Microsoft Updates Mitigations For Unpatched Microsoft Exchange Zero-Days
Read also: Comm100 chat provider hacked in a supply chain attack, a teen used leaked Optus data in a data extortion scam, and more.
Thursday, October 6, 2022
Microsoft updates MS Exchange zero-day guidance after researchers bypass mitigations
Microsoft has revised the guidance for the two unpatched Microsoft Exchange zero-day vulnerabilities after security researchers found original mitigations to be insufficient and easy to bypass.
The two bugs (CVE-2022-41040 and CVE-2022-41082) collectively known as “ProxyNotShell,” were publicly disclosed last week, and are said to have been exploited in an attack by a threat actor linked to China to deploy China Chopper webshells on compromised servers.
CVE-2022-41040 is a server-side request forgery (SSRF) bug, while the CVE-2022-41082 issue could be leveraged by a remote attacker with access to PowerShell Remoting to achieve remote code execution on vulnerable Exchange servers. The flaws impact Microsoft Exchange Server 2013, 2016, and 2019. Microsoft said it observed less than 10 organizations being affected, but warned of a potential rise in attacks.
Cybersecurity authorities detail how multiple threat actors targeted US military contractor
The US National Security Agency, the Cybersecurity and Infrastructure Security Agency and the FBI released a joint security alert detailing advanced persistent threat (APT) activity observed on a Defense Industrial Base (DIB) Sector organization's corporate network.
The observed attacks took place between November 2021 and January 2022 and likely involved multiple APTs, with some of them maintaining a long-term access to the victim’s environment.
The alert highlights how malicious actors deployed the open–source framework Impacket to gain a foothold into the victim’s network and then leveraged the data exfiltration tool called CovalentStealer to steal sensitive data. The advisory also contains Indicators of Compromise related to the attacks and mitigations to help organizations to strengthen defence against such attacks.
NetWalker ransomware affiliate gets 20 years in prison
A Canadian national was sentenced to 20 years in the US prison for his role in the NetWalker ransomware scheme that targeted multiple organizations all around the globe, including businesses, municipalities, healthcare organizations, law enforcement agencies, emergency services, and education institutions.
The man, Sebastien Vachon-Desjardins, 35, of Gatineau, Quebec, was arrested in late January 2021 following a police operation that took down NetWalker’s dark web payment websites. In March 2022, Vachon-Desjardins was extradited from Canada to the US. According to the authorities, the convicted obtained at least over $27.6 million as a result of the illicit activities. In addition to the prison sentence, Vachon-Desjardins was ordered to forfeit $21.5 million.
Scammer arrested for using leaked Optus data in SMS blackmail
A 19-year old man has been arrested in Sydney, Australia, for allegedly using customer information leaked in the last month’s Optus data breach in an SMS blackmailing scheme.
The suspect allegedly used 10,200 records briefly posted on an internet crime forum last month to carry out data extortion scam demanding from victims that they transfer $2000 to his bank account or risk their personal data being used for financial crimes. The scam messages were sent to 93 Optus customers who had their data published on the hacker forum, but none of them succumbed to ransom demand.
The teen was charged with using a telecommunication network with the intent to commit a serious offense and dealing with identification information. Both the crimes carry a maximum penalty of 10 and 7 years in prison respectively.
Suspected Chinese threat actors hacked popular commercial chat provider in supply chain attack
The infrastructure of Canadian commercial chat provider Comm100 was compromised in what appears to be a supply chain attack. The hackers hijacked the installer for Comm100’s Live Chat software and modified it to deliver malware on victims’ systems.
While the compromise lasted only three days - from September 27 through September 29 - trojanized file was found at organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe. The exact number of victims currently remains unknown.
The attack is believed to have been carried out by a threat group linked to China.
What’s next:
- Follow ImmuniWeb on Twitter and LinkedIn
- Explore 20 use cases how ImmuniWeb can help
- Browse open positions to join our great Team
- See the benefits of our partner program
- Request a demo, quote or special price
- Subscribe to our newsletter
Application Security Weekly is a weekly review of the most important news and events in cybersecurity, privacy and compliance. We cover innovative cyber defense technologies, new hacking techniques, data breaches and evolving cyber law. 
