Daily NCSC-FI news followup 2021-03-12

Exploits on Organizations Worldwide Tripled every Two Hours after Microsoft’s Revelation of Four Zero-days

blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/ Following the revelation of four zero-day vulnerabilities currently affecting Microsoft Exchange Server, Check Point Research (CPR) discloses its latest observations on exploitation attempts against organizations that it tracks worldwide. also:

www.tivi.fi/uutiset/tv/31187ac4-d460-4a33-be35-0256443bbb11

F-Secure: “The situation could get out of hand”: a hurricane of Exchange attacks is tearing through the world

www.tivi.fi/uutiset/tv/fe917487-6fb2-435b-b7a8-301a8b42ff85 F-Secure security consultant Antti Laatikainen estimates that the vulnerability found in Microsoft’s Exchange servers is about to cause the worst information security catastrophe of the decade.

Hackers Are Targeting Microsoft Exchange Servers With Ransomware

thehackernews.com/2021/03/icrosoft-exchange-ransomware.html According to the latest reports, cybercriminals are leveraging the heavily exploited ProxyLogon Exchange Server flaws to install a new strain of ransomware called “DearCry.” “Microsoft observed a new family of human operated ransomware attack customers detected as Ransom:Win32/DoejoCrypt.A,” Microsoft researcher Phillip Misner tweeted. “Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers.” also:

www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/

Microsoft Exchange exploits now used by cryptomining malware

www.bleepingcomputer.com/news/security/microsoft-exchange-exploits-now-used-by-cryptomining-malware/ The operators of Lemon_Duck, a cryptomining botnet that targets enterprise networks, are now using Microsoft Exchange ProxyLogon exploits in attacks against unpatched servers.

Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github

www.vice.com/en/article/n7vpaz/researcher-publishes-code-to-exploit-microsoft-exchange-vulnerabilities-on-github Microsoft-owned Github quickly deleted the code, which exploited vulnerabilities apparently used by Chinese hackers to break into a series of companies. also:

arstechnica.com/gadgets/2021/03/critics-fume-after-github-removes-exploit-code-for-exchange-vulnerabilities/

Reproducing the Microsoft Exchange Proxylogon Exploit Chain

www.praetorian.com/blog/reproducing-proxylogon-exploit/ The Praetorian Labs team has reverse engineered the initial security advisory and subsequent patch and successfully developed a fully functioning end-to-end exploit. This post outlines the methodology for doing so but with a deliberate decision to omit critical proof-of-concept components to prevent non-sophisticated actors from weaponizing the vulnerability.

Municipal company’s data breach wider than expected: data of up to 1200 people leaked

www.tivi.fi/uutiset/tv/7b40a4c8-4f61-4e23-843f-e9c816b7429f Sarastia, a large supplier of systems to municipalities, earlier announced that it suspected a data breach on its customer service website. The company has now provided further details on the security breach. According to Sarastia, the breach may affect people who used the service between 28 February and 3 March, as well as the payroll-related information they entered in the service, such as identity, address or bank details. In addition, the breach may also affect other people who used the service, with regard to attachments transferred via customer service forms. No new breaches have been detected.

NimzaLoader: TA800’s New Initial Access Malware

www.proofpoint.com/uk/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware Proofpoint researchers observed an interesting email campaign by a threat actor we track as TA800. This actor has predominantly used BazaLoader since April of 2020, but on February 3rd, 2021 they distributed a new malware we are calling NimzaLoader.

What is OT malware?

www.ncsc.gov.uk/blog-post/what-is-ot-malware How malware works on Operational Technology (OT) and how to stop it.

Defending SOGARD: Behind the Scenes at the 2021 SANS ICS Summit CTF

www.dragos.com/blog/defending-sogard-behind-the-scenes-at-the-2021-sans-ics-summit-ctf/ At this year’s SANS ICS Summit Dragos was asked to develop a “capture the flag” (CTF) event that highlights an industrial control system (ICS) cybersecurity scenario. CTFs are a great way to learn, practice, and develop new skills and knowledge, not only as a red-teamer but also as a blue-teamer.

Securing industrial networks: What is ISA/IEC 62443?

blogs.cisco.com/security/securing-industrial-networks-what-is-isa-iec-62443 Cyber attacks targeting industrial networks increased by 2000% from 2018 to 2019. Attacks on operational technology (OT) can interrupt production and revenue, expose proprietary information, or taint product quality. They can even put employees in harm’s way or damage the environment. Attacks on critical infrastructure (water, power, and transportation) can inflict devastating effects on the economy and public health.

Understanding Accellion’s FTA Appliance Compromise, DEWMODE, and Its Supply Chain Impact

www.recordedfuture.com/dewmode-accellion-supply-chain-impact/ This report provides a high-level overview of the Accellion File Transfer Appliance compromise and analysis of the DEWMODE webshell employed in the resulting breaches.

A Spectre proof-of-concept for a Spectre-proof web

security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html In this post, we will share the results of Google Security Team’s research on the exploitability of Spectre against web users, and present a fast, versatile proof-of-concept (PoC) written in JavaScript which can leak information from the browser’s memory. We’ve confirmed that this proof-of-concept, or its variants, function across a variety of operating systems, processor architectures, and hardware generations. also: leaky.page/ (Spectre JavaScript PoC)

Quickpost: “ProxyLogon PoC” Capture File

blog.didierstevens.com/2021/03/12/quickpost-proxylogon-poc-capture-file/ I was able to get the “ProxyLogon PoC” Python script running against a vulnerable Exchange server in a VM.
