Headline
Threat Source newsletter (Oct. 6, 2022) — Continuing down the Privacy Policy rabbit hole
By Jon Munshaw.
Welcome to this week’s edition of the Threat Source newsletter.
As I wrote about last week, I’ve been diving a lot into apps’ privacy policies recently. And I was recently made aware of a new type of app I never knew existed — family trackers.
There are countless mobile apps for parents to track their children or other family members based on their location, phone usage, and even driving speed. As an anxious soon-to-be-parent, this sounds intriguing to me — it’d be a supped-up version of Find my Friends on Apple devices so I’d never have to ask my teenager (granted, I’m many years away from being at that stage of my life) when they were coming home or where they were.
Just as with all other types of mobile apps, there are pitfalls, though.
Life360, one of the most popular of these types of apps and even tells users what their maximum driving speed was on a given trip, was found in December 2021 to be selling precise location data on its users, potentially affecting millions of people. Once that precise location data is out there, there is no telling who could eventually get a hold of it. Even if Life360 doesn’t intend to let adversaries see this information, they don’t have direct control over how those third parties handle the information once it’s sold off.
The app’s current and updated privacy policy states that it "may also share location information with our partners, such as Cuebiq and its Partners, for tailored advertising, attribution, analytics, research and other purposes.” However, users do have the ability to opt out of this inside the app.
There is hardware that offers this same type of tracking. Jealous, angry or paranoid spouses and parents have used Apple’s AirTags in the past to unknowingly track people, eventually to the point that Apple had to address the issue directly and provide several updates to AirTags’ security and precise location alerts to make it easier for users to find potentially unwanted AirTags on their cars or personal belongings.
This is truthfully just an area of concern I had never considered before. Many parents would do anything for their children’s safety, which is certainly understandable. But just like personal health apps, we need to consider the security trade-offs here, too. As we’ve said before, no one truly has “nothing to hide,” especially when it comes to minors or vulnerable populations. I’m not saying using any of these apps is inherently wrong, or that AirTags do not have their legitimate purposes. But any time we welcome this software and hardware into our homes and on our devices, it’s worth considering what sacrifices we might be making elsewhere.
The one big thing Microsoft warned last week of the exploitation of two recently disclosed vulnerabilities collectively referred to as “ProxyNotShell,” affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.
Why do I care?
Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.
So now what?
While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. While Microsoft continues to update their mitigations, some security researchers posit they can be bypassed. Talos has released several Snort rules to detect the exploitation of these vulnerabilities and associate malware families used in these attacks.
Top security headlines from the week
More than 2 million Australians’ personal information is at risk after a data breach at telecommunications giant Optus. More than 1.2 million customers have had at least one ID number from a current and valid form of identification, along with other personal data, according to an update from the company’s CEO. Adding to the confusion, the company told many residents in New South Wales that it would need to replace their driver’s license, only to later backtrack to say that would not be the case for everyone affected. Optus says it enlisted a third party to complete a thorough review of the compromise to identify security gaps and any other potential fallout. (ABC News, Nine News) The Vice Society ransomware group leaked more than 500 GB worth of data on employees and students at the unified Los Angeles School District after the district refused to pay a requested extortion payment after a ransomware attack several weeks ago. Officials said the leak was less extensive than originally expected and limited to attendance and academic records from 2013 - 2016. The district declined to pay the ransom because there was no guarantee that the actors would not leak the information anyway. Threat actors have commonly targeted the education sector with ransomware attacks as the school year started and their networks were particularly vulnerable. (Axios, Los Angeles Times) The infamous Lazarus Group threat actor continues to ramp up its activity, recently exploiting open-source software and Dell hardware to target companies all over the globe. A recent report from Microsoft found that the group was impersonating contributors to open-source projects and injecting malicious updates for that software to users. In a separate campaign, the APT also used an exploit in a Dell firmware driver to deliver a Windows rootkit targeting an aerospace company and high-profile journalist in Belgium. Lazarus Group is known for operating with North Korean state interests, often stealing cryptocurrency or finding other ways to earn money. (Bleeping Computer, Security Affairs)
Can’t get enough Talos?
Developer account body snatchers pose risks to the software supply chain Researcher Spotlight: Globetrotting with Yuri Kramarz Threat Roundup for Sept. 23 - 30 Talos Takes Ep. #115: An “insider threat” doesn’t always have to know they’re a threat Cobalt Strike malware campaign targets job seekers Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads
Upcoming events where you can find Talos
Cisco Security Solution Expert Sessions (Oct. 11 & 13) Virtual
GovWare 2022 (Oct. 18 - 20) Sands Expo & Convention Centre, Singapore
Conference On Applied Machine Learning For Information Security (Oct. 20 - 21) Sands Capital Management, Arlington, Virginia
Most prevalent malware files from Talos telemetry over the past week
SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
MD5: f1fe671bcefd4630e5ed8b87c9283534
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: PUA.Win.Tool.Hackkms::1201
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
SHA 256: 63d543945e33b4b6088dc34d0550213dc73ea6acce248d8353c63039e8fa284f
MD5: a779d230c944ef200bce074407d2b8ff
Typical Filename: mediaget.exe
Claimed Product: MediaGet
Detection Name: W32.File.MalParent
By Jon Munshaw.
Welcome to this week’s edition of the Threat Source newsletter.
There are countless mobile apps for parents to track their children or other family members based on their location, phone usage, and even driving speed. As an anxious soon-to-be-parent, this sounds intriguing to me — it’d be a supped-up version of Find my Friends on Apple devices so I’d never have to ask my teenager (granted, I’m many years away from being at that stage of my life) when they were coming home or where they were.
Just as with all other types of mobile apps, there are pitfalls, though.
Life360, one of the most popular of these types of apps and even tells users what their maximum driving speed was on a given trip, was found in December 2021 to be selling precise location data on its users, potentially affecting millions of people. Once that precise location data is out there, there is no telling who could eventually get a hold of it. Even if Life360 doesn’t intend to let adversaries see this information, they don’t have direct control over how those third parties handle the information once it’s sold off.
The app’s current and updated privacy policy states that it "may also share location information with our partners, such as Cuebiq and its Partners, for tailored advertising, attribution, analytics, research and other purposes.” However, users do have the ability to opt out of this inside the app.
There is hardware that offers this same type of tracking. Jealous, angry or paranoid spouses and parents have used Apple’s AirTags in the past to unknowingly track people, eventually to the point that Apple had to address the issue directly and provide several updates to AirTags’ security and precise location alerts to make it easier for users to find potentially unwanted AirTags on their cars or personal belongings.
This is truthfully just an area of concern I had never considered before. Many parents would do anything for their children’s safety, which is certainly understandable. But just like personal health apps, we need to consider the security trade-offs here, too. As we’ve said before, no one truly has “nothing to hide,” especially when it comes to minors or vulnerable populations. I’m not saying using any of these apps is inherently wrong, or that AirTags do not have their legitimate purposes. But any time we welcome this software and hardware into our homes and on our devices, it’s worth considering what sacrifices we might be making elsewhere.
**The one big thing **
Microsoft warned last week of the exploitation of two recently disclosed vulnerabilities collectively referred to as “ProxyNotShell,” affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.
**Why do I care? **Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year. So now what?
While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. While Microsoft continues to update their mitigations, some security researchers posit they can be bypassed. Talos has released several Snort rules to detect the exploitation of these vulnerabilities and associate malware families used in these attacks.
Top security headlines from the week
More than 2 million Australians’ personal information is at risk after a data breach at telecommunications giant Optus. More than 1.2 million customers have had at least one ID number from a current and valid form of identification, along with other personal data, according to an update from the company’s CEO. Adding to the confusion, the company told many residents in New South Wales that it would need to replace their driver’s license, only to later backtrack to say that would not be the case for everyone affected. Optus says it enlisted a third party to complete a thorough review of the compromise to identify security gaps and any other potential fallout. (ABC News, Nine News)
The Vice Society ransomware group leaked more than 500 GB worth of data on employees and students at the unified Los Angeles School District after the district refused to pay a requested extortion payment after a ransomware attack several weeks ago. Officials said the leak was less extensive than originally expected and limited to attendance and academic records from 2013 - 2016. The district declined to pay the ransom because there was no guarantee that the actors would not leak the information anyway. Threat actors have commonly targeted the education sector with ransomware attacks as the school year started and their networks were particularly vulnerable. (Axios, Los Angeles Times)
The infamous Lazarus Group threat actor continues to ramp up its activity, recently exploiting open-source software and Dell hardware to target companies all over the globe. A recent report from Microsoft found that the group was impersonating contributors to open-source projects and injecting malicious updates for that software to users. In a separate campaign, the APT also used an exploit in a Dell firmware driver to deliver a Windows rootkit targeting an aerospace company and high-profile journalist in Belgium. Lazarus Group is known for operating with North Korean state interests, often stealing cryptocurrency or finding other ways to earn money. (Bleeping Computer, Security Affairs)
**Can’t get enough Talos? **
- Developer account body snatchers pose risks to the software supply chain
- Researcher Spotlight: Globetrotting with Yuri Kramarz
- Threat Roundup for Sept. 23 - 30
- Talos Takes Ep. #115: An “insider threat” doesn’t always have to know they’re a threat
- Cobalt Strike malware campaign targets job seekers
- Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads
**Upcoming events where you can find Talos **
Sands Expo & Convention Centre, Singapore
Sands Capital Management, Arlington, Virginia
**Most prevalent malware files from Talos telemetry over the past week **
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201
MD5: f1fe671bcefd4630e5ed8b87c9283534
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: PUA.Win.Tool.Hackkms::1201
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
MD5: a779d230c944ef200bce074407d2b8ff
Typical Filename: mediaget.exe
Claimed Product: MediaGet
Detection Name: W32.File.MalParent
Related news
The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S. "Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North
By Waqas Cybercriminals are leveraging two exploit chains (ProxyNotShell/OWASSRF) to target Microsoft Exchange servers, as warned by Bitdefender Labs. This is a post from HackRead.com Read the original post: New Wave of Cyberattacks Targeting MS Exchange Servers
Organizations often defer patching because of business disruption fears — but that didn't work out very well for Rackspace's Hosted Exchange service.
The hosting provider had not applied Microsoft's new patch due to publicly reported issues with the update.
Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA). "The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford,
Hello everyone! This episode will be about Microsoft Patch Tuesday for November 2022, including vulnerabilities that were added between October and November Patch Tuesdays. As usual, I use my open source Vulristics project to create the report. Alternative video link (for Russia): https://vk.com/video-149273431_456239107 The most important news of this Patch Tuesday was a release of patches […]
By Deeba Ahmed Microsoft has urged Windows Administrators to install the updates urgently so make sure you have the latest patches installed! This is a post from HackRead.com Read the original post: Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities
Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week. Also separately
Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft Tags: Apple Tags: Google Tags: Android Tags: Samsung Tags: Xiaomi Tags: Adobe Tags: SAP Tags: VMWare Tags: Fortinet Tags: CVE-2022-41033 Tags: CVE-2022-41040 Tags: zero-day No fix for ProxyNotShell (Read more...) The post Update now! October patch Tuesday fixes actively used zero-day...but not the one you expected appeared first on Malwarebytes Labs.
Microsoft on Friday disclosed it has made more improvements to the mitigation method offered as a means to prevent exploitation attempts against the newly disclosed unpatched security flaws in Exchange Server. To that end, the tech giant has revised the blocking rule in IIS Manager from ".*autodiscover\.json.*Powershell.*" to "(?=.*autodiscover\.json)(?=.*powershell)." The list of
Any time we welcome this software and hardware into our homes and on our devices, it’s worth considering what sacrifices we might be making elsewhere.
Microsoft has revised its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed. The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed ProxyNotShell due to similarities to another set of flaws called ProxyShell, which the tech giant resolved last year.
Microsoft has revised its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed. The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed ProxyNotShell due to similarities to another set of flaws called ProxyShell, which the tech giant resolved last year.
Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082 that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers. Based on ProxyShell, this new zero-day abuse risk leverage a chained attack similar to
‘ProxyNotShell’ abuse less severe than 2021 attack wave due to authentication requirement
Microsoft Exchange Server Elevation of Privilege Vulnerability.
Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at less than 10 organizations globally. "These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory
Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at less than 10 organizations globally. "These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory
While organizations wait for an official patch for the two zero-day flaws in Microsoft Exchange, they should scan their networks for signs of exploitation and apply these mitigations.
Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for securit...
Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for securit...
Even organizations that use Exchange Online may still be affected if they run a hybrid server.
By Deeba Ahmed The latest attack against Exchange servers utilizes at least two new flaws (CVE-2022-41040, CVE-2022-41082) that have been assigned CVSS scores of 6.3 and 8.8. This is a post from HackRead.com Read the original post: Microsoft Confirms Two 0-Days Being Exploited Against Exchange Servers
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.
The "ProxyNotShell" security vulnerabilities can be chained for remote code execution and total takeover of corporate email platforms.
The "ProxyNotShell" security vulnerabilities can be chained for remote code execution and total takeover of corporate email platforms.
Categories: Exploits and vulnerabilities Categories: News Tags: Exchange Tags: ProxyShell Tags: remote PowerShell Tags: web shell Tags: CVE-2022-41040 Tags: CVE-2022-41082 Tags: SSRF Tags: RCE Two ProxyShell-like vulnerabilities are being used to exploit Microsoft Exchange Servers (Read more...) The post Two new Exchange Server zero-days in the wild appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Tags: Exchange Tags: ProxyShell Tags: remote PowerShell Tags: web shell Tags: CVE-2022-41040 Tags: CVE-2022-41082 Tags: SSRF Tags: RCE Two ProxyShell-like vulnerabilities are being used to exploit Microsoft Exchange Servers (Read more...) The post Two new Exchange Server zero-days in the wild appeared first on Malwarebytes Labs.
Microsoft officially disclosed it investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation. "The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is
Microsoft officially disclosed it investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation. "The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is
November 8, 2022 update - Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. We recommend that customers protect their organizations by applying the updates immediately to affected systems. The options described in the Mitigations section are no longer recommended. For more information, review the Exchange Team blog. Summary Summary On November 8 Microsoft released security updates for two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
Summary Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. At this time, Microsoft is aware of limited … Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server Read More »
Summary Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. At this time, Microsoft is aware of limited … Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server Read More »