#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

ProxyShell | Breaking Cybersecurity News | The Hacker News

Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

Nov 14, 2022
A recently discovered cyber espionage group dubbed  Worok  has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain. Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft. "What is noteworthy is data collection from victims' machines using Dropbox repository, as well as attackers using Dropbox API for communication with the final stage," the company  said . The development comes a little over two months after ESET disclosed details of attacks carried out by  Worok  against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as  TA428 . The Slovak cybersecurity company also documented Worok's compromise sequence, which makes use of a C++-based loader called CLRLoad to pave the way for an unknown PowerS
Mitigation for Exchange Zero-Days Bypassed! Microsoft Issues New Workarounds

Mitigation for Exchange Zero-Days Bypassed! Microsoft Issues New Workarounds

Oct 05, 2022
Microsoft has updated its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed. The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed  ProxyNotShell  due to similarities to another set of flaws called  ProxyShell , which the tech giant resolved last year. In-the-wild attacks abusing the  shortcomings  have chained the two flaws to gain remote code execution on compromised servers with elevated privileges, leading to the deployment of web shells. The Windows maker, which is yet to release a fix for the bugs, has acknowledged that a single state-sponsored threat actor may have been weaponizing the flaws since August 2022 in limited targeted attacks. In the meantime, the company has made available temporary workarounds to reduce the risk of exploitation by restricting known attack patterns through a rule in the IIS Manager. However, accordin
New Incident Report Reveals How Hive Ransomware Targets Organizations

New Incident Report Reveals How Hive Ransomware Targets Organizations

Apr 21, 2022
A recent Hive ransomware attack carried out by an affiliate involved the exploitation of "ProxyShell" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network. "The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise," Varonis security researcher, Nadav Ovadia,  said  in a post-mortem analysis of the incident.  Hive, which was  first observed  in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold into their victims' networks. ProxyShell  — tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 — involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker
Moses Staff Hackers Targeting Israeli Organizations for Cyber Espionage

Moses Staff Hackers Targeting Israeli Organizations for Cyber Espionage

Feb 17, 2022
The politically motivated Moses Staff hacker group has been observed using a custom multi-component toolset with the goal of carrying out espionage against its targets as part of a new campaign that exclusively singles out Israeli organizations. First  publicly documented  in late 2021, Moses Staff is believed to be sponsored by the Iranian government, with attacks reported against entities in Israel, Italy, India, Germany, Chile, Turkey, the U.A.E., and the U.S. Earlier this month, the hacker collective was observed incorporating a previously undocumented remote access trojan (RAT) called " StrifeWater " that masquerades as the Windows Calculator app to evade detection. "Close examination reveals that the group has been active for over a year, much earlier than the group's first official public exposure, managing to stay under the radar with an extremely low detection rate," findings from FortiGuard Labs show . The latest threat activity involves an atta
Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns

Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns

Nov 22, 2021
Threat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems. The findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a never-before-seen loader dubbed SQUIRRELWAFFLE. First publicly  documented  by Cisco Talos, the attacks are believed to have commenced in mid-September 2021 via laced Microsoft Office documents. "It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities," researchers Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar  said  in a report published last week. "To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits." ProxyLo
WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws

WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws

Aug 22, 2021
The U.S. Cybersecurity and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of " ProxyShell " Microsoft Exchange vulnerabilities that were patched earlier this May, including deploying LockFile ransomware on compromised systems. Tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities enable adversaries to bypass ACL controls, elevate privileges on the Exchange PowerShell backend, effectively permitting the attacker to perform unauthenticated, remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker's May Patch Tuesday updates. "An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine," CISA  said . The development comes a little over a week after cybersecurity researchers sounded the alarm on  opportunistic scanning and exploitation  of unpat
Hackers Actively Searching for Unpatched Microsoft Exchange Servers

Hackers Actively Searching for Unpatched Microsoft Exchange Servers

Aug 13, 2021
Threat actors are actively carrying out opportunistic  scanning  and  exploitation  of Exchange servers using a new exploit chain leveraging a trio of flaws affecting on-premises installations, making them the latest set of bugs after ProxyLogon vulnerabilities were exploited en masse at the start of the year. The remote code execution flaws have been collectively dubbed "ProxyShell." At least 30,000 machines are affected by the vulnerabilities,  according  to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center. "Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities," NCC Group's Richard Warren  tweeted , noting that one of the intrusions resulted in the deployment of a "C# aspx webshell in the /aspnet_client/ directory." Patched in early March 2021,  ProxyLogon  is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server tha
More Resources

Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.