
A New Era is Emerging in Cybersecurity, but Only the Best Algorithms will Survive

The industry recognised that basic fingerprinting could not keep up with the pace of these developments, and the need to be everywhere, all the time, drove the adoption of AI technology to cope with the scale and complexity of modern enterprise security.

Since then, the AI defence market has become crowded with vendors promising data analytics, looking for "fuzzy matches" (close matches to previously encountered threats) and eventually using machine learning to detect similar attacks. While this is an advance over basic signatures, using AI in this way does not hide the fact that it is still reactive. It may be capable of recognising attacks that closely resemble previous incidents, but it cannot stop new attack infrastructure and techniques that the system has never seen before.

Whatever you call it, this system is still fed the same historical attack data. To succeed, it relies on a "patient zero", a first victim. Pretraining an AI on observed data is another name for supervised machine learning (ML). This method does have some clever applications in cybersecurity. In threat investigation, for example, supervised ML has been used to learn and mimic how a human analyst conducts investigations (asking questions, forming and revising hypotheses, and reaching conclusions) and can now carry out these investigations autonomously at speed and scale.

But what about tracking down the first traces of an attack? What about detecting the first indication that something is wrong?

The issue with using supervised ML in this area is that it is only as good as its historical training set; it knows nothing about genuinely new threats. As a result, it must be constantly updated, and each update must be distributed to all customers. This method also requires sending the customer's data to a centralised data lake in the cloud to be processed and analysed. By the time an organisation becomes aware of a threat, it is frequently too late.

As a result, organisations suffer from a lack of tailored protection, a high number of false positives, and missed detections because this approach overlooks one critical factor: the context of the specific organisation it is tasked with protecting.

However, there is still hope for defenders in the war of algorithms. Today, thousands of organisations utilise a different application of AI in cyber defence, taking a fundamentally different approach to defending against the entire attack spectrum — including indiscriminate and known attacks, as well as targeted and unknown attacks.

Unsupervised machine learning involves the AI learning the organisation rather than being trained on what an attack looks like. In this scenario, the AI learns its surroundings from the inside out, down to the smallest digital details, understanding "normal" for the specific digital environment in which it is deployed in order to identify what is not normal.

This is AI that understands "you" in order to identify your adversary. It was once thought to be radical, but it now protects over 8,000 organisations worldwide by detecting, responding to, and even preventing the most sophisticated cyberattacks.

Consider last year's widespread Hafnium attacks on Microsoft Exchange servers. Darktrace's unsupervised ML identified and disrupted a series of new, unattributed campaigns in real time across many of its customer environments, with no prior threat intelligence associated with these attacks. Other organisations, by contrast, were caught off guard and remained exposed to the threat until Microsoft disclosed the attacks a few months later.

This is where unsupervised ML excels: autonomously detecting, investigating, and responding to advanced and previously unseen threats based on a unique understanding of the organisation in question. Darktrace's AI research centre in Cambridge, UK, tested this technology against offensive AI prototypes. These prototypes, like ChatGPT, can create hyper-realistic, contextualised phishing emails and even choose a suitable sender to spoof before sending them.

The conclusions are clear: as attackers begin to weaponise AI for nefarious purposes, security teams will need AI to combat AI. Unsupervised machine learning will be critical because it learns on the fly, building a complex, evolving understanding of every user and device across the organisation. With this bird's-eye view of the digital business, unsupervised AI that recognises "you" will detect offensive AI as soon as it begins to manipulate data and will take appropriate action.

Offensive AI may be exploited for its speed, but defensive AI will also contribute to the arms race. In the war of algorithms, the right approach to ML could mean the difference between a strong security posture and disaster.

GitHub: Repositories Selling Fake Microsoft Exchange Exploits

Researchers have detected threat actors impersonating security researchers and selling fake proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities.

GTSC, a Vietnamese cybersecurity firm, confirmed last week that its customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange.

After being notified of the vulnerabilities, Microsoft confirmed that the bugs were being exploited in attacks and that it is working on an accelerated timeline to release security updates.

“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization,” Microsoft states in an analysis.

Following the Microsoft and GTSC disclosures, threat actors launched a campaign to cash in on interest in the Exchange flaws by creating GitHub repositories that offer exploits for sale.

Microsoft has since been tracking the flaws as CVE-2022-41040 and CVE-2022-41082, describing the first as a Server-Side Request Forgery (SSRF) bug, while the second allows attackers to achieve remote code execution (RCE) via PowerShell.

In one such instance, a threat actor impersonated the well-known security researcher Kevin Beaumont (aka GossiTheDog), who has been documenting the recently discovered Exchange flaws and the available mitigations.

The fraudulent repositories did not contain anything of substance; the README.md merely repeats what is currently known about the vulnerabilities, followed by a pitch offering to sell a single copy of the PoC exploit for the zero-days.

The README file contains a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin, worth $364.

Since the security researchers are keeping the technical details of the exploit private, it appears that only a small number of threat actors are behind the exploitation.

As a result, many other researchers and threat actors are waiting for the vulnerabilities to be published before using them in their own operations, whether to protect a network or to hack into one.

Evidently, there are more threat actors looking to take advantage of this situation. Since Microsoft Exchange Server zero-day exploits could be traded for hundreds of thousands of dollars, one must be cautious about handing over any cash or cryptocurrency to anyone claiming to have an exploit.

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three recently disclosed security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, including a critical vulnerability in Atlassian's Bitbucket Server and Data Center and two Microsoft Exchange zero-days.

At the end of August, Atlassian fixed a security flaw, tracked as CVE-2022-36804 (CVSS score 9.9), in Bitbucket Server and Data Center. The critical-severity flaw is a command injection vulnerability that allows malicious actors to achieve arbitrary code execution by sending malicious HTTP requests.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassian states in an advisory released in late August.

Although CISA did not provide further details on how the security flaw is being exploited or how widespread the exploitation efforts are, researchers at GreyNoise confirmed on September 20 and 23 that they had detected evidence of in-the-wild abuse.

The other two KEV flaws, the Microsoft Exchange zero-days (tracked as CVE-2022-41040 and CVE-2022-41082), were exploited in limited, targeted attacks, according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

Federal Civilian Executive Branch (FCEB) agencies are required to apply patches or mitigation measures for these three vulnerabilities now that they have been added to CISA's KEV catalog, as mandated by Binding Operational Directive 22-01 (BOD 22-01) issued in November.

Since the directive was issued last year, CISA has added more than 800 security vulnerabilities to its KEV catalog, requiring federal agencies to address them on a tight schedule.

Although BOD 22-01 only applies to U.S. FCEB agencies, CISA has urged public and private sector organisations worldwide to prioritise fixing these security flaws, as applying mitigation measures will help contain potential attacks and breach attempts. CISA added: “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.”

Zimbra Memcached Injection Bug Patched

Zimbra, an open-source alternative to email servers and collaboration platforms such as Microsoft Exchange, has patched a Memcached injection vulnerability reported by SonarSource. The patch has been available since May 10, 2022, in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is used by organisations, governments, and financial institutions around the world.

According to Simon Scannell, a vulnerability researcher at Swiss security firm Sonar, unauthenticated attackers could poison the cache of an unsuspecting victim. The vulnerability has been assigned CVE-2022-27924 (CVSS: 7.5) and is described as a case of "Memcached poisoning with unauthorized access," which could allow an attacker to inject malicious commands and steal sensitive data.

Because newline characters (\r\n) in untrusted user input were not escaped, attackers could inject arbitrary Memcached commands into a targeted instance and overwrite cached entries. Memcached servers store key/value pairs that are created and retrieved through a simple text-based protocol, and they parse requests line by line. By sending a specially crafted HTTP request to a vulnerable Zimbra server, a malicious actor could alter the IMAP route entry for a known username, according to the researchers. When the genuine user then logs in, the Nginx proxy in Zimbra forwards all IMAP traffic, including the credentials in plain text, to the attacker.

Exploiting the flaw this way requires knowing the victim's email address and that the victim uses an IMAP client. A second attack technique allows attackers to bypass these constraints and steal credentials for any user, with no user interaction and no prior knowledge of the Zimbra instance. This is accomplished through "Response Smuggling," a different approach that abuses the web-based Zimbra client. Cross-site scripting (XSS) and SQL injection issues caused by a lack of input escaping "are well known and documented for decades," says Scannell, but "other injection vulnerabilities can occur that are less well known and can have a catastrophic consequence."

As a result, Scannell advises programmers to "be cautious of special characters that should be escaped when coping with technology where there is less documentation and research regarding potential vulnerabilities." The bug was discovered four months after Zimbra issued a hotfix for an XSS flaw that was exploited in a series of sophisticated spear-phishing campaigns attributed to an undisclosed Chinese threat group.
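To make the line-oriented parsing concrete, the following is an added Python example, written for this page rather than taken from Zimbra's or Sonar's code. It emulates a tiny Memcached text-protocol server, builds a route lookup both the unsafe way (no escaping, the flaw class described above) and the hardened way (an allow-list that rejects CRLF before it reaches the protocol), and shows how a CRLF smuggled into a username overwrites another user's cached entry. The ToyMemcached class, the route: key naming, the sample hostnames, and the username character policy are all assumptions made for the demonstration.

```python
import re

CRLF = "\r\n"


class ToyMemcached:
    """Minimal in-memory stand-in for the Memcached text protocol (constructed
    for this example). Like the real server it consumes the request stream
    line by line, so a CRLF smuggled into a key starts a brand-new command."""

    def __init__(self):
        self.store = {}

    def handle(self, raw):
        """Parse one raw request buffer and return the response lines."""
        lines = raw.split(CRLF)
        out = []
        i = 0
        while i < len(lines):
            parts = lines[i].split(" ")
            i += 1
            cmd = parts[0]
            if cmd == "":
                continue  # empty segment left after the final CRLF
            if cmd == "get":
                for key in parts[1:]:
                    if key in self.store:
                        value = self.store[key]
                        out += [f"VALUE {key} 0 {len(value)}", value]
                out.append("END")
            elif cmd == "set" and len(parts) == 5:
                # 'set <key> <flags> <exptime> <bytes>' is followed by a data line
                value = lines[i] if i < len(lines) else ""
                i += 1
                self.store[parts[1]] = value
                out.append("STORED")
            else:
                out.append("ERROR")
        return out


def route_lookup_vulnerable(username):
    """Build the lookup for a user's IMAP route WITHOUT escaping: untrusted
    CRLF in the username passes straight into the protocol stream."""
    return f"get route:{username}{CRLF}"


# Memcached keys may not contain whitespace or control characters; allow-list
# the characters a username can legitimately contain (assumed policy).
_SAFE_KEY = re.compile(r"[A-Za-z0-9._@+-]{1,200}")


def route_lookup_hardened(username):
    """Refuse any username that could break out of the single-line command."""
    if not _SAFE_KEY.fullmatch(username):
        raise ValueError("invalid characters in cache key")
    return f"get route:{username}{CRLF}"


def cached_route(server, username):
    """Return the route currently cached for a user, or None if absent."""
    reply = server.handle(f"get route:{username}{CRLF}")
    return reply[1] if reply[0].startswith("VALUE") else None


def demo():
    server = ToyMemcached()
    # Legitimate route entry for a known user (constructed sample data).
    server.handle(f"set route:alice 0 0 16{CRLF}imap.example.com{CRLF}")
    before = cached_route(server, "alice")

    # Constructed hostile 'username' carrying a smuggled 'set' command.
    tainted = f"nobody{CRLF}set route:alice 0 0 16{CRLF}evil.example.net"
    server.handle(route_lookup_vulnerable(tainted))  # overwrites alice's route
    after = cached_route(server, "alice")

    try:
        route_lookup_hardened(tainted)
        blocked = False
    except ValueError:
        blocked = True
    return before, after, blocked


if __name__ == "__main__":
    print(demo())  # ('imap.example.com', 'evil.example.net', True)
```

The hardened builder validates at the trust boundary rather than trying to escape CRLF, because the Memcached text protocol has no escaping mechanism for keys; rejecting anything outside a known-good character set is the only robust option.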

Phishing Attack Emerges as a Primary Threat Vector in X-Force Threat Intelligence Index 2022

IBM published its tenth X-Force Threat Intelligence Index last week, identifying phishing as the primary threat vector in the past year, with manufacturing emerging as the most targeted sector. IBM security analysts observed a 33% surge in attacks caused by vulnerability exploitation, such as Log4Shell, a point of entry that malicious actors relied on more than any other to launch their attacks in 2021 and the cause of 44% of ransomware attacks.

The 2022 Threat Intelligence Index was compiled from billions of data points, ranging from network and endpoint detection devices and incident response engagements to phishing kits and domain name tracking. Threat actors employed phishing in 41% of attacks, up from 2020, when it accounted for 33% of attacks. Interestingly, click rates for the average targeted phishing campaign nearly tripled, from 18% to 53%, when malicious actors also used phone phishing (vishing).

The X-Force report highlights the record-high number of vulnerabilities unearthed in 2021, including a vulnerability in the Kaseya monitoring software that was exploited by REvil in July, and the Log4j (or Log4Shell) vulnerability in Apache's popular logging library. Cybercriminals across the globe were so quick to exploit Log4j that it took the number two spot on the X-Force top 10 list of most exploited vulnerabilities in 2021, despite only being discovered in December last year. The top vulnerability was a flaw in Microsoft Exchange that allowed attackers to bypass authentication and impersonate an administrator.

Additionally, in the UK, nearly 80% of users received a malicious call or text last year. To counter the threat, the regulator Ofcom published new guidelines this week that will require more proactive work from operators to root out the use of spoofed numbers.

“X-Force observed actors leveraging multiple known vulnerabilities, such as CVE-2021-35464 (a Java deserialization vulnerability) and CVE-2019-19781 (a Citrix path traversal flaw), to gain initial access to networks of interest. In addition, we observed threat actors leverage zero-day vulnerabilities in major attacks like the Kaseya ransomware attack and Microsoft Exchange Server incidents to access victim networks and devices,” researchers explained. 

To mitigate the risks, the researchers advised organisations to update their vulnerability management systems, identify security gaps, and prioritise vulnerabilities based on the likelihood that they will be exploited.

Cuba Ransomware Hacked Microsoft Exchange Servers

The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. The group is tracked as UNC2596 and the ransomware itself as COLDDRAW, according to cybersecurity firm Mandiant.

Cuba is the name by which the malware is most widely known. The Cuba ransomware operation began in late 2019 and, after a slow start, gained traction in 2020 and 2021. In December 2021, the FBI issued a Cuba ransomware advisory stating that the group had breached 49 critical infrastructure organisations in the United States. According to Mandiant's new analysis, the Cuba operation predominantly targets the United States, followed by Canada. Since August 2021, the Cuba ransomware gang has been using Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors to gain a foothold on target networks.

"Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021," explains Mandiant in a new report. 

The backdoors planted include Cobalt Strike and the NetSupport Manager remote access tool, although the group also uses its own 'Bughatch', 'Wedgecut' (check.exe), and 'Burntcigar' tools:
  • Wedgecut comes in the form of an executable named “check.exe,” which is a reconnaissance tool that enumerates the Active Directory through PowerShell.
  • Bughatch is a downloader that fetches PowerShell scripts and files from the C&C server. To evade detection, it loads in memory from a remote URL.
  • Burntcigar is a utility that can terminate processes at the kernel level by exploiting a flaw in an Avast driver, which is included with the tool for a “bring your own vulnerable driver” attack.
Finally, Termite is a memory-only dropper that downloads and loads the payloads mentioned earlier. However, this tool has been seen in campaigns by a variety of threat groups, indicating that it is not exclusively utilised by Cuba threat actors. 

Threat actors elevate access using stolen account credentials obtained with the widely available Mimikatz and Wicker tools. They then use Wedgecut for network reconnaissance before moving laterally with RDP, SMB, PsExec, and Cobalt Strike. Termite then loads Bughatch, followed by Burntcigar, which disables security tools and lays the foundation for data exfiltration and file encryption. For exfiltration, the Cuba gang does not use cloud services and instead transfers everything to its own private infrastructure.

Changing Operations 

Cuba ransomware teamed up with the spammers behind the Hancitor malware in May 2021 to gain access to corporate networks via DocuSign phishing emails. Since then, Cuba's operations have shifted to focus on vulnerabilities in public-facing services, such as the Microsoft Exchange ProxyShell and ProxyLogon flaws. Because security updates fixing the exploited vulnerabilities have been available for months, this move makes the attacks more potent but also easier to prevent.

Once there are no more valuable targets running unpatched Microsoft Exchange servers, the Cuba operation will likely shift its focus to other vulnerabilities. This means that applying available security updates as soon as software vendors release them is critical to maintaining a strong security posture against even the most sophisticated threat actors.

SonicWall's Email Security and Firewall Products Were Hit by the Y2K22 Bug

On January 7th, SonicWall acknowledged that the Y2K22 bug had affected some of its Email Security and firewall products, causing message log update and junk box failures from January 1st, 2022. According to the company, email users and administrators on affected systems would no longer be able to access the junk box or un-junk newly received emails. They would also be unable to trace incoming or outgoing emails using the message logs, because the logs would no longer be updated.

SonicWall, a private firm based in Silicon Valley that was a Dell subsidiary from 2012 to 2016, produces a variety of Internet equipment aimed largely at content restriction and network security. These include network firewalls, unified threat management (UTM), virtual private networks (VPNs), and email anti-spam devices. 

SonicWall issued updates to North American and European instances of Hosted Email Security, the company's cloud email security service, on January 2nd. It also issued updates for its on-premises Email Security Appliance (ES 10.0.15) for customers that use firewalls with the Anti-Spam Junk Store feature enabled (Junk Store 7.6.9). 

The server administration community has dubbed this bug "Y2K22" because of its resemblance to the infamous Y2K bug, a date-related flaw that was feared would cause numerous computer systems, and possibly the whole world economy, to crash at the turn of the century. FIP-FS is a malware-scanning engine built into Microsoft Exchange 2016 and 2019 servers. The engine uses a signature file that stores dates as signed 32-bit integers, and the largest value such an integer can hold is 2147483647.

Dates in 2021 were fine because they were stamped as 211231XXXX (for 31st December). From January 1st, 2022, however, the stamp became 2201010001, which is larger than the maximum value a 32-bit integer can hold. As a result, date/time validation in the server software failed, emails were not delivered, and messages piled up on servers.
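To show the arithmetic behind the failure, here is an added Python example (not code from Microsoft, SonicWall, or this blog) that builds the YYMMDDNNNN stamp the article describes, checks whether it fits a signed 32-bit field, and finds the first year whose 1 January stamp overflows. The encoding function, the sequence-number width, and the 64-bit alternative shown at the end are assumptions based only on the description above.

```python
import struct

INT32_MAX = 2**31 - 1  # 2147483647, the largest signed 32-bit value
INT32_MIN = -2**31


def signature_version(year, month, day, sequence=1):
    """Encode a date the way the article describes the FIP-FS signature file
    doing it (assumed layout): YYMMDD followed by a four-digit sequence number,
    so 31 Dec 2021 -> 2112310001 and 1 Jan 2022 -> 2201010001."""
    return int(f"{year % 100:02d}{month:02d}{day:02d}{sequence:04d}")


def fits_int32(value):
    """True if the value can be held in a signed 32-bit integer."""
    return INT32_MIN <= value <= INT32_MAX


def pack_int32_fails(value):
    """Try to store the value in a signed 32-bit field (big-endian here);
    struct raises when the value does not fit, which is the Y2K22 failure."""
    try:
        struct.pack(">i", value)
        return False
    except struct.error:
        return True


def first_failing_year(start_year=2000, end_year=2100):
    """Scan 1 January of each year and return the first whose stamp overflows
    a signed 32-bit field."""
    for year in range(start_year, end_year + 1):
        if not fits_int32(signature_version(year, 1, 1)):
            return year
    return None


def pack_int64(value):
    """A wider field (the obvious long-term fix, assumed here) holds the same
    stamp with room to spare."""
    return struct.pack(">q", value)


if __name__ == "__main__":
    for y, m, d in [(2021, 12, 31), (2022, 1, 1)]:
        v = signature_version(y, m, d)
        print(f"{y}-{m:02d}-{d:02d} -> {v}  fits int32: {fits_int32(v)}")
    print("first year that overflows:", first_failing_year())  # 2022
```

Because the two most significant digits of the stamp are the year, every 2022 value begins with 22 and exceeds 2147483647; the encoding, not any particular date, guarantees the failure the moment the year rolls over.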

Although SonicWall has not explained what is causing the Y2K22 bug in its devices, it is not the only company affected by this problem. Beginning on January 1st, Honda and Acura owners reported that their in-car navigation system clocks had automatically been set back 20 years, to January 1st, 2002. According to reports, the Y2K22 bug affects nearly all older vehicle models, including the Honda Pilot, Odyssey, CRV, and Ridgeline, and the Acura MDX, RDX, CSX, and TL.

Attackers use ProxyLogon and ProxyShell Flaws to Hijack Email Threads

Threat actors are exploiting ProxyLogon and ProxyShell vulnerabilities in unpatched Microsoft Exchange servers as part of an ongoing spam campaign that uses stolen email chains to bypass security protections and implant malware on vulnerable systems. Trend Micro's findings come from an investigation into a series of intrusions in the Middle East that resulted in the delivery of a previously unseen loader known as SQUIRRELWAFFLE. The attacks, first publicly disclosed by Cisco Talos in mid-September 2021, are believed to have started with laced Microsoft Office documents.

"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities," researchers Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar said in a report published last week. "To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits." 

According to Trend Micro, public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) were used on three of the Exchange servers that were compromised in separate intrusions, with the access being used to hijack legitimate email threads and send malicious spam messages as replies, increasing the likelihood that unsuspecting recipients will open the emails. 

The attack chain consists of rogue email messages containing a link that, when opened, drops a Microsoft Excel or Word file. When the recipient opens the document, they are prompted to enable macros, which leads to the download and execution of the SQUIRRELWAFFLE malware loader, which in turn serves as a conduit for final-stage payloads such as Cobalt Strike and Qbot.

Trend Micro's claim that SquirrelWaffle is acting as a malware dropper for Qbot or other malware was disputed by Cryptolaemus researcher TheAnalyst. According to TheAnalyst on Friday, the threat actor is instead delivering SquirrelWaffle and Qbot as separate payloads, with the most recent confirmed SquirrelWaffle drop occurring on Oct. 26.

The actor is tracked as TA577 by Proofpoint and as ChaserLdr by Cryptolaemus, with tr01/TR as its QakBot affiliate ID, according to TheAnalyst, and the activity dates back to at least 2020. TheAnalyst says the actors are easy to follow, making only minor adjustments to their tactics, techniques, and procedures (TTPs). One of tr01's favourite TTPs is including links to malicious documents in stolen reply chains. They stated the threat actor is notorious for delivering "a variety of malware," including QakBot, Gozi, IcedID, Cobalt Strike, and possibly more.

Iranian Hackers are Exploiting Microsoft and Fortinet Flaws

On Wednesday, Australia, the United Kingdom, and the United States issued a joint advisory on the active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored hackers. The four vulnerabilities administrators were urged to fix immediately are CVE-2021-34473, CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379.

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware," a joint release stated. "Australian Cyber Security Centre (ACSC) is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia."

Rather than targeting a specific industry, the authorities said, the attackers focused on exploiting vulnerabilities wherever they could find them and then attempted to turn that initial access into data exfiltration, a ransomware attack, or extortion.

To maintain access, the attackers would use the Fortinet and Exchange vulnerabilities to add tasks to the Windows Task Scheduler and create new accounts on domain controllers and other systems, named to resemble existing accounts. The next step was to enable BitLocker, leave a ransom note, and exfiltrate files via FTP.

In May 2021, CISA and the FBI observed the adversary abusing a Fortigate appliance to gain a foothold on a web server hosting the domain of a US municipal government, in addition to exploiting the ProxyShell vulnerability to access vulnerable networks. The APT attackers "exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children," according to the advisory.

This is the second time the US government has warned about advanced persistent threat groups targeting Fortinet FortiOS by exploiting CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to attack government and commercial systems.

In April, the FBI and CISA warned that Fortinet vulnerabilities were being routinely exploited, and in July the full quartet of authorities listed Fortinet flaws among the top 30 exploited vulnerabilities. Separately, Microsoft warned on Wednesday about six Iranian groups that were exploiting vulnerabilities in the same products to deploy ransomware.

As mitigations, the agencies recommend that organisations immediately patch software affected by these vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as soon as updates are released.

Latest Microsoft Exchange Server Feature Mitigates High-Risk Bugs

Microsoft Exchange is one of the most prominent targets for hackers, and the attack vector typically involves a well-known vulnerability that the organisation has not yet patched. A new feature from Microsoft aims to provide urgent protection after several attacks over the last year used zero-days against on-premises Microsoft Exchange servers.

Microsoft has added a new Exchange Server capability that automatically applies interim mitigations to protect on-premises systems against incoming attacks on high-risk (and likely actively exploited) security vulnerabilities, giving administrators time to deploy security updates.

This update follows a series of zero-day vulnerabilities in Microsoft Exchange that state-sponsored hacking groups used to breach servers while no patch or mitigation guidance was available to administrators.

Built on the Exchange On-premises Mitigation Tool (EOMT), which Microsoft released in March to reduce the attack surface exposed by the ProxyLogon vulnerabilities, the new Exchange Server component is called the Microsoft Exchange Emergency Mitigation (EM) service. EM runs as a Windows service on Exchange Mailbox servers.

After the September 2021 (or later) CU is installed on Exchange Server 2016 or Exchange Server 2019, the service is installed automatically on servers with the Mailbox role. It detects Exchange servers susceptible to one or more known threats and applies provisional mitigations until administrators can install the security updates.

Mitigations deployed automatically by the EM service are temporary, lasting until the security update that resolves the issue can be installed, and they do not replace Exchange SUs.

"This new service is not a replacement for installing Exchange Server Security Updates (SUs), but it is the fastest and easiest way to mitigate the highest risks to Internet-connected, on-premises Exchange servers before installing applicable SUs," the Exchange Team explained. 

EM is a variant of EOMT built into Exchange Server; it downloads mitigations for high-risk issues from the cloud-based Office Config Service (OCS) and applies them. Admins who do not want Microsoft to apply mitigations to their Exchange servers automatically can disable the EM service. They can also manage applied mitigations via PowerShell cmdlets or scripts that allow mitigations to be viewed, reapplied, blocked, or removed.

"Our plan is to release mitigations only for the most severe security issues, such as issues that are being actively exploited in the wild," the Exchange Team added. "Because applying mitigations may reduce server functionality, we plan on releasing mitigations only when the highest impact or severity issues are found."

Spoofed Zix Encrypted Email is Used in Credential Spear-Phishing

Hackers have used a credential phishing attack to steal data from Office 365, Google Workspace, and Microsoft Exchange by spoofing an encrypted-mail notification from Zix. According to Armorblox security researchers, the attack reached around 75,000 users, with small groups of staff across departments being targeted in each customer environment.

The hackers used social engineering, brand impersonation, replication of existing workflows, drive-by downloads, and legitimate domains to obtain data. Victims were sent "Secure Zix message" emails. The body of the email contained a header that repeated the subject line and claimed the victim had received a secure message from Zix, a security technology company that provides email encryption and data loss prevention services.

The victim is invited to view the secure message by clicking the "Message" button in the email. While the phoney email is not an exact copy, it is similar enough on the surface to fool unwary victims. According to the researchers, clicking the "Message" link causes an HTML file named "securemessage" to be downloaded to the victim's PC. The file could not be opened in a virtual machine (VM) because the download redirect did not appear within the VM.

Using valid (albeit unrelated) domains to send emails, according to Armorblox researcher Abhishek Iyer, is “more about tricking security measures (i.e. evading authentication checks) than it is about tricking recipients, especially if the domains are not forged to appear like the real thing.”

For example, last year Armorblox discovered a Verizon credential phishing campaign hosted on the website of a Wiccan coven. Another example is an Amazon credential phishing email sent from the domain of Blomma Flicka Flowers, a small floral design firm in Vermont. Under the pretext of Amazon delivery notices, the campaign aimed to steal passwords and other personal information.

“Whether these domains are used to send the email or host the phishing page, the attackers’ intent is to evade security controls based on URL/link protection and get past filters that block known bad domains,” Iyer said via email.

"To host phishing pages on legitimate domains, attackers usually exploit vulnerabilities in the web server or the Content Management Systems (CMS) to host the pages without the website admins knowing about it," he continued.
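Iyer's point, that mail from a real domain passes authentication checks, suggests triaging on what a message claims to be rather than on who delivered it. The Python below is an added example, not code from Armorblox or the original post. It parses a raw message, reduces the Authentication-Results header to a per-method result, and flags a message whose display name or subject names a brand that neither the sending domain nor the embedded links belong to; a passing SPF/DKIM/DMARC result is then recorded as evidence that the domain is real rather than forged. The two messages, every domain in them and the brand allowlist are constructed placeholders.

```python
"""Triage heuristic for brand-impersonation phishing sent from real domains.

Added example; not code from Armorblox or the original post. The two messages
below are constructed samples, every domain uses the reserved .example TLD, and
BRAND_SENDERS holds placeholder values an operator would replace.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Brand keyword -> domains that brand legitimately sends from and links to.
# Placeholder values (assumption): fill from the vendor's own documentation.
BRAND_SENDERS = {
    "zix": {"zixcorp.example"},
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


def parse_auth_results(header):
    """Reduce an Authentication-Results header to {method: result}."""
    return {m.lower(): r.lower() for m, r in AUTH_RE.findall(header or "")}


def body_text(msg):
    """Concatenate every leaf MIME part of the message as text."""
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in leaves)


def in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_message):
    """Return a verdict plus the evidence behind it for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    # The brand the mail *claims* to come from: display name and subject, not the address.
    claimed = (display_name + " " + msg.get("Subject", "")).lower()
    brand = next((b for b in BRAND_SENDERS if b in claimed), None)
    link_hosts = sorted({h.lower() for h in URL_HOST_RE.findall(body_text(msg))})

    reasons = []
    if brand:
        allowed = BRAND_SENDERS[brand]
        if not in_domains(sender_domain, allowed):
            reasons.append(f"claims to be from {brand} but was sent by {sender_domain}")
        off_brand = [h for h in link_hosts if not in_domains(h, allowed)]
        if off_brand:
            reasons.append(f"{brand} notification links to {', '.join(off_brand)}")
        authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
        if reasons and authenticated:
            # The sending domain is real, so SPF/DKIM/DMARC say nothing about intent.
            reasons.append("SPF, DKIM and DMARC all pass: a legitimate domain was used, "
                           "so authentication checks alone would not have blocked it")
    return {
        "verdict": "suspicious" if reasons else "clean",
        "brand": brand,
        "sender_domain": sender_domain,
        "auth": auth,
        "link_hosts": link_hosts,
        "reasons": reasons,
    }


# Constructed sample: the "Secure Zix message" lure sent from an unrelated but real domain.
SUSPECT_MESSAGE = """\
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=notices@florist-shop.example;
 dkim=pass header.d=florist-shop.example;
 dmarc=pass header.from=florist-shop.example
From: "Secure Zix Message" <notices@florist-shop.example>
To: staff@victim.example
Subject: Secure Zix message
Content-Type: text/html

<html><body><p>You have received a secure message from Zix.</p>
<a href="https://securemessage.cdn-host.example/securemessage">Message</a></body></html>
"""

# Constructed sample: a genuine-looking notification from the brand's own domain.
CLEAN_MESSAGE = """\
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=noreply@zixcorp.example;
 dkim=pass header.d=zixcorp.example;
 dmarc=pass header.from=zixcorp.example
From: "Zix Notification" <noreply@zixcorp.example>
To: staff@victim.example
Subject: Secure Zix message
Content-Type: text/html

<html><body><a href="https://web.zixcorp.example/s/abc123">Message</a></body></html>
"""

if __name__ == "__main__":
    for raw in (SUSPECT_MESSAGE, CLEAN_MESSAGE):
        result = triage(raw)
        print(result["verdict"], result["sender_domain"], *result["reasons"], sep="\n  ")
```

The check is deliberately independent of URL reputation: a page hosted on a hijacked CMS or a mail relayed through an unrelated florist's server has no bad history to match, but the mismatch between the brand a message claims and the domains it actually uses is visible on the first occurrence.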

With ProxyShell Exploits, Conti Ransomware is Now Targeting Exchange Servers


The Conti ransomware group is breaking into Microsoft Exchange servers and compromising corporate networks using exploits for the recently disclosed ProxyShell vulnerabilities. ProxyShell is the name given to an attack that chains three Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) to achieve unauthenticated remote code execution on servers that have not been patched. 

The attacks move at breakneck speed. In one case a second web shell was installed minutes after the first. Within 30 minutes the Conti attackers had compiled a complete list of the network's computers, domain controllers and domain administrators, and four hours in, having obtained the credentials of domain administrator accounts, they began executing commands. 

Within 48 hours of gaining access the attackers had exfiltrated around 1 terabyte of data. Within five days Conti ransomware had been deployed to every system on the network, specifically targeting individual network shares on each machine. 

The Conti affiliates also installed no fewer than seven backdoors on the network during the attack: two web shells, Cobalt Strike and four commercial remote access programs, AnyDesk, Atera, Splashtop and Remote Utilities. The web shells provided the initial access, with Cobalt Strike and AnyDesk serving as the primary tools for the rest of the attack. 
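The sequence above (exploit requests against the Exchange front end, a web shell within a minute, a second shell minutes later) leaves traces in the IIS logs of that front end. The Python below is an added example, not code from Sophos or the original post. It parses W3C-format IIS log lines, flags the commonly reported ProxyShell request shapes (an autodiscover.json request whose query begins with an "@" explicit-logon marker, and a request for the PowerShell backend carrying an X-Rps-CAT token) and reports the first sighting of any unknown .aspx file in directories where dropped shells have been found, then measures the gap between the first two shells. The log excerpt is constructed, and the shell directories and the allowlist are an assumed, partial list to extend for your own deployment.

```python
"""Hunt Exchange front-end IIS logs for ProxyShell requests and dropped web shells.

Added example; not code from Sophos or the original post. SAMPLE_LOG is a
constructed W3C-format excerpt. The request patterns are the commonly reported
ProxyShell shapes, and SHELL_DIRS / KNOWN_GOOD are assumed, partial lists.
"""
from datetime import datetime
from typing import NamedTuple

# Directories under the Exchange web root where dropped .aspx shells have commonly
# been reported (assumption: partial list, extend for your deployment).
SHELL_DIRS = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")
# Legitimate .aspx pages that live in those directories (assumption: partial allowlist).
KNOWN_GOOD = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx", "/owa/auth/errorfe.aspx"}


class Finding(NamedTuple):
    when: datetime
    source: str
    kind: str
    detail: str


def parse_w3c(log_text):
    """Yield one dict per data line, taking column names from the #Fields: directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):  # IIS writes '+' for spaces, so a plain split is safe
            yield dict(zip(fields, parts))


def hunt(log_text):
    """Return (findings, first_seen); first_seen maps suspected shell paths to their first hit."""
    findings = []
    first_seen = {}
    for rec in parse_w3c(log_text):
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        stem, query, src = rec["cs-uri-stem"].lower(), rec["cs-uri-query"].lower(), rec["c-ip"]
        # CVE-2021-34473 path confusion: autodiscover.json with an '@' explicit-logon marker
        if stem.endswith("/autodiscover/autodiscover.json") and (
                query.startswith("@") or "autodiscover.json%3f@" in query):
            findings.append(Finding(when, src, "proxyshell-path-confusion", f"{stem}?{query}"))
        # Forged PowerShell access token smuggled in the X-Rps-CAT parameter
        if "x-rps-cat=" in query and "/powershell" in stem + query:
            findings.append(Finding(when, src, "proxyshell-powershell-token", f"{stem}?{query}"))
        # First sighting of an unknown .aspx inside a shell-drop directory
        if (stem.endswith(".aspx") and stem.startswith(SHELL_DIRS)
                and stem not in KNOWN_GOOD and stem not in first_seen):
            first_seen[stem] = when
            findings.append(Finding(when, src, "possible-webshell",
                                    f"{rec['cs-method']} {stem} -> HTTP {rec['sc-status']}"))
    return findings, first_seen


def seconds_between_shells(first_seen):
    """Seconds from the first suspected shell to the second, or None if fewer than two."""
    times = sorted(first_seen.values())
    return int((times[1] - times[0]).total_seconds()) if len(times) >= 2 else None


# Constructed excerpt: two exploit requests, a first shell and its use, a second shell, then normal traffic.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-20 03:14:05 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 312
2021-08-20 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 845
2021-08-20 03:14:40 10.0.0.5 POST /aspnet_client/shell1.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 27
2021-08-20 03:15:02 10.0.0.5 POST /aspnet_client/shell1.aspx cmd=whoami 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
2021-08-20 03:19:02 10.0.0.5 POST /owa/auth/help.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2021-08-20 03:20:15 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.corp.example/owa/ 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2021-08-20 03:21:00 10.0.0.5 POST /mapi/emsmdb/ MailboxId=0d1e2f 443 CORP\alice 198.51.100.21 MSOffice/16.0 - 200 0 0 40
"""

if __name__ == "__main__":
    found, shells = hunt(SAMPLE_LOG)
    for f in found:
        print(f.when, f.source, f.kind, f.detail)
    print("seconds between first two shells:", seconds_between_shells(shells))
```

Run it against the front-end logs under the Exchange logging directory rather than the sample; the point of the timing helper is that a shell appearing minutes after the exploit request, followed by a second one shortly after, is the window in which containment still matters, since in the case described the attackers had domain admin within hours.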

“We want to highlight the speed at which the attack took place,” said Peter Mackenzie, manager of incident response at Sophos. “Contrary to the typical attacker dwell time of months or weeks before they drop ransomware, in this case, the Conti attackers gained access to the target’s network and set up a remote web shell in under one minute.” 

Microsoft patched the ProxyShell vulnerabilities earlier this year, but, as is often the case with software updates, not every organisation applied them. The best protection against these attacks, according to Tom Burt, Microsoft's corporate vice president of customer security and trust, is to apply the updates. Exchange has been under sustained pressure all year: in March Microsoft warned that Chinese state-sponsored attackers were exploiting the earlier ProxyLogon flaws, and in April the US Federal Bureau of Investigation took the unusual, court-authorised step of removing web shells from Exchange servers compromised through those flaws. 

The Conti ransomware group has been active since 2020, and it has been linked to a number of attacks, including one in May that targeted Ireland's health system. Industrial computer firm Advantech Co. Ltd. was a victim of Conti in November, as was VOIP hardware and software supplier Sangoma Technologies Corp. in December, and hospitals in Florida and Texas in February. 

Microsoft Exchange Bug Report Allowed Attackers to take Advantage of the Situation


Threat actors start scanning the public internet for newly disclosed vulnerabilities faster than most organisations can work out which of their own systems are affected. 

Once a critical vulnerability is published, attacker activity ramps up sharply, with fresh scans appearing on the web within minutes of the disclosure. 

In their search for new victims, attackers are tirelessly racing to find poorly patched systems before the defenders do. 

Researchers observed cybercriminals scanning the internet for vulnerable Exchange servers within five minutes of Microsoft's security advisory going public. According to Palo Alto Networks' 2021 Cortex Xpanse Attack Surface Threat Report, released on Wednesday and based on threat data collected from companies between January and March of this year, attackers were quick off the mark to scan for servers to exploit. 

Whenever a critical vulnerability in widely used software becomes public, a race begins between attackers and IT administrators: the attackers race to find the right targets, especially when proof-of-concept (PoC) code exists or the bug is trivial to exploit, while IT staff must carry out a risk analysis and roll out the required patches. 

The report states that for zero-day vulnerabilities in particular, attackers begin scanning within 15 minutes of public disclosure. 

In the case of Microsoft Exchange, however, Palo Alto researchers said attackers "worked faster": scans were seen within five minutes. 

On 2 March Microsoft disclosed four zero-day vulnerabilities in Exchange Server. The Chinese advanced persistent threat (APT) group Hafnium and other APTs, including LuckyMouse, Tick and the Winnti Group, immediately went after the four flaws, which affected on-premises Exchange Server 2013, 2016 and 2019. 

The advisory was followed by a flood of attacks that was still continuing three weeks later. At that point researchers at F-Secure said vulnerable servers were "being hacked faster than we can count." 

"Computing has become so inexpensive that a would-be attacker need only spend about $10 to rent cloud computing power to do an imprecise scan of the entire internet for vulnerable systems," the report says. "We know from the surge in successful attacks that adversaries are regularly winning races to patch new vulnerabilities." 

The report also highlights a far more common source of exposure in corporate networks: the Remote Desktop Protocol (RDP), which accounted for 32 percent of the security issues found. RDP has been a particularly troublesome area over the past year as many businesses moved to the cloud quickly to let their staff work remotely. 

“Asset discovery typically occurs only once a quarter and uses a mosaic of scripts and programs that testers have created to find some of the potentially vulnerable infrastructures. However, their methods are seldom comprehensive and often fail to find the entire vulnerable infrastructure of a given organization. ”- Palo Alto Networks.
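Winning the race the report describes depends on knowing, continuously rather than once a quarter, which of your exposed Exchange servers are behind on updates. The Python below is an added example, not code from Palo Alto Networks or the original post. It extracts the server build that an OWA logon page leaks through the paths of its static resources and compares it with a baseline of minimum patched builds, comparing only the revision within a cumulative update (CU) line because each CU line gets its own patched revision. The HTML snippets are constructed stand-ins for fetched logon pages, and the baseline holds the builds that carried the March 2021 security update as example values; verify them against Microsoft's published Exchange build table before relying on them.

```python
"""Check the Exchange build exposed by OWA logon pages against a patch baseline.

Added example; not code from Palo Alto Networks or the original post. The HTML
snippets are constructed copies of what an OWA logon page reveals (resource paths
embed the server build). PATCHED_BASELINE lists the minimum builds carrying the
March 2021 Exchange security update as example values (assumption); verify them
against Microsoft's published build table before relying on them.
"""
import re

# OWA logon pages reference static resources under /owa/auth/<build>/...
BUILD_RE = re.compile(r"/owa/auth/(\d+\.\d+\.\d+\.\d+)/")

# (major, minor, CU build) -> minimum patched revision. Example values (assumption).
PATCHED_BASELINE = {
    (15, 2, 721): 13,   # Exchange 2019 CU8
    (15, 2, 659): 12,   # Exchange 2019 CU7
    (15, 1, 2176): 9,   # Exchange 2016 CU19
    (15, 1, 2106): 13,  # Exchange 2016 CU18
    (15, 0, 1497): 12,  # Exchange 2013 CU23
}


def extract_owa_build(html):
    """Return the build as a 4-tuple of ints, or None if the page does not look like OWA."""
    m = BUILD_RE.search(html)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def assess(build):
    """Classify a build against the baseline. Only the revision is compared within a CU,
    because each cumulative update line has its own patched revision."""
    if build is None:
        return "unknown"
    major, minor, cu, revision = build
    needed = PATCHED_BASELINE.get((major, minor, cu))
    if needed is None:
        # No patched revision known for this CU line: treat as vulnerable until confirmed.
        return "not-in-baseline"
    return "patched" if revision >= needed else "vulnerable"


def triage_hosts(pages):
    """pages: {hostname: logon-page HTML}. Returns {hostname: (build string or None, status)}."""
    inventory = {}
    for host, html in pages.items():
        build = extract_owa_build(html)
        label = ".".join(map(str, build)) if build else None
        inventory[host] = (label, assess(build))
    return inventory


def _logon_page(build):
    """Constructed stand-in for a fetched /owa/auth/logon.aspx page."""
    return (f'<link rel="shortcut icon" href="/owa/auth/{build}/themes/resources/favicon.ico">'
            f'<script src="/owa/auth/{build}/scripts/premium/flogon.js"></script>')


# Constructed inventory: hostnames use the reserved .example TLD.
PAGES = {
    "mail-a.example": _logon_page("15.2.721.13"),
    "mail-b.example": _logon_page("15.2.721.2"),
    "mail-c.example": _logon_page("15.1.2044.4"),
    "mail-d.example": "<html><body>Welcome to the intranet portal</body></html>",
}

if __name__ == "__main__":
    for host, (build, status) in sorted(triage_hosts(PAGES).items(), key=lambda kv: kv[1][1]):
        print(f"{host:20} {build or '-':14} {status}")
```

In practice the page dictionary would be filled by fetching `/owa/auth/logon.aspx` from each externally reachable host you own, on a schedule measured in hours; anything that lands in "vulnerable" or "not-in-baseline" is exactly the target the report says attackers are scanning for within minutes.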

32 Indian Organisations Attacked by Hackers via Microsoft Exchange Server


A new study published on Monday 8 March warned that financial and banking institutions in India have been the preferred targets of cyberattacks exploiting unpatched Microsoft Exchange business email servers; at least 32 Indian organisations were attacked. 
According to Check Point Research, finance and banking (28 percent) lead the list of attacked sectors, followed by government/military (16 percent), manufacturing (12.5 percent) and insurance/legal (9.5 percent). Overall, exploitation attempts against organisations running unpatched on-premises servers multiplied several times over within a matter of days. 

The most attacked country by far was the US (21 percent of all exploit attempts), followed by the Netherlands (12 percent), Turkey (12 percent) and India. By sector, government/military was most targeted (27 percent of all attempts), followed by manufacturing (22 percent) and software vendors (9 percent), the researchers noted. 

"A full race has started among hackers and security professionals. Global experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code execution vulnerabilities in Microsoft Exchange," said the researchers from the cybersecurity firm. 

Amid reports that some five separate hacking groups are targeting Microsoft's business email servers, the tech giant has also found a new ransomware family. Named "DearCry", the ransomware is "used after an initial compromise of unpatched on-premises Exchange servers," Microsoft said in a tweet last week. The vulnerabilities are the same ones Microsoft has linked to Hafnium, a recently identified hacking group it assesses to be sponsored by the Chinese state. 

Microsoft released patches for Exchange Server, the world's most widely used email server, on 3 March. An Exchange server handles incoming and outgoing email, calendar invites and nearly everything else available within Outlook. 

In January, Orange Tsai of DEVCORE, a security company based in Taiwan, identified two vulnerabilities and reported them to Microsoft. Not yet aware of the full extent of the problem, Microsoft was prompted to examine its Exchange server more closely, and further research turned up five more significant vulnerabilities. These flaws let an attacker read messages from an Exchange server without authenticating or having access to an email account, and chaining them allows an attacker to take over the mail server completely. 

"If your organization's Microsoft Exchange server is exposed to the internet, and if it has not been updated with the latest patches, nor protected by a third-party software, then you should assume the server is completely compromised," warned Lotem Finkelsteen, Manager of Threat Intelligence, Check Point Software.

Norway Parliament, Storting, Hit by a Microsoft Exchange Cyber Attack


For the second time in about six months, Norway's parliament has been hacked. On Wednesday 10 March government officials acknowledged that attackers had infiltrated the Norwegian Parliament's information systems and extracted data, just six months after a previous cyber-attack.

Officials also said the attackers, who appear to have exploited the software used to handle MPs' email, stole an undisclosed amount of data. The intrusion is believed to be part of a global campaign against the widely used Microsoft Exchange email system, thought to have hit some 250,000 targets, including health researchers, US defence allies and European banking regulators. 

Last week Microsoft released out-of-band security patches for Exchange to fix the zero-day vulnerabilities, known as ProxyLogon, that were being used in the attacks. The attacks were initially attributed to HAFNIUM, a state-sponsored hacking group operating out of China, which used the vulnerabilities to break into servers, install backdoor web shells and move into internal corporate networks.

Parliament President Tone Wilhelmsen Troen said at a press conference that the current attack was much more serious than last year's. “This is an attack on our democracy,” she said. “The severity is underscored by the fact that this is happening in the run-up to a parliamentary election and as parliament is handling a pandemic.” 

"The Storting does not yet know the full extent of the attack. A number of measures have been implemented in our systems, and the analysis work is ongoing. The Storting has received confirmation that data has been extracted," the Storting disclosed in a statement. 

The Norwegian government has estimated that at least 269 servers, belonging to local authorities, a university and the Parliament (the Storting), have been exposed. The Storting, which has reported the incident to the police, said the source has not been determined and that there is so far no evidence linking this attack to the previous one, which Norway's intelligence service attributed to Russia.

For now the Storting has said only that the threat actors stole data and that the investigation into the attack is continuing. The situation remains uncertain and the full extent of the damage is not yet known. 

Beyond Hafnium, other groups identified as Tick, LuckyMouse and Calypso exploited the zero-day vulnerabilities before patches were issued, according to a recent report by cybersecurity firm ESET, which also found that many more hacking groups jumped on the Microsoft Exchange frenzy to compromise systems before they could be patched.