Cybersecurity Updates For Week 13 of 2022

Spring Core on JDK9+ is vulnerable to remote code execution

Spring Core on JDK9+ is vulnerable to remote code execution due to a bypass for CVE-2010-1622. At the time of writing, this vulnerability is unpatched in Spring Framework and there is a public proof-of-concept available. As we have remediation advice for customers (see below), we have elected to share this information publicly.

Read more:
https://www.praetorian.com/blog/spring-core-jdk9-rce/

Microsoft Exchange targeted for IcedID reply-chain hijacking attacks

The distribution of the IcedID malware has seen a spike recently due to a new campaign that hijacks existing email conversation threads and injects malicious payloads that are hard to spot.

Read more:
https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/amp/

Critical Sophos Security Bug Allows RCE on Firewalls

Cybersecurity stalwart Sophos has plugged a critical vulnerability in its firewall product, which could allow remote code-execution.

Read more:
https://threatpost.com/critical-sophos-security-bug-rce-firewalls/179127/

Other news worth mentioning:

Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices
Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT
Cybercriminals Fighting Over Cloud Workloads for Cryptomining
New Version of PCI DSS Designed to Tackle Emerging Payment Threats

Cybersecurity Updates For Week 8 of 2022

New Data-Wiping Malware Discovered on Systems in Ukraine

Researchers were scrambling to analyze a newly discovered piece of data-wiping malware found in the wild.

Read more:
https://www.darkreading.com/attacks-breaches/new-data-wiping-malware-discovered-on-systems-in-ukraine

Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure

The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its imminent retirement amid a lull in its activity for almost two months, marking an end to one of the most persistent malware campaigns in recent years.

Read more:
https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html

Microsoft Exchange Bugs Exploited by ‘Cuba’ Ransomware Gang

The ransomware gang known as “Cuba” is increasingly shifting to exploiting Microsoft Exchange vulnerabilities – including ProxyShell and ProxyLogon – as initial infection vectors, researchers have found.

Read more:
https://threatpost.com/microsoft-exchange-exploited-cuba-ransomware/178665/

Other news worth mentioning:

Russia Sanctions May Spark Escalating Cyber Conflict
Redcar and Cleveland Council: Four serious data breaches reported
How to Use Google Chrome’s Enhanced Safety Mode
Social Media Hijacking Malware Spreading Through Gaming Apps on Microsoft Store

0-days in Microsoft Exchange servers

Published: 2021-03-02
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858
CVE-2021-27065

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”

As these vulnerabilities are currently being exploited in targeted attacks, patching should be done as soon as possible.
Along with attack details and information about these vulnerabilities, Microsoft also published guidance on how to scan Exchange log files for indicators of compromise; running those checks is also recommended.

Update 2020-03-07: There are currently many published exploits for this vulnerability. Patching this vulnerability is not enough; one must also investigate for potential breaches.

Internally this is being tracked in BF-VLN-2229454.