Microsoft Exchange Server Has a Zero-Day Problem

There were global ripples in tech policy this week as a new data collection law in India forced PureVPN to pull out of the country, and a new head of the International Telecommunications Union prepares to be elected.

A complicated hunt is on to identify the person or people responsible for the destruction of theNord Stream gas line. Hyperjacking victims are being used by still-unidentified hackers to grab data.

The notorious Lapsus$ hackers have been back on their hacking joyride, compromising massive companies around the world and delivering a dire but important warning about how vulnerable large institutions are to compromise There were serious and concerning vulnerabilities patched this week.

A trial of an automated tool that pushes users searching for child sexual abuse material to seek help for their behavior was launched by PornHub. The free Captcha alternative was rolled out by Cloudflare to make it easier to find bicycles in a grid or decipher blurry text.

We have advice on how to stand up to Big Tech and advocate for data privacy and users' rights in your community, as well as tips on the latestiOS, Chrome, and HP updates you need to install.

There's more. The news we didn't cover is highlighted each week. The full stories can be found below. Stay safe out there.

Two unpatched Exchange server vulnerabilities are being exploited by criminals. According to a post on its website, the two zero-days have been used in attacks against its customers. The zero-days can be chained together to create back doors into the vulnerable server. The researchers said that the vulnerability allowed the attacker to do RCE on the compromised system.

The first flaw is a server-side request forgery vulnerability, and the second is an attack that allows remote code execution on a vulnerable server. Guidance is provided for how on-premises Microsoft Exchange customers should deal with the attack.

The Iranians were partially able to identify and capture people who risked their lives to give the US information because of sloppy development-ops and the CIA's carelessness. A year-long investigation followed the story of six Iranian men who were jailed as part of an aggressive counterintelligence operation by Iran. A flawed web-based covert communications system that led to the arrest and execution of dozens of CIA spies in Iran and China partially outed the men, according to a new report. There was a report on the system by Yahoo News.

Because the CIA appeared to have purchased web-hosting space in bulk from the same provider, the news agency was able to enumerate hundreds of secret CIA websites. Beauty, fitness, and entertainment were some of the topics that the sites were devoted to. The Star Wars fan page was included in the group. The fake websites were assigned to only one spy in order to limit the exposure of the entire network in the event of a single agent being captured, according to two former CIA officials.

If we're careless, if we're reckless, and we've been penetrated, then shame on us.

On Wednesday, a former National Security Agency staffer was charged with three violations of the Espionage Act for trying to sell classified national defense information to an unnamed foreign government. The US Department of Justice stated in a press release that Jareh Sebastian Dalke, of Colorado Springs, Colorado, sent excerpts of three classified documents to an undercover FBI agent who he thought was working with a foreign government. The agent was told by Dalke that he was in serious financial debt and needed to be paid in cryptocurrencies.

Dalke was arrested by the FBI when he arrived at Union Station in Denver to deliver a classified document. He could be sentenced to life in prison or the death penalty if found guilty.

Two obscene push notifications were sent to the publication's Apple News followers after Fast Company's content management system was hijacked. Fast company.com and Inc.com were shut down by the publication's parent company. The Fast Company said that the messages were not in line with the ethos of the outlet. An article posted to Fast Company's website claimed that they were able to gain access through a password that was shared across many accounts, including an administrator.

The company's websites were offline as of yesterday, redirecting to a statement about the hack.