Microsoft is pressing customers to install emergency patches as soon as possible. So far, there is only one highly skilled hacker group actively exploiting the vulnerabilities – named Hafnium – but the situation could change at any time. The best protection against this attack will be applying new patches now, not tomorrow or one week from today. More information about MS Exchange zero-days can be found below.
Microsoft patched four actively exploited Exchange zero-day bugs
Microsoft has released emergency out-of-band security updates for all supported Microsoft Exchange versions that fix four zero-day vulnerabilities actively exploited in targeted attacks. Chained together they allow attackers to gain access to Microsoft Exchange servers, steal email, and plant further malware for increased access to the network.
For the attack to work, remote attackers would need to access an on-premise Microsoft Exchange server on port 443. If access is available, the threat actors would then utilize the following vulnerabilities:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange.
After gaining access to a vulnerable Microsoft Exchange server, attackers could install a web shell that allows them to steal data, upload files, and execute almost any command on the compromised system. In the next step, they could also perform a memory dump of the LSASS.exe executable to harvest cached credentials using this web shell. It would allow them to export mailboxes and stolen data from the Exchange server and upload it to file-sharing services, such as MEGA, where they could later retrieve it. Attackers could create a remote shell back to their servers to access the machine and its internal network.
That’s the theory, now cold facts…
Attacks appear to have started as early as Jan. 6, 2021. Volexity researchers – who detected anomalous activity from two Microsoft’s customers – noticed a large amount of data sent to IP addresses they believed was not tied to actual users. Closer inspection revealed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access.
While Microsoft describes this activity as “limited and targeted,” fresh reports indicate that this is now evolving into a larger-scale campaign. For many organizations Exchange server is essential. And that’s why it is also such a hot target. Attackers seem to be scanning the Web to find vulnerable endpoints. Nearly 200 organizations and more than 350 Web shells have been compromised. Affected companies include small hotels, kitchen appliance manufacturer, ice cream company, senior citizen communities, and other mid-market businesses
How to know if you’ve been compromised?
Check for an unfamiliar activity in Web server logs connecting to the attackers’ implanted Web shells. A change in user permissions or administrative users may also raise suspicion and prompt a closer look.
Five security holes in the Linux kernel’s virtual socket implementation discovered
Alexander Popov – a security developer at Positive Technologies – discovered a set of five security holes in the Linux kernel’s virtual socket implementation. These vulnerabilities (CVE-2021-26708, scored 7.0 CVSS) could be used to gain root access and knock out servers in a Denial of Service (DoS) attack.
High severity bugs
The bugs were discovered in Red Hat’s community Linux distribution Fedora 33 Server. They exist in the systems which are using the Linux kernel from November 2019’s version 5.5 to the current mainline kernel version 5.11-rc6.
Holes entered Linux when virtual socket multi-transport support was added. It’s commonly used by guest agents and hypervisor services that need a communications channel that is independent of the VM network configuration.
The core problem…
… is race conditions in the CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS kernel drivers. These are shipped as kernel modules in all major Linux distributions. The reason why this is such a serious problem is whenever an ordinary user creates an AF_VSOCK socket, the vulnerable modules are automatically loaded. A race condition exists when a system’s substantive behaviour depends on the sequence or timing of uncontrollable events.
The patch provided by Alexander Popov has been added into Linux 5.10.13 on February 3. And has been merged into mainline kernel version 5.11-rc7. It has also been incorporated into popular Linux distributions – Red Hat Enterprise Linux (RHEL) 8, Debian, Ubuntu, and SUSE.
Hackers use black hat SEO to push ransomware, trojans via Google
The delivery system for the Gootkit information stealer has evolved into a complex and stealthy framework, which earned it the name Gootloader. Now is pushing a wider variety of malware via hacked WordPress sites and malicious SEO techniques for Google results.
Apart from increasing the number of payloads, Gootloader has been seen distributing them across multiple regions from hundreds of hacked servers that are active at all times.
First documented in 2014, Gootkit is a Javascript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft.
Over the years, the cybercrime tool has evolved to gain new information-stealing features, with the Gootkit loader repurposed in combination with REvil/Sodinokibi ransomware infections reported last year. Recently the actors regrouped by forming a vast network of hacked WordPress sites and using SEO poisoning to show in Google forum posts fake forums with malicious links.
The threat actor modified the content management system (CMS) of the hacked websites to show fake message boards only to visitors from specific geographies and present them a “discussion” that allegedly contains the answer to their query in a post from “site administrator,” who publishes a link to a malicious file.
What’s more, the search engine results point to websites that have no “logical” connection to the search query, implying that the attackers must be in possession of a vast network of hacked websites.
Clicking on the link takes the visitor to a ZIP archive of a JavaScript file that acts as the initial infector. The initial JavaScript payload is twice obfuscated to evade detection from traditional antivirus solutions. It also includes two layers of encryption to strings and data blobs that relate to the next stage of the attack, which is the sole purpose of the malicious code.
If the move to the second stage is successful, the Gootloader command and control (C2) server delivers a string of numeric values that represent ASCII characters, which is loaded into the system memory.
It’s purpose is to decode the contents written earlier in the registry keys. This ultimately ends with downloading the final payload, which can be Gootkit, REvil, Kronos, or Cobalt Strike.
Microsoft confirmed today the Gootloader infection method and said that it is seeing numerous attacks, most of them targeting Germany.
‘ObliqueRAT’ hides behind images on compromised websites
In the latest example of threat actors quickly shifting gears when their methods are discovered and exposed publicly, the operator of the remote access Trojan ObliqueRAT has now changed its infection tactics.
Researchers from Cisco Talos recently discovered that the so-called Transparent Tribe attack group behind ObliqueRAT is using malicious Microsoft Office documents to point users to compromised websites hosting its malicious payload. In previous campaigns, the attackers had used the weaponized Office documents to drop ObliqueRAT directly onto the victim’s system. In the new one, it’s hiding the malware in seemingly benign image files on compromised websites, and using the poisoned Office documents merely to direct victims to the payload.
Steganography is nothing new. But using malicious documents to point users to payloads in image files isn’t very common. This shows that the actors are constantly designing new infection techniques and evolving their capabilities with a focus on stealth
ObliqueRAT is a trojan equipped to primarily spy on users, including via the system webcam. It can take screenshots, steal files, and gives attackers the ability to deliver malicious content and execute arbitrary commands on compromised systems.
Cisco Talos researchers have been unable to determine exactly how the attackers are delivering the malicious Microsoft Office documents to victims. One possibility is that they are distributing it via an email-based infection vector, which is how a majority of malware is delivered these days. Another possibility is that the attacker is using URLs to deliver the malicious documents rather than email attachments. Also, they are unsure about the methods the attackers might be using to compromise websites and to plant a poisoned image file with the ObliqueRAT payload. Potential infection vectors could include everything from easily guessed weak credentials to known exploits hitting outdated and unpatched hosting platforms.
So probably this threat topic is to be continued…
Do you have thirst for knowledge? There are ten more cybersecurity stories below
1. Is Your Browser Extension a Botnet Backdoor? (Krebs on Security)
2. This dangerous ransomware is using a new trick to encrypt your network (ZDNet)
3. A $50,000 Bug Could’ve Allowed Hackers Access Any Microsoft Account (The Hacker News)
4. Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow (Threat Post)
5. New ‘unc0ver’ Tool Can Jailbreak All iPhone Models Running iOS 11.0 – 14.3 (The Hacker News)
6. Google Patches Actively-Exploited Flaw in Chrome Browser (Threat Post)
7. GRUB2 boot loader maintainers fixed hundreds of flaws (Security Affairs)
8. Maza Russian cybercriminal forum suffers data breach (ZDNet)
9. Windows DNS SIGRed bug gets first public RCE PoC exploit (Bleeping Computer)
10. Microsoft, FireEye Uncover More Malware Used in the SolarWinds Campaign (Dark Reading)