Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware

Lockbit ransomware affiliates are compromising Microsoft Exchange servers to deploy their ransomware, experts warn. South-Korean cybersecurity firm AhnLab reported that Lockbit ransomware affiliates are distributing their malware via compromised Microsoft Exchange servers. In July 2022, two servers operated by a customer of the security firm were infected with LockBit 3.0 ransomware.  Threat actors initially deployed […]

Microsoft Exchange server Lockbit zero-day

Lockbit ransomware affiliates are compromising Microsoft Exchange servers to deploy their ransomware, experts warn.

South-Korean cybersecurity firm AhnLab reported that Lockbit ransomware affiliates are distributing their malware via compromised Microsoft Exchange servers.

In July 2022, two servers operated by a customer of the security firm were infected with LockBit 3.0 ransomware. 

Threat actors initially deployed web shell on a compromised Exchange server, then it took just 7 days to escalate privileges to Active Directory admin and stole roughly 1.3 TB of data before encrypting systems hosted in the network.

According to the researchers, the attackers allegedly exploited a zero-day vulnerability in Microsoft Exchange Server. 

“Looking at the Microsoft Exchange Server vulnerability history, the remote code execution vulnerability was disclosed on December 16, 2021 (CVE-2022-21969), the privilege escalation vulnerability was disclosed in February 2022, and the most recent vulnerability was on June 27. Information Disclosure Vulnerability vulnerability. That is, among the vulnerabilities disclosed after May, there were no reports of vulnerabilities related to remote commands or file creation.” reads the report published by AhnLab. “Therefore, considering that WebShell was created on July 21, it is expected that the attacker used an undisclosed zero-day vulnerability. 

The experts argued that the attackers likely did not exploit recently disclosed CVE-2022-41040 and CVE-2022-41082 vulnerabilities.

Some prominent experts, including the popular Kevin Beaumont said that he is not convinced it’s a zero-day.

https://twitter.com/GossiTheDog/status/1579799118779514882

The vulnerability researcher Will Dormann pointed out that the report doesn’t include evidence of exploiting of a new zero-day vulnerability.

Bleeping Computer pointed out that at least three vulnerabilities in Microsoft Exchange, discovered by Zero Day Initiative vulnerability researcher Piotr Bazydlo, have yet to be patched.

The three issues, tracked by ZDI as ZDI-CAN-18881ZDI-CAN-18882, and ZDI-CAN-18932, were reported on September 20, 2022.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit)

[adrotate banner=”5″]

[adrotate banner=”13″]