ProxyLogon Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/proxylogon/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Experts published a list of the most attacked vulnerabilities in 2020-2021
https://gridinsoft.com/blogs/most-attacked-vulnerabilities-in-2020-2021/
Fri, 30 Jul 2021 17:23:27 +0000

Experts from the FBI, the US Department of Homeland Security (DHS CISA), the Australian Cybersecurity Center (ACSC), and the UK National Cybersecurity Center (NCSC) have published joint security advisories that list the most attacked and most popular vulnerabilities among criminals in 2020 and 2021.
“Cybercriminals continue to exploit well-known, often old, software vulnerabilities against a wide range of targets, including organizations in the public and private sectors around the world,” the experts write.

Based on data collected by the US government, most of the attacked vulnerabilities were discovered after early 2020, and many of the bugs are clearly related to the widespread transition to remote work. As a result, the four vulnerabilities most commonly exploited in 2020 were related to remote work, VPN and cloud services.


“In 2021, attackers continued to target vulnerabilities in perimeter devices. Among the vulnerabilities that were actively exploited in 2021 were problems in Microsoft products, Pulse, Accellion, VMware and Fortinet,” law enforcement officials say.

As a result, the list of the most “popular” bugs of 2021 looks like this:

  • Microsoft Exchange Server: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 (ProxyLogon vulnerabilities);
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900;
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104;
  • VMware: CVE-2021-21985;
  • Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
“CISA, ACSC, NCSC and FBI believe that public and private organizations around the world remain vulnerable to compromise as a result of the exploitation of the listed CVEs. Attackers are likely to continue to exploit old and known vulnerabilities (such as CVE-2017-11882 affecting Microsoft Office) as long as they remain effective and systems do not receive patches. Attackers’ exploitation of known vulnerabilities complicates the attribution of attacks, lowers costs and minimizes risks, since [hackers] do not invest in developing 0-day exploits for their own use, which they risk losing if they become known,” the experts conclude.

Let me remind you that I also wrote that the FBI and NSA released a statement about attacks by Russian hackers.

Microsoft reported about activity of the LemonDuck malware
https://gridinsoft.com/blogs/microsoft-reported-about-activity-of-the-lemonduck-malware/
Tue, 27 Jul 2021 16:15:13 +0000

Microsoft researchers have published a detailed analysis of the LemonDuck mining malware and reported that cross-platform malware continues to improve.

LemonDuck is capable of attacking Windows and Linux, exploits old vulnerabilities and uses various distribution mechanisms to improve the effectiveness of its campaigns.

“LemonDuck, an actively updated and resilient malware known for its botnets and cryptocurrency mining, has followed a well-known path, exhibiting more sophisticated behavior and expanding its operations. Today LemonDuck not only uses [victims’] resources for its bots and mining, but also steals credentials, disables security mechanisms, spreads via email, exhibits lateral movement, and ultimately delivers [to the infected system] other malicious tools controlled by man,” Microsoft said.

LemonDuck activity was first discovered in China in May 2019. Later, in 2020, the malware began to use COVID-19-themed lures in its attacks, and most recently it has exploited the already-patched ProxyLogon vulnerabilities in Microsoft Exchange to access unprotected systems.

In general, LemonDuck looks for devices vulnerable to issues such as CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon) and CVE-2021-27065 (ProxyLogon).

One of the hallmarks of LemonDuck is the malware’s ability to remove “other attackers from a compromised device, thus getting rid of competing malware and preventing new infections, as well as fixing vulnerabilities that were used to gain access.”


LemonDuck attacks typically target the manufacturing sector and IoT, with the largest number of incidents reported in the US, Russia, China, Germany, the UK, India, Korea, Canada, France, and Vietnam.

Microsoft also describes another LemonDuck-related campaign dubbed LemonCat in its report. Experts believe LemonCat is being used for other purposes and has been active since January 2021. In particular, LemonCat was used in attacks against vulnerable Microsoft Exchange servers, and these incidents led to the installation of a backdoor, theft of credentials and information, and the installation of the Ramnit Trojan.

“While the LemonCat infrastructure is being used for more dangerous campaigns, it does not mitigate the risk of malware infection associated with the LemonDuck infrastructure,” Microsoft said.

Let me remind you that we also wrote that LemonDuck malware operators attack IoT vendors.

US and UK accused China for attacks on Microsoft Exchange servers
https://gridinsoft.com/blogs/us-and-uk-accused-china-for-attacks-on-microsoft-exchange-servers/
Tue, 20 Jul 2021 16:50:49 +0000

The United States and a coalition of its allies, including the EU, Britain and NATO, have formally accused China and its authorities of a large-scale hacking campaign to break into Microsoft Exchange servers. Let me remind you that these attacks have been going on since the beginning of 2021 and have targeted tens of thousands of companies and organizations around the world.

China is reported to have used Microsoft’s “zero-day Exchange Server vulnerabilities disclosed in early March 2021 for cyber espionage operations.”

In early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities in the Exchange mail server, which the researchers gave the general name ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).

These vulnerabilities can be chained together and exploited, allowing an attacker to authenticate on the Exchange server, gain administrator rights, install malware, and steal data.

“We know that in some cases, cybercriminals affiliated with the PRC government carried out extortion operations against private companies, demanding multimillion-dollar ransoms,” the White House said.

Already in March, attacks on vulnerable servers were carried out by more than 10 hack groups, deploying web shells, miners and ransomware on the servers.

“Attacks on Microsoft Exchange software are most likely associated with a large-scale spy campaign aimed at obtaining personal data and intellectual property. It is highly likely that a group known as HAFNIUM, affiliated with the Chinese government, is responsible for this activity,” says the National Cybersecurity Center in the UK.

The UK also added that China’s Ministry of State Security is behind “government hacker groups” such as APT40 and APT31.

The Department of Justice, NSA, CISA and the FBI have already released technical guidance on detecting intrusions and the activity of Chinese hacking groups targeting the networks of the United States and its allies. American law enforcement has also published indicators of compromise for APT40, so that companies can detect the presence of these hackers on their networks.

It is worth noting that almost simultaneously with the accusations against China, the US Department of Justice announced the initiation of a criminal case against four Chinese citizens who are allegedly members of the aforementioned hacker group APT40.

Chinese representatives have already reacted to the accusations against them. The spokesman for the country’s Foreign Ministry, Zhao Lijian, said at a press conference that it is the United States that is “the largest source of cyber-attacks in the world”; that it has attacked Chinese aerospace, scientific and research institutions, the oil industry, government agencies and Internet companies for the past 11 years (this was the conclusion of researchers from the Chinese company Qihoo 360 last year); that it eavesdrops on the conversations of both its competitors and its allies; and that it pressures NATO and other allies to create a military alliance in cyberspace that “could provoke a [race] of cyber weapons and undermine international peace and security.”

Epsilon Red ransomware threatens Microsoft Exchange servers
https://gridinsoft.com/blogs/epsilon-red-ransomware-threatens-microsoft-exchange-servers/
Tue, 01 Jun 2021 23:04:11 +0000

Sophos experts have discovered the Epsilon Red ransomware that exploits vulnerabilities in Microsoft Exchange servers to attack other machines on the network.

Experts write that the malware is based on many different scripts, and Epsilon Red operators use a commercial remote access utility in attacks.

Epsilon Red was discovered last week while investigating an attack on an unnamed US hospitality company. The attackers entered the corporate network using vulnerabilities in the on-premises Microsoft Exchange server: these are, of course, the much-discussed ProxyLogon problems discovered in early 2021.

It is reported that Epsilon Red is written in Golang (Go), and the launch of the malware itself is preceded by a whole set of PowerShell scripts that set the stage for encryption. Most of the scripts are numbered from 1 to 12, but several are named with a single letter. One of them, c.ps1, appears to be a clone of the Copy-VSS pentesting tool.


Scripts have specific purposes:

  • eliminate the processes and services of security mechanisms, databases, backup programs, Office applications, mail clients;
  • remove shadow copies;
  • steal the Security Account Manager (SAM) file containing password hashes;
  • delete Windows event logs;
  • disable Windows Defender;
  • suspend processes;
  • remove security products (Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, Webroot);
  • escalate privileges in the system.

Once on the network, hackers reach other machines using RDP and Windows Management Instrumentation (WMI), and then install software and PowerShell scripts on them, which ultimately leads to the launch of the Epsilon Red executable.

Analysts point out that attackers are installing a copy of Remote Utilities, a commercial remote desktop tool, and the Tor browser on compromised machines. This is done to maintain a stable presence in the system.

The Epsilon Red attack can provoke real chaos in the company, since the ransomware has no restrictions on encrypting certain types of files and folders. The malware encrypts any files by adding the .epsilonred extension to them, and makes no exceptions even for executable files and DLLs, which can disrupt the operation of important programs and the OS itself.

The malware uses the open source godirwalk library to walk the directory tree.

In this way, Epsilon Red scans the hard drive and adds directory paths to the list of destinations for child processes that encrypt subfolders individually. As a result, many copies of the ransomware process are launched on the infected machines.

The ransom note is an updated version of the ransom note used by the ransomware REvil. However, the authors of Epsilon Red have tried to correct grammatical and spelling errors in the text.


According to Sophos, at least one victim of the ransomware has already paid the attackers a ransom of 4.28 BTC (about $210,000).

Although experts have not yet written anything about the attribution of malware, it is worth noting that Epsilon Red is a character in the Marvel Universe, a Russian super-soldier with tentacles who can breathe in space.

Let me remind you that I also wrote that Prometei botnet attacks vulnerable Microsoft Exchange servers.

GitHub Developers Review Exploit Posting Policy Due to Recent Scandal
https://gridinsoft.com/blogs/github-developers-review-exploit-posting-policy/
Fri, 30 Apr 2021 16:50:16 +0000

GitHub is reviewing its exploit posting policy and wants to discuss with the information security community a series of changes to the site rules. These rules determine how staff deal with malware and exploits uploaded to the platform.

The proposed changes imply that GitHub will establish clearer rules about what counts as code that is used to investigate vulnerabilities and what counts as code that attackers misuse for real attacks. The problem is that now this line is blurred. Anyone can upload malware or exploits to GitHub with the tag “for security research,” and the GitHub staff most likely will permit posting of such code.

GitHub now asks project owners to clearly state the purpose of their code and whether it can be used to harm others. GitHub staff also want the ability to intervene in certain cases, in particular to restrict or remove code intended for information security research if it is already being used in real attacks.


“These changes <…> are aimed at removing ambiguity in terms such as ‘exploit’, ‘malware’ and ‘delivery’ to make our expectations and intentions clear,” wrote Mike Hanley, director of security at GitHub.

Hanley and GitHub are asking the community to provide feedback on this initiative, to work together on determining where the line between security research and actual malicious code lies.

What is happening is a direct consequence of the scandal that began last month. Let me remind you that in early March 2021, Microsoft, which owns GitHub, announced a series of ProxyLogon vulnerabilities that were used by hacker groups to attack Exchange servers around the world.

Then the OS manufacturer released patches, and a week later a Vietnamese cybersecurity researcher reversed these fixes and created a PoC exploit for ProxyLogon based on them, which was then uploaded to GitHub. Within hours of the code being uploaded, the Microsoft security team stepped in and removed the expert’s PoC, sparking industry outrage and criticism of Microsoft.

Although back then Microsoft was simply trying to protect Exchange server owners from attacks, and GitHub eventually allowed the researcher and others to re-upload the exploit code to the site, now GitHub still wants to eliminate all ambiguities in the policies of their platform so that such situations do not happen again.

It is unclear if GitHub plans to listen to the feedback it receives from people, or if the company will approve the proposed changes anyway, thus gaining the opportunity to intervene if it believes that certain code can be used for attacks.

The company’s proposal has already sparked a heated debate on the web, and opinions are divided. Some agree with the proposed changes, while others are happy with the current state of affairs, when users can report malicious code to GitHub for removal, but the platform allows posting PoC exploits, even if they are already abused.

The fact is that exploits are often re-posted on other platforms, so removing PoC from GitHub does not mean that attackers will not be able to take advantage of them.

Prometei botnet attacks vulnerable Microsoft Exchange servers
https://gridinsoft.com/blogs/prometei-attacks-microsoft-exchange/
Fri, 23 Apr 2021 16:24:44 +0000

Since patches for the ProxyLogon problems are still not installed everywhere, cybercriminals continue their activity: for example, the updated Prometei botnet attacks vulnerable Microsoft Exchange servers.

Researchers from Cybereason Nocturnus discovered Prometei malware, which mines Monero cryptocurrency on vulnerable machines.

In early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities in the Exchange mail server, which the researchers collectively named ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

These vulnerabilities can be chained together and exploited to allow an attacker to authenticate on the Exchange server, gain administrator rights, install malware and steal data.

In early March 2021, attacks on vulnerable servers were carried out by more than 10 hack groups, deploying web shells, miners and ransomware on the servers.

According to statistics released by Microsoft last month, approximately 92% of all Internet-connected Exchange servers have already received patches.

This modular malware was first detected last year. It is capable of infecting Windows and Linux systems, and has previously used the EternalBlue exploit to spread across compromised networks and compromise vulnerable machines.

Cybereason Nocturnus experts write that Prometei is active at least since 2016 (judging by the samples uploaded to VirusTotal). The botnet was recently updated and “learned” how to exploit ProxyLogon vulnerabilities.

Thus, Prometei now attacks Exchange servers, installs mining payloads on them, and also tries to spread further across the infected network using the EternalBlue and BlueKeep exploits, harvested credentials, and modules for SSH or SQL.

The updated malware has backdoor capabilities with support for an extensive set of commands, including downloading and executing files, searching for files on infected systems, and executing programs or commands on behalf of the attackers.


“If desired, attackers can infect compromised endpoints with other malicious programs and cooperate with ransomware operators, selling them access to systems,” the researchers warn.

Let me remind you that I also wrote that the FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners.

FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners
https://gridinsoft.com/blogs/fbi-removed-web-shells/
Wed, 14 Apr 2021 16:59:48 +0000

The US Department of Justice reported that a court in early April granted the FBI special powers and the bureau removed web shells previously installed by hackers on vulnerable Exchange servers in the United States. The FBI also had the power to remove other malware (without notification of the server owners).

The FBI did not say how many web shells were removed, but said that “the operation was successful”.

(Image: the warrant)

Let me remind you that the root of the problem lies in the fact that in early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities, which the researchers gave the general name ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).

These vulnerabilities can be chained together and exploited to allow an attacker to authenticate on the Exchange server, gain administrator rights, install malware, and steal data. As a result, attacks on vulnerable servers were carried out by more than 10 hacker groups, deploying web shells, miners and ransomware on the servers.

According to the US authorities and information security experts, Chinese “government” hackers actively used ProxyLogon bugs back in January and February 2021, and after the vulnerabilities were made public, other criminals also joined them.

As is now reported, some of these web shells were not properly secured and reused the same password. The FBI took advantage of this circumstance to remove the malware.

“Today’s court-sanctioned deletion of malicious web shells demonstrates the Justice Department’s commitment to suppress hacking by using all available legal tools, not just prosecution,” the Justice Department said.

It is emphasized that during the operation, the FBI did not patch vulnerable Exchange servers and did not try to detect and remove other malicious programs that could have been installed on the system using web shells.

“Based on my training and experience, most victims are unlikely to delete the remaining web shells on their own, because they are difficult to find due to the unique file names and paths, and because the victims do not have the technical ability to delete them on their own,” an FBI official said under oath when the Bureau asked the court for a warrant.

The FBI is currently notifying victims whose Exchange servers were compromised and discovered during the operation.

Hackers attack Microsoft Exchange servers on behalf of Brian Krebs
https://gridinsoft.com/blogs/hackers-attack-exchange-servers-on-behalf-of-brian-krebs/
Tue, 30 Mar 2021 16:27:42 +0000

The well-known information security expert, journalist and author of the KrebsOnSecurity blog has repeatedly become a target for attacks and mockery by hackers. Now hackers are attacking Microsoft Exchange servers vulnerable to ProxyLogon “on behalf of” Brian Krebs.

The fact is that Krebs is famous for his investigations and revelations, and over the long years of his career, he helped find and de-anonymize more than a dozen criminals, which the latter, of course, do not like at all.

Criminals have been taking revenge on the journalist for many years. They have already sent a SWAT team to Krebs’ home, taken out a $20,000 loan in his name, transferred $1,000 to his PayPal account from a stolen payment card (and the PayPal account itself was compromised more than once), and even tried to transfer money from Krebs’ account to an ISIS-affiliated group. After he exposed the authors of the Mirai IoT malware, Krebs’ website suffered one of the most powerful DDoS attacks in history at that time.

A couple of years ago, users of the German imageboard Pr0gramm (pr0gramm.com), with which the operators of the Coinhive cryptojacking service were associated, turned against the journalist. Offended by Krebs’ investigation, users launched the #KrebsIsCancer campaign on social networks (“Krebs is cancer”). In German the journalist’s surname, Krebs, means “cancer”, and on Pr0gramm they decided to literally “fight cancer”: they trolled Krebs and eventually donated more than $120,000 to this fight.

It is also worth noting that malware authors often mention Brian Krebs in the code of their programs as a kind of “hello”. According to the journalist, a complete list of such cases would consist of hundreds of pages.

Yesterday there was a post on KrebsOnSecurity titled “No, I Didn’t Hack Your MS Exchange Server”. In it, Krebs says that attacks on servers vulnerable to the ProxyLogon problems are now taking place “on his behalf”.

The researcher writes that the Shadowserver Foundation found that Microsoft Exchange servers are being attacked by the KrebsOnSecurity and Yours Truly malware.

For example, the attackers first host the Babydraco web shell on the vulnerable server at /owa/auth/babydraco.aspx. The malicious file krebsonsecurity.exe is then loaded via PowerShell, which transfers data between the victim server and the attacker’s domain – Krebsonsecurity[.]top.

Shadowserver has found more than 21,000 Exchange servers running the Babydraco backdoor, although they do not know how many of those systems were downloading secondary payloads from a rogue version of Krebsonsecurity.
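A defender-side sweep for the two indicators just described (the web shell path under /owa/auth/ and the attacker domain), written here as an added example; it is not code from Shadowserver, KrebsOnSecurity or the original post. The IIS and DNS log lines are constructed, and the rule that flags any POST to an .aspx file under /owa/auth/ is a heuristic assumption (OWA’s own logon form posts to /owa/auth.owa).

```python
"""Sweep IIS and DNS logs for the Babydraco / krebsonsecurity[.]top indicators.
Added example, not code from the original post; sample log lines are constructed."""
import re
from dataclasses import dataclass

# Indicators from the post; the domain is written undefanged so it can be matched.
SHELL_PATH = "/owa/auth/babydraco.aspx"
C2_DOMAIN = "krebsonsecurity.top"

# Heuristic (assumption): OWA's own logon form posts to /owa/auth.owa, so a POST
# to any /owa/auth/<name>.aspx deserves a look even when the name is not known.
OWA_AUTH_ASPX = re.compile(r"/owa/auth/[^/]+\.aspx")

# Constructed DNS query log layout: "<date> <time> <client> <qname> <qtype>".
DNS_LINE = re.compile(r"^(?P<when>\S+ \S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


@dataclass
class Finding:
    source: str  # "iis" or "dns"
    when: str
    client: str
    detail: str


def parse_w3c(lines):
    """Yield one dict per IIS W3C entry, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated entry: skip rather than guess
        yield dict(zip(fields, parts))


def scan_iis(lines):
    """Flag requests to the known shell path, then POSTs to other .aspx files under /owa/auth/."""
    findings = []
    for entry in parse_w3c(lines):
        stem = entry.get("cs-uri-stem", "").lower()
        method = entry.get("cs-method", "").upper()
        when = f"{entry.get('date', '')} {entry.get('time', '')}"
        client = entry.get("c-ip", "")
        if stem == SHELL_PATH:
            findings.append(Finding("iis", when, client, f"{method} {stem} (known shell path)"))
        elif method == "POST" and OWA_AUTH_ASPX.fullmatch(stem):
            findings.append(Finding("iis", when, client,
                                    f"POST to {stem} (unexpected .aspx under /owa/auth/)"))
    return findings


def scan_dns(lines):
    """Flag lookups of the attacker domain or any subdomain of it.

    The suffix match is anchored on a dot, so krebsonsecurity.com (the real site) is
    not flagged. The leftmost label is reported because the post notes it carried data.
    """
    findings = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            label = qname[: -len(C2_DOMAIN)].rstrip(".") or "<apex>"
            findings.append(Finding("dns", m["when"], m["client"],
                                    f"{m['qtype']} {qname} (label: {label})"))
    return findings


def sweep(iis_lines, dns_lines):
    """Run both scans; IIS findings first, then DNS."""
    return scan_iis(iis_lines) + scan_dns(dns_lines)


# Constructed sample logs (documentation addresses only, not real clients).
SAMPLE_IIS = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-03-29 09:14:02 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 198.51.100.7 Mozilla/5.0 200
2021-03-29 09:14:20 10.0.0.5 POST /owa/auth.owa - 443 198.51.100.7 Mozilla/5.0 302
2021-03-29 09:15:41 10.0.0.5 POST /owa/auth/babydraco.aspx - 443 203.0.113.9 python-requests/2.25 200
2021-03-29 09:16:03 10.0.0.5 POST /owa/auth/help.aspx - 443 203.0.113.9 python-requests/2.25 200
""".splitlines()

SAMPLE_DNS = """2021-03-29 09:15:50 10.0.0.5 xxx-xx-xxx.krebsonsecurity.top. A
2021-03-29 09:15:51 10.0.0.5 outlook.office365.com. A
2021-03-29 09:15:52 10.0.0.8 krebsonsecurity.com. A
2021-03-29 09:16:10 10.0.0.8 krebsonsecurity.top. TXT
""".splitlines()

if __name__ == "__main__":
    for f in sweep(SAMPLE_IIS, SAMPLE_DNS):
        print(f"[{f.source}] {f.when} {f.client}: {f.detail}")
```

On the constructed samples the legitimate logon GET, the /owa/auth.owa POST and the lookup of krebsonsecurity.com are left alone; the two shell requests and the two attacker-domain lookups are reported with client address and, for DNS, the leftmost label.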

“The motives of the cybercriminals behind the Krebsonsecurity[.]top domain are unclear, but the domain itself has recently been linked to other types of cybercriminal activity and attacks on me. I first heard about this domain in December 2020, when one of the readers told me that his entire network was hijacked by a cryptocurrency mining botnet that contacted this domain,” says Krebs.

The researcher cites the December post of one of the website visitors:

I noticed this morning that the cooler on the server in my home lab was making a lot of noise. At first, I didn’t think much of it, but after cleaning and testing, it still made noise. After completing other work-related matters, I checked and found that a cryptominer had entered my system pointing to XXX-XX-XXX.krebsonsecurity.top. It ended up infecting all three Linux servers on my network.

Krebs explains that instead of “XXX-XX-XXX”, that address was his social security number. “I was killed through DNS,” he sums up.

Let me also remind you that we reported that Researcher Published PoC Exploit for ProxyLogon Vulnerabilities in Microsoft Exchange.

Microsoft Introduces One-Click ProxyLogon Fix Tool
https://gridinsoft.com/blogs/microsoft-introduces-one-click-proxylogon-fix-tool/
Tue, 16 Mar 2021 16:42:59 +0000

The post Microsoft Introduces One-Click ProxyLogon Fix Tool appeared first on Gridinsoft Blog.

]]>
Microsoft developers have released a tool called EOMT (Exchange On-premises Mitigation Tool), designed to install updates on Microsoft Exchange servers and mitigate the ProxyLogon vulnerabilities with a single click.

The utility is already available for download on the company’s GitHub.

In early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities in the Exchange mail server, which the researchers dubbed ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

“These vulnerabilities can be chained together and exploited to allow an attacker to authenticate to the Exchange server, gain administrator rights, install malware, and steal data,” said Microsoft engineers.

Experts from Palo Alto Networks and Microsoft estimate that about 80,000 vulnerable Exchange servers are still reachable on the internet and could be compromised.

Currently, about 10 hack groups are attacking vulnerable servers, deploying web shells, miners and ransomware on them.

EOMT is intended primarily for companies without their own IT specialists who could understand the ProxyLogon problem and correctly install the necessary updates.

Installing the patches manually can also go wrong. For example, it was previously reported that, if UAC is enabled, the Microsoft Exchange updates can install without applying many of the necessary fixes. As a result, the updates must be run only from an elevated administrator session.

Microsoft now hopes that anyone in a company can handle downloading EOMT and applying the mitigation by simply running EOMT.ps1. The script installs a URL Rewrite configuration on the server, which is enough to block CVE-2021-26855, the bug that serves as the entry point of the exploit chain collectively known as ProxyLogon.

The tool also includes a copy of Microsoft Safety Scanner, which scans Exchange servers for known web shells previously observed in ProxyLogon attacks. If necessary, Microsoft Safety Scanner removes the backdoor and cuts off the attackers' access.

Let me also remind you that recently a researcher published a PoC exploit for the ProxyLogon vulnerabilities in Microsoft Exchange, though after a while GitHub removed the ProxyLogon exploit and was criticized for it.

GitHub removed ProxyLogon exploit and has been criticized
https://gridinsoft.com/blogs/github-removed-the-proxylogon-exploit/
Fri, 12 Mar 2021 16:49:15 +0000
The administration of the GitHub service has removed a real working exploit for the ProxyLogon vulnerabilities in Microsoft Exchange, and information security specialists have sharply criticized GitHub for it.

Yesterday we wrote that an independent information security researcher from Vietnam published on GitHub the first real PoC exploit for a serious set of ProxyLogon vulnerabilities recently discovered in Microsoft Exchange. This exploit has been confirmed by renowned experts, including Marcus Hutchins from Kryptos Logic, Daniel Card from PwnDefend, and John Wettington from Condition Black.

At the same time, many experts noted that publicly releasing a PoC exploit right now is an extremely dubious step. For example, Praetorian was recently severely criticized for a much less harmful “misconduct”: its specialists published only a detailed overview of the ProxyLogon vulnerabilities and refrained from releasing their exploit.

The point is that at least ten hack groups are exploiting ProxyLogon bugs to install backdoors on Exchange servers worldwide. According to various estimates, the number of affected companies and organizations has already reached 30,000-100,000, and their number continues to grow, as well as the number of attackers.


Given the seriousness of the situation, the exploit was removed from GitHub by the service's administration within a few hours of its publication. Because of this, some members of the information security community were furious and immediately accused Microsoft of censoring content of vital interest to security professionals worldwide.

For example, many researchers say that GitHub applies a double standard: PoC exploits for vulnerabilities affecting other companies' software are allowed to stay, while similar PoCs for Microsoft products are removed.

“Wow. I have no words. Microsoft has indeed removed the PoC code from GitHub. It is monstrous to remove the security researcher code from GitHub aimed at their own product, which has already received the patches,” Dave Kennedy, founder of TrustedSec, wrote on Twitter.

On the same social network, Google Project Zero expert Tavis Ormandy argues with Marcus Hutchins. The latter says that he does not quite understand what benefit publishing a working RCE exploit could bring to anyone, to which Ormandy replies:

“Is there a benefit to Metasploit, or is it that everyone who uses it is a script kiddie? Unfortunately, sharing research and tools with professionals is impossible without sharing it with attackers, but many people (like me) believe that the benefits outweigh the risks.”

In turn, Hutchins writes that the argument about the already fixed vulnerabilities is untenable since about 50,000 servers worldwide are still vulnerable.

“Patches are out now. Dude, there are over 50,000 unpatched Exchange servers. Releasing a fully operational RCE chain is not a security study, it is pure stupidity. I’ve seen GitHub remove malicious code before, not just code targeting Microsoft products. I highly doubt MS played any role in this removal, the [exploit] was violating GitHub’s active malware/exploit policy, as it only appeared recently. A huge number of servers are under threat of ransomware attacks,” says Hutchins.

GitHub told reporters that the exploit certainly had educational and research value for the community, but the company has to maintain a balance and be mindful of the need to keep the broader ecosystem safe. Therefore, in accordance with the service's rules, the exploit for a recently discovered vulnerability that is currently being actively used in attacks was nevertheless removed from public access.
