exchange Server. The idea that a corporate overlord could control content on GitHub, or otherwise encroach on the open source community, caused widespread controversy during Microsoft’s acquisition of the service.

“We understand that the publication and distribution of proof-of-concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the wider ecosystem safe,” a GitHub spokesperson told Motherboard on Thursday. “In accordance with our acceptable use policy, we disabled the core following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.”
