Showing posts with label Microsoft Exchange.

A New Era is Emerging in Cybersecurity, but Only the Best Algorithms will Survive

 

The industry recognised that basic signature fingerprinting could not keep up with the rate of these developments, and the requirement to be everywhere, at all times, drove the adoption of AI to deal with the scale and complexity of modern enterprise security. 

Since then, the AI defence market has become crowded with vendors promising data analytics, looking for "fuzzy matches" (close matches to previously encountered threats) and eventually using machine learning to detect similar attacks. While this is an advance over basic signatures, using AI in this manner does not change the fact that it is still reactive. It may be capable of recognising attacks that closely resemble previous incidents, but it cannot detect new attack infrastructure and techniques that the system has never seen before.

Whatever you call it, this approach is still fed the same historical attack data, and it depends on there being a "patient zero", a first victim, before it can succeed. Training an AI on observed data in this way is supervised machine learning (ML), sometimes described as "pretraining". The method does have some clever applications in cybersecurity. In threat investigation, for example, supervised ML has been used to learn and mimic how a human analyst works (asking questions, forming and revising hypotheses, and reaching conclusions) and can now carry out these investigations autonomously at speed and scale.

But what about tracking down the first traces of an attack? What about detecting the first indication that something is wrong?

The issue with using supervised ML in this area is that it is only as good as its historical training set; it has nothing to say about what is new. As a result, the model must be constantly updated, and each update must be distributed to every customer. The approach also requires sending the customer's data to a centralised data lake in the cloud to be processed and analysed. By the time an organisation becomes aware of a threat, it is frequently too late.

As a result, organisations suffer from a lack of tailored protection, a high number of false positives, and missed detections because this approach overlooks one critical factor: the context of the specific organisation it is tasked with protecting.

However, there is still hope for defenders in the war of algorithms. Today, thousands of organisations utilise a different application of AI in cyber defence, taking a fundamentally different approach to defending against the entire attack spectrum — including indiscriminate and known attacks, as well as targeted and unknown attacks.

Unsupervised machine learning involves the AI learning the organisation rather than being trained on what an attack looks like. In this scenario, the AI learns its surroundings from the inside out, down to the smallest digital details, understanding "normal" for the specific environment in which it is deployed in order to identify what is not normal.

This is AI that comprehends "you" in order to identify your adversary. It was once thought to be radical, but it now protects over 8,000 organisations worldwide by detecting, responding to, and even avoiding the most sophisticated cyberattacks.

Consider last year's widespread Hafnium attacks on Microsoft Exchange Servers. Darktrace's unsupervised ML identified and disrupted a series of new, unattributed campaigns in real time across many of its customer environments, with no prior threat intelligence associated with these attacks. Other organisations, by contrast, were caught off guard and remained exposed until Microsoft disclosed the attacks some months later.

This is where unsupervised ML excels: autonomously detecting, investigating, and responding to advanced and previously unseen threats based on a unique understanding of the organisation in question. Darktrace's AI research centre in Cambridge, UK, tested this technology against offensive AI prototypes. These prototypes, like ChatGPT, can create hyper-realistic, contextualised phishing emails and even pick a suitable sender to spoof before sending them.

The conclusions are clear: as attackers begin to weaponize AI for nefarious reasons, security teams will require AI to combat AI. Unsupervised machine learning will be critical because it learns on the fly, constructing a complex, evolving understanding of every user and device across the organisation. With this bird's-eye view of the digital business, unsupervised AI that recognises "you" will detect offensive AI as soon as it begins to manipulate data and will take appropriate action.

Offensive AI may be exploited for its speed, but defensive AI will also contribute to the arms race. In the war of algorithms, the right approach to ML could mean the difference between a strong security posture and disaster.

GitHub: Repositories Selling Fake Microsoft Exchange Exploits

 

Researchers have detected threat actors impersonating security researchers and selling fake proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities. 

GTSC, a Vietnamese cybersecurity firm, confirmed last week that its customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange. 

On being notified of the vulnerabilities, Microsoft confirmed that the bugs were being exploited in attacks and that it is working on an accelerated timeline to release security updates.  

“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization," Microsoft states in an analysis.  

Shortly after Microsoft and GTSC disclosed the flaws, scammers began creating GitHub repositories claiming to offer exploits for them. 

Microsoft is tracking the flaws as CVE-2022-41040 and CVE-2022-41082, describing the first as a Server-Side Request Forgery (SSRF) bug and the second as allowing remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft also noted that authenticated access to the vulnerable Exchange Server is required to exploit either flaw. 

In one such instance, a threat actor impersonated the well-known security researcher Kevin Beaumont (aka GossiTheDog), who has been documenting the newly discovered Exchange flaws and the available mitigations.  

The fraudulent repositories contained nothing of substance: the README.md restates what is already publicly known about the vulnerabilities, followed by a pitch offering to sell one copy of a PoC exploit for the zero-days. 

The README file contains a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin (about $364 at the time). 

Since the security researchers involved are keeping the technical details of the exploit private, only a small number of threat actors appear to have a working exploit at the moment. 

Many other researchers and threat actors are therefore waiting for the technical details to become public before using them in their own work, whether that is defending a network or breaking into one. 

It is safe to assume that more threat actors are looking to take advantage of this situation. Genuine Microsoft Exchange Server zero-day exploits trade for hundreds of thousands of dollars, so nobody is selling a real one for a few hundred dollars: be wary of handing over any cash or cryptocurrency to anyone claiming to have an exploit. 

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three recently disclosed security flaws to its Known Exploited Vulnerabilities (KEV) catalog: a critical vulnerability in Atlassian's Bitbucket Server and Data Center, and the two Microsoft Exchange zero-days.

At the end of August, Atlassian fixed a security flaw tracked as CVE-2022-36804 (CVSS score 9.9) in Bitbucket Server and Data Center. The flaw is a critical command injection vulnerability: an attacker with access to a public repository, or with read permission on a private repository, can execute arbitrary code by sending a malicious HTTP request.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassian states in an advisory released in late August.

Although CISA did not provide details on how the flaw is being exploited or how widespread the exploitation is, researchers at GreyNoise confirmed on September 20 and 23 that they had detected evidence of in-the-wild exploitation.

The other two KEV additions, the Microsoft Exchange zero-days tracked as CVE-2022-41040 and CVE-2022-41082, have been exploited in limited, targeted attacks, according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

Federal Civilian Executive Branch (FCEB) agencies are required to apply patches or mitigations for these three vulnerabilities by the due date assigned when they were added to the KEV catalog, as mandated by Binding Operational Directive (BOD) 22-01 from November 2021.

Since the directive was issued, CISA has added more than 800 vulnerabilities to its KEV catalog, requiring federal agencies to remediate them on a tight schedule.

Although BOD 22-01 applies only to U.S. FCEB agencies, CISA strongly urges public and private sector organizations worldwide to prioritize these flaws, since applying the mitigations will help contain attacks and breach attempts. In the same advisory, CISA stated, "These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise."
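The KEV catalog is published as a JSON feed, so the BOD 22-01 clock can be checked mechanically. The script below is an added example (not CISA's or the page's code): it joins a scanner's per-host CVE list against a KEV export and reports what is past its due date. The catalog and inventory embedded in it are constructed samples that use the feed's real field names; the entries and dates are placeholders, so take authoritative due dates from the live catalog.

```python
"""Join an asset inventory against a CISA KEV export and flag items past their BOD 22-01 due date.

Added example; SAMPLE_KEV and SAMPLE_INVENTORY are constructed. The KEV field names
match the public feed, the entries and dates are illustrative placeholders.
"""
from __future__ import annotations

import json
from datetime import date

SAMPLE_KEV = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "dateReleased": "2022-10-03T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2022-36804", "vendorProject": "Atlassian",
     "product": "Bitbucket Server and Data Center",
     "vulnerabilityName": "Atlassian Bitbucket Server and Data Center Command Injection Vulnerability",
     "dateAdded": "2022-09-30", "shortDescription": "Command injection via malicious HTTP request.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-10-21", "notes": ""},
    {"cveID": "CVE-2022-41040", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Server-Side Request Forgery Vulnerability",
     "dateAdded": "2022-09-30", "shortDescription": "SSRF in Exchange Server.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-10-21", "notes": ""},
    {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
     "dateAdded": "2022-09-30", "shortDescription": "RCE in Exchange Server when PowerShell is reachable.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-10-21", "notes": ""}
  ]
}"""

# Constructed inventory in the shape a vulnerability scanner might export per host.
SAMPLE_INVENTORY = [
    {"host": "bitbucket01", "cves": ["CVE-2022-36804"]},
    {"host": "exch01", "cves": ["CVE-2022-41040", "CVE-2022-41082", "CVE-2021-44228"]},
    {"host": "web03", "cves": ["CVE-2021-44228"]},
]


def load_kev(raw: str) -> dict[str, dict]:
    """Index the catalog by CVE ID so each inventory lookup is a dictionary hit."""
    catalog = json.loads(raw)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage(kev: dict[str, dict], inventory: list[dict], today: date) -> list[dict]:
    """One finding per (host, CVE) pair present in the catalog, earliest due date first."""
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still patch it, but it is not under the BOD 22-01 clock
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"], "cve": cve, "product": entry["product"],
                "due": due, "days_left": (due - today).days, "overdue": today > due,
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["due"], f["host"], f["cve"]))
    return findings


def triage_on(raw_kev: str, inventory: list[dict], today_iso: str) -> list[dict]:
    """Convenience wrapper: catalog JSON text plus an ISO date string."""
    return triage(load_kev(raw_kev), inventory, date.fromisoformat(today_iso))


def overdue_hosts(findings: list[dict]) -> set[str]:
    return {f["host"] for f in findings if f["overdue"]}


if __name__ == "__main__":
    for f in triage(load_kev(SAMPLE_KEV), SAMPLE_INVENTORY, date.today()):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:<12} {f['cve']:<16} due {f['due']} ({state}): {f['action']}")
```

Swap SAMPLE_KEV for the text of the live feed and SAMPLE_INVENTORY for your scanner's output; CVEs absent from the catalog are deliberately skipped here, so keep them on the normal patch cycle rather than treating the KEV join as a full backlog.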

Zimbra Memcached Injection Bug Patched

Zimbra Collaboration Suite, an open-source alternative to email and collaboration platforms such as Microsoft Exchange, has patched a Memcached injection vulnerability discovered by SonarSource. The fix has been available since May 10, 2022 in ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is used by organizations, governments, and financial institutions throughout the world. 

Unauthenticated attackers could poison an unsuspecting victim's cache, according to Simon Scannell, a vulnerability researcher at the Swiss security firm Sonar. The vulnerability has been assigned CVE-2022-27924 (CVSS 7.5) and is described as a case of "Memcached poisoning with unauthorized access", which could allow an attacker to inject malicious commands and steal sensitive data. 

Because newline characters (\r\n) in untrusted user input were not escaped, an attacker could inject arbitrary Memcached commands into a targeted instance and overwrite cached entries. Memcached stores key/value pairs that are created and retrieved through a simple text-based protocol, which the server parses line by line. By sending a specially crafted HTTP request to a vulnerable Zimbra server, an attacker could overwrite the IMAP route entry for a known username. When that user next logs in, Zimbra's Nginx proxy forwards all IMAP traffic, including the credentials in plain text, to the attacker. 

The attack is easiest when the attacker knows the victim's email address and the victim uses an IMAP client. A second technique, "response smuggling", circumvents those constraints and steals the credentials of any user with no interaction from the victim and no prior knowledge of the Zimbra instance; it abuses the web-based Zimbra client instead. Cross-site scripting (XSS) and SQL injection issues caused by a lack of input escaping "are well known and documented for decades," as per Scannell, but "other injection vulnerabilities can occur that are less well known and can have a catastrophic consequence." 

As a result, Scannell advises developers to "be cautious of special characters that should be escaped when coping with technology where there is less documentation and research regarding potential vulnerabilities." The bug was discovered four months after Zimbra provided a hotfix for an XSS flaw that was exploited in a series of sophisticated spear-phishing campaigns attributed to an undisclosed Chinese threat group.
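The injection works because the Memcached text protocol is line oriented: a CRLF ends the current command and whatever follows is parsed as the next one. The example below is added here and is not Zimbra's or Sonar's code. It builds the route lookup the way a vulnerable client would, feeds the result to a toy line-by-line reader that models what a Memcached server would execute, and then shows the hardened builder that rejects the bytes Memcached forbids in keys (control characters and whitespace, and anything over 250 bytes). The key layout `route:proto=imap;user=<name>` is an illustrative assumption, not Zimbra's actual key format, and the attacker host 203.0.113.10 is a constructed TEST-NET address.

```python
"""CRLF injection into the Memcached text protocol, and the input check that stops it.

Added example. The "route:proto=imap;user=<name>" key layout is an illustrative
assumption, not Zimbra's real format; the attacker address is a constructed TEST-NET value.
"""
from __future__ import annotations

import re

# Memcached keys may not contain control characters or whitespace and are limited to 250 bytes.
_BAD_KEY_BYTES = re.compile(rb"[\x00-\x20\x7f]")
MAX_KEY_LEN = 250


def route_lookup_vulnerable(username: str) -> bytes:
    """Builds the 'get' for a user's IMAP route with no escaping: the bug class CVE-2022-27924 belongs to."""
    return f"get route:proto=imap;user={username}\r\n".encode("utf-8")


def route_lookup_hardened(username: str) -> bytes:
    """Same lookup, but refuses anything that could end the line or start a new command."""
    key = f"route:proto=imap;user={username}".encode("utf-8")
    if _BAD_KEY_BYTES.search(key):
        raise ValueError("memcached key contains control or whitespace bytes")
    if len(key) > MAX_KEY_LEN:
        raise ValueError("memcached key exceeds 250 bytes")
    return b"get " + key + b"\r\n"


def is_rejected(username: str) -> bool:
    """True if the hardened builder refuses the username."""
    try:
        route_lookup_hardened(username)
    except ValueError:
        return True
    return False


def parse_commands(stream: bytes) -> list[tuple]:
    """Toy reader for the Memcached text protocol: one command per CRLF-terminated line,
    where 'set <key> <flags> <exptime> <bytes>' is followed by a <bytes>-long data block
    and another CRLF. Returns the commands a server would execute for this byte stream."""
    cmds: list[tuple] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("unterminated command line")
        line = stream[pos:end]
        pos = end + 2
        if not line:
            continue
        parts = line.split(b" ")
        verb = parts[0]
        if verb == b"get":
            cmds.append(("get", parts[1:]))
        elif verb == b"set":
            key, nbytes = parts[1], int(parts[4])
            data = stream[pos:pos + nbytes]
            if stream[pos + nbytes:pos + nbytes + 2] != b"\r\n":
                raise ValueError("data block not terminated by CRLF")
            pos += nbytes + 2
            cmds.append(("set", key, data))
        else:
            cmds.append(("error", line))  # a real server answers ERROR and keeps reading
    return cmds


def apply_commands(cache: dict[bytes, bytes], cmds: list[tuple]) -> dict[bytes, bytes]:
    """Apply parsed commands to a dict standing in for the server's key/value store."""
    for cmd in cmds:
        if cmd[0] == "set":
            cache[cmd[1]] = cmd[2]
    return cache


# Constructed attacker-controlled username: the embedded CRLF ends the 'get' and the rest
# is parsed as a 'set' that repoints victim@example.com's IMAP route at the attacker's host.
ATTACKER_HOST = b"203.0.113.10:10143"
MALICIOUS_USERNAME = (
    "x\r\n"
    f"set route:proto=imap;user=victim@example.com 0 0 {len(ATTACKER_HOST)}\r\n"
    + ATTACKER_HOST.decode()
)


def demo() -> dict[bytes, bytes]:
    """Runs the poisoning against a cache that initially routes the victim to a real backend."""
    cache = {b"route:proto=imap;user=victim@example.com": b"10.0.0.21:7143"}
    stream = route_lookup_vulnerable(MALICIOUS_USERNAME)
    return apply_commands(cache, parse_commands(stream))


if __name__ == "__main__":
    for cmd in parse_commands(route_lookup_vulnerable(MALICIOUS_USERNAME)):
        print("server executes:", cmd)
    print("route after poisoning:", demo()[b"route:proto=imap;user=victim@example.com"])
    print("hardened builder rejects payload:", is_rejected(MALICIOUS_USERNAME))
```

The hardened builder deliberately rejects rather than strips: silently deleting `\r\n` from a username turns one user's lookup into another user's key, which is a different bug. Rejecting at the boundary with the cache is the right place regardless of how many HTTP layers sit in front of it.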

Phishing Attack Emerges as a Primary Threat Vector in X-Force Threat Intelligence Index 2022

 

IBM published its tenth X-Force Threat Intelligence Index last week, naming phishing as the primary threat vector of the past year, with manufacturing emerging as the most targeted sector. IBM security analysts saw a 33% rise in attacks caused by exploitation of unpatched vulnerabilities, the point of entry that attackers relied on more than any other in 2021 and the cause of 44% of ransomware attacks. 

The 2022 Threat Intelligence Index was compiled from billions of data points, ranging from network and endpoint detection devices, incident response engagements, phishing kits, and domain name tracking. Threat actors employed phishing in 41% of attacks, up from 33% in 2020. Notably, click rates for the average targeted phishing campaign nearly tripled, from 18% to 53%, when attackers also used phone phishing (vishing). 

The X-Force report highlights the record number of vulnerabilities disclosed in 2021, including the flaw in the Kaseya monitoring software that REvil exploited in July, and the Log4j (Log4Shell) vulnerability in Apache's popular logging library. Cybercriminals were so quick to exploit Log4j that it took the number two spot on the X-Force top 10 list of most exploited vulnerabilities in 2021, despite only being disclosed in December of that year. The top vulnerability was a flaw in Microsoft Exchange that allowed attackers to bypass authentication and impersonate an administrator. 

Additionally in the UK, nearly 80% of users received a malicious call or text last year. To counter the threat, regulator Ofcom published new guidelines this week which will require more proactive work from operators to root out the use of spoofed numbers. 

“X-Force observed actors leveraging multiple known vulnerabilities, such as CVE-2021-35464 (a Java deserialization vulnerability) and CVE-2019-19781 (a Citrix path traversal flaw), to gain initial access to networks of interest. In addition, we observed threat actors leverage zero-day vulnerabilities in major attacks like the Kaseya ransomware attack and Microsoft Exchange Server incidents to access victim networks and devices,” researchers explained. 

To mitigate the risks, researchers advised organizations to update their vulnerability management system, identify security loopholes, and prioritize vulnerabilities based on the likelihood they will be abused.

Cuba Ransomware Hacked Microsoft Exchange Servers

 

The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. Mandiant tracks the group as UNC2596 and the ransomware itself as COLDDRAW. 

Cuba is the name most commonly used for the ransomware. The operation began in late 2019 and, after a slow start, gained traction in 2020 and 2021. In December 2021, the FBI issued a Cuba ransomware advisory stating that the group had compromised 49 critical infrastructure organizations in the United States. According to Mandiant's new analysis, the Cuba operation predominantly targets the United States, followed by Canada. Since August 2021, the Cuba gang has been exploiting Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors and gain a foothold on the target network. 

"Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021," explains Mandiant in a new report. 

Cobalt Strike and the NetSupport Manager remote access tool are among the backdoors planted, although the group also uses its own 'Bughatch', 'Wedgecut', 'eck.exe' and 'Burntcigar' tools. 
  • Wedgecut comes in the form of an executable named “check.exe,” which is a reconnaissance tool that enumerates the Active Directory through PowerShell.
  • Bughatch is a downloader that fetches PowerShell scripts and files from the C&C server. To evade detection, it loads in memory from a remote URL.
  • Burntcigar is a utility that can terminate processes at the kernel level by exploiting a flaw in an Avast driver, which is included with the tool for a “bring your own vulnerable driver” attack.
Finally, Termite is a memory-only dropper that downloads and loads the payloads mentioned earlier. However, this tool has been seen in campaigns by a variety of threat groups, indicating that it is not exclusively utilised by Cuba threat actors. 

Threat actors use stolen account credentials obtained with the widely available Mimikatz and Wicker tools to elevate access. They then use Wedgecut to undertake network reconnaissance before using RDP, SMB, PsExec, and Cobalt Strike to move laterally. Bughatch is then loaded by Termite, followed by Burntcigar, which disables security tools and creates the foundation for data exfiltration and file encryption. For the exfiltration process, the Cuba gang does not use cloud services, instead transfers everything to its own private infrastructure. 

Changing Operations 

Cuba ransomware teamed up with the spammers behind the Hancitor malware in May 2021 to gain access to corporate networks via DocuSign phishing emails. Since then, Cuba's operations have shifted to focus on vulnerabilities in public-facing services, such as the Microsoft Exchange ProxyShell and ProxyLogon flaws. Because security updates for the exploited vulnerabilities have been available for months, this shift makes the attacks more effective against unpatched servers but also easier to prevent. 

Once there are no more valuable targets running unpatched Microsoft Exchange servers, the Cuba operation will likely shift its focus to other vulnerabilities. This means that adopting accessible security updates as soon as they are released by software providers is critical in maintaining a strong security posture against even the most sophisticated threat actors.

SonicWall's Email Security and Firewall Products Were Hit by the Y2K22 Bug

 

SonicWall acknowledged on January 7th that the Y2K22 bug had affected some of its Email Security and firewall solutions, causing message log updates and junk box failures beginning January 1st, 2022. According to the organization, email users and administrators on affected systems would no longer be able to access the junk box or un-junk newly received emails. They will also be unable to trace incoming/outgoing emails using the message logs because they will no longer be updated.

SonicWall, a private firm based in Silicon Valley that was a Dell subsidiary from 2012 to 2016, produces a variety of Internet equipment aimed largely at content restriction and network security. These include network firewalls, unified threat management (UTM), virtual private networks (VPNs), and email anti-spam devices. 

SonicWall issued updates to North American and European instances of Hosted Email Security, the company's cloud email security service, on January 2nd. It also issued updates for its on-premises Email Security Appliance (ES 10.0.15) for customers that use firewalls with the Anti-Spam Junk Store feature enabled (Junk Store 7.6.9). 

The server administration community has dubbed this bug "Y2K22" because of its resemblance to the infamous Y2K bug, a date-related flaw that was feared to crash numerous computer systems, and possibly the whole world economy, at the turn of the century. FIP-FS is the malware-scanning engine built into Microsoft Exchange 2016 and 2019 servers. This engine uses a signature file whose version number encodes the date and is stored as a signed 32-bit integer. The largest value such an integer can hold is 2,147,483,647. 

Every 2021 date fitted, because the version was stamped as 211231XXXX (for 31 December). As of January 1st, 2022, however, the version became 2201010001, which is larger than the maximum a signed 32-bit integer can represent. The conversion failed, the engine's date validation failed with it, and mail stopped being delivered and piled up in queues on the servers.
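The arithmetic is short enough to show end to end. The block below is an added example (not Microsoft's code): it builds the YYMMDDNNNN version number described above for a given date, checks whether it fits a signed 32-bit integer, shows what the value becomes if it is forced into 32 bits anyway, and walks forward day by day to find the first date on which the conversion fails. The version layout follows the page's description; 2112330001 is the version Microsoft's published Reset-ScanEngineVersion workaround installed, an otherwise impossible "33 December 2021" chosen precisely because it still fits.

```python
"""Why a date-stamped signature version stops fitting a signed 32-bit integer on 2022-01-01.

Added example. The YYMMDDNNNN layout follows the page's description of the FIP-FS
signature version; 2112330001 is Microsoft's published workaround value.
"""
from __future__ import annotations

from datetime import date, timedelta

INT32_MAX = 2**31 - 1   # 2147483647
INT32_MIN = -(2**31)
WORKAROUND_VERSION = 2112330001


def signature_version(stamp: date, seq: int = 1) -> int:
    """Version number as described on the page: two-digit year, month, day, 4-digit sequence."""
    return int(f"{stamp:%y%m%d}{seq:04d}")


def fits_int32(value: int) -> bool:
    return INT32_MIN <= value <= INT32_MAX


def wrap_int32(value: int) -> int:
    """The value a non-validating conversion would silently produce (two's complement wrap)."""
    return ((value + 2**31) % 2**32) - 2**31


def check_version(value: int) -> int:
    """Strict conversion: refuse the value instead of wrapping it, which is what a parser should do."""
    if not fits_int32(value):
        raise OverflowError(f"{value} does not fit in a signed 32-bit integer")
    return value


def first_failing_date(start: date, max_days: int = 400) -> date | None:
    """Walk forward from `start` and return the first date whose version no longer fits."""
    for offset in range(max_days):
        day = start + timedelta(days=offset)
        if not fits_int32(signature_version(day)):
            return day
    return None


if __name__ == "__main__":
    for day in (date(2021, 12, 31), date(2022, 1, 1)):
        v = signature_version(day)
        print(f"{day}: version {v}, fits int32: {fits_int32(v)}, wrapped: {wrap_int32(v)}")
    print("first failing date from 2021-12-20:", first_failing_date(date(2021, 12, 20)))
    print("workaround version fits:", fits_int32(WORKAROUND_VERSION))
```

The wrapped value is negative, which is why a "later" signature compared as older than the one already installed; the fix in a parser is `check_version`, a conversion that rejects out-of-range input rather than one that wraps it.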

Although SonicWall has not explained what is causing the Y2K22 bug in its products, it is not the only company affected by this class of problem. Starting on January 1st, Honda and Acura owners began reporting that their in-car navigation clocks had automatically been set back 20 years, to January 1st, 2002. According to reports, the bug affects nearly all older vehicle models, including the Honda Pilot, Odyssey, CR-V and Ridgeline and the Acura MDX, RDX, CSX and TL.

Attackers use ProxyLogon and ProxyShell Flaws to Hijack Email Threads

 

As part of an ongoing spam campaign that uses stolen email chains to bypass security protections and implant malware on vulnerable systems, threat actors are exploiting the ProxyLogon and ProxyShell vulnerabilities in unpatched Microsoft Exchange servers. Trend Micro's findings come from an investigation into a series of Middle Eastern intrusions that delivered a previously unseen loader known as SQUIRRELWAFFLE. The attacks, first publicly documented by Cisco Talos in mid-September 2021, are thought to have started with malicious Microsoft Office documents. 

"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities," researchers Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar said in a report published last week. "To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits." 

According to Trend Micro, public exploits for CVE-2021-26855 (ProxyLogon) and for CVE-2021-34473 and CVE-2021-34523 (ProxyShell) were used against three Exchange servers compromised in separate intrusions, with the access then used to hijack legitimate email threads and send malicious spam as replies, increasing the likelihood that unsuspecting recipients would open the messages. 
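Both the ProxyShell intrusions described here and the ProxyNotShell flaws (CVE-2022-41040 and CVE-2022-41082) covered earlier on this page leave the same footprint in the front-end IIS logs: a request to `autodiscover/autodiscover.json` whose query begins with `@<host>/` and nests a second `Email=autodiscover/autodiscover.json` parameter, the path-confusion shape GTSC reported ProxyNotShell reusing, with `powershell` in the URI in the ProxyNotShell case (the pattern Microsoft's guidance searched for). The script below is an added example, not Trend Micro's or Microsoft's tooling: it parses W3C-format IIS logs using the `#Fields:` header, URL-decodes each request and tags hits. The log lines are constructed, including the attacker address 198.51.100.7; the first line is a legitimate Autodiscover request with an `Email=user@domain` parameter, included to show it does not trigger.

```python
"""Hunt IIS W3C logs for the autodiscover path-confusion requests behind ProxyShell
and the PowerShell variant Microsoft's ProxyNotShell guidance looked for.

Added example. SAMPLE_LOG is constructed (field order, hosts and addresses are made up);
the request shape being matched is the published one.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-28 10:15:01 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@example.com&Protocol=ActiveSync 443 - 192.0.2.20 Outlook/16.0 200
2022-09-28 10:15:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.7 python-requests/2.28 200
2022-09-28 10:16:42 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.7 python-requests/2.28 200
2022-09-28 10:17:03 10.0.0.5 GET /owa/ - 443 bob 192.0.2.31 Mozilla/5.0 200
"""

# "autodiscover.json?@" or a nested "Email=autodiscover/autodiscover.json": the path-confusion shape.
PATH_CONFUSION = re.compile(r"autodiscover\.json\?@|email=autodiscover/autodiscover\.json", re.IGNORECASE)
POWERSHELL = re.compile(r"powershell", re.IGNORECASE)


def parse_w3c(text: str):
    """Yield one dict per log record, keyed by the names in the most recent #Fields: line."""
    fields: list[str] | None = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("log record before any #Fields: header")
        values = raw.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {raw!r}")
        yield dict(zip(fields, values))


def full_uri(rec: dict) -> str:
    """Reassemble stem and query; IIS logs an empty query as '-'."""
    query = rec.get("cs-uri-query", "-")
    return rec["cs-uri-stem"] + ("" if query == "-" else "?" + query)


def classify(rec: dict) -> str | None:
    """Decode the URI the way a rewrite rule with UrlDecode would, then match."""
    uri = unquote(full_uri(rec))
    if not PATH_CONFUSION.search(uri):
        return None
    if POWERSHELL.search(uri):
        return "proxynotshell-style (autodiscover path confusion + powershell)"
    return "proxyshell-style autodiscover path confusion"


def hunt(text: str) -> list[dict]:
    """Return the suspicious records with the fields an analyst needs to pivot on."""
    hits = []
    for rec in parse_w3c(text):
        tag = classify(rec)
        if tag is None:
            continue
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec["c-ip"],
            "status": rec["sc-status"],   # 200 on these requests is the worrying case
            "tag": tag,
            "uri": full_uri(rec),
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} HTTP {hit['status']} {hit['tag']}\n    {hit['uri']}")
```

Run it over the real `W3SVC1` logs (one call to `hunt` per file); a hit with a 200 status from an address that should not be talking to Autodiscover is a reason to pull the server's `inetpub\wwwroot\aspnet_client` and `owa\auth` directories for web shells, not just to apply the patch.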

Rogue email messages with a link that, when opened, drops a Microsoft Excel or Word file are part of the assault chain. When the recipient opens the document, the victim is prompted to allow macros, which leads to the download and execution of the SQUIRRELWAFFLE malware loader, which serves as a conduit for the final-stage payloads like Cobalt Strike and Qbot. 

Trend Micro's claim that SquirrelWaffle is acting as a malware dropper for Qbot and other malware was disputed by Cryptolaemus researcher TheAnalyst. Rather, according to TheAnalyst on Friday, the threat actor is delivering SquirrelWaffle and Qbot as separate payloads, with the most recent confirmed SquirrelWaffle drop occurring on Oct. 26. 

The actor is tracked by its QakBot affiliate ID tr01/TR, as TA577 by Proofpoint, and as ChaserLdr by Cryptolaemus, according to TheAnalyst, and the activity dates back to at least 2020. The actors are easy to follow, TheAnalyst said, with only minor adjustments to their tactics, techniques, and procedures (TTPs). One of tr01's favourite TTPs, according to TheAnalyst, is placing links to malicious documents in stolen reply chains. They said the threat actor is notorious for delivering "a variety of malware," including QakBot, Gozi, IcedID, Cobalt Strike, and possibly more.