Two attacks found on the Maze ransomware list have been confirmed.
The original list of alleged Maze ransomware victims, posted earlier this month, included seven possible victims, as well as sample files the group claimed were stolen during the attacks and a full 3 GB dump from one company. SearchSecurity discovered two more companies were added to the Maze ransomware victim’s list, one of which had previously confirmed a ransomware attack.
On Dec. 13, Busch’s Fresh Food Markets, an independently owned supermarket chain based in Michigan, disclosed that it was the victim of a ransomware attack on Dec. 9. Busch’s asserted there was no evidence that payment card data was compromised and that it believed “this ransomware was only designed to lockdown our internal systems and interrupt our business, not to steal data.” Busch’s also detailed the reasons it didn’t pay the ransom.
“First, even if we had paid the ransom, there was no guarantee that we would ever actually get access to our systems again. Second, if we had paid them it was more likely that they would try and extort us again,” Busch’s wrote in a blog post. “Finally, we chose not to pay because doing so would perpetuate this type of behavior and give them funds to go after other companies.”
Busch’s spokesperson had not responded to SearchSecurity’s request for comment at the time of this post, so the validity of the documents leaked by Maze could not be confirmed.
On Wednesday, Canadian insurance firm Andrew Agencies Ltd., one of the original companies listed on the Maze ransomware site, admitted to being hit with ransomware.
Dave Schioler, executive vice president and general counsel for Andrew Agencies, confirmed in an email to CTV News that the company was the victim of a ransomware attack and said the company did not pay the ransom. Schioler did not mention the Maze gang, but the threat group contacted Lawrence Abrams, CEO of BleepingComputer, to provide more proof it was behind that attack.
The stated goal of the victim’s list published by Maze was to pressure companies to pay the ransom, but it is unclear how successful the group has been with that goal. The two new names added to the list add up to nine possible victims that have not paid, but only two of those companies have even admitted to being attacked. There is no information on how many organizations were hit with Maze ransomware and did pay the ransom.
An Exchange hybrid deployment generally provides a good experience for the administrator, but it can be found lacking in a few areas, such as transport rules.
Transport rules — also called mail flow rules — identify and take actions on all messages as they move through the transport stack on the Exchange servers. Exchange hybrid mail flow rules can be tricky to set up properly to ensure all email is reviewed, no matter if mailboxes are on premises or in Exchange Online in the cloud.
Transport rules solve many compliance-based problems that arise in a corporate message deployment. They add disclaimers or signatures to messages. They funnel messages that meet specific criteria for approval before they leave your control. They trigger encryption or other protections. It’s important to understand how Exchange hybrid mail flow rules operate when your organization runs a mixed environment.
Mail flow rules and Exchange hybrid setups
The power of transport rules stems from their consistency. For an organization with compliance requirements, transport rules are a reliable way to control all messages that meet defined criteria. Once you develop a transport rule for certain messages, there is some comfort in knowing that a transport rule will evaluate every email. At least, that is the case when your organization is only on premises or only in Office 365.
Things change when your organization moves to a hybrid Exchange configuration. While mail flow rules evaluate every message that passes through the transport stack, that does not mean that on-premises transport rules will continue to evaluate messages sent to or from mailboxes housed in Office 365 and vice versa.
Depending on your routing configuration, email may go from an Exchange Online mailbox and out of your environment without an evaluation by the on-premises transport rules. It’s also possible that both the mail flow rules on premises and the other set of mail flow rules in Office 365 will assess every email, which may cause more problems than not having any messages evaluated.
To avoid trouble, you need to consider the use of transport rules both for on-premises and for online mailboxes and understand how the message routing configuration within your hybrid environment will affect how Exchange applies those mail flow rules.
Message routing in Exchange hybrid deployments
A move to an Exchange hybrid deployment requires two sets of transport rules. Your organization needs to decide which mail flow rules will be active in which environment and how the message routing configuration you choose affects those transport rules.
All message traffic that passes through an Exchange deployment will be evaluated by the transport rules in that environment, but the catch is that an Exchange hybrid deployment consists of two different environments, at least as far as transport rules are concerned. A message sent from an on-premises mailbox to another on-premises mailbox generally won’t pass through the transport stack, and thus the mail flow rules, in Exchange Online. The opposite is also true: Messages sent from an online mailbox to another online mailbox in the same tenant will not generally pass through the on-premises transport rules. Copying the mail flow rules from your on-premises Exchange organization into your Exchange Online tenant does not solve this problem; in fact, it can lead to some messages being handled by the same transport rule twice.
When you configure an Exchange hybrid deployment, you need to decide where your mail exchange (MX) record points. Some organizations choose to have the MX record point to the existing on-premises Exchange servers and then route message traffic to mailboxes in Exchange Online via a send connector. Other organizations choose to have the MX record point to Office 365 and then flow to the on-premises servers.
There are more decisions to be made about the way email leaves your organization as well. By default, an email sent from an Exchange Online mailbox to an external recipient will exit Office 365 directly to the internet without passing through the on-premises Exchange servers. This means that transport rules, which are intended to evaluate email traffic before it leaves your organization, may never have that opportunity.
Exchange hybrid mail flow rules differ for each organization
No two organizations are alike, which means there is more than one resolution for working with Exchange hybrid mail flow rules.
For organizations that want to copy transport rules from on-premises Exchange Server into Exchange Online, you can use PowerShell. The Export-TransportRuleCollection PowerShell cmdlet works on all currently supported versions of on-premises Exchange Server. This cmdlet creates an XML file that you can load into your Exchange Online tenant with another cmdlet called Import-TransportRuleCollection. This is a good first step to ensure all mail flow rules are the same in both environments, but that’s just part of the work.
Transport rules, like all Exchange Server features, have evolved over time. They may not work the same in all supported versions of on-premises Exchange Server and Exchange Online. Simply exporting and importing your transport rules may cause unexpected behavior.
One way to resolve this is to duplicate the transport rules in both environments and then add two more transport rules on each side. The first new transport rule checks the message header and tells the transport stack — both on premises and in the cloud — that the message has already been through the transport rules in the other environment. This rule should include an action to stop processing any further transport rules. The second new transport rule adds a header indicating that the message has already been through the transport rules in this environment. This is a difficult setup to get right and requires a good deal of care to implement properly if you choose to go this route.
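The export/import step and the two guard rules per side, written out as an added example (not from the article or from Microsoft). It assumes a Windows PowerShell 5.1 host, an on-premises Exchange Management Shell session, a separate Exchange Online session, and that the hybrid connectors already treat cross-premises mail as internal; the header name X-Contoso-HybridRules and the file path are hypothetical placeholders.

```powershell
# Added example, not from the article. Assumes Windows PowerShell 5.1
# (-Encoding Byte), an on-premises Exchange Management Shell session and a
# separate Exchange Online session. X-Contoso-HybridRules and the file
# path are placeholders; rename them for your organisation.

# --- Step 1: copy the existing rule set on-premises -> Exchange Online ----
# On-premises: serialise the whole rule collection to XML.
$export = Export-TransportRuleCollection
Set-Content -Path 'C:\Temp\OnPremRules.xml' -Value $export.FileData -Encoding Byte

# Exchange Online: load the XML. Import replaces the tenant's existing rule
# collection, so export the tenant's own rules first if it already has any.
[byte[]]$data = Get-Content -Path 'C:\Temp\OnPremRules.xml' -Encoding Byte -ReadCount 0
Import-TransportRuleCollection -FileData $data

# --- Step 2: the guard rules that stop a message being evaluated twice ----
# Run once in EACH environment with the matching -Side value.
function Add-HybridGuardRules {
    param(
        [Parameter(Mandatory)][ValidateSet('OnPrem','EXO')][string]$Side,
        [string]$Header = 'X-Contoso-HybridRules'   # placeholder header name
    )
    $other = if ($Side -eq 'OnPrem') { 'EXO' } else { 'OnPrem' }

    # Priority 0: any sender can add a header, so a copy arriving from the
    # Internet must be removed before it can be read as "already evaluated"
    # and used to skip your compliance rules. FromScope NotInOrganization
    # relies on the hybrid connectors marking cross-premises mail as
    # internal (the Hybrid Configuration Wizard sets this up); verify that
    # before deploying, or mail from the other side would be stripped too.
    New-TransportRule -Name "Hybrid 0 - strip $Header from Internet mail" `
        -Priority 0 -FromScope NotInOrganization -RemoveHeader $Header

    # Priority 1: if the other side already ran its rules, stop here.
    New-TransportRule -Name "Hybrid 1 - skip rules already run in $other" `
        -Priority 1 -HeaderContainsMessageHeader $Header `
        -HeaderContainsWords $other -StopRuleProcessing $true

    # No -Priority: a new rule is appended after all existing rules, and a
    # rule with no condition applies to every message, so this stamp runs
    # only on messages that reached the end of this side's rule set.
    New-TransportRule -Name "Hybrid 9 - stamp $Side as evaluated" `
        -SetHeaderName $Header -SetHeaderValue $Side
}

# In the on-premises shell:
Add-HybridGuardRules -Side OnPrem
# In the Exchange Online shell:
Add-HybridGuardRules -Side EXO
```

After adding rules on either side, send a test message along each routing path (internal to internal, cross-premises, outbound) and read the stamped header in the received copy to confirm each message was evaluated exactly once.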
I expect that the fairly new hybrid organization transfer feature of the Hybrid Configuration Wizard will eventually handle the export and import of transport rules, but that won’t solve the routing issues or the issues with running duplicate rules.
Security researchers found vulnerabilities in the Qualcomm TrustZone secure element extension that could allow attackers to steal the most sensitive data stored on mobile devices.
TrustZone implements architectural security extensions on ARM processors that can be integrated into the bootloader, radio, Android system image and a trusted execution environment (TEE) in mobile devices. Slava Makkaveev, security researcher at Check Point Software Technologies, discovered the issues in the Qualcomm TrustZone implementation often used by major Android manufacturers.
“TEE code is highly critical to bugs because it protects the safety of critical data and has high execution permissions. A vulnerability in a component of TEE may lead to leakage of protected data, device rooting, bootloader unlocking, execution of undetectable APT and more. Therefore, a Normal world OS restricts access to TEE components to a minimal set of processes,” Makkaveev wrote in his analysis. “Examples of privileged OS components are DRM service, media service and keystore. However, this does not reduce researchers’ attention to the TrustZone.”
Makkaveev said the Qualcomm TrustZone components can be found in popular Android devices from Samsung, Google, LG and OnePlus. He used fuzzing tools to discover the vulnerabilities and exploited them in order to install a trusted app in a normal environment.
Check Point claimed the flaws affect all versions of Android up to the most recent Android 10; however, Makkaveev mentions testing on only a Nexus 6 running Android 7.1, an LG G4 running Android 6 and Moto G4/G4 Plus running an unknown version of Android.
Samsung, Motorola, LG and Qualcomm did not respond to requests for comment at the time of this post. Google responded but did not have information readily available as to whether more recent Google Pixel devices are at risk.
Liviu Arsene, global cybersecurity researcher at antimalware firm Bitdefender, based in Romania, told SearchSecurity this research is important because “high-complexity and high-reward vulnerabilities [like this] can potentially offer untethered access to critical assets and data on the device.”
“When a vulnerability in the software that sits between the hardware and the operating system running on top of it is found, successful exploitation can have serious security and privacy implications,” Arsene said. “Not because attackers could potentially access critical and sensitive data, but because attackers can compromise the security of the device, while being invisible to the victim. Depending on how the vulnerability is triggered, weaponized attackers might successfully exfiltrate sensitive data such as passwords, financial information, or even plant additional software on the device.”
Ekram Ahmed, head of public relations at Check Point, told SearchSecurity, “it’s only a matter of time before we find more vulnerabilities.”
“Once someone gains access into Trust Zone, it’s game over. They can get unprecedented access to our credit cards, biometric data, keys, passwords,” Ahmed said. “It wouldn’t be too difficult for a medium-skilled cyber actor to exploit. What is difficult is knowing exactly who is affected. The vulnerability is a deeper infrastructure issue.”
Arsene said he wouldn’t expect to see these Qualcomm TrustZone flaws exploited “en masse in the wild.”
“While weaponizing the vulnerability may be possible, it’s likely that only a handful of users could potentially be impacted, possibly in highly targeted attacks,” Arsene said. “However, the difficulty of pulling off these attacks lies in how easily the vulnerability can be weaponized.”
Ahmed added that Check Point notified all potentially affected device manufacturers, but the company had “strange” interactions with Qualcomm leading up to the patch being released.
“We asked them to patch, and they only told us they patched a day before we published the blog, because the media was reaching out to them,” Ahmed said. “They went months without communicating a single word to us.”
Not going to lie, I found this in a drawer, totally forgot we had it as my wife hasn’t switched it on in two years since getting her iPad Pro.
It’s in remarkably good condition for its age with only a few minor marks on it and a battery cycle count of a mere 141. I left it on the desk with the screensaver on for an hour and it lost 10% of its battery, not sure what that will translate to in real world use.
I purchased it new from Apple, upgraded it out of the box, did a bit of Xcode and then never really used it. My wife picked it up for the odd email but it’s spent most of its life in a padded case.
The only thing I can’t find is the original Apple plug that goes on the MagSafe charger, but it comes with a UK PlugBug adapter that has a USB port on it.
Running the latest OS X and has been scrubbed ready for the next user.
Announcing the September 17 TweetMeet and a new Live Event
Minecraft: Education Edition has found a place in many classrooms around the world, empowering students and teachers to take charge of their learning, boost their STEM and 21st-century skills to solve problems through inquiry, creativity and collaboration—in the immersive and fun world of Minecraft.
On September 17, in celebration of the new Back to School updates by Minecraft: Education Edition, we’re excited to host two Minecraft-themed events to inspire you for the new school year: a #MSFTEduChat TweetMeet immediately followed by a new Live Event.
Keep reading for detailed information about this new, dual TweetMeet event.
TweetMeet on Teaching and Learning with Minecraft starting at 10 a.m. PDT
Whether you’re a newcomer to MinecraftEdu or have been working with it for years, our TweetMeet has something for you. Hosted by 21 passionate Minecraft Global Mentors, this Twitter conversation invites you to share and learn from the best ideas, tips and resources. Our hosts will provide you with implementation checklists and exciting examples of interactive lessons and activities that keep your learners motivated while they collaborate on solving real-world problems. With all this in mind, we welcome you to a 75-minute TweetMeet on September 17 at 10 a.m. PDT.
Live Event with Meenoo Rami from the MinecraftEdu Team at 11:15 a.m. PDT
Just a few weeks ago, Minecraft: Education Edition released the Back to School update for all users, which includes Immersive Reader integration, an improved multiplayer experience with join codes, single sign-on (SSO) support and more.
Twitter Header Photos are available in many languages and time zones.
Create your own TweetMeet Friend Card
Another way to share your enthusiasm for MinecraftEdu and the TweetMeets in general is to create a TweetMeet Friend Card. Share your own version of this image anytime, anywhere. It will come in handy when introducing yourself at the start of a TweetMeet. Just follow the steps in the TweetMeet Friend Cards PowerPoint.
Looking back on the August TweetMeet on Back to School
TweetMeets are monthly recurring Twitter conversations about themes relevant to educators, facilitated by Microsoft Education. The purpose of these events is to help professionals in education learn from each other and inspire their students while they are preparing for their future. The TweetMeets also nurture personal-learning networks among educators from across the globe.
Check out this helpful blog post by former host James Kieft that describes why educators should consider participating in Twitter chats and how to get started.
When and how can I join?
Join us Tuesday, September 17 from 10:00 a.m. to 11:15 a.m. PDT on Twitter using the hashtags #MinecraftEdu, #MSFTEduChat and #MicrosoftEDU (which you can always use to stay in touch with us). Be sure to double-check your own local event time. You can find the event time for 215 countries with this time zone announcer.
Our next recommendation for you is to set up a Twitter dashboard TweetDeck and add columns for the hashtag #MSFTEduChat, #MinecraftEdu and #MicrosoftEDU. If you are new to TweetDeck, then check out this brief TweetDeck tutorial by Marjolein Hoekstra.
When a tweet appears that you want to respond to, press the retweet button and type your comments.
Additional tips are offered in this animated GIF that you’re most welcome to share with newcomers:
Too busy to join at event time? No problem!
From our monthly surveys we know that you may be in class at event time, busy doing other things or may even be asleep—well, no problem! All educators are welcome to join any time after the event. Simply look at the questions below and respond to these at a day and time that suit you best.
You can also schedule your tweets in advance. In such cases, be sure to include the entire question in your tweet and include the hashtag #MSFTEduChat so that everyone knows to which question in which conversation you are responding.
To better allow everyone to prepare for the event, from now on we’re providing the question timings in a text table:
September 17–TweetMeet question timings
Please introduce yourself. Use hashtag #MSFTEduChat.
Why Minecraft in education?
What helps teachers get started with #MinecraftEdu?
How does Minecraft transform education? Share stories.
What practical Minecraft tips, resources and lessons do you recommend?
What’s the next step in your #MinecraftEdu adventure?
Join our Live Event with Meenoo Rami from the MinecraftEdu team.
SuperWakelet: resources curated by this month’s hosts
Meet the 21 hosts for this month’s TweetMeet! After going through weeks of preparation for this TweetMeet, they are thrilled to engage with you on their favorite topic: Teaching and Learning with Minecraft.
Anis Amouri @Anis_amouri (Fine arts teacher, MIE Expert and MIE Master Trainer, Master Skype Teacher, Minecraft Global Mentor, SDG Ambassador, EU Code Week Ambassador, HundrED Ambassador, CoSpaces Ambassador—Sfax, Tunisia)
Becky Keene @BeckyKeene (Director, Content and Professional Learning, insight2execution; Director of Amazing Things, Phygital Labs; Minecraft Global Mentor, MIE Expert and Master Trainer, Flipgrid Student Voice Ambassador, OneNote Junkie—Seattle WA, USA)
Bryan Sanders @nayrbgo (Doctor of Education, Educational Technology Researcher, Academic Technology Specialist, High School English Teacher, Minecraft Global Mentor—Los Angeles CA, USA)
Carlos Solano @Carlos_Rsolano (Teacher and NTI coordinator, passionate about learning and gaming, using Minecraft in daily classes and also to promote social inclusion of both gifted and autistic children, Minecraft Global Mentor, MIE Expert—Madrid, Spain)
Cheryn Ridge @cherynbaier (MIE Expert and Master Trainer, Minecraft Global Mentor, Teacher, EdTech Teacher Support at Computers 4 Kids—Cape Town, South Africa)
Elena Vladescu @VladescuElena (Physics teacher, Minecraft Global Mentor, MIE Expert, eTwinning and Scientix Ambassador—Slatina, Romania)
Erik Post @ErikPost9 (Geography and Technology teacher, Minecraft Global Mentor, MIE Expert, MIE Master Trainer—Hardenberg, The Netherlands)
Francisco Tupy @FranciscoTupy (Minecraft PhD (literally). Game designer, speaker and consultant on education and innovation projects worldwide—São Paulo, Brazil)
Jeff Gearhart @TechJeff09 (Technology Director at Brinnon School, NCCE Professional Learning Specialist, MIE Trainer, Surface Pro Expert, MIE Expert, Minecraft Global Mentor—Brinnon WA, USA)
Kristoffer Thomsen @kristoffer_th (Solution Specialist on Education at Microsoft, Former Minecraft Global Mentor. Technology and Education excites me—Oslo, Norway)
Mary Elizabeth Pearson @pearsonmep (Educator, NCCE Professional Learning Specialist, Madison International School Technology Consultant and Minecraft in Education academy coordinator, MIE Expert and Master Trainer, Minecraft Global Mentor—Merida, Mexico)
Merry Willis @merrywillis (Instructional Technology Specialist, Cherokee County, GA School District, Minecraft Global Mentor, MIE Expert, MIE Fellow and Master Trainer, Fulbright DAT Alumni—Woodstock GA, USA)
Michael Fleischhacker @MiFleischhacker (Secondary teacher at NMS Kinzerplatz, Minecraft Global Mentor, flipping the classroom, passionate about game-based and lifelong learning—Vienna, Austria)
Mike Washburn @misterwashburn (Head of Curriculum and Training at Logics Academy, Host of OnEducation Podcast, Minecraft Global Mentor; MIE Expert—Barrie ON, Canada)
Nelly Hamed @nelly_hamed (MIEE fellow, Minecraft Mentor, MergeCube Ambassador, Cospaces Ambassador, Microsoft Trainer, ScreenBeam Expert, Work in Hayah International Academy, Associate at Immersive Minds UK, Hayah International Academy—Cairo, Egypt)
Noreen Dooley @nodooley (Classroom Technology Designer, NCCE Professional Learning Specialist, MIE Expert and Master Trainer, Minecraft Global Mentor, passionate about preparing students for success in the real world—Katy TX, USA)
Paola Lopez @pacsita (EdTech entrepreneur enthusiast, passionate about neurodiversity and Google Certified Innovator #MEX18 & Microsoft Innovative Educator Expert, Flipgrid Ambassador and Minecraft Global Mentor—Monterrey, Mexico)
Pekka Ouli @pekkaouli (eLearning Specialist and Minecraft Global Mentor who loves international Minecraft projects and collaboration—Äänekoski, Finland)
Stéphane Cloâtre @StephaneCloatre (Technology Teacher, Robotics educator, Minecraft Global Mentor, Digital Education Consultant at Immersive Minds, passionate about making learning fun AND meaningful—Fougères, France)
Tina Coffey @elemitrt (Instructional Technology Teacher, Minecraft Global Mentor, passionate about finding ways to engage students, make learning relevant, promote global literacy, and foster 21st Century skills—Roanoke VA, USA)
Trish Cloud @trishcloud (Coordinator, Personalized Digital Learning, Charlotte Mecklenburg Schools, Minecraft Global Mentor, using Minecraft: EE to integrate CS into elementary and middle schools throughout CMS—Huntersville NC, USA)
Next month’s event: STEM and NASA
The theme of the TweetMeet on October 15 will be STEM and NASA. We’re looking forward to this event and hope you’ll spread the word!
Got questions about the #MSFTEduChat TweetMeets?
Please connect with TweetMeet organizer Marjolein Hoekstra @TweetMeet on Twitter if you have any questions about the TweetMeets or how to become a host at a future event.
It’s 2008 all over again as researchers have found a way to leverage cold boot attacks against modern computers to steal sensitive data from lost or stolen devices.
Olle Segerdahl and Pasi Saarinen, security consultants for F-Secure, developed the new cold boot attack method and claim it “will work against nearly all modern computers,” including both Windows and macOS devices.
In classic cold boot attacks, threat actors could recover data stored in RAM after a computer was improperly shut down, but modern operating systems have mitigations against this by way of overwriting RAM. Segerdahl and Saarinen found a way to disable this feature.
“It takes some extra steps compared to the classic cold boot attack, but it’s effective against all the modern laptops we’ve tested,” Segerdahl said in a written press statement. “And since this type of threat is primarily relevant in scenarios where devices are stolen or illicitly obtained, it’s the kind of thing an attacker will have plenty of time to execute.”
Segerdahl and Saarinen developed a tool that could re-write the mitigation settings in memory, which would disable memory overwriting and allow them to boot from an external device that could read the target system’s memory. The researchers said cold boot attacks like this could be used to steal sensitive data like credentials or even encryption keys held in memory.
“It’s not exactly easy to do, but it’s not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out,” Segerdahl said in a statement. “It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”
The @fsecure cold boot technique requires physical access. To protect sensitive info, at a minimum, we recommend using a device with a discrete TPM, disabling sleep/hibernation and configuring BitLocker with a PIN. #protect #coldboot
The researchers said cold boot attacks like this could provide a consistent way for threat actors to steal data because the technique works across platforms. And although the researchers have shared their findings with Microsoft, Intel and Apple, mitigations are still a work in progress.
Apple claims that Macs with the T2 chip are immune to cold boot attacks — though this only includes the iMac Pro and 2018 MacBook Pro models — and suggested users with other Mac devices set a firmware password. Microsoft updated its BitLocker guidance to help users protect sensitive information.
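A defender-side check for the three mitigations in the tweet above (discrete TPM, sleep/hibernation off, BitLocker with a PIN), written as an added example that is not from the article, F-Secure or Microsoft. It assumes an elevated Windows PowerShell 5.1 session on Windows 8.1 or later, where the BitLocker and TrustedPlatformModule modules are built in, and English-language powercfg output.

```powershell
# Added example, not from the article. Audits one Windows machine against the
# mitigations in the tweet above. Run elevated in Windows PowerShell 5.1.
function Test-ColdBootHardening {
    param([string]$OsVolume = 'C:')

    # 1. TPM present and ready. Get-Tpm cannot tell a discrete TPM from a
    #    firmware TPM; on recent Windows 10 builds ManufacturerIdTxt on the
    #    same object identifies the part if you need to confirm that.
    $tpm = Get-Tpm
    $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # 2. BitLocker on, with a protector that demands a PIN before the TPM
    #    unseals the volume key. A plain 'Tpm' protector releases the key at
    #    boot with no user input, so whoever boots a stolen laptop gets the
    #    key loaded into RAM, which is the starting point of this attack.
    $vol = Get-BitLockerVolume -MountPoint $OsVolume
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $bitlockerOn = ($vol.ProtectionStatus -eq 'On')
    $pinRequired = ($types -contains 'TpmPin') -or
                   ($types -contains 'TpmPinStartupKey')

    # 3a. Hibernation off: HibernateEnabled is the value powercfg /hibernate
    #     writes, so 0 means no hiberfil.sys and no resume with keys in RAM.
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hibernateOff = ($power.HibernateEnabled -eq 0)

    # 3b. Sleep off: powercfg /a lists the available sleep states first, then
    #     a "not available" section. Any Standby line in the first section
    #     means the machine can sleep with RAM (and the key) still powered.
    $inAvailable = $true
    $sleepAvailable = $false
    foreach ($line in (powercfg /a)) {
        if ($line -match 'not available') { $inAvailable = $false }
        if ($inAvailable -and $line -match 'Standby') { $sleepAvailable = $true }
    }

    [pscustomobject]@{
        TpmReady       = $tpmReady
        BitLockerOn    = $bitlockerOn
        PinRequired    = $pinRequired
        HibernationOff = $hibernateOff
        SleepDisabled  = -not $sleepAvailable
        Hardened       = ($tpmReady -and $bitlockerOn -and $pinRequired -and
                          $hibernateOff -and -not $sleepAvailable)
    }
}

Test-ColdBootHardening | Format-List
```

Any False row points at the setting to change; PinRequired is the one that most directly blocks the boot-from-external-media step the researchers describe, because the key never reaches RAM until the PIN is entered.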