At a glance.
- Microsoft warns of Exchange Server vulnerabilities.
- Hacktivists compromise Mexican government data.
- New Lazarus activity: bring-your-own-vulnerable-driver.
- Software supply chain attack reported.
- API protection report describes malicious transactions.
- Analysis of cyber risk in relation to SaaS applications.
- Data stolen from US "Defense Industrial Base organization."
- Mechanisms of fraud.
- Credential theft in the name of Zoom.
- Top CVEs exploited by China.
- COVID-19-themed social engineering.
- Criminals turn to malicious HTML file attachments.
- LAUSD says ransomware operators missed most sensitive PII.
- Major sideloading cryptojacking campaign in progress.
- Killnet hits networks of US state governments.
Microsoft warns of Exchange Server vulnerabilities.
Late last Friday Microsoft disclosed that two zero-days afflicted three versions of its widely used Exchange Server. One, CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability; the second, CVE-2022-41082, is a remote code execution (RCE) vulnerability that can be exploited when an attacker has access to PowerShell. Redmond is working on a fix, but until then users may follow the mitigations Microsoft's Security Response Center shared in its "Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server." Late Sunday Microsoft added further advice: "We strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization."
Hanoi-based security firm GTSC discovered the zero-days in the course of its monitoring and remediation activity. GTSC sees strong circumstantial evidence that the threat actor or actors behind the attacks are Chinese: "We suspect these exploits come from Chinese attack groups, based on the webshell codepage of 936, a Microsoft character encoding for simplified Chinese."
The US Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2022-41082 and CVE-2022-41040 to its Known Exploited Vulnerabilities Catalog. In both cases CISA advises organizations to apply the mitigations Microsoft has provided. US Federal executive civilian agencies have until October 21st to take action. For more information on the Microsoft Exchange zero-days, see CyberWire Pro.
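The interim mitigation Microsoft recommends above, disabling remote PowerShell for non-admin users, can be applied from the Exchange Management Shell. The script below is an added example, not Microsoft's or CyberWire's code; it assumes the role groups listed in `$adminRoleGroups` are the ones whose members should keep remote PowerShell, and it defaults to a dry run (`-WhatIf`) so the affected accounts can be reviewed first.

```powershell
# Added example: disable remote PowerShell for every user who is not a member of an
# Exchange admin role group. Run from the Exchange Management Shell as an administrator.
# The role-group list is an assumption; adjust it to the organization's admin model.
$adminRoleGroups = @('Organization Management', 'Recipient Management',
                     'Server Management', 'Help Desk')

# Build a lookup of admin distinguished names so they are excluded from the change.
$adminSet = @{}
foreach ($rg in $adminRoleGroups) {
    Get-RoleGroupMember -Identity $rg -ErrorAction SilentlyContinue |
        ForEach-Object { $adminSet[$_.DistinguishedName] = $true }
}

# Select non-admin users that still have remote PowerShell enabled.
$candidates = Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and -not $adminSet.ContainsKey($_.DistinguishedName) }

Write-Host ("Non-admin users with remote PowerShell enabled: {0}" -f @($candidates).Count)

# Dry run: review the output, then remove -WhatIf to apply the change.
foreach ($u in $candidates) {
    Set-User -Identity $u.Identity -RemotePowerShellEnabled $false -WhatIf
}

# Audit after applying: anything listed here still needs attention.
Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and -not $adminSet.ContainsKey($_.DistinguishedName) } |
    Select-Object Name, RemotePowerShellEnabled
```

Re-running the audit query periodically catches newly created mailboxes that inherit remote PowerShell access by default.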