Hacking group targets organizations via Microsoft server software – Researcher

An unknown hacking group recently broke into organizations using a newly discovered flaw in Microsoft mail server software, a researcher said on Tuesday, in an example of how commonly used programs can be exploited to cast a wide net online.

Microsoft’s near-ubiquitous suite of products has been under scrutiny since the hack of SolarWinds, the Texas-based software firm that served as a springboard for several intrusions across government and the private sector. In other cases, hackers took advantage of the way customers had set up their Microsoft services to compromise their targets or dive further into affected networks.

Hackers who went after SolarWinds also breached Microsoft itself, accessing and downloading source code – including elements of Exchange, the company’s email and calendaring product.

Mike McLellan, director of intelligence for Dell Technologies Inc’s Secureworks, said he noticed the recent issue after a sudden spike in activity touching Exchange servers overnight on Sunday, with around 10 customers affected at his firm.

“It appears to be someone scanning and exploiting Microsoft Exchange servers in some way. We don’t know how,” he told Reuters.

Microsoft said in a statement that it would be “releasing an update and additional guidance to customers as soon as possible.” The statement said there was no relationship between the recent activity and the SolarWinds-tied hacking campaign.

McLellan said that for now, the hackers appeared focused on seeding malicious software and setting the stage for a potentially deeper intrusion rather than aggressively moving into networks right away.

“We haven’t seen any follow-on activity yet,” he said. “We’re going to find a lot of companies affected but a smaller number of companies actually exploited.”

McLellan said he had no solid indication of who might be responsible. The hackers in this case were using a strain of malware called “China Chopper,” which – despite the name – is used by a variety of digital spies.

The profile of the targets did not match any particular online threat, McLellan said. “It looks like a bit of a random mix.”

CoreLogic asks CoStar for assurances on antitrust risk – Sources

U.S. property data and analytics company CoreLogic Inc has asked peer CoStar Group Inc for more assurances that it can complete their combination should it attract antitrust scrutiny, people familiar with the matter said.

CoStar unveiled a $6.9 billion all-stock bid for CoreLogic earlier this month, after the latter agreed to sell itself to a private equity consortium of Stone Point Capital and Insight Partners for about $6 billion.

CoreLogic has informed CoStar it would be willing to declare its bid superior and abandon its deal with the private equity firms if CoStar provides more certainty that the transaction will be completed expeditiously, the sources said.

A decline in recent days in CoStar shares has highlighted the need for such certainty for CoreLogic’s board, according to the sources. CoStar’s bid was worth $95.76 per share when it was unveiled on Feb. 16. It was worth about $82 per share on Thursday afternoon because of the decline in CoStar’s shares, only slightly more than the $80 per share all-cash bid it accepted from Stone Point Capital and Insight Partners. The more time lapses, the more the value of CoStar’s bid could change.

While some of CoreLogic’s demands involving technical aspects of the deal are expected to be ironed out with CoStar, the antitrust provisions remain a significant sticking point, the sources said.

CoreLogic initially asked for a “hell-or-high-water” clause that would force CoStar to undertake all actions that antitrust regulators may request for the deal to happen, including any necessary divestitures, the sources said.

It has since dropped this request but still wants CoStar to make commitments to closing the deal, including accepting a deadline for completing the transaction akin to the six-month deadline that the private equity firms agreed to, the sources said. CoStar is currently pushing for a 12-month deadline, the sources added.

CoStar has argued there is little antitrust risk for the deal, and that regulators may be able to approve it in as little as one month, according to the sources.

An attempt last year by CoStar to buy another company, apartment search site operator RentPath Holdings Inc, for $588 million was thwarted by U.S. antitrust regulators. RentPath sued CoStar over the deal’s $58 million breakup fee, and last week reached a settlement recovering most of that fee.

CoreLogic’s board wants to make sure that any deal it inks with CoStar does not get torpedoed by regulators, the sources said. It has asked for CoStar to pre-fund its proposed $330 million breakup fee, and also not to negotiate with potential acquirers of its assets until the deal closes, the sources added.

It remains unclear whether CoStar and CoreLogic will be able to negotiate a deal, the sources said, requesting anonymity because the talks are confidential. CoStar and CoreLogic did not immediately respond to requests for comment.

The takeover interest in CoreLogic came after activist investors Senator Investment Group LP and Cannae Holdings Inc began pushing the company to seek a sale by mounting their own acquisition bid, which they abandoned once the sale process got under way.

A big part of CoreLogic’s business is thriving, as low interest rates have fueled a boom in parts of the property market.

CoStar, which also participated in the auction for CoreLogic before losing out to the private equity consortium, reported fourth-quarter earnings on Tuesday that beat most analysts’ expectations. Yet its shares have been dropping amid a broader sell-off in technology stocks and uncertainty over its bid for CoreLogic.

CoStar has said its acquisition of CoreLogic would result in $150 million to $250 million in annual cash flow synergies. It has argued those synergies alone are worth several billion dollars to shareholders of the combined company.

It has also argued that it does not need to place an “equity collar” on its all-stock bid, which would protect CoreLogic shareholders from CoStar shares dropping too much, given the value of these synergies and the deal’s rationale.

CoreLogic shareholders would own 16.2% of the combined company under CoStar’s terms. Were it to sweeten its bid further by offering more of its shares, it would trigger a requirement under its bylaws for CoStar shareholders to vote on the deal. Under the proposed offer, only CoreLogic shareholders need to vote on the deal should its board approve it.

Britain’s GCHQ cyber spies embrace the AI revolution

By: Guy Faulconbridge

Britain’s cyber spies at the GCHQ eavesdropping agency say they have fully embraced artificial intelligence (AI) to uncover patterns in vast amounts of global data to counter hostile disinformation and snare child abusers.

AI, which traces its history back to British mathematician Alan Turing’s work in the 1930s, allows modern computers to learn to sift through data to see the shadows of spies and criminals that a human brain might miss.

GCHQ, where Turing cracked Germany’s naval Enigma code during World War Two, said advances in computing and the doubling of global data every two years meant it would now fully embrace AI to unmask spies and identify cyber attacks.

The world’s biggest spy agencies in the United States, China, Russia and Europe are in a race to embrace the might of the technological revolution to bolster their defensive and offensive capabilities in the cyber realm.

“AI, like so many technologies, offers great promise for society, prosperity and security. Its impact on GCHQ is equally profound,” said Jeremy Fleming, the director of GCHQ.

The Cheltenham-based Government Communications Headquarters (GCHQ) – the British equivalent of the NSA – is publishing a paper “Pioneering a New National Security: The Ethics of AI” confirming its full use of the technology.

“AI will be a critical issue for our national security in the 21st century,” the report, released on Thursday, said.

While AI is not yet at the science-fiction stage of competing with humans to generate revolutionary ideas such as AI itself, computer software can see patterns in data within seconds that human minds would take hundreds of years to see.

GCHQ has been using basic forms of AI such as translation technology for years but is now stepping up its use, partly in response to the use of AI by hostile states and partly due to the data explosion which makes it effective.

Hostile states were using AI tools in an attempt to undermine free societies by spreading disinformation, GCHQ said, so it would use AI to counter such networks.

Similarly, AI could be deployed against organised crime or child abusers to uncover their networks or the maze of complex financial transactions which have traditionally been used to shield criminal empires.

In cyber intelligence, the United States is ranked by the Harvard Kennedy School’s Belfer Center as the top global power, followed by Britain, China and Israel.

“We can expect the deployment of new computing techniques, synthetic biology and other emerging technologies over the next few years,” GCHQ said in the report.

“Each new development helps our economy and society grow stronger, and provides opportunities to keep us secure, but also has the potential to be misused by those who seek to do us harm.”

Apple adds ‘BlastDoor’ security feature to fight iMessage hacks

Apple Inc has added a security feature across its operating systems to battle hacks into its devices that rely on incoming iMessages, it said on Thursday.

The “BlastDoor” feature processes incoming iMessage traffic and only passes on safe data to the rest of an Apple device’s operating system, company officials said in a briefing.

Starting in 2016, a team of former U.S. government intelligence operatives working for the United Arab Emirates hacked into the iPhones of activists, diplomats and rival foreign leaders, Reuters reported in 2019.

Using a sophisticated spying tool called Karma, which relied on a flaw in Apple’s iMessage system, they accessed iPhones without requiring the targets to click on anything to establish a connection. A new wave of attacks last year used similar tools to target journalists at Al Jazeera.

While largely invisible to users, BlastDoor is present on iOS 14, the most recent version of Apple’s iPhone operating system, and systems for all its other devices, company officials said.

Apple held the briefing around the release of its annual security guide for cybersecurity researchers.

The latest update included new details on how many security features long found in iPhones are being brought over to Apple’s Mac computer line, which in November began to integrate custom-designed processor chips after more than a decade of relying on Intel Corp processors.

Source: Reuters Business

U.S. says threat posed by North Korea cyber activity part of policy review

(Reuters) – North Korea’s malicious cyber activities threaten the United States and its allies and will be included in an ongoing review of U.S. policy toward the country, State Department spokesman Ned Price said on Wednesday.

“North Korea poses a significant cyber threat to financial institutions, it remains a cyber espionage threat, it retains the ability to conduct disruptive cyber attacks,” Price told a news briefing.

“Our review of our policy to North Korea will take into account the totality of the malign activity and the threats that are emanating from North Korea. … Of course its malicious cyber activity is something we are carefully evaluating and looking at as well.”

French IT monitoring company was targeted by hackers, cyber agency says

(Reuters) – Hackers have spent up to three years breaking into organizations by targeting monitoring software made by the French company Centreon, France’s cybersecurity watchdog said on Monday.

The watchdog, known by its French acronym ANSSI, stopped short of identifying the hackers but said that they had a similar modus operandi as the Russian cyberespionage group often nicknamed “Sandworm.”

ANSSI, Centreon, and the Russian embassy in Paris did not immediately return messages seeking comment.

The targeting of Centreon, a Paris-based company which specializes in information technology monitoring, further highlights how attractive such firms are to digital spies.

Cybersecurity officials in the United States are still trying to get their hands around an ambitious espionage campaign that hijacked IT monitoring software made by the Austin, Texas-based firm SolarWinds. American officials, who have blamed Moscow for the hacking, have hinted that other firms have also been hit in similar ways.

Earlier this month Reuters reported that suspected Chinese hackers also targeted SolarWinds customers, using a different and less serious bug to help spread across their victims’ networks.

The initial vector for the campaign of intrusions that targeted Centreon software was not known, ANSSI said in a 40-page report posted on its website. It said it had discovered intrusions dating back to late 2017 and stretching into 2020.

The watchdog did not identify the names or number of victims involved but said they were mainly IT services firms such as internet hosting providers.

Cloud first: T-Systems announces new strategy

T-Systems is strategically repositioning itself with cloud services. With “Cloud First”, the company will focus on cloud computing in the future – from private cloud to public cloud to hybrid cloud. To this end, T-Systems has deepened its partnerships with Amazon Web Services AWS and Microsoft.

In addition, the Telekom subsidiary is increasingly training cloud experts and expanding its Open Telekom Cloud. In total, the investments in expanding cloud services add up to a three-digit million euro amount.

“Everything is becoming cloud,” says Adel Al-Saleh, member of the Deutsche Telekom Board of Management and CEO of T-Systems. “The trick is no longer to operate data centers, but to map work processes intelligently in highly automated infrastructures, which we call cloud computing. We are consistently aligning our company to this.”  

For example, T-Systems has expanded its strategic cooperation with Microsoft and AWS in recent months. Customers now receive a cloud solution based on Microsoft Azure from a single source with a single invoice. Customers also now benefit from faster migration to the cloud on AWS infrastructure.

The range of services also includes the Google Cloud. T-Systems can thus manage multi-cloud landscapes for customers. For all cloud solutions, the IT service provider also offers data security. For customers with the highest compliance and data protection requirements, T-Systems is also expanding the capacities of its own public cloud, the Open Telekom Cloud.

More than 3,000 cloud architects and experts work for T-Systems. The IT service provider plans to equip 5,000 additional employees with deep cloud capabilities.

T-Systems will present its new cloud offering for the first time at Accelerate Digital Now on February 16 and 17. The biggest digital customer event of the year will focus on secure migration to the modern IT world:

Future IT Transformation brings legacy IT systems into the modern era. A total of six modules transfer inflexible COBOL programs to Java or Linux, rescue information from old databases or bring mainframe systems into the cloud.

Cloud Migration Framework is the recipe for a fast path to the public cloud. T-Systems experts analyze the initial situation for each customer individually, then automatically transfer the applications to the target platform and support them there.

Unfortunately, the number of cyberattacks on companies’ networks and IT infrastructure continues to rise steadily. Telekom’s Security Operations Center keeps an eye on several million attempted attacks on companies every day so that it can intervene if necessary.

Increasingly, networked machines are now being targeted by hackers. With its new Magenta Industry Security offering, Telekom is extending its protection to control systems in the manufacturing industry.

Europol: 10 arrested for $100m cryptocurrency theft from celebs & others

Reuters – Europol, the European police agency, said on Wednesday it had assisted in the arrest of 10 hackers suspected of stealing $100 million in cryptocurrency in “SIM-swapping” attacks that allowed suspects to gain access to their victims’ phones.

“The attacks orchestrated by this criminal gang targeted thousands of victims throughout 2020, including famous internet influencers, sport stars, musicians and their families,” the agency said in a statement.

The arrests were made after an investigation with cooperation from Britain, the United States, Belgium, Malta and Canada, Europol said.

In a SIM-swapping attack, criminals can gain control over a SIM – the small computer chip that carries a phone number used to identify a customer on a telecommunication network. Usually a phone company is tricked into deactivating a working SIM and transferring its functions to one controlled by the hackers.

“This enabled (hackers) to steal money, cryptocurrencies and personal information, including contacts synced with online accounts,” Europol said in a press statement detailing the operation.

“They also hijacked social media accounts to post content and send messages masquerading as the victim.”

Europol did not identify the victims or say where the arrests took place. It advised the public not to use services that rely on text messages to help log in to online accounts, as these are vulnerable to SIM-swapping attacks, which it said are on the rise.

One of the most notable victims of a SIM-swapping attack in the past was Twitter CEO Jack Dorsey, in 2019.

Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – Sources

Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, five people familiar with the matter told Reuters, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency.

Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.

The software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network monitoring software.

Security researchers have previously said a second group of hackers was abusing SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China and ensuing U.S. government breach have not been previously reported.

Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.

The Chinese foreign ministry said attributing cyberattacks was a “complex technical issue” and any allegations should be supported with evidence. “China resolutely opposes and combats any form of cyberattacks and cyber theft,” it said in a statement.

SolarWinds said it was aware of a single customer that was compromised by the second set of hackers but that it had “not found anything conclusive” to show who was responsible. The company added that the attackers did not gain access to its own internal systems and that it had released an update to fix the exploited software bug in December.

A USDA spokesman acknowledged a data breach had occurred but declined further comment. The FBI declined to comment.

Although the two espionage efforts overlap and both targeted the U.S. government, they were separate and distinctly different operations, according to four people who have investigated the attacks and outside experts who reviewed the code used by both sets of hackers.

While the alleged Russian hackers penetrated deep into SolarWinds’ network and hid a “back door” in Orion software updates which were then sent to customers, the suspected Chinese group exploited a separate bug in Orion’s code to help spread across networks they had already compromised, the sources said.

The side-by-side missions show how hackers are focusing on weaknesses in obscure but essential software products that are widely used by major corporations and government agencies.

“Apparently SolarWinds was a high value target for more than one group,” said Jen Miller-Osborn, the deputy director of threat intelligence at Palo Alto Networks’ Unit42. Former U.S. chief information security officer Gregory Touhill said separate groups of hackers targeting the same software product was not unusual. “It wouldn’t be the first time we’ve seen a nation-state actor surfing in behind someone else, it’s like ‘drafting’ in NASCAR,” he said, where one racing car gets an advantage by closely following another’s lead.

The connection between the second set of attacks on SolarWinds customers and suspected Chinese hackers was only discovered in recent weeks, according to security analysts investigating alongside the U.S. government.

Reuters could not determine what information the attackers were able to steal from the National Finance Center (NFC) or how deep they burrowed into its systems. But the potential impact could be “massive,” former U.S. government officials told Reuters.

The NFC is responsible for handling the payroll of multiple government agencies, including several involved in national security, such as the FBI, State Department, Homeland Security Department and Treasury Department, the former officials said.

Records held by the NFC include federal employee social security numbers, phone numbers and personal email addresses as well as banking information. On its website, the NFC says it “services more than 160 diverse agencies, providing payroll services to more than 600,000 Federal employees.” The USDA spokesman said in an email: “USDA has notified all customers (including individuals and organizations) whose data has been affected.”

“Depending on what data were compromised, this could be an extremely serious breach of security,” said Tom Warrick, a former senior official at the U.S. Department of Homeland Security. “It could allow adversaries to know more about U.S. officials, improving their ability to collect intelligence.”

Home working increases cyber-security fears

Peter says that the cyber-attacks on his company are relentless.

Image: A man typing on a keyboard. Caption: Companies are constantly facing cyber-attacks, and staff working from home can make them more vulnerable.

“We see tens of different hacking attacks every single week. It is never ending.”

A senior computer network manager for a global financial services company, Peter (who did not want to give his surname, or the name of his employer, due to his firm’s anxieties surrounding cyber-security), says they are bombarded from all directions.

“We see everything,” he says. “Staff get emails sent to them pretending to be from the service desk, asking them to reset their log-in passwords.

“We see workers being tricked into downloading viruses from hackers demanding ransoms, and we have even had employees sent WhatsApp messages pretending to be from the CEO, asking for money transfers.

“And having staff working from home during the lockdowns has just made it worse, as it is much harder to keep an eye on everyone.”

Image: A man working in his kitchen. Caption: If you thought your cyber-security had been compromised, would you know how to contact your IT department?

With one in three UK workers currently based exclusively at home, and the same level in the US, this remote working on a vast scale continues to be a major headache for the IT security bosses of companies large and small around the world.

And studies show that many firms are not taking the issue as seriously as they should. For example, one in five UK home workers has received no training on cyber-security, according to a recent survey by legal firm Hayes Connor Solicitors.

The report also found that two out of three employees who printed potentially sensitive work documents at home admitted to putting the papers in their bins without shredding them first.

Meanwhile, a separate UK study last year found that 57% of IT decision makers believe that remote workers will expose their firm to the risk of a data breach.

“In the rush and panic to set remote working practices up, even simple data protection practices were ignored,” says Christine Sabino, a senior associate at Hayes Connor.

Image: Christine Sabino. Caption: Christine Sabino fears that in the haste to set up home working, some firms ignored cyber-security issues.

“Companies did not provide additional security relating to computers, electronic communication, phone communication.”

So what can both companies and home working staff do to make things as safe and secure as possible?

Ted Harrington, a San Diego-based cyber-security specialist, and author of Hackable: How To Do Application Security Right, says firms should have started by giving all home workers a dedicated work laptop. While many larger companies may well have done this, not all smaller firms necessarily have the resources to do so, but Mr Harrington stresses its importance.

“Supply staff with laptops and other equipment that are owned, controlled and configured by the company,” he says. “This alleviates the burden on your people to set things up right, and ensures they follow the security controls the company wants.”

Image: Ted Harrington. Caption: Ted Harrington says that workers should not be too scared to report a possible cyber-security breach.

Definitely don’t have staff using their personal computers for work, says Sam Grubb, an Arkansas-based cyber-security consultant, and author of the forthcoming book How Cybersecurity Really Works.

“The main problem with using your own computer to do work is that you are not limited in what you can do on it, nor are you necessarily the only one that uses it,” he says.

“So while you might not be visiting a shady website to download movies for free, your teenage son could be doing that exact thing on your home laptop without you even knowing.

“This makes it much easier for malware or other attacks to happen. This might affect the work you are doing, or in a worst-case scenario, lead to the compromise of co-workers’ devices, or other company devices such as servers.”

Mr Harrington says that the next step is that companies must set up a VPN or virtual private network, so that remote computers have secure and encrypted connections with the firm’s servers and everyone else in the company.

Image: A man shredding paper. Caption: Should firms give home workers shredders?

Mr Grubb uses a transport and wildlife analogy to explain how VPNs work. “A VPN is like a tunnel between two cities,” he says.

“Instead of driving through the dark forest full of tigers, lions and bears, you drive through the underground tunnel, where no one can see you driving until you reach your destination on the other side.”

However, even with work laptops, VPNs and the latest cyber-security software systems in place, staff can still make damaging mistakes, such as falling prey to a “phishing” email – a malicious email pretending to be a legitimate one in order to trick someone into handing over sensitive data.

Currently such scam emails doing the rounds include some claiming to inform the targeted person that they have been exposed to Covid-19, or invited to have the vaccine. They ask the recipient to click on a link, which then tries to download malware onto his or her computer.

New Tech Economy

New Tech Economy is a series exploring how technological innovation is set to shape the new emerging economic landscape.

For this reason, both Mr Harrington and Mr Grubb say that it is essential that businesses give staff proper cyber-security training.

“Firms should be providing training to help their employees understand the threats they face,” says Mr Grubb. 

Ms Sabino adds that both staff and their bosses need to do their bit. She says, for example, that employees should avoid talking about work on social media, while firms should give shredders to home workers who need to print things out.

Image: Tsedal Neeley. Caption: Harvard University’s Tsedal Neeley says that staff need to know who to call in the IT department.

With even the most cyber-security aware home workers just one click away from making a mistake, Mr Harrington says that firms need policies in place so that staff know who to immediately report a threat to.

“If an employee falls victim to an attack, make sure that they know a) who to contact, and b) that their outreach is welcome and won’t result in termination,” he says. “You don’t want people afraid of repercussions and thus covering up mistakes.”

Tsedal Neeley, a professor of business administration from Harvard Business School who is an expert on remote working, agrees that home workers should know exactly who to report cyber-security problems to. “Engaging with their firm’s IT/cyber-security experts is crucial,” she says.

Peter, the computer network manager, says this engagement should be frequent. “Users should be suspicious of anything that they are not 100% confident about, and it does not hurt to ask your IT department. It is better to check than be compromised.”