Daily NCSC-FI news followup 2021-03-12

Exploits on Organizations Worldwide Tripled every Two Hours after Microsoft’s Revelation of Four Zero-days

blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/ Following the revelation of four zero-day vulnerabilities currently affecting Microsoft Exchange Server, Check Point Research (CPR) discloses its latest observations on exploitation attempts against organizations that it tracks worldwide. also:

www.tivi.fi/uutiset/tv/31187ac4-d460-4a33-be35-0256443bbb11

F-Secure: “The situation may get out of hand”: the storm of Exchange attacks is tearing the world apart

www.tivi.fi/uutiset/tv/fe917487-6fb2-435b-b7a8-301a8b42ff85 F-Secure security consultant Antti Laatikainen estimates that the vulnerability found in Microsoft’s Exchange servers is about to cause the worst information security disaster of the decade.

Hackers Are Targeting Microsoft Exchange Servers With Ransomware

thehackernews.com/2021/03/icrosoft-exchange-ransomware.html According to the latest reports, cybercriminals are leveraging the heavily exploited ProxyLogon Exchange Server flaws to install a new strain of ransomware called “DearCry.” “Microsoft observed a new family of human operated ransomware attack customers detected as Ransom:Win32/DoejoCrypt.A,” Microsoft researcher Phillip Misner tweeted. “Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers.” also:

www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/

Microsoft Exchange exploits now used by cryptomining malware

www.bleepingcomputer.com/news/security/microsoft-exchange-exploits-now-used-by-cryptomining-malware/ The operators of Lemon_Duck, a cryptomining botnet that targets enterprise networks, are now using Microsoft Exchange ProxyLogon exploits in attacks against unpatched servers.

Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github

www.vice.com/en/article/n7vpaz/researcher-publishes-code-to-exploit-microsoft-exchange-vulnerabilities-on-github Microsoft-owned Github quickly deleted the code, which exploited vulnerabilities apparently used by Chinese hackers to break into a series of companies. also:

arstechnica.com/gadgets/2021/03/critics-fume-after-github-removes-exploit-code-for-exchange-vulnerabilities/

Reproducing the Microsoft Exchange Proxylogon Exploit Chain

www.praetorian.com/blog/reproducing-proxylogon-exploit/ The Praetorian Labs team has reverse engineered the initial security advisory and subsequent patch and successfully developed a fully functioning end-to-end exploit. This post outlines the methodology for doing so but with a deliberate decision to omit critical proof-of-concept components to prevent non-sophisticated actors from weaponizing the vulnerability.

Municipal company’s data breach wider than expected: data of up to 1200 people leaked

www.tivi.fi/uutiset/tv/7b40a4c8-4f61-4e23-843f-e9c816b7429f Sarastia, a large supplier of systems to municipalities, earlier announced that it suspected a data breach on its customer service website. The company has now provided further details on the security incident. According to Sarastia, the breach may concern persons who used the service between 28 February and 3 March, and the payroll-related information they submitted in the service, such as identity, address or bank details. The breach may also affect other persons who used the service, with respect to attachments transferred via customer service forms. No new breaches have been detected.

NimzaLoader: TA800’s New Initial Access Malware

www.proofpoint.com/uk/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware Proofpoint researchers observed an interesting email campaign by a threat actor we track as TA800. This actor has predominantly used BazaLoader since April of 2020, but on February 3rd, 2021 they distributed a new malware we are calling NimzaLoader.

What is OT malware?

www.ncsc.gov.uk/blog-post/what-is-ot-malware How malware works on Operational Technology (OT) and how to stop it.

Defending SOGARD: Behind the Scenes at the 2021 SANS ICS Summit CTF

www.dragos.com/blog/defending-sogard-behind-the-scenes-at-the-2021-sans-ics-summit-ctf/ At this year’s SANS ICS Summit Dragos was asked to develop a “capture the flag” (CTF) event that highlights an industrial control system (ICS) cybersecurity scenario. CTFs are a great way to learn, practice, and develop new skills and knowledge, not only as a red-teamer but also as a blue-teamer.

Securing industrial networks: What is ISA/IEC 62443?

blogs.cisco.com/security/securing-industrial-networks-what-is-isa-iec-62443 Cyber attacks targeting industrial networks increased by 2000% from 2018 to 2019. Attacks on operational technology (OT) can interrupt production and revenue, expose proprietary information, or taint product quality. They can even put employees in harm’s way or damage the environment. Attacks on critical infrastructure (water, power, and transportation) can inflict devastating effects on the economy and public health.

Understanding Accellion’s FTA Appliance Compromise, DEWMODE, and Its Supply Chain Impact

www.recordedfuture.com/dewmode-accellion-supply-chain-impact/ This report provides a high-level overview of the Accellion File Transfer Appliance compromise and analysis of the DEWMODE webshell employed in the resulting breaches.

A Spectre proof-of-concept for a Spectre-proof web

security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html In this post, we will share the results of Google Security Team’s research on the exploitability of Spectre against web users, and present a fast, versatile proof-of-concept (PoC) written in JavaScript which can leak information from the browser’s memory. We’ve confirmed that this proof-of-concept, or its variants, function across a variety of operating systems, processor architectures, and hardware generations. also: leaky.page/ Spectre JavaScript PoC

Quickpost: “ProxyLogon PoC” Capture File

blog.didierstevens.com/2021/03/12/quickpost-proxylogon-poc-capture-file/ I was able to get the “ProxyLogon PoC” Python script running against a vulnerable Exchange server in a VM.
