Showing posts with label ProxyShell Vulnerabilities.

GitHub: Repositories Selling Fake Microsoft Exchange Exploits

 

Researchers have detected threat actors impersonating security researchers and selling fake proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities.

GTSC, a Vietnamese cybersecurity firm, confirmed last week that its customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange.

On being notified of the vulnerabilities, Microsoft confirmed that the bugs were being exploited in attacks and that it is working on an accelerated timeline to release security updates.

“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization,” Microsoft states in an analysis.

Following the disclosures by Microsoft and GTSC, threat actors began creating GitHub repositories that claim to offer exploits for the Exchange flaws.

Microsoft has since been tracking the flaws as CVE-2022-41040 and CVE-2022-41082, describing the first as a Server-Side Request Forgery (SSRF) bug, while the second allows attackers to achieve remote code execution (RCE) via PowerShell.

In one such instance, a threat actor impersonated the well-known security researcher Kevin Beaumont (aka GossiTheDog), who is known for documenting the recently discovered Exchange flaws and the available mitigations.

The fraudulent repositories contain nothing of substance: the README.md merely restates what is currently known about the vulnerabilities, followed by a pitch offering one copy of the PoC exploit for the zero-days.

The README file contains a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin, worth about $364.

Because security researchers are keeping the technical details of the exploit private, it appears that only a small number of threat actors currently possess a working exploit.

Consequently, many other researchers and threat actors are waiting for the first public release of exploit details before using them in their own operations, whether protecting a network or hacking into one.

It is reasonable to expect that more threat actors will try to take advantage of this situation. Since a genuine Microsoft Exchange Server zero-day exploit could be traded for hundreds of thousands of dollars, an offer priced at a few hundred dollars is itself a warning sign: do not hand over money or cryptocurrency to any unverified party claiming to have an exploit.

Attackers use ProxyLogon and ProxyShell Flaws to Hijack Email Threads

 

As part of an ongoing spam campaign that uses stolen email chains to bypass security protections and implant malware on vulnerable systems, threat actors are exploiting the ProxyLogon and ProxyShell vulnerabilities in unpatched Microsoft Exchange servers. Trend Micro's findings are the result of an investigation into a series of intrusions in the Middle East that resulted in the distribution of a previously unseen loader known as SQUIRRELWAFFLE. The attacks, first publicly disclosed by Cisco Talos in mid-September 2021, are thought to have started with malicious Microsoft Office documents.

"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities," researchers Mohamed Fahmy, Sherif Magdy, and Abdelrhman Sharshar said in a report published last week. "To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits."

According to Trend Micro, public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) were used on three Exchange servers compromised in separate intrusions. The access was then used to hijack legitimate email threads and send malicious spam messages as replies, increasing the likelihood that unsuspecting recipients would open the emails.

The attack chain begins with rogue email messages containing a link that, when opened, drops a Microsoft Excel or Word file. When the recipient opens the document, they are prompted to enable macros, which leads to the download and execution of the SQUIRRELWAFFLE loader, which in turn serves as a conduit for final-stage payloads such as Cobalt Strike and Qbot.

Trend Micro's claim that SquirrelWaffle is operating as a dropper for Qbot or other malware was disputed by Cryptolaemus researcher TheAnalyst, who said on Friday that the threat actor delivers SquirrelWaffle and Qbot as separate payloads, with the most recent confirmed SquirrelWaffle drop occurring on Oct. 26.

According to TheAnalyst, the actor is tracked as tr01/TR (its QakBot affiliate ID), as TA577 by Proofpoint, and as ChaserLdr by Cryptolaemus, and its activity dates back to at least 2020. TheAnalyst said the actors are easy to track, making only minor adjustments to their tactics, techniques, and procedures (TTPs); one of tr01's favored TTPs is including links to malicious documents in stolen reply chains. The threat actor is known for delivering "a variety of malware," including QakBot, Gozi, IcedID, Cobalt Strike, and possibly more.

MS ProxyShell Vulnerabilities Exploited By Threat Actor

 

Security researchers from Cisco Talos have revealed that a fresh Babuk ransomware operation is attacking the ProxyShell vulnerabilities in Microsoft Exchange Server. The researchers found evidence that the attackers use a China Chopper web shell for the initial intrusion and then use that foothold to install Babuk.

The vulnerabilities, identified as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, were patched in April and May, with technical details publicly disclosed in August. An unauthenticated attacker can chain the flaws to execute arbitrary code.

Attacks targeting these vulnerabilities have been under way for some months, according to Cisco researchers, and the Tortilla threat actor, which has been active since July 2021, has now begun exploiting the Exchange Server flaws as well.

An intermediate unpacking component is downloaded via pastebin.pl (a pastebin.com clone) and then decoded in memory before the final payload is decrypted and executed. For initial access, Cisco Talos observed a modified EfsPotato exploit that targets both the ProxyShell and PetitPotam flaws.

When the Babuk ransomware is launched, it attempts to terminate a range of processes on the victim server, stops backup products, and deletes Volume Shadow Copy Service (VSS) snapshots. It then encrypts all files on the server, appending the .babyk extension to them, and drops a ransom note demanding a $10,000 payment from the victim in return for the decryption key.

“Organizations should regularly update their servers and applications with the latest available patches from the vendors eliminating the vulnerabilities in their environment. Defenders should be constantly looking for suspicious events generated by detection systems for abrupt service termination, abnormally high I/O rates for drives attached to their servers, the deletion of shadow copies, or system configuration changes,” Cisco Talos said. 
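The Cisco Talos guidance above names two host-level signals worth alerting on: shadow-copy deletion and a burst of service terminations. The script below is an added example, not code from the page, from Cisco Talos, or from any vendor: it parses a small set of constructed log lines in an assumed key=value format (a process-creation record modelled on event ID 4688 carrying the command line, and a Service Control Manager record modelled on event ID 7036 carrying the service name and state), flags command lines that delete shadow copies or backup catalogs, and flags any host where several services stop within a short window. The field names, the sample hosts and the detection thresholds are all assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not from the page or from Cisco Talos).
# EVT=4688 models a process-creation record with its command line;
# EVT=7036 models a Service Control Manager state-change record.
SAMPLE_LOGS = [
    '2021-11-01T10:03:11 HOST=EXCH01 EVT=4688 USER=SYSTEM CMD=C:\\Windows\\System32\\svchost.exe -k netsvcs',
    '2021-11-01T10:04:01 HOST=EXCH01 EVT=7036 SVC="Print Spooler" STATE=stopped',
    '2021-11-01T10:12:40 HOST=EXCH01 EVT=4688 USER=EXCH01$ CMD=vssadmin.exe delete shadows /all /quiet',
    '2021-11-01T10:12:41 HOST=EXCH01 EVT=4688 USER=EXCH01$ CMD=wbadmin delete catalog -quiet',
    '2021-11-01T10:12:42 HOST=EXCH01 EVT=7036 SVC="Veeam Backup Service" STATE=stopped',
    '2021-11-01T10:12:42 HOST=EXCH01 EVT=7036 SVC="SQL Server (MSSQLSERVER)" STATE=stopped',
    '2021-11-01T10:12:43 HOST=EXCH01 EVT=7036 SVC="Acronis Agent" STATE=stopped',
    '2021-11-01T10:12:43 HOST=EXCH01 EVT=7036 SVC="Windows Backup" STATE=stopped',
    '2021-11-01T10:12:44 HOST=EXCH01 EVT=7036 SVC="MSExchangeIS" STATE=stopped',
    '2021-11-01T10:15:00 HOST=FS02 EVT=4688 USER=admin CMD=vssadmin.exe list shadows',
    '2021-11-01T10:16:00 HOST=FS02 EVT=7036 SVC="Print Spooler" STATE=stopped',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) HOST=(?P<host>\S+) EVT=(?P<evt>\d+) (?P<rest>.*)$')

# Command lines that destroy shadow copies, backup catalogs or recovery settings.
# Read-only uses such as "vssadmin list shadows" deliberately do not match.
SHADOW_DELETE_PATTERNS = [
    re.compile(r'\bvssadmin(\.exe)?\s+delete\s+shadows', re.I),
    re.compile(r'\bwmic(\.exe)?\s+shadowcopy\s+delete', re.I),
    re.compile(r'\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)', re.I),
    re.compile(r'\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b', re.I),
]

# Substrings that mark a stopped service as backup- or database-related (assumed list).
BACKUP_SERVICE_HINTS = ('backup', 'veeam', 'acronis', 'sql')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {'ts': datetime.fromisoformat(m.group('ts')),
          'host': m.group('host'), 'evt': int(m.group('evt'))}
    rest = m.group('rest')
    if ev['evt'] == 4688:
        # CMD= is the last field and may contain spaces, so split it off first.
        user, _, cmd = rest.partition(' CMD=')
        ev['user'], ev['cmd'] = user.replace('USER=', '', 1), cmd
    elif ev['evt'] == 7036:
        sm = re.match(r'SVC="(?P<svc>[^"]+)" STATE=(?P<state>\S+)', rest)
        if not sm:
            return None
        ev['svc'], ev['state'] = sm.group('svc'), sm.group('state')
    return ev


def parse_logs(lines):
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def detect_shadow_copy_deletion(events):
    """One alert per process-creation event whose command line matches a destruction pattern."""
    alerts = []
    for ev in events:
        if ev['evt'] == 4688 and any(p.search(ev['cmd']) for p in SHADOW_DELETE_PATTERNS):
            alerts.append({'host': ev['host'], 'ts': ev['ts'], 'cmd': ev['cmd'],
                           'rule': 'shadow-copy-or-backup-deletion'})
    return alerts


def detect_mass_service_stops(events, threshold=4, window_seconds=60):
    """One alert per host on which at least `threshold` services stopped within `window_seconds`.
    The alert lists every service stopped in that window and which of them look backup-related."""
    stops = {}
    for ev in events:
        if ev['evt'] == 7036 and ev['state'] == 'stopped':
            stops.setdefault(ev['host'], []).append(ev)
    alerts, window = [], timedelta(seconds=window_seconds)
    for host, evs in stops.items():
        evs.sort(key=lambda e: e['ts'])
        start = 0
        for end in range(len(evs)):
            while evs[end]['ts'] - evs[start]['ts'] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                last = end                                        # extend to the window's edge
                while last + 1 < len(evs) and evs[last + 1]['ts'] - evs[start]['ts'] <= window:
                    last += 1
                svcs = [e['svc'] for e in evs[start:last + 1]]
                alerts.append({'host': host, 'ts': evs[start]['ts'], 'services': svcs,
                               'backup_related': [s for s in svcs
                                                  if any(h in s.lower() for h in BACKUP_SERVICE_HINTS)],
                               'rule': 'mass-service-termination'})
                break
    return alerts


def analyze(lines):
    """Run both detections over raw log lines and return human-readable alert strings."""
    events = parse_logs(lines)
    out = [f"{a['ts'].isoformat()} {a['host']} {a['rule']}: {a['cmd']}"
           for a in detect_shadow_copy_deletion(events)]
    for a in detect_mass_service_stops(events):
        out.append(f"{a['ts'].isoformat()} {a['host']} {a['rule']}: {len(a['services'])} services "
                   f"stopped, backup/database related: {', '.join(a['backup_related'])}")
    return out


if __name__ == '__main__':
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

On the constructed input the script raises three alerts, all for EXCH01: the two destructive command lines and the burst of five service stops (four of them backup- or database-related), while FS02's benign `vssadmin list shadows` and its single service stop stay quiet. In a real deployment the same two rules would run over 4688/Sysmon process-creation and 7036 service events from the Exchange servers themselves, with the threshold tuned against the host's normal maintenance windows.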

Babuk, which was first disclosed in January 2021, targets both Windows and Linux systems in enterprise environments and employs a highly sophisticated key-generation process to hinder file recovery.

With ProxyShell Exploits, Conti Ransomware is Now Targeting Exchange Servers

 

Using recently disclosed ProxyShell exploits, the Conti ransomware group is breaking into Microsoft Exchange servers and compromising corporate networks. ProxyShell is the name given to an attack that chains three Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to achieve unauthenticated remote code execution on servers that have not been patched.

The attacks move at breakneck speed. In one case, a second web shell was installed minutes after the first. The Conti attackers compiled a complete list of the network's computers, domain controllers, and domain administrators in less than 30 minutes. Four hours later, having obtained the credentials of domain administrator accounts, the attackers began executing commands.

The attackers had exfiltrated around 1 terabyte of data within 48 hours of gaining access. Conti ransomware was deployed to every system on the network within five days, specifically targeting individual network shares on each workstation.

The Conti affiliates also installed no fewer than seven backdoors on the network during the attack: two web shells, Cobalt Strike, and four commercial remote access programs, namely AnyDesk, Atera, Splashtop, and Remote Utilities. The web shells provided early access, with Cobalt Strike and AnyDesk serving as the primary tools for the rest of the attack.

“We want to highlight the speed at which the attack took place,” said Peter Mackenzie, manager of incident response at Sophos. “Contrary to the typical attacker dwell time of months or weeks before they drop ransomware, in this case, the Conti attackers gained access to the target’s network and set up a remote web shell in under one minute.” 

Microsoft disclosed and patched the vulnerabilities earlier this year, but, as is often the case with software updates, not all organizations applied them. In March, Microsoft warned that Chinese state-sponsored hackers were targeting the flaws. According to Tom Burt, Microsoft's corporate vice president of customer security and trust, the best defence against these attacks is to apply the updates. In April, the US Federal Bureau of Investigation took the unusual step of accessing compromised Exchange servers to remove the web shells left on them.

The Conti ransomware group has been active since 2020, and it has been linked to a number of attacks, including one in May that targeted Ireland's health system. Industrial computer firm Advantech Co. Ltd. was a victim of Conti in November, as was VOIP hardware and software supplier Sangoma Technologies Corp. in December, and hospitals in Florida and Texas in February. 

Microsoft Issues an Advisory on ProxyShell Vulnerabilities

 

Microsoft this week published guidance on three vulnerabilities referred to collectively as ProxyShell, days after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were actively trying to exploit them.

The ProxyShell vulnerabilities, which are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, could allow hackers to run arbitrary code on a vulnerable machine without authentication. The first two flaws were fixed in April, while the third received a patch in May.

Orange Tsai, a security researcher at consulting firm DEVCORE, exploited the ProxyShell vulnerabilities against a Microsoft Exchange server during the Pwn2Own 2021 hacking contest, but technical details were made public only a few weeks ago, at the Black Hat and DEF CON security conferences. Earlier, Orange Tsai had identified the ProxyLogon and ProxyOracle vulnerabilities in Exchange servers.

Last week, security researchers identified more than 1,900 unpatched systems that had been exploited, and CISA issued a warning about attacks targeting Exchange servers affected by the ProxyShell vulnerabilities.

In a blog post on Wednesday, Microsoft urged customers to install the patches as soon as possible, noting that only systems without the already released patches are vulnerable to the attack. The company also advised administrators to install the latest set of updates on their Exchange servers, which would ensure they are shielded from compromise attempts.

“This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities. If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities,” Microsoft stated.

According to the advisory, systems without either security update are vulnerable to attack. The company pointed out that Exchange servers should always be kept on the latest available Cumulative Update (CU) and Security Update (SU). Exchange servers are also vulnerable if they are running an older, unsupported CU, including those on older, unsupported CUs that have the March 2021 mitigations applied.

“In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities,” the company added.