DevOps'ish Microsoft Exchange Hafnium Compromise Index

A one-stop shop for opinion, analysis, and/or coverage of the Microsoft Exchange Hafnium compromise. Coverage includes official statements and filings, accredited media coverage, industry analysis, and noteworthy blogs, digital media, and other mediums as deemed worthwhile. Note: All links shared here have gone through the normal DevOps’ish editorial and curation process. To add content for review, issue a pull request against this file in GitHub.

Official Statements

- Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)
- Joint Cybersecurity Advisory: Compromise of Microsoft Exchange Server
- CISA Strongly Urges All Organizations to Immediately Address Microsoft Exchange Vulnerabilities | CISA
- Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 – Microsoft Security Response Center
- Multiple Security Updates Released for Exchange Server – updated March 12, 2021 – Microsoft Security Response Center
- “Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.” —National Security Council Twitter
- Guidance on Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise | CISA
- CSS-Exchange/Security at main · microsoft/CSS-Exchange
- Background Press Call by Senior Administration Officials on the Administration’s Response to the Microsoft and SolarWinds Intrusions | The White House

Press

- No sign of Exchange-related ransomware hitting UK orgs, claims NCSC as it urges admins to scan for compromises • The Register
- Exchange servers first compromised by Chinese hackers hit with ransomware | Ars Technica
- Report: At least 10 hacking groups are exploiting Microsoft Exchange flaws | VentureBeat
- White House cites ‘active threat,’ urges action despite Microsoft patch | Reuters
- Microsoft Exchange server attacked by Hafnium, company says - CNN
- Biden administration expected to form task force to deal with Microsoft hack linked to China - CNNPolitics
- Tens of thousands of US organizations hit in ongoing Microsoft Exchange hack | Ars Technica
- Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims | WIRED
- There’s a vexing mystery surrounding the 0-day attacks on Exchange servers | Ars Technica
- Critical 0-day that targeted security researchers gets a patch from Microsoft | Ars Technica
- White House task force met with private sector to discuss Microsoft software vulnerabilities | VentureBeat
- Microsoft Exchange Server hacks ‘doubling’ every two hours | ZDNet
- Exchange Server attacks: Microsoft shares intelligence on post-compromise activities | ZDNet
- AP sources: SolarWinds hack got emails of top DHS officials

Industry

- Hackers dropping DearCry ransomware using Exchange Server exploit
- Microsoft Exchange hack, larger than originally believed, prompts emergency task force - SiliconANGLE
- Microsoft was warned months ago — now, the Hafnium hack has grown to gigantic proportions - The Verge
- US National Security Council urges review of Exchange Servers in wake of Hafnium attack • The Register
- The Microsoft Exchange Server mega-hack – what you need to know – HOTforSecurity
- More hacking groups join Microsoft Exchange attack frenzy

Blogs, Newsletters, Digital Media, etc.

- Researchers warn of a surge in cyber attacks against Microsoft Exchange – Security Affairs
- Microsoft Exchange Server Attack Escalation Prompts Patching Panic
- Microsoft updated MSERT to detect web shells used in attacks against Microsoft Exchange installs – Security Affairs
- Microsoft releases one-click Exchange On-Premises Mitigation Tool
- 92% of all on-premises Microsoft Exchange servers exposed online affected by the ProxyLogon vulnerabilities are now patched

March 14, 2021 · 3 min · Chris Short

DevOps'ish 208: KubeCon problems, tech is the easy part, Okta eats Auth0 whole, Exchange vulns, Digital Ocean IPO, #100DaysOfKubernetes, and more

This week I heard about and witnessed some pretty disgusting behavior in the greater cloud native community. First, I saw a tweet from a CNCF Ambassador saying KubeCon was pay to play (the tweet is gone now but, you better believe they lost a follower that day). If KubeCon were pay to play, I’d have spoken at the last three years of KubeCons. Red Hat spends a shitload of money sponsoring KubeCon and the Linux Foundation. It does not, nor should it ever influence the talk selection process. Next, I heard firsthand about people jumping into KubeCon track committee members’ DMs and chastising them for not selecting their talk. I won’t be naming and shaming. They’ve done that for themselves. But, I can guarantee you, this is not how you want to make a name for yourself in the community. Oh… Some random Google software engineer got blocked because they did not understand any word I wrote. Then proceeded to put words into my mouth about how the selection process works. At some point in the process, a deciding factor in the talk selection process could be looking for a submitter’s online presence (yes, speaker names get Googled routinely). The submission process does involve some links to social media and/or GitHub, for example, if memory serves me right. Building a KubeCon track is a super laborious process that you have to dedicate serious time to in a brief time window. IT’S HARD WORK. ...

March 7, 2021 · 8 min · Chris Short

DevOps'ish 207: Solarwinds, 4 hour a week Kubernetes maintainer, mischievous Mailchimp, secrets management, Digital Ocean IPO, Sysdig, BOOP, Flux, and More

DevOps’ish is in a state of spring cleaning. First, I’ve found a tool that I like more than Pocket to bookmark and save pages in Raindrop.io. All the Recommended Reads automation is now pulling from Raindrop.io. Then three Zapier rules ferry everything off to the appropriate places. I made that transition midweek. Next is the newsletter service itself. I’ve been unhappy with the current provider ever since doing the never-easy switch from Mailchimp (how forward-thinking that was) to the current provider. I’ve had more tickets opened than newsletters sent; enough was enough. Last week, I discovered EmailOctopus. I have been researching it in my spare time. Yesterday was a day off for me, so I started the switch to making DevOps’ish a Google Workplace domain and using EmailOctopus to send newsletters. It takes a lot more work than it should to get and send an email than it used to, but it’ll be worth it. The DevOps’ish Solarwinds supply chain compromise Index has many updates this week, including the former Solarwinds CEO blaming an intern for the mistake and a congressional hearing on the matter. ...

February 28, 2021 · 5 min · Chris Short

DevOps'ish 206: Kubernetes README, 'I will slaughter you', Corey Quinn in NYT, 200 Million Certificates in 24 Hours, GitOps with Flux2, K8s on ISS, and more

Sometimes you don’t know what the world needs until someone tells you. On Monday this week, a friend asked if I had any additional books to point them to for Kubernetes help. I have a mile-long list in my head. I said, yeah, let me punch that up for you real quick. But, instead of creating a locked down doc or dust bin email, I built a website. Behold, Kubernetes README. It’s nothing really fancy. A copy of an existing site, with a different name, and data to help folks make a selection that fits their needs. But, this is the beauty of working in an open source environment. I didn’t even think of typing them an email. It was going to be a website the second the ask came in. There was no reason to go to the effort of creating a list of books that would live in a vacuum. Sharing knowledge helps us all. It’s how folks can figure out how to grow on their own. Thanks for the idea, Justin. I hope it helps. ...

February 21, 2021 · 7 min · Chris Short

DevOps'ish 205: Kubernetes Pod Security Policy Deprecation, open source skills are crucial, harms of large language models, Supermicro, water plant breach, VSCode repo FUD, and more

First off, Happy Valentine’s Day. I hope you’re enjoying it as best you can. This week I learned that an organization in the healthcare industry is working on a large project involving Kubernetes Pod Security Policies as a mainstay in their project. In case you haven’t heard, Pod Security Policies (PSPs) will begin the Kubernetes deprecation process in the 1.21 release. Kubernetes 1.21 releases on or about Thursday, April 8th, 2021. With PSPs being completely phased out by the 1.25 release (sometime in mid’ish 2022). When 1.21 is released, you’ll see a message similar to the following when touching PSPs, “The PodSecurityPolicy API is deprecated in 1.21, and will no longer be served starting in 1.25.” The Kubernetes Contributor Marketing Team is working on an official blog post, but it is taking longer than I’d prefer given the amount of PSP utilization that’s out there. I’m writing this here because I have worked in large banks, healthcare systems, and government agencies where changes like this could take quite some time to plan, test, verify, and implement. But, what is replacing PSPs? Well, that’s to be determined, which is equally terrifying to some. But, this is where folks have to have faith in the process. Sometimes we have to plan deprecation of something to force the community to respond to fill the gap. ...

February 14, 2021 · 8 min · Chris Short