Ethical Hacking News Hubb
Advertisement Banner
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
Wellnessnewshubb
No Result
View All Result
Home Ethical Hackers

Microsoft Urges Customers to Secure On-Premises Exchange Servers

admin by admin
January 28, 2023
in Ethical Hackers


Jan 28, 2023Ravie LakshmananEmail Security / Cyber Threat

Microsoft is urging customers to keep their Exchange servers updated as well as take steps to bolster the environment, such as enabling Windows Extended Protection and configuring certificate-based signing of PowerShell serialization payloads.

“Attackers looking to exploit unpatched Exchange servers are not going to go away,” the tech giant’s Exchange Team said in a post. “There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts.”

Microsoft also emphasized mitigations issued by the company are only a stopgap solution and that they can “become insufficient to protect against all variations of an attack,” necessitating that users install necessary security updates to secure the servers.

Exchange Server has been proven to be a lucrative attack vector in recent years, what with a number of security flaws in the software weaponized as zero-days to hack into systems.

In the past two years alone, several sets of vulnerabilities have been discovered in Exchange Server – including ProxyLogon, ProxyOracle, ProxyShell, ProxyToken, ProxyNotShell, and a ProxyNotShell mitigation bypass known as OWASSRF – some of which have come under widespread exploitation in the wild.

Bitdefender, in a technical advisory published this week, described Exchange as an “ideal target,” while also chronicling some of the real-world attacks involving the ProxyNotShell / OWASSRF exploit chains since late November 2022.

Microsoft

“There is a complex network of frontend and backend services [in Exchange], with legacy code to provide backward compatibility,” Bitdefender’s Martin Zugec noted. “Backend services trust the requests from the front-end [Client Access Services] layer.”

Another reason is the fact that multiple backend services run as Exchange Server itself, which comes with SYSTEM privileges, and that the exploits could grant the attacker malicious access to the remote PowerShell service, effectively paving the way for the execution of malicious commands.

To that end, attacks weaponizing the ProxyNotShell and OWASSRF flaws have targeted arts and entertainment, consulting, law, manufacturing, real estate, and wholesale industries located in Austria, Kuwait, Poland, Turkey, and the U.S.

“These types of server-side request forgery (SSRF) attacks allow an adversary to send a crafted request from a vulnerable server to other servers to access resources or information that are otherwise not directly accessible,” the Romanian cybersecurity company said.

Most of the attacks are said to be opportunistic rather than focused and targeted, with the infections culminating in the attempted deployment of web shells and remote monitoring and management (RMM) software such as ConnectWise Control and GoTo Resolve.

Web shells not only offer a persistent remote access mechanism, but also allow the criminal actors to conduct a wide range of follow-on activities and even sell the access to other hacker groups for profit.

In some cases, the staging servers used to host the payloads were compromised by Microsoft Exchange servers themselves, suggesting that the same technique may have been applied to expand the scale of the attacks.

Also observed were unsuccessful efforts undertaken by adversaries to download Cobalt Strike as well as a Go-based implant codenamed GoBackClient that comes with capabilities to gather system information and spawn reverse shells.

The abuse of Microsoft Exchange vulnerabilities has also been a recurring tactic employed by UNC2596 (aka Tropical Scorpius), the operators of Cuba (aka COLDDRAW) ransomware, with one attack leveraging the ProxyNotShell exploit sequence to drop the BUGHATCH downloader.

“While the initial infection vector keeps evolving and threat actors are quick to exploit any new opportunity, their post-exploitation activities are familiar,” Zugec said. “The best protection against modern cyber-attacks is a defense-in-depth architecture.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

Tool That Helps Blue Teams Pinpoint The Security Issues That Actually Matter

Next Post

VPN을 이용하여 어디서나 Netflix의 스튜디오 지브리 시청하는 방법

Next Post

VPN을 이용하여 어디서나 Netflix의 스튜디오 지브리 시청하는 방법

Recommended

How to watch Naoya Inoue vs Paul Butler online

4 months ago

Critical Vulnerability Discovered in Atlassian Bitbucket Server and Data Center

7 months ago

© 2022 Ethical Hacking News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Ethical Hackers
  • Contact

Newsletter Sign Up.

No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact

© 2022 Ethical Hacking News Hubb All rights reserved.