ProxyShell Exploit Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/proxyshell-exploit/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Wed, 12 Apr 2023 23:53:08 +0000

Top 3 Vulnerabilities of 2023: How to Block and Prevent
https://gridinsoft.com/blogs/top-3-vulnerabilities-block-prevent/
Fri, 07 Apr 2023 18:14:59 +0000

The post Top 3 Vulnerabilities of 2023: How to Block and Prevent appeared first on Gridinsoft Blog.

Any successful cyber attack begins with penetrating the target network. Cybercriminals must overcome network defenses, whether it’s a stealer, ransomware, or other malware. According to an expert report, in 2022, 50% of successful infiltrations were performed using previously known vulnerabilities.

Top Vulnerabilities 2023

According to the cybersecurity report in 2023, the previously known vulnerabilities reported over the past three years may cause concern again. In 24 percent of all cyberattacks, cybercriminals used vulnerabilities known in 2022. In second place are vulnerabilities known in 2021, accounting for 18%. That, by the way, thoroughly refutes any claim that updating and using security tools is useless: with both in place, you cut off over 40% of all possible attack vectors. But now, let’s have a peek into the most widespread exploits.

ProxyShell

ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207; CVSS severity rating of 3.1) is an attack chain that exploits three vulnerabilities in Microsoft Exchange Server – ProxyShell, ProxyLogon, and ProxyNotShell. Using these vulnerabilities, unauthenticated attackers can remotely execute code on vulnerable servers. Although these vulnerabilities were discovered and patched in 2021, they are still the most exploited and often lead to significant security breaches.

[Image: The Exchange Server exploit chain]

Follina in Microsoft Office

Recently, Microsoft has disabled by default the ability to execute macros in documents from external sources. However, this has not stopped attackers, who use specially crafted .docx and .rtf documents to download and execute malicious code. To do this, they exploit the Follina vulnerability (CVE-2022-30190, CVSS severity rating 7.8) in unpatched systems to deploy Qbot or other Remote Access Trojans. It allows malicious code to run even if macros are disabled or the document is protected, making Follina one of the most commonly used vulnerabilities discovered in 2022.

[Image: The general idea of the Follina exploit mechanism]

Fortinet

Two critical bugs were reported in Fortinet products in October and December 2022 (CVSS scores: 9.6 and 9.3). These bugs allow unauthenticated attackers to execute arbitrary code using specially crafted requests. However, even though the company has issued updates and CISA has warned of significant risk to federal organizations, as of early 2023, 18% of organizations had been victims of attacks exploiting the CVE-2022-40684 vulnerability.

Causes

Experts note that attackers often exploit Remote Code Execution (RCE) vulnerabilities and Remote Desktop Protocol services left open to gain access to the network and deploy malicious code. However, many organizations do not use protections on servers for fear of performance degradation. Moreover, security and network equipment vendors often use admin/password as the default login combination. Even worse, some users leave this combination unchanged when they first configure the device, which makes life easier for an intruder.

How to prevent

Fortunately, you can fix that. Therefore, I’ve put together some tips below that you can follow to reduce the chance of negative consequences:


  • Install the latest updates. Since Microsoft regularly releases patches for vulnerabilities as part of its monthly security updates, we strongly recommend that you do not ignore these updates. This also applies to other products like Microsoft Office and Fortinet software.
  • Change server settings. To restrict access to Exchange virtual directories, you can change server settings to limit access to virtual directories from the internal network only.
  • Review the audit log. This will help you detect attempted attacks and take quick action to prevent them. Also, ensure that the audit logs are correctly configured to record enough information about events on the server.
  • Train your employees. Educating users on security fundamentals is equally important, such as recognizing phishing and never opening suspicious links or email attachments. It’s also important not to share sensitive data upon request.
  • Implement strict security policies and enforce them. This may include prohibiting using personal devices for work, including smartphones, tablets, and laptops unless they meet your security standards.
  • Limit access to the configuration interface to only authenticated users with the necessary permissions. It will help prevent unauthorized access to the device settings.
  • Use additional security measures such as multi-factor authentication (MFA) to protect access to the device. This will add an extra layer of security.
  • Use solutions like Secure Access Service Edge (SASE). SASE combines multiple security functions, such as authentication, authorization and threat protection, with network and application access functions such as virtual private networks (VPNs) and routing into a single system, providing more effective and convenient security for the corporate network.

Conclusion

In the digital age, the security of software applications and systems has become increasingly crucial as malicious actors constantly look for vulnerabilities to exploit. News of cyberattacks is in the spotlight, and the severity of attacks continues to grow, so everyone needs to strengthen their organization’s security through education, awareness, and training. Cybersecurity threats permeate new environments as technology evolves, but many threats will remain the same. Therefore, continuous assessment of processes, people, and systems is necessary for organizations to be prepared and operationally resilient. By using the knowledge of ethical hackers, conducting regular testing, and using automation, organizations can be better ready for potential threats.

ProxyToken Vulnerability Allows Stealing Mail Through Microsoft Exchange
https://gridinsoft.com/blogs/proxytoken-vulnerability/
Tue, 31 Aug 2021 16:57:38 +0000

The post ProxyToken Vulnerability Allows Stealing Mail Through Microsoft Exchange appeared first on Gridinsoft Blog.

A dangerous vulnerability called ProxyToken has been discovered in Microsoft Exchange. An attacker can exploit this problem by making requests to the Exchange Control Panel (ECP) web services and stealing messages from the victim’s mailbox.

Initially, the problem was discovered by a VNPT ISC specialist, who reported it to Trend Micro Zero-Day Initiative (ZDI) experts back in March 2021.

“Another day, another Exchange vuln! I ponder if ProxyToken can be combined with the ProxyShell SSRF. I’ve set this up for monitoring in honeypot. I doubt sec vendors monitor this as just an IIS request,” tweets famous cybersecurity researcher Kevin Beaumont.

As I mentioned, over 2,000 Exchange servers have been hacked using the ProxyShell exploit.

ProxyToken received the identifier CVE-2021-33766 and gives unauthenticated attackers access to user mailbox settings, where they can create a mail forwarding rule. As a result, all messages will be delivered not only to the user, but also to the account controlled by the attacker.

As it turns out, the root of the problem is that the Microsoft Exchange front-end site (Outlook Web Access, Exchange Control Panel) basically acts as a proxy for the Exchange Back End to which it passes authentication requests.

In Exchange installations where Delegated Authentication is enabled, the frontend forwards requests requiring authentication to the backend, and the backend identifies them by the presence of a SecurityToken cookie. If a non-empty SecurityToken cookie is present in the /ecp request, the frontend delegates the authentication decision to the backend.

However, the default Microsoft Exchange configuration does not load the ECP module responsible for delegating the validation process (DelegatedAuthModule) for the backend.

As a result, requests containing a non-empty cookie named SecurityToken that are redirected from the frontend to the backend are not authenticated, and responses with an HTTP 500 error expose the Exchange Control Panel canary token.
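As an added example (not from the post, the ZDI write-up or Microsoft), here is a Python check for the pattern the post describes on the front-end side: requests to /ecp that carry a non-empty SecurityToken cookie and come back with HTTP 500. It assumes the front-end IIS site logs the cs(Cookie) field (this is off by default and has to be enabled in the site's W3C logging fields); the log lines, client addresses and request paths are constructed samples.

```python
"""Flag ProxyToken-style requests in IIS W3C extended logs.

Assumption (not from the page): the Exchange front-end IIS site logs the
cs(Cookie) field. With it enabled, a request to /ecp that carries a
non-empty SecurityToken cookie and ends in HTTP 500 matches the pattern
described above (front end delegates to the back end, back end has no
DelegatedAuthModule, request fails with 500).
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed sample log, shaped like an IIS W3C log with cs(Cookie) enabled.
# IIS writes "-" for an empty field; cookies are logged as one token.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(Cookie) sc-status
2021-08-10 12:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 - 200
2021-08-10 12:00:02 10.0.0.5 POST /ecp/PersonalSettings/HomePage.aspx - 443 - 203.0.113.9 SecurityToken=x 500
2021-08-10 12:00:03 10.0.0.5 GET /ecp/ - 443 CONTOSO\\alice 10.0.0.22 ClientId=abc;X-BackEndCookie=yyy 200
2021-08-10 12:00:04 10.0.0.5 POST /ecp/RulesEditor/InboxRules.svc/NewObject - 443 - 203.0.113.9 SecurityToken=x 500
2021-08-10 12:00:05 10.0.0.5 GET /ecp/ - 443 - 203.0.113.11 SecurityToken= 401
2021-08-10 12:00:06 10.0.0.5 GET /ecp/ - 443 - 10.0.0.22 SecurityToken=legit 200
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    uri: str
    status: int


def parse_cookie(raw: str) -> Dict[str, str]:
    """Turn the logged cs(Cookie) token into a name -> value map."""
    if raw == "-":
        return {}
    cookies: Dict[str, str] = {}
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def iter_records(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: Optional[List[str]] = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_proxytoken_hits(log_text: str, require_500: bool = True) -> List[Hit]:
    """Return /ecp requests with a non-empty SecurityToken cookie.

    With require_500=True only requests that failed with HTTP 500 are kept,
    which is the signature the post describes; set it to False to review every
    request that carried the cookie at all.
    """
    hits: List[Hit] = []
    for rec in iter_records(log_text):
        if not rec["cs-uri-stem"].lower().startswith("/ecp"):
            continue
        token = parse_cookie(rec["cs(Cookie)"]).get("SecurityToken", "")
        if not token:
            continue
        status = int(rec["sc-status"])
        if require_500 and status != 500:
            continue
        hits.append(Hit(rec["time"], rec["c-ip"], rec["cs-uri-stem"], status))
    return hits


def suspicious_sources(hits: List[Hit]) -> Dict[str, int]:
    """Count matching requests per client address for triage."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit.client_ip] = counts.get(hit.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_proxytoken_hits(SAMPLE_LOG):
        print(f"{hit.time} {hit.client_ip} {hit.uri} -> {hit.status}")
    print(suspicious_sources(find_proxytoken_hits(SAMPLE_LOG)))
```

Run it against the real front-end logs with `find_proxytoken_hits(open(path).read())`; a source that repeatedly hits /ecp with the cookie and gets 500s is worth correlating with newly created inbox forwarding rules on the affected mailboxes, which is the outcome the post describes.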

[Image: ProxyToken vulnerability in Microsoft Exchange]

Microsoft released a patch for the ProxyToken problem back in July, and at the time the vulnerability was classed as non-critical, because a successful attack requires the attacker to have an account on the same Exchange server as the victim.

However, the Zero-Day Initiative has now revealed the technical details of the issue and notes that some Exchange administrators configure their servers in such a way that it is possible to create a rule to forward mail to an arbitrary location, and in such cases an attacker would not need credentials.

Although the technical details of ProxyToken were only released now, attempts to exploit the vulnerability were recorded three weeks ago. Rich Warren of the NCC Group said he witnessed many attempts to exploit the problem on August 10.

Let me remind you that I also reported that LockFile ransomware adopts ProxyShell and PetitPotam vulnerabilities.

LockFile ransomware adopts ProxyShell and PetitPotam vulnerabilities
https://gridinsoft.com/blogs/lockfile-ransomware-adopts-proxyshell-and-petitpotam-vulnerabilities/
Fri, 27 Aug 2021 21:43:45 +0000

The post LockFile ransomware adopts ProxyShell and PetitPotam vulnerabilities appeared first on Gridinsoft Blog.

The new LockFile ransomware exploits recently discovered ProxyShell and PetitPotam vulnerabilities to increase its chances of hacking and encrypting corporate networks.

Experts from TG Soft and well-known information security researcher Kevin Beaumont reported about the new threat. They write that LockFile operators are using recently discovered vulnerabilities, collectively known as ProxyShell, to attack Microsoft Exchange servers, from where the attack eventually spreads to the internal networks of companies.

“We have analysed a case of attack by LockFile Ransomware that used Exchange exploit and group policy to attack an entire network. Attacker exploited MS Exchange server with the Proxyshell discovered by Orange Tsai. Inside the attachment FileAttachment.txt there is the webshell,” TG Soft experts share their observations on Twitter.

[Image: ransomware LockFile ProxyShell and PetitPotam]

According to Symantec, after infiltrating the victim’s network, LockFile exploits another recent vulnerability, PetitPotam, to take control of the company’s domain controller, and then deploy payloads to encrypt the data on all available workstations.

Symantec writes that the hack group has already attacked at least ten organizations, most of which are located in the United States and Asia. Organizations from the following sectors have already become victims of hackers: financial services, manufacturing, mechanical engineering, law, business services, travel and tourism.

“LockFile ransomware was first spotted on a US financial institution’s network on July 20, 2021, and the last activity was recorded as recently as August 20,” the researchers said.

At the same time, experts note the similarity of the ransom notes that LockFile leaves behind with the notes that the LockBit ransomware used.

[Image: ransomware LockFile ProxyShell and PetitPotam]

In addition, the hackers’ contact email hints at a possible connection with the Conti ransomware: contact @contipauper[.]com. Bleeping Computer recalls that recently one of Conti’s disgruntled partners leaked the manuals and technical guides used by the hackers to train their accomplices. Journalists believe that the appearance of LockFile may be associated with this person.

Let me also remind you that I recently talked about how over 2,000 Exchange servers were hacked using the ProxyShell exploit.

Over 2000 Exchange Servers Hacked Using ProxyShell Exploit
https://gridinsoft.com/blogs/2000-exchange-servers-hacked-using-proxyshell/
Thu, 26 Aug 2021 16:14:04 +0000

The post Over 2000 Exchange Servers Hacked Using ProxyShell Exploit appeared first on Gridinsoft Blog.

Researchers at Huntress Labs estimate that over the past few days, about 2,000 Microsoft Exchange mail servers have been compromised and infected with backdoors, because their owners have not installed patches to fix ProxyShell vulnerabilities.

Let me remind you that the vulnerabilities, which were collectively called ProxyShell, were discussed at the Black Hat conference in early August. ProxyShell combines three vulnerabilities that allow remote code execution without authentication on Microsoft Exchange servers.

These vulnerabilities are exploited through the Microsoft Exchange Client Access Service (CAS), which runs on port 443:

  • CVE-2021-34473: Path Confusion without authentication leading to ACL bypass (fixed in April in KB5001779);
  • CVE-2021-34523: Privilege Escalation in Exchange PowerShell Backend (fixed in April in KB5001779);
  • CVE-2021-31207: Writing arbitrary files after authentication, leading to remote code execution (fixed in May in KB5003435).

An exploit for ProxyShell was used during the Pwn2Own 2021 hacker contest in April this year, and then the successful compromise of the server brought the researchers $200,000.

Although Microsoft patched the vulnerabilities, not all administrators installed these patches on time.

For example, a scan conducted on August 8 by ISC SANS (two days after the publication of the PoC exploit) showed that more than 30,400 Exchange servers are still vulnerable to attacks. Moreover, a list of all 100,000 Exchange servers accessible via the Internet was soon published on a well-known hacker forum, which further simplified the task for cybercriminals.

[Image: 2000 Exchange servers hacked]

Researchers have already warned that scans for vulnerable servers and attempts to hack them have begun. In the past week, these attacks have become more frequent, and the LockFile ransomware has been observed using a ProxyShell exploit to penetrate corporate networks.

Huntress Labs researchers who studied Microsoft Exchange servers that were compromised with ProxyShell now report that they have found more than 140 different web shells on more than 1,900 compromised Exchange servers.

“At the moment, construction companies, seafood processors, industrial equipment, auto repair shops, a small airport and many other targets have been affected by the attacks,” Huntress Labs experts write.

Let me remind you that I also wrote that the US and UK accused China of attacks on Microsoft Exchange servers.
