Microsoft Acknowledges Exploitation of Two Zero-Day Vulnerabilities

Exchange Server Vulnerabilities

Microsoft has acknowledged that it is aware of two Exchange Server zero-day vulnerabilities that have been exploited in targeted cyberattacks. GTSC, a cybersecurity agency from Vietnam, reports finding attacks that use two new Microsoft Exchange zero-day vulnerabilities. It believes the attacks, which first surfaced in August and were aimed at critical infrastructure, were orchestrated by Chinese threat actors.

Technical details about the vulnerabilities have not yet been disclosed publicly; however, GTSC says that the attackers' post-exploitation activities include the installation of backdoors, deployment of malware, and lateral movement.

Details about zero-day vulnerabilities

Microsoft was informed about the vulnerabilities through Trend Micro's Zero Day Initiative (ZDI). Microsoft published a blog post telling its customers that the company is looking into two reported zero-day vulnerabilities. According to Microsoft, one flaw is a server-side request forgery (SSRF) issue, identified as CVE-2022-41040, and the second is a remote code execution (RCE) flaw, identified as CVE-2022-41082. The flaws appear to affect Exchange Server 2013, 2016, and 2019.

According to Microsoft, it is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. 

Microsoft fixing the issue

Microsoft is currently working on an accelerated timeline to fix the vulnerabilities. For the time being, it has published detailed guidance to protect against them. It believes that its products should identify post-exploitation malware and any malicious activity related to it. Microsoft Exchange Online users don't have to do anything.

"Security researcher Kevin Beaumont has named the vulnerabilities ProxyNotShell due to similarities with the old ProxyShell flaw, which has been exploited in the wild for more than a year. In fact, before Microsoft confirmed the zero-days, Beaumont believed it might just be a new and more effective variant of the ProxyShell exploit, rather than an actual new vulnerability," reports Security Week.

MM.Finance, a DeFi platform, Had More Than $2 Million Stolen

 

In a Domain Name System (DNS) attack, hackers stole $2 million worth of digital assets, according to MM.Finance, a DeFi ecosystem with the largest decentralized exchange on the Cronos blockchain.

Hackers target the reliability or integrity of a network's DNS service in these attacks. The attacker could "inject a malicious contract address into the frontend code," as per the team behind MM.Finance, which bills itself as the world's largest decentralized finance ecosystem on the Cronos blockchain. "Attacker changed the network contract address in our hosted files via a DNS vulnerability." In a Medium post-mortem, the business claimed, "We understand that some of you have suffered considerable sums and are filled with anxieties and despair." 

Users who completed swaps or added or removed liquidity on the MM.Finance site starting on May 4 lost money. "The malicious router kicked in and the LPs were withdrawn to the attacker's address when victims navigated to mm.finance to remove liquidity," the company revealed. MM.Finance has offered the attacker 48 hours to refund 90% of the stolen funds, warning that if the deadline is not met, it will notify the FBI.

The attacker made off with more than $2 million in cryptocurrencies before laundering it all through Tornado Cash, a service that allows users to hide the source of their payments. The company is forming a compensation fund for anyone affected, and the platform's creators have stated that they will forgo their part of trading revenue to pay for the losses. The pool will be open for 45 days, with a procedure in place to reimburse individuals who participate.

In follow-up postings on Twitter, the company said it had linked the stolen assets to the OKX exchange and threatened to contact the FBI if the funds were not returned. OKX's CEO stated that the company is looking into the matter. According to DeFi Llama data, liquidity is still strong, with $804 million in total value locked (TVL).

Hackers Exploit Microsoft Exchange for IcedID Reply-Chain Hijacking Attacks

 

Cybersecurity researchers at Intezer, an Israeli security firm, have identified a new email phishing campaign that uses conversation hijacking to deliver the IcedID info-stealing malware onto compromised devices by making use of vulnerable Microsoft Exchange servers.

"The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," researchers Joakim Kennedy and Ryan Robinson explained. "A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate." 

The most recent wave of attacks, spotted in mid-March 2022, is believed to have targeted businesses within the energy, healthcare, law, and pharmaceutical sectors. IcedID (also known as BokBot) is a banking trojan that has evolved into an entry point for more sophisticated threats, including human-operated ransomware and the Cobalt Strike adversary simulation tool.

The banking trojan has the capability of communicating with a remote server and downloading next-stage implants and software that allow malicious actors to perform follow-on activities and move laterally throughout impacted networks to spread additional malware. 

Last year, in June 2021, American enterprise security company Proofpoint revealed an evolving tactic in the cybercrime landscape whereby initial access brokers were spotted infiltrating target networks via first-stage malware payloads such as IcedID to deploy Egregor, Maze, and REvil ransomware payloads.

Previous IcedID campaigns employed website contact forms to deliver malware-laced links to organizations. The present version of the campaign relies on vulnerable Microsoft Exchange servers to send the lure emails from a hijacked account, indicating a further evolution of the social engineering scheme.

"The payload has also moved away from using Office documents to the use of ISO files with a Windows LNK file and a DLL file," researchers added. "The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user." 

To make the phishing emails seem more legitimate, the victim’s email address is used to send fraudulent replies to an already existing email thread plundered from the compromised individual’s account. 

"The use of conversation hijacking is a powerful social engineering technique that can increase the rate of a successful phishing attempt. By using this approach, the email appears more legitimate and is transported through the normal channels which can also include security products," the researchers concluded.

IKEA's Email System Hit by a Cyber Attack

 

Threat actors are targeting IKEA employees in an internal phishing attack via malicious reply-chain email links. 

According to BleepingComputer, email reply-chain phishing begins by taking over a legitimate email account and using it to send malicious emails to its contact list. The malicious email then spreads further, in this case to the internal mailboxes of IKEA.

"There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organizations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA," explained an internal email sent to IKEA employees.

"This means that the attack can come via email from someone that you work with, from any external organization, and as a reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious." 

The above message warns employees to remain vigilant and explains that the fraudulent emails are difficult to detect because they can come from internal mailboxes. The reply-chain emails contain links with seven digits at the end, and employees have been asked to watch out for such links and avoid clicking on them or even opening suspicious emails. Employees are also told to notify the sender of the emails via Microsoft Teams chat.

According to Trend Micro, attackers have recently started to exploit internal Microsoft Exchange servers via the ProxyShell and ProxyLogon vulnerabilities to perform phishing attacks. Once they secure access to a server, they use stolen internal reply-chain emails to evade detection.

Another concern is that recipients may release the malicious phishing emails from quarantine, thinking they were caught in filters by mistake. Because of this, IKEA is disabling the ability for employees to release emails until the attack is resolved.

"Our email filters can identify some of the malicious emails and quarantine them. Due to that, the email could be a reply to an ongoing conversation, it's easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine," IKEA communicated to employees.
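The two indicators reported in these posts, lure links that end in seven digits (the IKEA warning) and ISO attachments (the IcedID campaign), can be checked on inbound replies before anyone is able to release them from quarantine. The Python below is an added example, not code from IKEA, Intezer or the blog; the function name, the constructed sample message and the "hold" rule are assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample message (not a real capture); all hosts are placeholders.
SAMPLE = """\
From: colleague@partner.example
To: employee@corp.example
Subject: RE: Q3 delivery schedule
In-Reply-To: <abc123@corp.example>
References: <abc123@corp.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the document: https://files.example.net/docs/view/4829173

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.iso"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# A URL whose final run of digits is exactly seven long.
SEVEN_DIGIT_URL = re.compile(r"""https?://[^\s<>"']*?(?<!\d)\d{7}(?![^\s<>"'])""")
SUSPECT_EXT = (".iso",)  # container type named in the IcedID report

def reply_chain_indicators(raw):
    """Hypothetical triage helper: flag replies carrying either indicator."""
    msg = message_from_string(raw, policy=policy.default)
    # Reply-chain mail carries threading headers copied from the stolen thread.
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    hits = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(SUSPECT_EXT):
            hits.append(f"attachment:{name}")
        elif part.get_content_type() in ("text/plain", "text/html") \
                and not part.is_attachment():
            hits += [f"url:{u}" for u in SEVEN_DIGIT_URL.findall(part.get_content())]
    # Assumed rule: keep the message quarantined only if it is a reply with a hit.
    return {"is_reply": is_reply, "indicators": hits,
            "hold": is_reply and bool(hits)}

if __name__ == "__main__":
    print(reply_chain_indicators(SAMPLE))
```

A link followed directly by sentence punctuation is not matched by this pattern, so body text should be normalised before the check in a real filter.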