Ex-Security Engineer Jailed 3 Years for $12.3 Million Crypto Exchange Thefts
https://www.indiavpn.org/2024/04/13/ex-security-engineer-jailed-3-years-for-12-3-million-crypto-exchange-thefts/
Sat, 13 Apr 2024 15:05:19 +0000

Apr 13, 2024 | Newsroom | Cryptocurrency / Regulatory Compliance


A former security engineer has been sentenced to three years in prison in the U.S. for charges relating to hacking two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3 million.

Shakeeb Ahmed, the defendant, pleaded guilty to one count of computer fraud in December 2023, following his arrest in July 2023.

“At the time of both attacks, Ahmed, a U.S. citizen, was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills Ahmed used to execute the hacks,” the U.S. Department of Justice (DoJ) noted at the time.


The DoJ did not name the company, but Ahmed was living in Manhattan, New York, and working for Amazon at the time of his arrest.

Court documents show that Ahmed exploited a security flaw in an unnamed cryptocurrency exchange’s smart contracts to insert “fake pricing data to fraudulently generate millions of dollars’ worth of inflated fees,” which he was able to withdraw.

Subsequently, he initiated contact with the company and agreed to return most of the funds except for $1.5 million if the exchange agreed not to alert law enforcement about the flash loan attack.

It’s worth noting that CoinDesk reported in early July 2022 that an unknown attacker returned more than $8 million worth of cryptocurrency to a Solana-based crypto exchange called Crema Finance, while keeping $1.68 million as a “white hat” bounty.

Ahmed has also been accused of carrying out an attack on a second decentralized cryptocurrency exchange called Nirvana Finance, siphoning $3.6 million in the process, ultimately leading to its shutdown.

“Ahmed used an exploit he discovered in Nirvana’s smart contracts to allow him to purchase cryptocurrency from Nirvana at a lower price than the contract was designed to allow,” the DoJ said.


“He then immediately resold that cryptocurrency to Nirvana at a higher price. Nirvana offered Ahmed a ‘bug bounty’ of as much as $600,000 to return the stolen funds, but Ahmed instead demanded $1.4 million, did not reach agreement with Nirvana, and kept all the stolen funds.”

Ahmed then laundered the proceeds to obscure the trail: he used cross-chain bridges to move the stolen assets from Solana to Ethereum, swapped them into Monero, and passed funds through mixers such as Samourai Whirlpool.

Besides the three-year jail term, Ahmed was sentenced to three years of supervised release and ordered to forfeit approximately $12.3 million and pay restitution amounting to more than $5 million to the two affected exchanges.

Telegram Offers Premium Subscription in Exchange for Using Your Number to Send OTPs
https://www.indiavpn.org/2024/03/28/telegram-offers-premium-subscription-in-exchange-for-using-your-number-to-send-otps/
Thu, 28 Mar 2024 09:26:50 +0000

Mar 28, 2024 | Newsroom | Technology / Data Privacy


In June 2017, a study of more than 3,000 Massachusetts Institute of Technology (MIT) students, published by the National Bureau of Economic Research (NBER), found that 98% of them were willing to give away their friends’ email addresses in exchange for free pizza.

“Whereas people say they care about privacy, they are willing to relinquish private data quite easily when incentivized to do so,” the researchers wrote, describing what is known as the privacy paradox.

Now, nearly seven years later, Telegram has introduced a new feature that gives some users a free premium membership in exchange for allowing the popular messaging app to use their phone numbers as a relay for sending one-time passwords (OTPs) to other users who are attempting to sign in to the platform.

The feature, called Peer-to-Peer Login (P2PL), is currently being tested in selected countries for Android users of Telegram. It was first spotted by tginfo in February 2024 (via @AssembleDebug).

According to Telegram’s Terms of Service, the phone number will be used to send no more than 150 OTP SMS messages – including international SMS – per month, incurring charges from the user’s mobile carrier or service provider.


That said, the popular messaging app notes that it “cannot prevent the OTP recipient from seeing your phone number upon receiving your SMS” and that it “will not be liable for any inconvenience, harassment or harm resulting from unwanted, unauthorized or illegal actions undertaken by users who became aware of your phone number through P2PL.”

Worse, the mechanism relies largely on an honor system: nothing technically stops a participant from contacting the stranger whose number received the OTP SMS, or vice versa, which could mean more spam calls and texts for both sides.

Telegram said it reserves the right to unilaterally terminate an account from the P2PL program if participants are found sharing personal information about recipients. It also warns users not to contact any OTP recipients or reply to them even if they message them.

As of March 2024, Telegram has more than 900 million monthly active users. It launched the Premium subscription program in June 2022, allowing users to unlock additional features like 4 GB file uploads, faster downloads, and exclusive stickers and reactions.

With online services still relying on phone numbers to authenticate users, it’s worth keeping in mind the privacy and security risks that could arise from partaking in the experiment.

Meta in Legal Crosshairs for Intercepting Snapchat Traffic

The development comes as newly unsealed court documents in the U.S. alleged that Meta launched a secret project called Ghostbusters to intercept and decrypt the network traffic from people using Snapchat, YouTube and Amazon to help it understand user behavior and better compete with its rivals.

This was accomplished by leveraging custom apps from a VPN service called Onavo, which Facebook acquired in 2013 and shut down in 2019 after it came under scrutiny for using its products to track users’ web activity related to its competitors and secretly paying teens to capture their internet browsing patterns.


The data-interception scheme has been described as a “man-in-the-middle” approach, in which Facebook essentially paid people between ages 13 and 35 up to $20 per month plus referral fees for installing a market research app and giving it elevated access to inspect network traffic and analyze their internet usage.

The tactic relied on creating “fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook’s strategic analysis.”

The apps were distributed through beta testing services, such as Applause, BetaBound, and uTest, to conceal Facebook’s involvement. The program, which later became known as the In-App Action Panel (IAAP), ran from 2016 to 2018.

Meta, in its response, said there is no crime or fraud, and that “Snapchat’s own witness on advertising confirmed that Snap cannot ‘identify a single ad sale that [it] lost from Meta’s use of user research products,’ does not know whether other competitors collected similar information, and does not know whether any of Meta’s research provided Meta with a competitive advantage.”

Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation
https://www.indiavpn.org/2024/02/15/critical-exchange-server-flaw-cve-2024-21410-under-active-exploitation/
Thu, 15 Feb 2024 06:33:09 +0000

Feb 15, 2024 | Newsroom | Threat Intelligence / Vulnerability


Microsoft on Wednesday acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as part of its Patch Tuesday updates.

Tracked as CVE-2024-21410 (CVSS score: 9.8), the issue has been described as a case of privilege escalation impacting the Exchange Server.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability,” the company said in an advisory published this week.

“The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.”


Successful exploitation of the flaw could permit an attacker to relay a user’s leaked Net-NTLMv2 hash against a susceptible Exchange Server and authenticate as the user, Redmond added.

In an update to its bulletin, Microsoft revised the Exploitability Assessment to “Exploitation Detected.” The mitigation is Extended Protection for Authentication (EPA), which binds the NTLM authentication to the TLS channel it arrives on so that a credential relayed from another connection is rejected. Exchange Server 2019 Cumulative Update 14 (CU14) enables EPA by default; servers on earlier builds do not get it automatically and must have it turned on explicitly (Microsoft publishes the ExchangeExtendedProtectionManagement.ps1 script for that purpose).
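One way to check whether EPA is actually in force on a server, as an added example that is not Microsoft's code or part of the original article: the script below reads the IIS `tokenChecking` setting on the virtual directories Exchange uses for Windows/NTLM authentication. It assumes it runs on the Exchange server with the IIS WebAdministration module available; the list of virtual directories is an assumption for illustration, and Microsoft's own script remains the supported way to audit and enable the setting.

```powershell
# Added example (not Microsoft's code): report the Extended Protection
# setting on the IIS virtual directories Exchange uses for Windows/NTLM
# authentication. Assumes it runs on the Exchange server with the
# WebAdministration module installed. The vdir list is an assumption for
# illustration; Microsoft's ExchangeExtendedProtectionManagement.ps1 is the
# supported way to audit and enable EPA.
Import-Module WebAdministration

$VirtualDirectories = @(
    'Default Web Site\Autodiscover',
    'Default Web Site\EWS',
    'Default Web Site\MAPI',
    'Default Web Site\OAB',
    'Default Web Site\PowerShell',
    'Default Web Site\RPC',
    'Exchange Back End\EWS',
    'Exchange Back End\OAB',
    'Exchange Back End\PowerShell',
    'Exchange Back End\RPC'
)

function Get-ExchangeEpaStatus {
    param([string[]] $Paths = $VirtualDirectories)

    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    foreach ($path in $Paths) {
        $psPath = "IIS:\Sites\$path"
        if (-not (Test-Path $psPath)) {
            [pscustomobject]@{ VirtualDirectory = $path; TokenChecking = 'n/a'; Verdict = 'not present' }
            continue
        }
        # tokenChecking is None, Allow or Require. None accepts a relayed NTLM
        # authentication outright; Allow checks a channel binding token only
        # when the client sends one; Require rejects anything whose token does
        # not match the TLS session it arrived on.
        $tokenChecking = [string](Get-WebConfiguration -Filter $filter -PSPath $psPath).tokenChecking
        $verdict = switch ($tokenChecking) {
            'Require' { 'ok' }
            'Allow'   { 'PARTIAL: clients without a channel binding token are still accepted' }
            default   { 'RELAYABLE: enable Extended Protection' }
        }
        [pscustomobject]@{ VirtualDirectory = $path; TokenChecking = $tokenChecking; Verdict = $verdict }
    }
}

Get-ExchangeEpaStatus | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each Exchange server; any row marked RELAYABLE is a target for the relay described above, regardless of whether the February patch is installed.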

Details about the nature of the exploitation and the identity of the threat actors that may be abusing the flaw are currently unknown. However, Russian state-affiliated hacking crews such as APT28 (aka Forest Blizzard) have a history of exploiting flaws in Microsoft Outlook to stage NTLM relay attacks.

Earlier this month, Trend Micro linked the group to NTLM relay attacks against high-value targets going back to at least April 2022. The intrusions hit organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils.


CVE-2024-21410 adds to two other Windows flaws – CVE-2024-21351 (CVSS score: 7.6) and CVE-2024-21412 (CVSS score: 8.1) – that have been patched by Microsoft this week and actively weaponized in real-world attacks.

The exploitation of CVE-2024-21412, a bug that enables a bypass of Windows SmartScreen protections, has been attributed to an advanced persistent threat dubbed Water Hydra (aka DarkCasino), which has previously leveraged zero-days in WinRAR to deploy the DarkMe trojan.

“The group used internet shortcuts disguised as a JPEG image that, when selected by the user, allows the threat actor to exploit CVE-2024-21412,” Trend Micro said. “The group can then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as part of its attack chain.”


Microsoft’s Patch Tuesday update also addresses CVE-2024-21413, another critical shortcoming affecting the Outlook email software that could result in remote code execution by trivially circumventing security measures such as Protected View.

Codenamed MonikerLink by Check Point, the issue “allows for a wide and serious impact, varying from leaking of local NTLM credential information to arbitrary code execution.”

The vulnerability stems from Outlook’s handling of “file://” hyperlinks. Appending an exclamation mark and arbitrary text to a link that points at an attacker-controlled server (e.g., “file:///\\10.10.111.111\test\test.rtf!something”) slips past the check Outlook applies to such links, so when the user clicks it Outlook reaches out to the remote share for the payload instead of blocking the link.

“The bug not only allows the leaking of the local NTLM information, but it may also allow remote code execution and more as an attack vector,” the cybersecurity firm said. “It could also bypass the Office Protected View when it’s used as an attack vector to target other Office applications.”
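A simple way to hunt for this pattern in mail bodies or link exports, as an added example that is not Check Point’s or Microsoft’s code and is not part of the original article: the function below pulls every `file:` hyperlink out of a text, reports those that point at a remote (UNC) location, and marks as suspicious the ones carrying a “!” after the file name. The function name and the sample message body are constructed for illustration.

```powershell
# Added example (not Check Point's or Microsoft's code): flag MonikerLink-style
# hyperlinks in a message body. A file: link that points at a remote (UNC)
# location and has "!" after the file name is reported as suspicious; a
# remote file: link without "!" is still reported, since following it leaks
# a Net-NTLMv2 hash to the server. Function and sample body are constructed.
function Find-MonikerLink {
    param([Parameter(Mandatory)][string] $Body)

    # file: followed by anything up to whitespace, a quote, angle bracket or ")".
    $pattern = 'file:(?:///?)?[^\s"''<>\)]+'
    foreach ($m in [regex]::Matches($Body, $pattern, 'IgnoreCase')) {
        $link = $m.Value
        # Drop the scheme and leading slashes; the first path component is the host.
        $rest     = $link -replace '^file:', '' -replace '^[\\/]+', ''
        $server   = ($rest -split '[\\/]')[0]
        $isRemote = ($server -ne '') -and ($server -notmatch '^[A-Za-z]:$')
        if (-not $isRemote) { continue }   # local drive path, not a relay target
        # "!" after the last path separator is the composite-moniker syntax.
        $hasBang = $link -match '![^\\/]*$'
        $verdict = if ($hasBang) { 'SUSPICIOUS: remote file: link with "!" moniker' } else { 'INFO: remote file: link (NTLM hash leak on click)' }
        [pscustomobject]@{ Link = $link; Server = $server; Verdict = $verdict }
    }
}

# Constructed sample body: one local link, one plain UNC link, one MonikerLink.
$SampleBody = @'
Quarterly report: file:///C:/Users/alice/report.docx
Template: <a href="file://fileserver01/templates/memo.dotx">memo</a>
Invoice: <a href="file:///\\10.10.111.111\test\test.rtf!something">open</a>
'@

Find-MonikerLink -Body $SampleBody | Format-Table -AutoSize
```

On the sample body the local `C:` link is ignored, the `fileserver01` link is reported as informational, and the `10.10.111.111` link is reported as suspicious. The same function can be pointed at exported message bodies or proxy logs; the useful signal is the combination of an external host and the trailing “!”.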

Backup and Recovery Strategies for Exchange Server Administrators
https://www.indiavpn.org/2024/01/19/backup-and-recovery-strategies-for-exchange-server-administrators/
Fri, 19 Jan 2024 12:57:43 +0000


Data is a critical asset for any organization, and protecting it is essential. That is especially true in on-premises Exchange Server environments, where vital business communication and email are stored and managed.

In this article, you will learn about the evolving threats of data loss, the shift in responsibilities of administrators, and key backup and recovery strategies for preventing data loss in the Exchange Server environment.

Data Loss Scenarios in Exchange Servers

Data loss in on-premises Exchange Server environments has become increasingly common. Ransomware has emerged as a significant cause in recent years, with financially motivated threat actors targeting Exchange Server vulnerabilities such as ProxyLogon to gain unauthorized access to the server or to users’ mailboxes.

Besides vulnerabilities in the system, hardware failure and human errors can also cause data loss in on-premises Exchange Servers. According to a study by Gartner, it is estimated that 30% of organizations will experience an incident involving data loss caused by a negligent employee by 2025.

Evolving Role of Exchange Server Administrators

The role of Exchange Server administrators has changed significantly in recent years. Rising malware and ransomware activity has pushed them into the role of guardians of the organization’s data and reputation.

At the same time, the volume of data in on-premises Exchange environments, and the security controls needed to counter sophisticated attackers and newer threats, have made those environments substantially more complex to manage.

Understanding the Stakes

The consequences of data loss in Exchange Server environments are profound.

1. Financial Losses

Financial losses are one of the most common consequences of data loss. The operations of an organization are supported by data. If the data is lost, it means the organization loses not only its ability to generate income but also its ways of operating. In addition, when data is lost, a considerable amount of resources are channeled towards data recovery.

2. Reputational Damage

Building trust takes time. However, losing it takes only one bad decision. A data breach or ransomware attack can severely tarnish an organization’s reputation in the market, breaking customers’ or clients’ trust. Nobody wants to end up in the headlines of the media for all the wrong reasons.

3. Downtime and Lack of Business Continuity

Email communication is essential for daily operations. Loss of critical data can disrupt workflow and hamper productivity, which can have severe implications on the organization.

A report by IDC states that the average cost of downtime due to data loss in a mid-sized organization is approximately $1.25 million per year.

4. Business Closure

Data loss can potentially lead to an organization’s bankruptcy or closure. According to the University of Texas, 94% of companies that suffer from catastrophic data loss do not survive. Out of these, 43% never reopened, and 51% closed within two years.

5. Regulatory and Legal Fines

Businesses are obliged by the data protection laws, rules, regulations, and industry standards. Failing to do so can have severe implications, such as hefty fines. Legal actions can also undermine your organization’s reputation.

Prevent Data Loss – Develop a Thoughtful Backup Strategy

The most common reason for data loss in Exchange Servers is database corruption or damage. To safeguard against data loss, administrators need a comprehensive backup strategy tailored to their Exchange Server environments.

Below are some Exchange Server backup methods and strategies that administrators can follow to prevent permanent data loss.

1. Utilize VSS-Based Backup

Exchange Server supports Volume Shadow Copy Service (VSS)-based backups. You can use the Exchange-aware Windows Server Backup application with a VSS plug-in to back up active and passive Exchange database copies and restore the backed-up database copies.

2. Backup Combination

Exchange administrators should ideally use a combination of full and incremental backups. A full backup captures the entire database and its transaction logs and truncates the committed logs; an incremental backup captures only the transaction logs generated since the last full or incremental backup, and truncates them as well.

Differential backups capture all transaction logs since the last full backup and do not truncate them. They are used less often because each differential grows until the next full backup, which makes the rotation harder to manage.

3. Transaction Log Management

Transaction logs record every change before it is written to the database, which is what keeps the database consistent and allows a restored copy to be rolled forward to the point of failure. A successful full or incremental backup truncates the logs that are already committed. Never delete logs by hand to free space, and if logs stop being truncated, treat it as a sign that backups are failing rather than as a storage problem.

4. Circular Logging

Circular logging is disabled in Exchange Server by default. When enabled, Exchange overwrites transaction logs once their changes are committed to the database instead of keeping them until a backup truncates them. That saves disk space and prevents a log volume from filling up when backups are not truncating logs, but it also removes the ability to roll a restored database forward: only what is in the last backup can be recovered. Treat it as a temporary measure, and note that on a database that is not part of a DAG the change takes effect only after the database is dismounted and remounted.

5. Follow the 3-2-1 Backup Rule

Follow the 3-2-1 backup rule to protect your Exchange Server data from permanent loss. The rule states that you must have the following:

  • At least three copies of your data (the production database plus two backups).
  • On at least two different types of media, such as disk and tape.
  • With at least one copy stored off-site or in a remote location, so that a natural or man-made disaster cannot destroy every copy at once (disaster recovery).
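The backup steps above (VSS-based backup, log truncation, circular logging) put together as one added example that is not part of the original article: the script takes a VSS full backup of the volume holding a database with the built-in Windows Server Backup tool, then confirms that Exchange recorded the backup and that the transaction logs were truncated. It assumes an Exchange Management Shell session on the server, the Windows Server Backup feature with its Exchange VSS plug-in, a database named DB01 on the D: volume and a backup target on E:; those names are illustrative.

```powershell
# Added example (not the article's or Microsoft's code): VSS full backup of
# the volume holding an Exchange database with Windows Server Backup, then a
# check that Exchange saw the backup and truncated its logs. Assumes the
# Exchange Management Shell, the Windows Server Backup feature and its
# Exchange VSS plug-in, and illustrative names: database DB01 on D:, target E:.
$Database     = 'DB01'
$SourceVolume = 'D:'
$Target       = 'E:'

function Get-LogFileCount {
    param([string] $DatabaseName)
    $db = Get-MailboxDatabase -Identity $DatabaseName
    # Count the .log files in the database's log folder (E00*.log, E01*.log, ...).
    (Get-ChildItem -Path "$($db.LogFolderPath)" -Filter '*.log' -File).Count
}

$before         = Get-LogFileCount -DatabaseName $Database
$lastFullBefore = (Get-MailboxDatabase -Identity $Database -Status).LastFullBackup

# -vssFull tells the Exchange VSS writer this is a full backup, which is what
# lets committed transaction logs be truncated afterwards. -vssCopy would back
# up the same data without touching the logs or the backup timestamps.
wbadmin start backup -backupTarget:$Target -include:$SourceVolume -vssFull -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# Exchange advances LastFullBackup only when the writer reports success; if it
# did not move, the logs were not truncated either and the backup is not usable.
$dbStatus = Get-MailboxDatabase -Identity $Database -Status
if ($dbStatus.LastFullBackup -eq $lastFullBefore) {
    Write-Warning "LastFullBackup did not advance for $Database; check the Application log for ESE / MSExchangeIS backup events."
}
$after = Get-LogFileCount -DatabaseName $Database

"{0}: logs before={1} after={2} LastFullBackup={3} CircularLogging={4}" -f `
    $Database, $before, $after, $dbStatus.LastFullBackup, $dbStatus.CircularLoggingEnabled
```

A healthy run shows the log count dropping sharply and LastFullBackup moving to the current time. If CircularLogging reports True, the log count tells you nothing about backup health, because the logs are being overwritten regardless of whether a backup succeeded.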

Proactive Measures for Data Protection

A proactive approach has been fundamental in preventing data loss. Therefore, administrators should consider the following best practices for data protection:

  • Robust Security Measures: implement strong security controls, keep security software current, and install Exchange Server and Windows updates promptly to close known vulnerabilities.
  • Continuous Learning: ongoing training on email security and cyber-attacks for administrators, employees, and customers keeps everyone informed about emerging threats and vulnerabilities.
  • Access Control: restrict access to sensitive data and require strong authentication. Use role-based access control (RBAC) to limit what each account can do in Windows and Exchange Server.

Exchange Server Recovery Strategies

Exchange administrators also need to be ready when it comes to the recovery of corrupt or dismounted databases in case something happens. Here are some strategies that can help in the quick recovery of the database in case of an issue or incident.

1. Recovery Databases

Recovery databases (RDBs) are special Exchange Server databases that allow administrators to mount and extract data from the restored mailbox database. RDBs help in restoring data without impacting the live environment.
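The recovery database workflow as one added example that is not part of the original article: the script checks the state of a database file restored from backup, replays its logs if it is in Dirty Shutdown, mounts it as a recovery database, and merges one mailbox back into the live mailbox. It assumes an Exchange Management Shell session on the server, `eseutil` on the path (it ships in the Exchange bin folder), and that the restored DB01.edb and its E01*.log files were copied to D:\RDB; the database, path, log prefix, user and mailbox names are illustrative.

```powershell
# Added example (not the article's or Microsoft's code): restore a mailbox from
# a backup copy of DB01.edb through a recovery database without touching the
# live database. Assumes the Exchange Management Shell, eseutil on PATH, and
# that the restored .edb and its logs were copied to D:\RDB. All names below
# are illustrative.
$RdbName    = 'RDB01'
$RdbPath    = 'D:\RDB'
$EdbFile    = Join-Path $RdbPath 'DB01.edb'
$LogPrefix  = 'E01'               # log generation prefix of the original database
$SourceUser = 'Alice Example'     # display name as it appears inside the restored database
$TargetMbx  = 'alice@contoso.com' # live mailbox to merge the data into

# 1. A database restored from backup is normally in Dirty Shutdown and must have
#    its logs replayed before it can mount. Read the state from the file header.
$header    = eseutil /mh $EdbFile
$stateLine = $header | Select-String -Pattern '^\s*State:\s*(.+)$' | Select-Object -First 1
$state     = $stateLine.Matches[0].Groups[1].Value.Trim()
if ($state -ne 'Clean Shutdown') {
    # Soft recovery: replay the logs in $RdbPath (/l) into the database in $RdbPath (/d).
    eseutil /r $LogPrefix /l $RdbPath /d $RdbPath
    if ($LASTEXITCODE -ne 0) {
        throw "eseutil /r failed ($LASTEXITCODE). A hard repair (/p) discards data, so stop and review the logs first."
    }
}

# 2. Create the recovery database pointing at the restored files and mount it.
New-MailboxDatabase -Recovery -Name $RdbName -Server $env:COMPUTERNAME `
    -EdbFilePath $EdbFile -LogFolderPath $RdbPath | Out-Null
Mount-Database -Identity $RdbName

# 3. See what is inside, then merge one mailbox into the live mailbox. Users keep
#    working on the live database the whole time.
Get-MailboxStatistics -Database $RdbName | Select-Object DisplayName, ItemCount, TotalItemSize
New-MailboxRestoreRequest -SourceDatabase $RdbName -SourceStoreMailbox $SourceUser `
    -TargetMailbox $TargetMbx -AllowLegacyDNMismatch
Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics

# 4. Once the request reports Completed, dismount and remove the RDB:
#    Dismount-Database -Identity $RdbName; Remove-MailboxDatabase -Identity $RdbName
```

The important check is the first one: a restore request against a database that never reached Clean Shutdown fails to mount, and reaching for `eseutil /p` to force it is where data is silently lost. Replaying the logs that were backed up with the database is what brings it to a consistent state without loss.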

2. Use Exchange Native Data Protection

Exchange Server 2016 and 2019 offer Exchange Native Data Protection, which reduces reliance on traditional backups: a Database Availability Group (DAG) with multiple database copies, lagged copies that delay log replay so logical corruption can be caught, Single Item Recovery, and retention policies together cover many restore scenarios. It complements off-server backups rather than replacing them.

3. Dial Tone Portability

Administrators can use Dial Tone Portability or Dial Tone Recovery. In this, an empty Exchange database with the same database name and schema version is created that allows users to continue to send and receive new emails while the administrators restore and recover the failed databases. This method provides continuity during disaster recovery.

4. Exchange Recovery Tools

When a backup is unavailable or out of date and the database is severely corrupted, a third-party recovery tool such as Stellar Repair for Exchange can extract mailboxes from the damaged EDB file. It also supports the dial tone method by exporting recovered mailboxes into the dial tone database, or any other healthy database on the same server, restoring users’ mailboxes and Outlook connectivity with less downtime and disruption.

Conclusion

Exchange Server administrators play a critical role in protecting business data in an increasingly hostile landscape, where the cost of data loss ranges from financial damage to loss of reputation. A tested backup strategy, proactive security measures, and a well-defined recovery plan together reduce both the likelihood and the impact of a data loss incident.
