The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: Vulnerability

Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the  two newly disclosed zero-day flaws  in a limited set of attacks aimed at less than 10 organizations globally. "These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration," the Microsoft Threat Intelligence Center (MSTIC)  said  in a new analysis. The weaponization of the vulnerabilities is expected to ramp up in the coming days, Microsoft further warned, as malicious actors co-opt the exploits into their toolkits, including deploying ransomware, due to the "highly privileged access Exchange systems confer onto an attacker." The tech giant attributed the ongoing attacks with medium confidence to a state-sponsored organization, adding it was already investigating these attacks when the Zero Day Initiative d

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday  added  a recently disclosed critical flaw impacting Atlassian's Bitbucket Server and Data Center to the Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. Tracked as  CVE-2022-36804 , the issue relates to a command injection vulnerability that could allow malicious actors to gain arbitrary code execution on susceptible installations by sending a specially crafted HTTP request. Successful exploitation, however, banks on the prerequisite that the attacker already has access to a public repository or possesses read permissions to a private Bitbucket repository. "All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassian  noted  in a late August 2022 advisory. CISA did

A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts. "The payload discovered is a leaked version of a Cobalt Strike beacon," Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer  said  in a new analysis published Wednesday. "The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic." The malicious activity, discovered in August 2022, attempts to exploit the vulnerability  CVE-2017-0199 , a remote code execution issue in Microsoft Office, that allows an attacker to take control of an affected system. The entry vector for the attack is a phishing email containing a Microsoft Word attachment that employs job-themed lures for roles in the U.S. government and Publ

Microsoft officially disclosed it investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following  reports of in-the-wild exploitation . "The first vulnerability, identified as  CVE-2022-41040 , is a Server-Side Request Forgery ( SSRF ) vulnerability, while the second, identified as  CVE-2022-41082 , allows remote code execution (RCE) when PowerShell is accessible to the attacker," the tech giant  said . The company also confirmed that it's aware of "limited targeted attacks" weaponizing the flaws to obtain initial access to targeted systems, but emphasized that authenticated access to the vulnerable Exchange Server is required to achieve successful exploitation. The attacks detailed by Microsoft show that the two flaws are stringed together in an exploit chain, with the SSRF bug enabling an authenticated adversary to remotely trigger arbitrary code execution. The Redmond-based company further emphasized that it

Security researchers are warning of previously undisclosed flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems. The advisory comes from Vietnamese cybersecurity company GTSC, which discovered the shortcomings as part of its security monitoring and incident response efforts in August 2022. The two vulnerabilities, which are formally yet to be assigned CVE identifiers, are being  tracked  by the Zero Day Initiative as  ZDI-CAN-18333  (CVSS score: 8.8) and  ZDI-CAN-18802  (CVSS score: 6.3). GTSC said that successful exploitation of the flaws could be abused to gain a foothold in the victim's systems, enabling adversaries to drop web shells and carry out lateral movements across the compromised network. "We detected web shells, mostly obfuscated, being dropped to Exchange servers," the company  noted . "Using the user-agent, we detected that the attacker use