ProxyLogon Vulnerabilities Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/proxylogon-vulnerabilities/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Last updated: Wed, 12 Apr 2023 23:53:08 +0000.

Top 3 Vulnerabilities of 2023: How to Block and Prevent
https://gridinsoft.com/blogs/top-3-vulnerabilities-block-prevent/
Fri, 07 Apr 2023 18:14:59 +0000

Any successful cyber attack begins with penetrating the target network. Cybercriminals must overcome network defenses, whether it’s a stealer, ransomware, or other malware. According to an expert report, in 2022, 50% of successful infiltrations were performed using previously known vulnerabilities.

Top Vulnerabilities 2023

According to the 2023 cybersecurity report, previously known vulnerabilities reported over the past three years may cause concern again. Thus, in 24% of all cyberattacks, cybercriminals used vulnerabilities disclosed in 2022. In second place are vulnerabilities disclosed in 2021, accounting for 18%. That, by the way, refutes any claim that updating and using security tools is useless: with both in place, you cut off over 40% of all possible attack vectors. But now, let’s have a peek at the most widespread exploits.

ProxyShell

ProxyShell, known as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, with a CVSS severity rating of 3.1, is an attack chain that exploits three vulnerabilities in Microsoft Exchange Server – ProxyShell, ProxyLogon, and ProxyNotShell. Using these vulnerabilities, unauthenticated attackers can remotely execute code on vulnerable servers. Although these vulnerabilities were discovered and patched in 2021, they are still the most exploited and often lead to significant security breaches.

Image: ProxyShell, the Exchange Server exploit chain.

Follina in Microsoft Office

Recently, Microsoft disabled by default the execution of macros in documents from external sources. However, this has not stopped attackers, who use specially crafted .docx and .rtf documents to download and execute malicious code. To do this, they exploit the Follina vulnerability (CVE-2022-30190, CVSS severity rating 7.8) on unpatched systems to deploy Qbot or other Remote Access Trojans. It allows malicious code to run even if macros are disabled or the document is protected, making Follina one of the most commonly used vulnerabilities discovered in 2022.

Image: The general idea of the Follina exploit mechanism.

Fortinet

Two critical bugs were reported in Fortinet products in October and December 2022 (CVSS scores: 9.6 and 9.3). These bugs allow unauthenticated attackers to execute arbitrary code using specially crafted requests. Even though the company has issued updates and CISA has warned of significant risk to federal organizations, as of early 2023, 18% of organizations had been victims of attacks exploiting the CVE-2022-40684 vulnerability.

Causes

Experts note that attackers often exploit Remote Code Execution (RCE) vulnerabilities and Remote Desktop Protocol services left open to gain access to the network and deploy malicious code. However, many organizations do not deploy protection on servers for fear of performance degradation. Moreover, security and network equipment vendors often ship admin/password as the default login combination. Even worse, some users never change this combination when they first configure the device, which makes life easier for an intruder.

How to prevent

Fortunately, you can fix that. Therefore, I’ve put together some tips below that you can follow to reduce the chance of negative consequences:


  • Install the latest updates. Since Microsoft regularly releases patches for vulnerabilities as part of its monthly security updates, we strongly recommend that you do not ignore these updates. This also applies to other products like Microsoft Office and Fortinet software.
  • Change server settings. To restrict access to Exchange virtual directories, you can change server settings to limit access to virtual directories from the internal network only.
  • Review the audit log. This will help you detect attempted attacks and take quick action to prevent them. Also, ensure that the audit logs are correctly configured to record enough information about events on the server.
  • Train your employees. Educating users on security fundamentals is equally important, such as recognizing phishing and never opening suspicious links or email attachments. It’s also important not to share sensitive data upon request.
  • Implement strict security policies and enforce them. This may include prohibiting the use of personal devices (smartphones, tablets, and laptops) for work unless they meet your security standards.
  • Limit access to the configuration interface to only authenticated users with the necessary permissions. It will help prevent unauthorized access to the device settings.
  • Use additional security measures such as multi-factor authentication (MFA) to protect access to the device. This will add an extra layer of security.
  • Use solutions like Secure Access Service Edge (SASE). SASE combines multiple security functions, such as authentication, authorization and threat protection, with network and application access features such as virtual private networks (VPNs) and routing into a single system, providing more effective and convenient security for the corporate network.
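As an added example (not code from the Gridinsoft post), here is a small Python scanner for the audit-log tip above, applied to Exchange HttpProxy logs: it flags the unauthenticated request pattern that Microsoft’s public ProxyLogon (CVE-2021-26855) detection guidance describes. The log column subset, the sample rows, the host name and the IP addresses are constructed for this example.

```python
"""Flag suspicious Exchange HttpProxy log entries (added example).

The rule is adapted from Microsoft's published detection guidance for
CVE-2021-26855 (ProxyLogon): an unauthenticated request whose AnchorMailbox
looks like 'ServerInfo~<host>/<path>', or a request whose BackEndCookie
looks like 'Server~<host>/<path>~<...>'. Real HttpProxy logs carry many
more columns; this constructed sample keeps only the fields the rule needs.
"""
import csv
import fnmatch
import io

# Constructed sample of HttpProxy log lines (CSV with header); hosts/IPs are placeholders.
SAMPLE_LOG = """DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,BackEndCookie
2021-03-03T10:15:02.123Z,198.51.100.7,/owa/auth/x.js,,ServerInfo~mail.example.test/ecp/default.flt?~1942062522,
2021-03-03T10:15:09.456Z,203.0.113.9,/owa/,alice@example.test,Sid~S-1-5-21-1,Server~mail.example.test~1942062522
2021-03-03T10:16:40.001Z,198.51.100.7,/ecp/y.js,,,Server~mail.example.test/ecp/~1942062522
2021-03-03T10:17:11.222Z,203.0.113.9,/mapi/emsmdb/,bob@example.test,Sid~S-1-5-21-2,
"""

# Glob patterns for the two indicators; '/' after the host is the tell-tale sign.
ANCHOR_PATTERN = "ServerInfo~*/*"
COOKIE_PATTERN = "Server~*/*~*"


def is_suspicious(row):
    """Return the name of the matched indicator, or None for a benign row."""
    unauthenticated = row.get("AuthenticatedUser", "") == ""
    if unauthenticated and fnmatch.fnmatchcase(row.get("AnchorMailbox", ""), ANCHOR_PATTERN):
        return "AnchorMailbox"
    if fnmatch.fnmatchcase(row.get("BackEndCookie", ""), COOKIE_PATTERN):
        return "BackEndCookie"
    return None


def scan_httpproxy_log(text):
    """Parse CSV log text; return (DateTime, ClientIpAddress, indicator) per hit."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        indicator = is_suspicious(row)
        if indicator:
            hits.append((row["DateTime"], row["ClientIpAddress"], indicator))
    return hits


if __name__ == "__main__":
    # Two of the four constructed rows should be flagged.
    for hit in scan_httpproxy_log(SAMPLE_LOG):
        print("suspicious request:", *hit)
```

On a real server, feed the function the contents of the files under the Exchange HttpProxy logging directory and review every flagged source IP together with the ECP and OWA logs for that time window.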

Conclusion

In the digital age, the security of software applications and systems has become increasingly crucial as malicious actors constantly look for vulnerabilities to exploit. News of cyberattacks is in the spotlight, and the severity of attacks continues to grow, so everyone needs to strengthen their organization’s security through education, awareness, and training. Cybersecurity threats permeate new environments as technology evolves, but many threats will remain the same. Therefore, continuous assessment of processes, people, and systems is necessary for organizations to be prepared and operationally resilient. By using the knowledge of ethical hackers, conducting regular testing, and using automation, organizations can be better ready for potential threats.

The post Top 3 Vulnerabilities of 2023: How to Block and Prevent appeared first on Gridinsoft Blog.

US and UK accused China for attacks on Microsoft Exchange servers
https://gridinsoft.com/blogs/us-and-uk-accused-china-for-attacks-on-microsoft-exchange-servers/
Tue, 20 Jul 2021 16:50:49 +0000

The United States and a coalition of its allies, including the EU, Britain and NATO, have formally accused China and its authorities of a large-scale hacking campaign to break into Microsoft Exchange servers. Let me remind you that these attacks have been going on since the beginning of 2021 and have targeted tens of thousands of companies and organizations around the world.

China is reported to have used Microsoft’s “zero-day Exchange Server vulnerabilities disclosed in early March 2021 for cyber espionage operations.”

In early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities in the Exchange mail server, which the researchers gave the general name ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).

These vulnerabilities can be chained together and exploited, allowing an attacker to authenticate on the Exchange server, gain administrator rights, install malware, and steal data.

“We know that in some cases, cybercriminals affiliated with the PRC government carried out extortion operations against private companies, demanding multimillion-dollar ransoms,” the White House said.

Already in March, attacks on vulnerable servers were carried out by more than 10 hack groups, deploying web shells, miners and ransomware on the servers.

“Attacks on Microsoft Exchange software are most likely associated with a large-scale spy campaign aimed at obtaining personal data and intellectual property. It is highly likely that a group known as HAFNIUM, affiliated with the Chinese government, is responsible for this activity,” says the UK’s National Cyber Security Centre.

The UK also added that China’s Ministry of State Security is behind “government hacker groups” such as APT40 and APT31.

The Department of Justice, NSA, CISA and the FBI have already released technical guidance on detecting intrusions and activity by Chinese hacking groups targeting networks of the United States and its allies. American law enforcement has also published indicators of compromise for APT40, so that companies can detect the presence of these hackers on their networks.

It is worth noting that almost simultaneously with the accusations against China, the US Department of Justice announced the initiation of a criminal case against four Chinese citizens who are allegedly members of the aforementioned hacker group APT40.

Chinese representatives have already reacted to the accusations against them. Thus, Foreign Ministry spokesman Zhao Lijian said at a press conference that it is the United States that is “the largest source of cyber-attacks in the world”; that it has attacked Chinese aerospace, scientific and research institutions, the oil industry, government agencies and Internet companies for the past 11 years (this was the conclusion of researchers from the Chinese company Qihoo 360 last year); that it listens in on the conversations of both its competitors and its allies; and that it is pressuring NATO and other allies to create a military alliance in cyberspace that “could provoke a [race] of cyber weapons and undermine international peace and security.”

Prometei botnet attacks vulnerable Microsoft Exchange servers
https://gridinsoft.com/blogs/prometei-attacks-microsoft-exchange/
Fri, 23 Apr 2021 16:24:44 +0000

Since the ProxyLogon patches have still not been installed everywhere, cybercriminals continue their activity; for example, the updated Prometei botnet attacks vulnerable Microsoft Exchange servers.

Researchers from Cybereason Nocturnus discovered Prometei malware, which mines Monero cryptocurrency on vulnerable machines.

In early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities in the Exchange mail server, which the researchers collectively named ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

These vulnerabilities can be chained together and exploited to allow an attacker to authenticate on the Exchange server, gain administrator rights, install malware and steal data.

In early March 2021, attacks on vulnerable servers were carried out by more than 10 hack groups, deploying web shells, miners and ransomware on the servers.

According to statistics released by Microsoft last month, approximately 92% of all Internet-connected Exchange servers have already received patches.

This modular malware was first detected last year. It is capable of infecting Windows and Linux systems, and has previously used the EternalBlue exploit to spread across compromised networks and compromise vulnerable machines.

Cybereason Nocturnus experts write that Prometei has been active since at least 2016 (judging by the samples uploaded to VirusTotal). The botnet was recently updated and “learned” how to exploit the ProxyLogon vulnerabilities.

Thus, Prometei now attacks Exchange servers, installs mining payloads on them, and also tries to spread further through the infected network using the EternalBlue and BlueKeep exploits, harvested credentials, and modules for SSH or SQL.

The updated malware has backdoor capabilities with support for an extensive set of commands, including downloading and executing files, searching for files on infected systems, and executing programs or commands on behalf of the attackers.

Image: Prometei attacks Microsoft Exchange.

“If desired, attackers can infect compromised endpoints with other malicious programs and cooperate with ransomware operators, selling them access to systems,” the researchers warn.

Let me remind you that I also wrote about the FBI removing web shells from vulnerable Microsoft Exchange servers without informing the owners.

Researcher Published PoC Exploit for ProxyLogon Vulnerabilities in Microsoft Exchange
https://gridinsoft.com/blogs/poc-exploit-for-proxylogon-vulnerabilities/
Thu, 11 Mar 2021 17:41:14 +0000

An independent information security researcher from Vietnam has presented a PoC exploit for the ProxyLogon vulnerabilities in Microsoft Exchange, whose viability has already been confirmed by well-known experts.

Last week, Microsoft engineers released unscheduled patches for four vulnerabilities in the Exchange mail server. The four patches are united under the name ProxyLogon.

In fact, these vulnerabilities can be chained together, and their exploitation would allow an attacker to authenticate on the Exchange server, gain administrator rights, install malware, and steal data.

Many information security companies have warned of massive attacks on this chain of vulnerabilities. At first, ProxyLogon was exploited only by the Chinese hacker group Hafnium, but when information about the problems was published publicly, other attackers joined the case.

According to ESET analysts, at least ten hack groups are currently using ProxyLogon bugs to install backdoors on Exchange servers around the world.

Image: Timeline of ProxyLogon attacks, by Microsoft.

What is worse, researchers at the Dutch non-profit organization DIVD scanned the Internet for vulnerable Microsoft Exchange servers and concluded that quite a few of the 250,000 available servers are still unsecured and running without patches. As a result of the audit, the researchers and volunteers assisting them tried to alert vulnerable companies and organizations of the problems by contacting local CERTs, providers, and company representatives directly.

“The DIVDnl scanned over 250K Exchange servers. Sent over 46k emails to the owners. The number of vulnerable servers is going down. The number of compromised systems is going up. More organizations are starting to investigate their systems for Hafnium exploits,” writes Victor Gevers, researcher at GDI.foundation and Chair of DIVD.NL.

Several PoC exploits have been posted on GitHub since the vulnerability was disclosed, but most of them turned out to be trolling or didn’t work as expected.

Now an independent cybersecurity researcher from Vietnam has presented a real PoC exploit, whose viability has already been confirmed by such well-known experts as Marcus Hutchins from Kryptos Logic, Daniel Card from PwnDefend and John Whittington from Condition Black.

“I’ve confirmed there is a public PoC floating around for the full RCE exploit chain. It has a couple of bugs, but with some fixes I was able to get a shell on my test box,” Marcus Hutchins wrote on Twitter.

The PoC combines the vulnerabilities CVE-2021-26855 and CVE-2021-27065 to authenticate to the Exchange server and then launch malicious code. Hutchins writes that the code provided by the researcher cannot be used out of the box, but it can be easily modified to become a full-fledged RCE tool.

It is also worth noting that Praetorian recently released a detailed overview of the ProxyLogon vulnerabilities, although it refrained from publishing its own exploit. However, many researchers criticized this report because, in their opinion, it would only speed up the development of exploits and attract even more attackers.

Let me also remind you that hackers attacked the Microsoft Exchange servers of the European Banking Authority.
