CVE-2021-34523

Exbyte is the latest tool developed by ransomware attackers to expedite data theft from victims.

Posted: 21 Oct, 20228 Min ReadThreat Intelligence SubscribeFollowtwitterlinkedinExbyte: BlackByte Ransomware Attackers Deploy New Exfiltration ToolExbyte is the latest tool developed by ransomware attackers to expedite data theft from victims.Symantec’s Threat Hunter Team has discovered that at least one affiliate of the BlackByte ransomware (Ransom.Blackbyte) operation has begun using a custom data exfiltration tool during their attacks. The malware (...

Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.

Posted: 28 Apr, 20228 Min ReadThreat Intelligence SubscribeFollowtwitterlinkedinRansomware: How Attackers are Breaching Corporate NetworksLatest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.Targeted ransomware attacks continue to be one of the most critical cyber risks facing organizations of all sizes. The tactics used by ransomware attackers are continually evolving, but by identifying the most freq...

Summary
At the end of September, GTSC reported an attack on critical infrastructure that took place in August. During the investigation, experts found that two 0-day vulnerabilities in Microsoft Exchange Server were used in the attack. The first one, later identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to remotely trigger the next vulnerability – CVE-2022-41082. The second vulnerability, in turn, allows remote cod...

A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon.
From there, the threat actors perform network reconnaissance, steal admin account credentials, exfiltrate valuable data, ultimately deploying the file-encrypting payload.
The details come from security and analytics company 
, who was called in to investigate a ransomware attack on one of i...

As of Friday – as in, shopping-on-steroids Black Friday – retail titan IKEA was wrestling with a then-ongoing reply-chain email phishing attack in which attackers were malspamming replies to stolen email threads.
BleepingComputer got a look at internal emails – one of which is replicated below – that warned employees of the attack, which was targeting the company’s internal email inboxes. The phishing emails were coming from internal IKEA email addresses, as well as from the syst...

A state-backed Iranian threat actor has been using multiple CVEs – including both serious Fortinet vulnerabilities for months and a Microsoft Exchange ProxyShell weakness for weeks – looking to gain a foothold within networks before moving laterally and launching BitLocker ransomware and other nastiness.
A joint advisory published by CISA on Wednesday was meant to highlight the ongoing, malicious cyber assault, which has been tracked by the FBI, the U.S. Cybersecurity and Infrastructur...

A new-ish threat actor sometimes known as “Tortilla” is launching a fresh round of ProxyShell attacks on Microsoft Exchange servers, this time with the aim of inflicting vulnerable servers with variants of the Babuk ransomware.
Cisco Talos researchers said in a Wednesday report that they spotted the malicious campaign a few weeks ago, on Oct. 12.
Tortilla, an actor that’s been operating since July, is predominantly targeting U.S. victims. It’s also hurling a smaller number of...

A new APT group has emerged that’s specifically targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks.
Researchers at security firm Positive Technologies have been tracking the group, dubbed ChamelGang for its chameleon-like capabilities, since March. Though attackers mainly have been seen targeting Russian organizations, they...

Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims' networks.
All this started with
, a member of Recorded Future's CSIRT (computer security incident response team), on Twitter over the weekend.
Since then, with the help of several other contributors that joined his efforts, the list quickly grew to include security flaws found in products from over a dozen different s...

The novel backdoor technique called SideWalk, seen in campaigns targeting US media and retailers late last month, has been tied to an adversary that’s been around for quite a while: namely, China-linked Grayfly espionage group.
ESET researchers, who named and discovered the new “SparklingGoblin” advanced persistent threat (APT) actor behind SideWalk, reported at the time that the group is an offshoot of another APT – Winnti Group – first identified in 2013 by Kaspersky.
ESE...

In August 2021, Mandiant Managed Defense identified and responded to the exploitation of a chain of vulnerabilities known as ProxyShell. The ProxyShell vulnerabilities consist of three CVEs (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting the following versions of on-premises Microsoft Exchange Servers.

Exchange Server 2013 (Cumulative Update 23 and below)
Exchange Server 2016 (Cumulative Update 20 and below)
Exchange Server 2019 (Cumulative Update 9 and below)...

Microsoft has broken its silence on the recent barrage of attacks on several ProxyShell vulnerabilities in that were highlighted by a researcher at Black Hat earlier this month.
The company released an advisory late Wednesday letting customers know that threat actors may use unpatched Exchange servers “to deploy ransomware or conduct other post-exploitation activities” and urging them to update immediately.
“Our recommendation, as always, is to install the latest CU and SU on a...

Over the weekend, the Cybersecurity & Infrastructure Security Agency (CISA) issued an urgent alert that attackers are actively attacking ProxyShell vulnerabilities in unpatched Microsoft Exchange Servers, joining researchers in urging organizations to immediately install the latest Microsoft Security Update.
Security researchers at Huntress reported seeing ProxyShell vulnerabilities being actively exploited throughout the month of August to install backdoor access once the ProxyShell e...

Get our weekly newsletter Plus: eBPF Foundation emerges, Exchange severs probed for ProxyShell holes, and more

In brief If your Git operations start failing on Friday, August 13 with GitHub, it may well be because you're still using password authentication – and you need to change that.
In December, the source-code-hosting giant warned it will end password-based authentication for Git pushes and the like. From 1600 UTC (1700 BST, 0900 PST) on Friday, that shutdown will come into effect. As such, you'll need to use authentication tokens to complete your Git operations with GitHub.
"As previo...

Four flaws already being abused in the wild to compromise victims

Microsoft released an XL-sized bundle of security fixes for its products for this month's Patch Tuesday, and other vendors are close behind in issuing updates.
The Windows goliath's batch for July has 117 patches, 13 for what's said to be critical bugs, 103 important, and one moderate. Normally, we'd encourage you to install these updates, testing them as appropriate prior to deployment, before miscreants develop exploits for them. However, four of these holes are already being exploited i...

Three bugs under active exploit were squashed by Microsoft Tuesday, part of its July security roundup of fixes for Windows, Microsoft Office, SharePoint Server and Exchange Server. In all, Microsoft patched 116 bugs. Twelve bugs are rated critical, 103 rated important and one classified as moderate in severity.
Bugs under active attack include a critical scripting engine memory corruption (CVE-2021-34448) flaw and two additional Windows kernel elevation-of-privilege vulnerabilities (CVE-20...

Get our weekly newsletter Threat actor exploited known vulnerabilities in the Microsoft software to compromise multiple systems

An affiliate of the aggressive Hive ransomware group is exploiting known vulnerabilities in Microsoft Exchange servers to encrypt and exfiltrate data and threaten to publicly disclose the information if the ransom isn't paid.
In a recent attack on an unnamed organization, the Hive affiliate rapidly compromised multiple devices and file servers by exploiting the ProxyShell vulnerabilities in Exchange servers, encrypting the data within 72 hours of the start of the attack, threat hunters wit...

Topics Security Off-Prem On-Prem Software Offbeat Vendor Voice Vendor Voice Resources Now that's sticker shock

Internet snoops has been caught concealing spyware in an old Windows logo in an attack on governments in the Middle East.
The Witchetty gang used steganography to stash backdoor Windows malware, dubbed Backdoor.Stegmap, in the bitmap image.
"Although rarely used by attackers, if successfully executed, steganography can be leveraged to disguise malicious code in seemingly innocuous-looking image files," researchers at Symantec's Threat Hunter Team wrote this week. "Disguising the payl...

Topics Security Off-Prem On-Prem Software Offbeat Vendor Voice Vendor Voice Resources Malicious cyber actors go after 2021's biggest misses, spend less time on the classics

Security flaws in Log4j, Microsoft Exchange, and Atlassian's workspace collaboration software were among the bugs most frequently exploited by "malicious cyber actors" in 2021 , according to a joint advisory by the Five Eyes nations' cybersecurity and law enforcement agencies.
It's worth noting that 11 of the 15 flaws on the list were disclosed in 2021, as previous years' lists often found miscreants exploiting the older vulns for which patches had been available for years.
Of course...

The US Cybersecurity and Infrastructure Security Agency (CISA) issued its first alert tagged as "urgent," warning admins to patch on-premises Microsoft Exchange servers against actively exploited ProxyShell vulnerabilities.
"Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207," CISA
over the weekend.
"CISA strongly urges organizations to identify vulnerable systems on their networks and im...

Topics Security Off-Prem On-Prem Software Offbeat Vendor Voice Vendor Voice Resources Now that's sticker shock

Internet snoops have been caught concealing spyware in an old Windows logo in an attack on governments in the Middle East.
The Witchetty gang used steganography to stash backdoor Windows malware – dubbed Backdoor.Stegmap – in the bitmap image.
"Although rarely used by attackers, if successfully executed, steganography can be leveraged to disguise malicious code in seemingly innocuous-looking image files," researchers at Symantec's Threat Hunter Team wrote this week. "Disguising t...

Topics Security Off-Prem On-Prem Software Offbeat Vendor Voice Vendor Voice Resources Worok uses mix of publicly available tools, custom malware to steal info, gang active since 2020

A cyberespionage group has targeted government agencies and big-name corporations throughout Asia since at least 2020, using the notorious ProxyShell vulnerabilities in Microsoft Exchange to gain initial access.
According to ESET, the crew it has dubbed as Worok may be associated with TA428, a similar group thought to be backed by China, that has been around since 2019.
Threat intelligence researchers with the cybersecurity software vendor saw activity from a range of advanced persis...