Two Microsoft Exchange zero-days exploited in the wild. – The CyberWire

Microsoft warns of Exchange Server vulnerabilities.

Late Friday Microsoft disclosed that two zero-days afflicted three versions of its widely used Exchange Server. Redmond’s initial disclosure said:

“Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.  

“Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.

“We are working on an accelerated timeline to release a fix. Until then, we’re providing mitigations and the detections guidance below to help customers protect themselves from these attacks.”

Microsoft’s Security Response Center shared an initial set of mitigations and tools to evaluate the risk, including indicators of compromise, in its “Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server.” Late Sunday the Microsoft Security Response Center added this caution: “We strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization.”

GTSC initially discovered the zero-days (and their exploitation).

In the course of security monitoring and incident response services its SOC team was performing early in August, Hanoi-based GTSC “discovered that a critical infrastructure was being attacked” through its Microsoft Exchange application. They shared their discovery with the Zero Day Initiative and Microsoft, which led to the fixes Redmond released Friday.

GTSC summarized the attackers’ activity as follows: “We recorded attacks to collect information and create a foothold in the victim’s system. The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system. We detected webshells, mostly obfuscated, being dropped to Exchange servers. Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management.” The company provided its customers with temporary containment measures they could use to protect themselves until Microsoft was able to make a patch available.

Who’s responsible for the observed exploitation isn’t clear, but GTSC sees strong circumstantial evidence that the threat actor or actors behind it are Chinese. “We suspect these exploits come from Chinese attack groups, based on the webshell codepage of 936, a Microsoft character encoding for simplified Chinese.”

Sophos points out what those temporary measures might amount to, and sees this as a kind of “silver lining” in the cloud the incident casts over Exchange:

“The bugs can’t be triggered by just anyone.” That is, only an authenticated attacker can initiate them. “Sure, any remote user who has already logged into their email account over the internet, and whose computer is infected by malware, could in theory have their account subverted to launch an attack that exploits these bugs. But just having your Exchange server accessible over the internet is not enough on its own to expose you to attack, because so-called unauthenticated invocation of these bugs is not possible.

“Blocking PowerShell Remoting can limit attacks. According to Microsoft, blocking TCP ports 5985 and 5986 on your Exchange server will limit (if not actually prevent) attackers from chaining from the first vulnerability to the second. Although attacks might be possible without relying on triggering PowerShell commands, intrusion reports so far seem to suggest that PowerShell execution was a necessary part of the attack.”

The zero-days are first cousin to ProxyShell; organizations that found themselves vulnerable to ProxyShell should be especially on their guard.
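
The two interim mitigations quoted above (disabling remote PowerShell for non-admin users, and blocking TCP ports 5985 and 5986) can be audited from the Exchange Management Shell. The script below is an added example, not taken from the article or from Microsoft's guidance; it assumes that members of the "Organization Management" role group are the admins to exempt and that the block is enforced by Windows Firewall on the Exchange server itself.

```powershell
# Added example: audit the interim mitigations on an Exchange server.
# Run in an elevated Exchange Management Shell.
# Assumption: these role groups hold the accounts that keep remote PowerShell.
$adminGroups = @('Organization Management')

# 1. Accounts with remote PowerShell enabled that are not in an exempt group.
#    Note: nested group membership is not expanded here.
$admins = foreach ($g in $adminGroups) {
    Get-RoleGroupMember -Identity $g |
        Select-Object -ExpandProperty DistinguishedName
}
$nonAdminRps = Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true' |
    Where-Object { $admins -notcontains $_.DistinguishedName }

"Non-admin accounts with remote PowerShell enabled: $(@($nonAdminRps).Count)"
$nonAdminRps |
    Select-Object Name, UserPrincipalName, RecipientTypeDetails |
    Format-Table -AutoSize

# Review the list first, then uncomment to disable access for those accounts.
# $nonAdminRps | ForEach-Object {
#     Set-User -Identity $_.DistinguishedName -RemotePowerShellEnabled $false
# }

# 2. Is there an enabled inbound block rule for the PowerShell Remoting ports?
#    Only rules that list the port explicitly are matched; port ranges and
#    blocks enforced on a network firewall are not detected by this check.
$winrmPorts = '5985', '5986'
$blockedPorts = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' } |
    ForEach-Object { $_.LocalPort }

foreach ($port in $winrmPorts) {
    $state = if ($blockedPorts -contains $port) { 'block rule present' } else { 'NO block rule found' }
    "TCP ${port}: $state"
}
```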

CISA adds both issues to its Known Exploited Vulnerabilities Catalog.

Late Friday the US Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2022-41082 and CVE-2022-41040 to its Known Exploited Vulnerabilities Catalog. It characterized CVE-2022-41082 as follows: “Microsoft Exchange Server contains an unspecified vulnerability which allows for authenticated remote code execution. Dubbed “ProxyNotShell,” this vulnerability is chainable with CVE-2022-41040 which allows for the remote code execution.” CVE-2022-41040, a server-side request forgery vulnerability, is described thusly: “Microsoft Exchange Server allows for server-side request forgery. Dubbed “ProxyNotShell,” this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.” In both cases CISA advises organizations to apply the mitigations Microsoft has provided. US Federal executive civilian agencies have until October 21st to take action.

Michael Assraf, CEO & Co-founder of Vicarius, was struck by how quick CISA was to add the two vulnerabilities to its Catalog. “CISA is typically late to the party for many of the KEV additions, but it seems like the invitation was delivered early,” he wrote, and went on to offer his summary of the vulnerabilities and their implications:

“Two zero-days in Microsoft Exchange servers were discovered that, when chained together, can allow remote code execution. However, the advisory states that authenticated access to the servers is necessary in order to exploit. Thus, it is likely attackers will first run a phishing/social engineering campaign to gain authorization. So if you have Exchange servers, it is important to place all of the suggested mitigations in effect from Microsoft’s guidance. But what’s equally, if not more, important is to double down on efforts to recognize and report phishing in your organization.

“The other vulnerability is a command injection flaw in Atlassian Bitbucket reported back in August. A patch is available for this CVE, and a PoC exploit is also circulating out in the wild. As Bitbucket is a code repository, some sensitive intellectual property could be at risk as well as other components connected to the larger Jira/Trello framework. A malicious actor leveraging this kind of attack is most likely after admin-level control so they can sink their teeth further into the network.”

Apple announces Worldwide Developers Conference dates, in-person event – CityNews Toronto

Apple has announced their annual developers conference will take place June 10 through June 14.

The big summer event will be live-streamed, but some select developers have been invited to attend in-person events at Apple’s campus in Cupertino, California, on June 10.

The company typically showcases their latest software and product updates — including the iPhone, iPad, Apple Watch, AppleTV and Vision Pro headset — during a keynote address on the first day.

Contributing to a drop in Apple’s stock price this year is concern it lags behind Microsoft and Google in the push to develop products powered by artificial intelligence technology. While Apple tends to keep its product development close to the vest, CEO Tim Cook signaled at the company’s annual shareholder meeting in February that it has been making big investments in generative AI and plans to disclose more later this year.

The week-long conference will have opportunities for developers to connect with Apple designers and engineers to gain insight into new tools, frameworks and features, according to the company’s announcement.

The Associated Press

iPhone 16 Rumors Point to Action Button and New, Vertical Camera Layout – CNET

The upcoming iPhone 16 and iPhone 16 Pro are still months away from their expected launch this fall, but a new set of images published online may give us a better sense of their potential features. Among the revelations, the iPhone 16 may include an action button, similar to the one on last year’s iPhone 15 Pro, and it may have redesigned cameras in a vertical stack.

AppleInsider published a series of photos it says show dummy 3D prints of the upcoming iPhone 16 and iPhone 16 Pro from an unnamed leaker. Aside from the action button and reworked cameras on the iPhone 16, AppleInsider also said its source found the iPhone 16 Pro to be “slightly larger” than its predecessor. Analysts had earlier said they expect the Pro model screens will grow somewhat.

The new details suggest that a series of expected hardware updates are likely for this year’s new iPhones. Apple typically announces new iPhones around September, and the company tends to offer incremental upgrades to each new phone, introducing, over the period of several years, better cameras, screens and battery life, features that end up seeming like major upgrades when people get around to buying a new phone.

Last year, Apple added a new titanium frame, action button and USB-C charging to its iPhone 15 Pro, which starts at $999. For its entry-level iPhone, Apple followed its well-worn strategy of trickling pro features down to the mainstream, adding the iPhone 14 Pro’s well-received Dynamic Island to the $799 iPhone 15, along with USB-C charging.

AppleInsider didn’t indicate whether its leaker had divined a reason for the iPhone 16’s shifted camera placements, but the two lenses will now reportedly be stacked one on top of the other, instead of diagonally. Apple has previously said it uses stacked lenses on the iPhone 15 Pro for spatial video capture, a key new technology the company highlighted as part of its $3,499 Apple Vision Pro headset, released in February.

Though AppleInsider’s leaks appear to confirm many previous rumors, not all renders and 3D prints are accurate, something the rumor blog notes itself in its report. Apple didn’t immediately respond to a request for comment about the veracity of the leaks.

Leaked iPhone 16 dummy units hint at larger sizes and new buttons

The iPhone 15 Pro Max, with a 6.7-inch screen
(Image credit: Future)

We’re already counting down to the arrival of the iPhone 16 series – most probably sometime in September – and a leak showing dummy units of the upcoming phones has revealed a few of the changes we can expect to see later this year.

These dummy units are usually based on supply chain information, and have various business uses – like helping case manufacturers get their wares ready for new phones before they’re launched, for example. In this case, the images were posted to Chinese social network Weibo, as spotted by MacRumors.

Perhaps the most interesting reveal from these blocks of plastic and metal is that they show the previously rumored increase in size for the iPhone 16 Pro and iPhone 16 Pro Max displays – up to 6.3 inches (from 6.1 inches) and 6.9 inches (from 6.7 inches) respectively.

That’s not a huge jump of course, but it does mean more screen space for apps and media. The bezels are apparently shrinking down to accommodate the larger screens, which means the increase in the physical size of these handsets is only a slight one.

On the button

The next iPhones might look a bit like this, but less blue (Image credit: Weibo)

Further reveals from this leak match up with what we’ve heard before: that all four models are going to get the Action button that replaced the Ring/Silent switch on the 2023 Pro models, as well as a brand-new Capture button for getting more creative with photos.

Also of note is the redesigned rear camera module that we think is coming to the back of the iPhone 16 and iPhone 16 Plus. The new vertical, pill-shaped look has been leaked already, but this is more evidence that it’s on the way – taking us back to a design that’s more reminiscent of the iPhone 12, which came out in 2020.

As always with such rumors, be somewhat cautious about reading too much into the look of these dummy units. That said, as more and more similar leaks pile up, it becomes more likely that they’re based on accurate information.

The next big Apple date for your calendar is WWDC 2024 – its Worldwide Developers Conference starts on June 10, at which time we should hear much more about what’s coming this year with iOS 18 and Apple’s other software platforms.

Freelance Contributor

Dave is a freelance tech journalist who has been writing about gadgets, apps and the web for more than two decades. Based out of Stockport, England, on TechRadar you’ll find him covering news, features and reviews, particularly for phones, tablets and wearables. Working to ensure our breaking news coverage is the best in the business over weekends, David also has bylines at Gizmodo, T3, PopSci and a few other places besides, as well as having spent many years editing the likes of PC Explorer and The Hardware Handbook.
