#1 Trusted Cybersecurity News Platform
The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: Microsoft Exchange

Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities

Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities

October 08, 2022Ravie Lakshmanan
Microsoft on Friday  disclosed  it has made more improvements to the  mitigation method  offered as a means to prevent exploitation attempts against the newly disclosed unpatched security flaws in Exchange Server. To that end, the tech giant has revised the blocking rule in IIS Manager from ".*autodiscover\.json.*Powershell.*" to "(?=.*autodiscover\.json)(?=.*powershell)." The list of updated steps to add the URL Rewrite rule is below - Open IIS Manager Select Default Web Site In the Feature View, click URL Rewrite In the Actions pane on the right-hand side, click Add Rule(s)… Select Request Blocking and click OK Add the string "(?=.*autodiscover\.json)(?=.*powershell)" (excluding quotes) Select Regular Expression under Using Select Abort Request under How to block and then click OK Expand the rule and select the rule with the pattern: (?=.*autodiscover\.json)(?=.*powershell) and click Edit under Conditions Change the Condition input from {U
Mitigation for Exchange Zero-Days Bypassed! Microsoft Issues New Workarounds

Mitigation for Exchange Zero-Days Bypassed! Microsoft Issues New Workarounds

October 05, 2022Ravie Lakshmanan
Microsoft has updated its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed. The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed  ProxyNotShell  due to similarities to another set of flaws called  ProxyShell , which the tech giant resolved last year. In-the-wild attacks abusing the  shortcomings  have chained the two flaws to gain remote code execution on compromised servers with elevated privileges, leading to the deployment of web shells. The Windows maker, which is yet to release a fix for the bugs, has acknowledged that a single state-sponsored threat actor may have been weaponizing the flaws since August 2022 in limited targeted attacks. In the meantime, the company has made available temporary workarounds to reduce the risk of exploitation by restricting known attack patterns through a rule in the IIS Manager. However, accordin
State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations

State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations

October 01, 2022Ravie Lakshmanan
Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the  two newly disclosed zero-day flaws  in a limited set of attacks aimed at less than 10 organizations globally. "These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration," the Microsoft Threat Intelligence Center (MSTIC)  said  in a new analysis. The weaponization of the vulnerabilities is expected to ramp up in the coming days, Microsoft further warned, as malicious actors co-opt the exploits into their toolkits, including deploying ransomware, due to the "highly privileged access Exchange systems confer onto an attacker." The tech giant attributed the ongoing attacks with medium confidence to a state-sponsored organization, adding it was already investigating these attacks when the Zero Day Initiative d
WARNING: New Unpatched Microsoft Exchange Zero-Day Under Active Exploitation

WARNING: New Unpatched Microsoft Exchange Zero-Day Under Active Exploitation

September 30, 2022Ravie Lakshmanan
Security researchers are warning of previously undisclosed flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems. The advisory comes from Vietnamese cybersecurity company GTSC, which discovered the shortcomings as part of its security monitoring and incident response efforts in August 2022. The two vulnerabilities, which are formally yet to be assigned CVE identifiers, are being  tracked  by the Zero Day Initiative as  ZDI-CAN-18333  (CVSS score: 8.8) and  ZDI-CAN-18802  (CVSS score: 6.3). GTSC said that successful exploitation of the flaws could be abused to gain a foothold in the victim's systems, enabling adversaries to drop web shells and carry out lateral movements across the compromised network. "We detected web shells, mostly obfuscated, being dropped to Exchange servers," the company  noted . "Using the user-agent, we detected that the attacker use
New 'SessionManager' Backdoor Targeting Microsoft IIS Servers in the Wild

New 'SessionManager' Backdoor Targeting Microsoft IIS Servers in the Wild

July 01, 2022Ravie Lakshmanan
A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022. Dubbed  SessionManager , the malicious tool masquerades as a module for Internet Information Services ( IIS ), a web server software for Windows systems, after exploiting one of the ProxyLogon flaws within Exchange servers.  Targets included 24 distinct NGOs, government, military, and industrial organizations spanning Africa, South America, Asia, Europe, Russia and the Middle East. A total of 34 servers have been compromised by a SessionManager variant to date. This is far from the first time the technique has been  observed in real-world attacks . The use of a rogue IIS module as a means to distribute stealthy implants has its echoes in an Outlook credential stealer called  Owowa  that came to light in December 2021. "Dropping an IIS module a
APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor

APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor

June 28, 2022Ravie Lakshmanan
Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021,  attributed  it to a previously unknown Chinese-speaking threat actor. Targets include organizations in the telecommunications, manufacturing, and transport sectors. "During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated  building automation systems  of one of the victims," the company said. "By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization." ShadowPad , which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been put to use by many Chinese espionage actors over the years.  W
New Incident Report Reveals How Hive Ransomware Targets Organizations

New Incident Report Reveals How Hive Ransomware Targets Organizations

April 21, 2022Ravie Lakshmanan
A recent Hive ransomware attack carried out by an affiliate involved the exploitation of "ProxyShell" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network. "The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise," Varonis security researcher, Nadav Ovadia,  said  in a post-mortem analysis of the incident.  Hive, which was  first observed  in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold into their victims' networks. ProxyShell  — tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 — involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker
Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities

Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities

April 13, 2022Ravie Lakshmanan
Microsoft's Patch Tuesday updates for the month of April have addressed a  total of 128 security vulnerabilities  spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others. 10 of the 128 bugs fixed are rated Critical, 115 are rated Important, and three are rated Moderate in severity, with one of the flaws listed as publicly known and another under active attack at the time of the release. The updates are in addition to  26 other flaws  resolved by Microsoft in its Chromium-based Edge browser since the start of the month. The actively exploited flaw ( CVE-2022-24521 , CVSS score: 7.8) relates to an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). Credited with reporting the flaw are the U.S. National Security Agency (NSA) and CrowdStrike researchers Adam Podlosky and Amir Bazine. The second publicly-known zero-day flaw ( CVE-2022-26904 , CVSS score: 7.0)
Moses Staff Hackers Targeting Israeli Organizations for Cyber Espionage

Moses Staff Hackers Targeting Israeli Organizations for Cyber Espionage

February 17, 2022Ravie Lakshmanan
The politically motivated Moses Staff hacker group has been observed using a custom multi-component toolset with the goal of carrying out espionage against its targets as part of a new campaign that exclusively singles out Israeli organizations. First  publicly documented  in late 2021, Moses Staff is believed to be sponsored by the Iranian government, with attacks reported against entities in Israel, Italy, India, Germany, Chile, Turkey, the U.A.E., and the U.S. Earlier this month, the hacker collective was observed incorporating a previously undocumented remote access trojan (RAT) called " StrifeWater " that masquerades as the Windows Calculator app to evade detection. "Close examination reveals that the group has been active for over a year, much earlier than the group's first official public exposure, managing to stay under the radar with an extremely low detection rate," findings from FortiGuard Labs show . The latest threat activity involves an atta
Hackers Using Malicious IIS Server Module to Steal Microsoft Exchange Credentials

Hackers Using Malicious IIS Server Module to Steal Microsoft Exchange Credentials

December 15, 2021Ravie Lakshmanan
Malicious actors are deploying a previously undiscovered binary, an Internet Information Services ( IIS ) webserver module dubbed " Owowa ," on Microsoft Exchange Outlook Web Access servers with the goal of stealing credentials and enabling remote command execution. "Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange's Outlook Web Access (OWA)," Kaspersky researchers Paul Rascagneres and Pierre Delcher  said . "When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server." The idea that a rogue IIS module can be fashioned as a backdoor is not new. In August 2021, an exhaustive study of the IIS threat landscape by Slovak cybersecurity company ESET revealed  as many as 14 malware families that were developed as native IIS modules in an attempt to interc
Microsoft Issues Patches for Actively Exploited Excel, Exchange Server 0-Day Bugs

Microsoft Issues Patches for Actively Exploited Excel, Exchange Server 0-Day Bugs

November 10, 2021Ravie Lakshmanan
Microsoft has released security updates as part of its monthly  Patch Tuesday  release cycle to address 55 vulnerabilities across Windows, Azure, Visual Studio, Windows Hyper-V, and Office, including fixes for two actively exploited zero-day flaws in Excel and Exchange Server that could be abused to take control of an affected system. Of the 55 glitches, six are rated Critical and 49 are rated as Important in severity, with four others listed as publicly known at the time of release.  The most critical of the flaws are  CVE-2021-42321  (CVSS score: 8.8) and  CVE-2021-42292  (CVSS score: 7.8), each concerning a  post-authentication remote code execution flaw  in Microsoft Exchange Server and a security bypass vulnerability impacting Microsoft Excel versions 2013-2021 respectively. The Exchange Server issue is also one of the bugs that was demonstrated at the  Tianfu Cup  held in China last month. However, the Redmond-based tech giant did not provide any details on how the two aforem
Microsoft Exchange Bug Exposes ~100,000 Windows Domain Credentials

Microsoft Exchange Bug Exposes ~100,000 Windows Domain Credentials

September 23, 2021Ravie Lakshmanan
An unpatched design flaw in the implementation of Microsoft Exchange's Autodiscover protocol has resulted in the leak of approximately 100,000 login names and passwords for Windows domains worldwide. "This is a severe security issue, since if an attacker can control such domains or has the ability to 'sniff' traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire," Guardicore's Amit Serper  said  in a technical report. "Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs [top-level domains]." The Exchange  Autodiscover  service enables users to configure applications such as Microsoft Outlook with minimal user input, allowing just a combination of email addresses and pas
New Microsoft Exchange 'ProxyToken' Flaw Lets Attackers Reconfigure Mailboxes

New Microsoft Exchange 'ProxyToken' Flaw Lets Attackers Reconfigure Mailboxes

August 31, 2021Ravie Lakshmanan
Details have emerged about a now-patched security vulnerability impacting Microsoft Exchange Server that could be weaponized by an unauthenticated attacker to modify server configurations, thus leading to the disclosure of Personally Identifiable Information (PII). The issue, tracked as  CVE-2021-33766  (CVSS score: 7.3) and coined " ProxyToken ," was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), and reported through the Zero-Day Initiative (ZDI) program in March 2021. "With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users," the ZDI  said  Monday. "As an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker." Microsoft addressed the issue as part of its  Patch Tuesday updates  for July 2021
WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws

WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws

August 22, 2021Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of " ProxyShell " Microsoft Exchange vulnerabilities that were patched earlier this May, including deploying LockFile ransomware on compromised systems. Tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities enable adversaries to bypass ACL controls, elevate privileges on the Exchange PowerShell backend, effectively permitting the attacker to perform unauthenticated, remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker's May Patch Tuesday updates. "An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine," CISA  said . The development comes a little over a week after cybersecurity researchers sounded the alarm on  opportunistic scanning and exploitation  of unpat
Hackers Actively Searching for Unpatched Microsoft Exchange Servers

Hackers Actively Searching for Unpatched Microsoft Exchange Servers

August 13, 2021Ravie Lakshmanan
Threat actors are actively carrying out opportunistic  scanning  and  exploitation  of Exchange servers using a new exploit chain leveraging a trio of flaws affecting on-premises installations, making them the latest set of bugs after ProxyLogon vulnerabilities were exploited en masse at the start of the year. The remote code execution flaws have been collectively dubbed "ProxyShell." At least 30,000 machines are affected by the vulnerabilities,  according  to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center. "Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities," NCC Group's Richard Warren  tweeted , noting that one of the intrusions resulted in the deployment of a "C# aspx webshell in the /aspnet_client/ directory." Patched in early March 2021,  ProxyLogon  is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server tha
US and Global Allies Accuse China of Massive Microsoft Exchange Attack

US and Global Allies Accuse China of Massive Microsoft Exchange Attack

July 20, 2021Ravie Lakshmanan
The U.S. government and its key allies, including the European Union, the U.K., and NATO, formally attributed the massive cyberattack against Microsoft Exchange email servers to state-sponsored hacking crews working affiliated with the People's Republic of China's Ministry of State Security (MSS). In a  statement  issued by the White House on Monday, the administration said, "with a high degree of confidence that malicious cyber actors affiliated with PRC's MSS conducted cyber-espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021. The U.K. government  accused  Beijing of a "pervasive pattern of hacking" and "systemic cyber sabotage." The  sweeping espionage campaign  exploited four previously undiscovered vulnerabilities in Microsoft Exchange software and is believed to have hit at least 30,000 organizations in the U.S. and hundreds of thousands more worldwide. Microsoft identified
Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers

Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers

April 23, 2021Ravie Lakshmanan
Attackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines to a cryptocurrency botnet named Prometei, according to new research. "Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more," Boston-based cybersecurity firm Cybereason  said  in an analysis summarizing its findings. First documented by Cisco Talos in July 2020,  Prometei  is a multi-modular botnet, with the actor behind the operation employing a wide range of specially-crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, laterally propagate across the network and "increase the amount of systems participating in its Monero-mining pool." "Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system, on the targeted in
Deals — IT Courses and Software

Sign up for our cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.