High-severity Microsoft Exchange 0-day under attack threatens 220,000 servers – Ars Technica


Microsoft late Thursday confirmed the existence of two vulnerabilities in its on-premises Exchange Server software that have already been used to compromise multiple servers and that pose a serious risk to an estimated 220,000 more around the world.

The currently unpatched flaws have been under active exploitation since early August, when Vietnam-based security firm GTSC found that customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The exploit requests looked almost identical to ProxyShell, an Exchange exploit chain from 2021 whose entry point is tracked as CVE-2021-34473, but the customers’ servers had all been patched against it. Eventually, the researchers concluded that the unknown hackers were exploiting a new Exchange vulnerability.


Webshells, backdoors, and fake sites

“After successfully mastering the exploit, we recorded attacks to collect information and create a foothold in the victim’s system,” the researchers wrote in a post published on Wednesday. “The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system.”

On Thursday evening, Microsoft confirmed that the vulnerabilities were new and said it was working on an accelerated timeline to develop and release a patch. The new vulnerabilities are CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, and CVE-2022-41082, which allows remote code execution when PowerShell is accessible to the attacker. Chained together, the SSRF gives an authenticated user a path to the Exchange PowerShell endpoint, and the second bug turns that access into code execution on the server.

“​​At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems,” members of the Microsoft Security Response Center team wrote. “In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082.” Team members stressed that successful attacks require valid credentials for at least one email user on the server.

The vulnerabilities affect on-premises Exchange servers; Exchange Online, Microsoft’s hosted service, is not affected in itself. The huge caveat is that many organizations using Exchange Online run a hybrid deployment, in which an on-premises Exchange server stays in place alongside the cloud tenant. Those on-premises hybrid servers are as vulnerable as standalone ones.

Searches on Shodan indicate there are currently more than 200,000 on-premises Exchange servers exposed to the Internet and more than 1,000 hybrid configurations.

Wednesday’s GTSC post said the attackers are using the zero-day to plant webshells, scripts dropped into the server’s web root that execute whatever commands the attacker sends over HTTP. The webshells use code page 936, the Windows character encoding for Simplified Chinese, leading the researchers to speculate that the hackers are Chinese speakers. The commands issued also bear the signature of China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People’s Republic of China.

GTSC went on to say that the malware the threat actors eventually install impersonates Microsoft’s Exchange Web Services. It also connects to the IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website that has a single user with one minute of login time, and that the address has been active only since August.


The malware then sends and receives data encrypted with an RC4 key that is generated at runtime. Beaumont added that the backdoor appears to be novel, meaning this is the first time it has been seen in the wild.

People running on-premises Exchange servers should take immediate action. Specifically, Microsoft recommends adding a URL Rewrite request-blocking rule that rejects the known attack pattern. The rule is added in IIS Manager under Default Web Site -> Autodiscover -> URL Rewrite -> Add Rule(s) -> Request Blocking, using regular-expression matching and the Abort Request action. The pattern Microsoft first published is .*autodiscover\.json.*\@.*Powershell.* and, because the part of the request that the pattern looks for sits in the query string, the rule’s condition input must be changed from the template’s default {URL} to {REQUEST_URI}, or the rule never matches. Microsoft revised that pattern more than once in the following days after researchers showed the first version could be bypassed, so take the current string from the MSRC advisory rather than from this article. For the time being, Microsoft also recommends blocking the remote PowerShell ports, HTTP 5985 and HTTPS 5986, and disabling remote PowerShell for non-admin users, since CVE-2022-41082 requires PowerShell to be reachable by the attacker.

Microsoft’s advisory contains a host of other suggestions for detecting infections and preventing exploits until a patch is available, including a hunt over the IIS logs for the request shape used in the attacks with the regular expression powershell.*autodiscover\.json.*\@.*200 run against each raw log line.
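As an added example, not from the article or from Microsoft (assumes Python 3.9+ and only the standard library): the script below parses W3C extended IIS log lines by their #Fields: header, applies that hunt to the request URI and the status code as separate fields, and compares the result with the raw-line one-liner. The log excerpt is constructed, not real traffic; it includes a failed attempt from a client whose address happens to contain 200, which the raw-line regex flags and the field-aware check does not.

```python
import re
from dataclasses import dataclass
from typing import Iterator

# Hunting regex from Microsoft's guidance for these CVEs (run there with
# Select-String over the IIS logs): "powershell", then "autodiscover.json",
# then "@", then "200", anywhere on the raw log line.
MSRC_HUNT_RE = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# The same tokens applied to the request URI (stem + query) only, so that the
# "200" has to come from the sc-status field and not from an IP address or
# timestamp elsewhere on the line.
SUSPICIOUS_URI_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Constructed W3C extended IIS log excerpt (not real traffic). The second POST
# is a failed attempt (401) from a client whose address contains "200".
SAMPLE_IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-09-29 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-29 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.example/powershell?Email=autodiscover/autodiscover.json%3f@contoso.example 443 contoso\alice 198.51.100.7 python-requests/2.28 200
2022-09-29 10:00:02 10.0.0.5 GET /owa/ - 443 contoso\bob 203.0.113.4 Mozilla/5.0 200
2022-09-29 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.example/powershell?Email=autodiscover/autodiscover.json%3f@contoso.example 443 - 198.51.100.200 python-requests/2.28 401
2022-09-29 10:00:04 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 contoso\carol 203.0.113.9 Outlook/16.0 200
"""


@dataclass
class Finding:
    time: str
    client_ip: str
    user: str
    uri: str
    status: int


def parse_w3c(log_text: str) -> Iterator[dict]:
    """Yield one {field: value} dict per request line of a W3C extended IIS log.

    The '#Fields:' directive names the columns. IIS re-emits it when the field
    set changes (e.g. after a service restart), so it is re-read every time it
    appears rather than only once at the top of the file.
    """
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError("request line before any #Fields: directive")
        values = line.split(" ")          # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue                      # truncated line: skip, do not misalign
        yield dict(zip(fields, values))


def hunt(log_text: str) -> list[Finding]:
    """Field-aware hunt: suspicious request URI and sc-status == 200."""
    findings = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        uri = stem if query == "-" else f"{stem}?{query}"
        try:
            status = int(rec.get("sc-status", ""))
        except ValueError:
            continue
        if status == 200 and SUSPICIOUS_URI_RE.search(uri):
            findings.append(Finding(
                time=f"{rec.get('date', '')} {rec.get('time', '')}",
                client_ip=rec.get("c-ip", "-"),
                user=rec.get("cs-username", "-"),
                uri=uri,
                status=status,
            ))
    return findings


def msrc_raw_hits(log_text: str) -> list[str]:
    """What the published one-liner reports: every raw line its regex matches."""
    return [line for line in log_text.splitlines() if MSRC_HUNT_RE.search(line)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_IIS_LOG):
        print(f"{f.time} {f.client_ip} {f.user} {f.status} {f.uri}")
    print(f"raw-line regex hits: {len(msrc_raw_hits(SAMPLE_IIS_LOG))}, "
          f"field-aware findings: {len(hunt(SAMPLE_IIS_LOG))}")
```

The raw one-liner is the right first move on a server you suspect, but its hits still need the status and client columns read by hand; the failed 401 attempt from the same client is worth following up too, and the cs-username on the successful request is the account whose credentials the attacker held, which the article notes every successful attack requires.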


Fortnite Chapter 4 Season 1: Every Battle Pass Skin Ranked


Redmi Note 12 Pro vs Redmi Note 12 Pro Plus: Comparing their specs and price


Xiaomi is a popular brand in the Indian smartphone market, and it is hyping its new Redmi Note 12 series, which will include the Redmi Note 12 Pro and the Redmi Note 12 Pro Plus. Here is how their specs and prices compare.

The Redmi Note 12 Pro will be powered by the Snapdragon 732G processor, with 6 GB of RAM, 128 GB of storage, a 6.67-inch OLED display, a 50 MP main rear camera, a 16 MP front camera and a 5,000 mAh battery. In India it will support 4G network connectivity.

The expected price of this phone is INR 14,999 in India.

The Redmi Note 12 Pro Plus will be powered by a MediaTek processor, with a 200 MP main rear camera, 8 GB of RAM, 256 GB of storage, a dual-colour LED flash and a 5,000 mAh battery.

The expected price of this phone is INR 25,090 in India.

Comparing specs and price, the Xiaomi Redmi Note 12 Pro Plus comes out ahead. Although it is priced higher than the Note 12 Pro, the larger storage and the stronger camera setup justify the premium.


Be on the lookout for the launch and keep an eye on any introductory offers. Stay connected with us for more tech news and the latest updates in the world of technology and innovation.


WhatsApp starts rolling out 3D avatars


WhatsApp has started rolling out 3D avatars for its users around the globe that can be used as profile photos or custom stickers — months after their debut on Instagram, Facebook and Messenger.

On Wednesday, Meta CEO Mark Zuckerberg wrote on Facebook that avatars are coming to WhatsApp. The announcement follows months of beta testing, first reported by WhatsApp beta tracker WABetaInfo in June.

In a blog post, WhatsApp said that users could use personalized avatars as their profile photo or choose from one of 36 custom stickers reflecting different emotions and actions. Avatar stickers on WhatsApp look similar to Snap’s Bitmoji or Apple’s Memoji stickers.

“Your avatar is a digital version of you that can be created from billions of combinations of diverse hair styles, facial features, and outfits,” the company behind the popular instant messaging app said.


WhatsApp also said that users would get style enhancements including lighting, shading and hair style textures over time.

Users will be able to create their avatars on WhatsApp — once rolled out — by going to the Settings menu. The messaging app will also get a ‘Use Avatar’ option in the profile photo settings to let users make their virtual lookalike as a profile photo, per the details available on an FAQ page.

In 2019, Meta introduced Bitmoji-style 3D avatars to Facebook and Messenger. The initial rollout was limited to markets including Australia, New Zealand, Europe and Canada, though the social networking giant later expanded its presence to the U.S. in 2020. Instagram also received avatars in late January.

WhatsApp confirmed to TechCrunch that, at the moment, you cannot use your WhatsApp’s avatar on Instagram or Facebook, nor can you use your Meta avatar from Instagram or Facebook on WhatsApp. This means that to use an avatar on WhatsApp, you need to create a new avatar within WhatsApp only.
