
Microsoft Exchange Server Flaw Causes Spike in Attacks - GovInfoSecurity.com


Application Security , Cybercrime , Cybercrime as-a-service

Strikes Surged After ProxyLogon Proof-of-Concept Released
Microsoft Exchange Server Flaw Causes Spike in Attacks

There has been a spike in TR/Downloader.Gen Trojan web shell detection, as ransomware gangs and other threat groups increasingly target vulnerable Microsoft Exchange Servers following publication of proof-of-concept attacks using ProxyLogon - one of four zero-days patched by Microsoft in March.


A new report by security firm F-Secure says that since the free-to-use ProxyLogon proof-of-concept file was released on March 13, it is being exploited by criminal gangs, state-backed threat actors and script kiddies globally.

One such malicious activity is the spike in TR/Downloader.Gen Trojan web shell detections, which F-Secure says peaked following the release of the free exploit tool. The security firm adds that the increase in TR/Downloader.Gen Trojan detections came from Italy, Germany, France, the United Kingdom, the United States, Belgium, Kuwait, Sweden, the Netherlands and Taiwan.

"Although it peaked last Wednesday, (F-Secure) continues to detect significant amounts of activity, in the tens of thousands," the report notes.

Assume Breach

Although Microsoft has released patches for the flaw, F-Secure notes that half of Exchange servers are still unpatched. As a result, thousands of Exchange servers are at risk of compromise. In addition, Antti Laatikainen, senior security consultant at F-Secure, notes that patching alone does not guarantee server security, because attackers could have breached networks before the update was installed.

"Because ProxyLogon allows access to the lower layers of the server - and from there to the rest of the organization’s network - this makes an extensive series of silent network intrusions possible," says F-Secure. "These breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen. If an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now."

Therefore, Laatikainen says organizations should assume they have been breached and take necessary security measures such as deploying endpoint detection and effective network monitoring to mitigate the threat. Urgency is advised, with Laatikainen saying, “We’re nearing the end of the period of time when we can influence how much data is stolen. There are a ton of things they (companies using MS Exchange) can do manually to prevent a full disaster. I just encourage them to do them immediately.”

"Never in the past 20 years that I’ve been in the industry has it been as justified to assume that there has been at least a digital knock at the door for every business with Exchange Outlook Web Access installed in the world," he says. "Because access is so easy, you can assume that the majority of these environments have been breached."

Ransomware Threats

Since the zero-days were disclosed, security experts have been warning of ransomware threats exploiting ProxyLogon.

ProxyLogon, tracked as CVE-2021-26855, is a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate an administrator. Earlier in March, Microsoft warned that attackers were exploiting the flaws in the wild (see: Microsoft Exchange: Server Attack Attempts Skyrocket).

On Friday, BleepingComputer reported that the ransomware group REvil had targeted Taiwanese PC maker Acer, likely using the ProxyLogon flaw. The criminal group accessed the company's financial spreadsheets, bank balances and bank communications and leaked images of these documents to extort a ransom of $50 million, the largest sum ever known to be demanded by a ransomware group.

Earlier this month, Microsoft said a new ransomware group called DearCry was exploiting ProxyLogon in unpatched, on-premises versions of Microsoft Exchange Server to access vulnerable servers, crypto-lock files and demand a ransom from victims in return for the promise of a decryption tool (see: DearCry Ransomware Targets Unpatched Exchange Servers).

When Microsoft first began releasing security updates, it warned that a Chinese APT group called Hafnium appeared to have been exploiting the flaws in recent months. But security firm ESET subsequently reported that at least 10 APT groups have been exploiting the flaws.

"exchange" - Google News
March 20, 2021 at 08:38PM
https://ift.tt/3tEDqz7