One Article Review

Source: Cisco Talos
Identifier: 7232588
Publication date: 2022-09-30 17:16:47 (seen: 2022-09-30 22:07:45)
Title: Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
Text:

Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities, collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Server 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute code remotely on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported.

CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attacker. In the observed chain, the SSRF is used to reach the Exchange PowerShell endpoint and trigger the RCE; both steps require authentication to Exchange. No fixes or patches are available yet; Microsoft provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends that users implement the mitigation steps while waiting for security patches.

Exchange vulnerabilities have become increasingly popular with threat actors, since they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021, and those flaws were subsequently used to deliver ransomware; Cisco Talos Incident Response reported that exploitation of Exchange Server issues was one of the four attack types it saw most often last year.

Vulnerability details and ongoing exploitation

Exploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts:

autodiscover/autodiscover.json?@evil.com/&Email=autodiscover/autodiscover.json%3f@evil.com

The `%3f` is a percent-encoded `?`, so the Email parameter itself carries a second autodiscover path ending in `@evil.com`; that nested path plus the `@host` suffix is the shape detection rules key on. Successful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of webshells for continued access to compromised servers.
Open-source reporting indicates that webshells such as Antsword (a popular Chinese-language open-source webshell), SharPyShell (an ASP.NET-based webshell) and China Chopper have been deployed on compromised systems, with the following artifacts:

C:\inetpub\wwwroot\aspnet_client\Xml.ashx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx
C:\Program Files\Microsoft\Exchange Server\V15
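As an added example (not part of the Talos advisory or its coverage), the following Python scans IIS W3C log lines for the two indicators described above: the autodiscover.json request shape, using the percent-decoded nested path and the PowerShell endpoint as the tell-tale elements, and requests for the three webshell files mapped to the URLs IIS would serve them at. The log lines, the `#Fields` layout and the filesystem-to-URL mapping are constructed assumptions for the demonstration, not data from the article; a legitimate Autodiscover request with an `@` in its Email parameter is included to show it is not flagged.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from the article). The #Fields header is an
# assumption about the server's logging configuration; field order is taken from it.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-29 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=/owa 443 - 192.0.2.10 Mozilla/5.0 200
2022-09-29 10:01:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 198.51.100.7 python-requests/2.28 200
2022-09-29 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell/&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 198.51.100.7 python-requests/2.28 200
2022-09-29 10:02:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.com 443 DOMAIN\\user 192.0.2.11 Outlook 200
2022-09-29 10:03:15 10.0.0.5 GET /owa/auth/errorEE.aspx - 443 - 198.51.100.7 curl/7.85 200
"""

# Webshell paths reported in the advisory, mapped to request URIs. The mapping
# (wwwroot\ -> /, FrontEnd\HttpProxy\owa\ -> /owa/) is an assumption about the IIS layout.
WEBSHELL_URI_STEMS = {
    "/aspnet_client/xml.ashx",
    "/owa/auth/erroree.aspx",
    "/owa/auth/pxh4hg1v.ashx",
}

# Nested autodiscover.json path followed by "?@host": the request shape in the advisory,
# visible once "%3f" has been percent-decoded to "?".
NESTED_AUTODISCOVER = re.compile(r"autodiscover\.json\?@", re.IGNORECASE)
# An '@' in an autodiscover.json request that also names the PowerShell endpoint is the
# combination Microsoft's published IIS-log hunting pattern looks for.
POWERSHELL_BACKEND = re.compile(r"/powershell", re.IGNORECASE)


@dataclass
class Finding:
    line: int
    rule: str
    client_ip: str
    uri: str


def is_proxynotshell_request(stem: str, query: str) -> bool:
    """True when the request has the ProxyShell/ProxyNotShell autodiscover abuse shape."""
    if not stem.lower().endswith("/autodiscover/autodiscover.json"):
        return False
    decoded = unquote(query)
    if "@" not in decoded:
        return False  # no "@host" suffix: ordinary Autodiscover traffic
    return bool(NESTED_AUTODISCOVER.search(decoded) or POWERSHELL_BACKEND.search(decoded))


def is_webshell_artifact(stem: str) -> bool:
    """True when the requested path matches one of the reported webshell files."""
    return stem.lower() in WEBSHELL_URI_STEMS


def parse_w3c(text: str):
    """Yield (line_number, {field: value}) for each data line, using the #Fields header."""
    fields = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield lineno, dict(zip(fields, parts))


def scan_iis_log(text: str) -> list[Finding]:
    """Return one Finding per log line that matches either indicator."""
    findings = []
    for lineno, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        query = "" if query == "-" else query  # IIS writes "-" for an empty query
        uri = stem + ("?" + query if query else "")
        if is_proxynotshell_request(stem, query):
            findings.append(Finding(lineno, "proxynotshell-autodiscover", rec.get("c-ip", "?"), uri))
        elif is_webshell_artifact(stem):
            findings.append(Finding(lineno, "webshell-artifact", rec.get("c-ip", "?"), uri))
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line}: {f.rule} from {f.client_ip}: {f.uri}")
```

Run against real logs, point `scan_iis_log` at the contents of the `W3SVC1` directory on the front-end server and keep the `#Fields` header of each file, since the parser relies on it; a `403`/`404` on the webshell paths after the URL Rewrite mitigation is applied still indicates someone probing for them and is worth keeping in the results.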
Sent: Yes
Tags: Malware, Threat, Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.