Microsoft confirms that two Exchange Server zero days are used in cyberattacks
Microsoft confirmed on Thursday night that it is investigating two zero days affecting its Exchange Server software, following a report from Vietnamese cybersecurity firm GTSC that the vulnerabilities are being exploited in the wild. GTSC said it discovered the issues in August while monitoring and responding to security incidents and reported them to Trend Micro’s Zero Day Initiative, which confirmed the bugs. The attacks reported by GTSC chain the two vulnerabilities. The first, a server-side request forgery (SSRF) flaw tracked as CVE-2022-41040, may allow an attacker who holds credentials for a user account on the mail server to gain unauthorized access. The second, tracked as CVE-2022-41082, allows remote code execution in a manner similar to the 2021 ProxyShell flaws that caused chaos for many companies, according to GTSC, although the company wrote that it was not yet comfortable divulging the technical details.
(The Record)
Lazarus Hackers Abuse Dell Driver Bug Using New FudModule Rootkit
The notorious North Korean hacking group Lazarus has been observed installing a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack. The spear-phishing campaign took place in the fall of 2021, and the confirmed targets, an aerospace expert in the Netherlands and a political journalist in Belgium, were emailed bogus job offers at Amazon. ESET reports that, among the tools deployed in this campaign, the most interesting is a new FudModule rootkit that uses the BYOVD technique to exploit a vulnerability in a Dell hardware driver, the first recorded in-the-wild abuse of that flaw.
(Bleeping Computer)
Ex-NSA employee charged with breaking espionage law and selling US cyber secrets
Former NSA employee Jareh Sebastian Dalke appeared in federal court on Thursday, charged with attempting to pass classified “national defense information” to an undercover FBI agent he believed to be a Russian agent, in exchange for $85,000, according to the Department of Justice. He allegedly told the undercover agent that he had access to information “relating to foreign targeting of US systems and information on cyber operations,” according to the affidavit. Dalke was employed by the NSA for only about three weeks before resigning on July 1, but while he was there he held a top-secret clearance in his role as an “information systems security designer,” according to the FBI.
(CyberScoop)
Microsoft allows Office 365 users to report Teams phishing messages
Microsoft is working on an update to Microsoft Defender for Office 365 that will let Microsoft Teams users alert their organization’s security team to any suspicious messages they receive. Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection, or Office 365 ATP) protects organizations against malicious threats arriving through email messages, links, and collaboration tools. The feature under development is meant to help administrators filter out potentially dangerous messages that target employees with malicious payloads or try to redirect them to phishing websites. “End users will be able to report suspicious Microsoft Teams messages as a security threat, just like they do for emails,” Microsoft says on the Microsoft 365 roadmap. The feature is expected to be generally available by January.
(Bleeping Computer)
And now, thanks to the sponsor of this week’s episode, Hunters
BlackCat ransomware gang claims to have hacked US defense contractor NJVC
The ALPHV/BlackCat ransomware gang claims to have breached IT company NJVC, which supports the federal government and the US Department of Defense. The company serves intelligence, defense, and geospatial organizations and has more than 1,200 employees located around the world. BlackCat added NJVC to the list of victims on its Tor leak site and threatened to release the allegedly stolen data if the company does not pay the ransom. The claim remains unverified, and the group’s Tor leak site has since removed the listing.
(Security Affairs)
Steganography Alert: Backdoor Spyware Hidden in Microsoft Logo
Cyberspies have been caught hiding spyware in an old Windows logo in an attack on Middle Eastern governments. The Witchetty gang used steganography to conceal a Windows backdoor, dubbed Backdoor.Stegmap, inside the bitmap image. “Although rarely used by attackers, if executed successfully, steganography can be used to conceal malicious code in seemingly innocuous image files,” researchers from Symantec’s Threat Hunter team said last week. They added, “Disguising the payload in this way allowed the attackers to host it on a free and trusted service.”
(The Register)
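The quote above describes the technique without showing it. The following is an added example, not code from Symantec’s report or from the Witchetty Backdoor.Stegmap loader: it hides a payload in the least-significant bits of a 24-bit BMP, recovers it, and applies a crude LSB-plane entropy check. The cover image, the payload bytes, and the detection threshold are all constructed for the demo; nothing here decodes or executes a real payload.

```python
"""
LSB steganography in a 24-bit BMP, plus a crude LSB-plane check.

Added example, NOT the Witchetty/Backdoor.Stegmap loader.  Cover image,
payload and threshold are constructed for this demo.
"""
import math
import struct

WIDTH, HEIGHT = 64, 64   # 64 px * 3 bytes = 192 bytes per row, a multiple of 4: no row padding
PIXEL_OFFSET = 54        # 14-byte BITMAPFILEHEADER + 40-byte BITMAPINFOHEADER

# Constructed stand-in for a payload: 512 bytes with an even mix of 0/1 bits.
PAYLOAD = bytes((i * 167 + 13) & 0xFF for i in range(512))


def make_cover_bmp() -> bytes:
    """Constructed cover: a four-block checkerboard of flat colours, like a logo
    with large uniform areas.  Every channel value is even, so the LSB plane is
    all zeros before anything is hidden."""
    body = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            # BMP stores each pixel as B, G, R
            body += bytes((0x00, 0x40, 0xF0) if (x // 32 + y // 32) % 2 else (0xC0, 0x80, 0x20))
    file_header = struct.pack("<2sIHHI", b"BM", PIXEL_OFFSET + len(body), 0, 0, PIXEL_OFFSET)
    info_header = struct.pack("<IiiHHIIiiII", 40, WIDTH, HEIGHT, 1, 24, 0, len(body),
                              2835, 2835, 0, 0)
    return file_header + info_header + bytes(body)


def pixel_offset(bmp: bytes) -> int:
    """Read the pixel-array offset from the BMP file header (bytes 10..13)."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    return struct.unpack_from("<I", bmp, 10)[0]


def embed(bmp: bytes, payload: bytes) -> bytes:
    """Hide a 4-byte little-endian length followed by the payload, one bit per
    pixel byte, in the least significant bits.  No pixel value changes by more than 1,
    so the image looks identical and keeps its size."""
    off = pixel_offset(bmp)
    data = struct.pack("<I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]   # MSB first
    if len(bits) > len(bmp) - off:
        raise ValueError("payload does not fit in the cover image")
    out = bytearray(bmp)
    for i, bit in enumerate(bits):
        out[off + i] = (out[off + i] & 0xFE) | bit
    return bytes(out)


def extract(bmp: bytes) -> bytes:
    """Inverse of embed(): recover the length prefix, then that many payload bytes."""
    off = pixel_offset(bmp)

    def read_bytes(count: int, first_bit: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (bmp[off + first_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = struct.unpack("<I", read_bytes(4, 0))[0]
    return read_bytes(length, 32)


def lsb_entropy(bmp: bytes) -> float:
    """Shannon entropy, in bits, of the pixel data's LSB plane
    (0.0 = all LSBs identical, 1.0 = perfectly balanced)."""
    off = pixel_offset(bmp)
    p = sum(b & 1 for b in bmp[off:]) / (len(bmp) - off)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def looks_tampered(bmp: bytes, threshold: float = 0.1) -> bool:
    """Crude check: a flat-colour cover like make_cover_bmp() has near-zero LSB
    entropy, and hidden data pushes it up.  The threshold fits this constructed
    image only; photographic images have noisy LSBs to begin with."""
    return lsb_entropy(bmp) > threshold


def demo() -> dict:
    cover = make_cover_bmp()
    stego = embed(cover, PAYLOAD)
    return {
        "same_size": len(cover) == len(stego),
        "cover_entropy": lsb_entropy(cover),
        "stego_entropy": lsb_entropy(stego),
        "cover_flagged": looks_tampered(cover),
        "stego_flagged": looks_tampered(stego),
        "roundtrip_ok": extract(stego) == PAYLOAD,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The entropy check only works on the synthetic logo-like cover; on real photographs the LSB plane is already noisy, which is exactly why attackers favour the technique and why a file hosted on a trusted service passes a URL-reputation filter. The detection that holds up in practice is behavioural: a process that downloads an image from a public code-hosting or CDN site and then allocates executable memory or decodes the pixel data itself is the signal, not the bitmap.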
German police identify gang that stole 4 million euros via phishing attacks
The phishing campaigns were carried out between October 3, 2020 and May 29, 2021, with the gang sending victims messages posing as German banks. A statement released by the Bundeskriminalamt, Germany’s Federal Criminal Police Office, said the emails were visually and linguistically credible: they informed recipients of changes to the bank’s security system and asked them to click an embedded link, which redirected them to a landing page that requested their credentials and a TAN (transaction authentication number). One of the accomplices now faces 124 counts of computer fraud.
(Security Affairs)
Last week in ransomware
As expected, threat actors are now using the leaked LockBit 3.0 ransomware builder in their own operations. For example, the Bl00Dy Ransomware Gang, which previously used Babuk and Conti encryptors, has switched to a LockBit 3.0 encryptor in an attack on a Ukrainian company. Researchers also reported that TargetCompany ransomware affiliates are now targeting publicly exposed Microsoft SQL servers. New research suggests that ransomware gangs may move away from encryption altogether and toward pure data exfiltration and file deletion, cutting the ransomware developer out of the operation. This idea stems from a new file deletion/corruption feature in a data theft tool used by a BlackMatter affiliate. Finally, this week we heard about Royal Ransomware, which has been quietly operating in the shadows since February but has recently intensified its attacks.
(Bleeping Computer)