Another year, another Exchange Server flaw
Microsoft acknowledges new flaws in Exchange Server that are being exploited in attacks
Microsoft has disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining two newly disclosed zero-day flaws in a limited set of attacks aimed at fewer than 10 organizations globally.
“These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration,” the Microsoft Threat Intelligence Center (MSTIC) said in a new analysis.
The findings come days after Vietnamese cybersecurity company GTSC disclosed it found evidence of active exploitation of the flaws — dubbed “ProxyNotShell” — in attacks targeting one of its customers in August 2022.
Microsoft is yet to release fixes, but said it’s working on an “accelerated timeline,” attributing the ongoing attacks with medium confidence to a state-sponsored organization. It also cautioned of more attacks in the coming days, urging customers to apply temporary workarounds to mitigate the problem.
What’s trending in security?
💵 The ransomware group behind the Colonial Pipeline ransomware attack upgraded the tactics, tools, and procedures of its operation to evade detection and expand its reach. This includes a data exfiltration tool called Exmatter that comes with data corruption capabilities. BlackCat is linked to a threat actor called Coreid, which has been active in one form or another since 2012, previously using the Carbanak malware for its financially motivated attacks. It switched its focus to ransomware in 2020. [The Hacker News]
💲 In a related development, a disgruntled developer associated with the LockBit 3.0 operation is said to have leaked the builder used to create custom versions of the ransomware, a move that could lead to copycat versions and make it easier for other actors to mount their own attacks. Indeed, a new ransomware strain called BL00DY has already started using the leaked builder in its attacks against companies. [Dark Reading / The Record / MalwareHunterTeam]
💎 The North Korea-backed threat actor known as Lazarus Group is making use of fake job lures to target cryptocurrency exchange platforms such as Coinbase and Crypto.com. Crypto firms are a popular target for Lazarus, but the fact that the campaigns have continued despite public reporting on them indicates the brazen nature of the intrusions, which are primarily designed to loot digital funds. [The Hacker News]
👨💻️ In yet another indicator of the Lazarus Group’s prolific attacks, the threat actor is using open source software and bogus social media accounts to dupe software engineers and IT support staff with fake job offers that in reality lead to malware attacks. Targets were approached on LinkedIn by people claiming to be recruiters to establish trust, before being guided off the platform to WhatsApp, where malware-laced documents or software were shared with them. [The Hacker News]
🗂️ The alleged hacker behind the Optus breach apologized for the hack and claimed to have deleted all the stolen data, with the exception of a sample of 10,200 records that were earlier leaked in an extortion attempt to seek $1 million from the telco. The sudden change of heart likely comes as the Australian Federal Police said it’s working with overseas law enforcement to track down the individual or group responsible. The leak of the data also puts the 10,200 affected users at risk of fraud and identity theft. [The Hacker News / Associated Press]
🚩 A new malware dropper called NullMixer has been spotted infecting Windows devices with a dozen different malware families simultaneously through fake software cracks promoted on malicious sites in Google Search results. What's notable about the dropper is that it acts as an infection funnel to launch dozens of malware families, although the motive behind using all of them simultaneously is unclear. [The Hacker News]
📡 A previously unknown threat actor that researchers have named Metador has been breaching telecommunications companies, internet service providers (ISPs), and universities for at least two years. Details about the initial infection vector are not available, but the attacks make use of a single IP address per victim as well as tools already present in the compromised environment to evade detection. [The Hacker News]
❌ A new information stealer called Doenerium has been spotted impersonating the Microsoft Windows Malicious Software Removal Tool application to steal cryptocurrency wallet data and Discord tokens. [Cyble]
💣 ChromeLoader, the malware that exploded onto the scene this year by hijacking browsers to redirect users to advertising sites to perform click fraud, is morphing into a more significant threat by deploying malicious payloads that go beyond malvertising, such as ZipBomb and the Enigma ransomware. It’s another example of how threat actors are experimenting with more potent payloads, exploring more profitable alternatives to advertising fraud. [VMware]
⚙️ Researchers have disclosed more high-severity flaws in UEFI firmware from Insyde (InsydeH2O) and AMI-based devices that impact multiple vendors, underscoring the gaps in the firmware supply chain ecosystem. These flaws could enable a privileged bad actor to achieve long-term persistence invisible to most security solutions by means of firmware implants. [Binarly]
💳 A massive fraudulent online credit card scheme, likely operated by a Russian crime syndicate, has reportedly siphoned tens of millions of dollars from credit cards since its launch in 2019 by operating a network of scam dating and adult sites that subscribe the victims to recurring payments. [ReasonLabs]
⚠️ A never-before-seen piece of cross-platform malware called Chaos has infected a wide range of Linux and Windows devices, including small office routers, FreeBSD boxes, and large enterprise servers. Chaos is believed to be an offshoot of another DDoS malware, Kaiji. Since coming into its own, Chaos has gained a host of new features, including support for more architectures and operating systems. Infections are most heavily concentrated in Europe, with smaller hotspots in North and South America, and Asia Pacific. [The Hacker News]
🕸️ A new botnet named MikuBot is being advertised on cybercrime forums with capabilities to steal sensitive data, launch hidden VNC sessions that allow the threat actor to access the victim’s machine remotely, spread through USB, and download and execute other malware. [Cyble]
🏦 Over 40 Peruvian bank apps, alongside WhatsApp and Gmail, are being targeted by a new Android trojan called Zanubis, which masquerades as a PDF app and allows its operators to access sensitive information such as contacts, SMS messages, external storage, and the camera. In two other campaigns, fake Telegram and Zoom websites have been found delivering malware with RAT features, including Vidar. [Cyble]
👀 A new investigative report from Reuters revealed that a “faulty CIA covert communications system” made it possible for Iranian intelligence agencies to identify Iranian engineer Gholamreza Hosseini as a spy. Front websites like iraniangoals[.]com were set up in which the search box acted as a password input field to access a hidden messaging interface. [Reuters / Citizen Lab / Yahoo! News]
💥 The Brute Ratel (BRc4) post-exploitation toolkit has been cracked and is now being shared for free across Russian-speaking and English-speaking hacking communities, making it an ideal alternative to Cobalt Strike. Chetan Nayak, the developer of the framework, claimed “Brc4 v1.2.2/5 was leaked by MdSec and is circling the internet,” adding it has been “cracked by a Russian group Molecules.” Nayak also said the licensing algorithm has been modified to make the software harder to crack. [BushidoToken]
🧿 Malicious attacks on Taiwan surged days ahead of U.S. House Speaker Nancy Pelosi's visit to the country in early August. The attacks have been claimed by a group called APT27_Attack, although it’s suspected to be a case of a false flag operation. [Trellix]
💰 Cryptojacking schemes are proving to be costly for victims, with cybersecurity company Sysdig finding that threat actors consume $53 in cloud resources for every $1 worth of cryptocurrency illicitly mined from the compute reserves. TeamTNT, a notorious financially motivated hacking group, is said to have compromised over 10,000 cloud and container devices during one of its most prevalent attack campaigns, Chimera, netting it $8,120 (39 XMR) and causing the victims a total loss of $430,000 from mining those coins. [Sysdig]
⌛ A survey of more than 300 ethical hackers has found that “nearly 64% [...] reported being able to collect and potentially exfiltrate data in five hours or less, with an astounding 41% in two hours or less.” Additionally, an average ethical hacker can find a vulnerability that allows the breach of the network perimeter and then exploit the environment in less than 10 hours. The findings demonstrate the limited amount of time that companies have to detect and respond to threats. [Bishop Fox]
🪪 A new information-stealing malware called Erbium is being distributed in the form of fake cracks and cheats for popular video games to steal victims’ credentials and cryptocurrency wallets. The malware, sold as a service, costs $100 a month or $1000 for a full-year license. [Cluster25 / Cyfirma]
🗄️ The past week in data breaches, leaks, and ransomware: Auth0, Corbeil-Essonnes, Elbit, Fast Company, and Xinai Electronics.