Hackers now backdoor Microsoft Exchange using ProxyShell exploits - @LawrenceAbrams
bleepingcomputer.com/news/microsoft…
We knew exploits would be coming when we reported about active ProxyShell scans last week.
bleepingcomputer.com/news/microsoft…
Well, it's begun today: threat actors are now actively exploiting Microsoft Exchange servers with the ProxyShell vulnerability to drop webshells and backdoors.
First spotted by @GossiTheDog, @buffaloverflow, and @bad_packets, threat actors are chaining together vulnerabilities discovered by @orange_8361 (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) in an RCE attack known as ProxyShell.
Initial scans for vulnerable devices are targeting Microsoft Exchange's AutoDiscover service.

Note: the email address does not need to be valid, and it changes between threat actors.
The attacks are currently dropping webshells that are being used by threat actors to upload various executables and other webshells.

@buffaloverflow told us that one attack is creating a scheduled task that launches a .NET backdoor that is currently pulling down a benign payload.
For those familiar with March's ProxyLogon attacks, the webshells look similar (but not exactly the same) to the China Chopper shells used in that campaign.
bleepingcomputer.com/news/security/…
As more servers are compromised, it is expected that the threat actors will replace the current payload with a malicious one.
Bad Packets (@bad_packets) said that they have seen scans from 3.15.221.32 and 194.147.142.0/24 located in the USA, Iran, and the Netherlands.
To check if your Exchange server is being scanned for ProxyShell, you can use this Azure Sentinel query shared by @GossiTheDog.

W3CIISLog
| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "PowerShell"
| where csMethod == "POST"
If you manage an Exchange server and have not installed April cumulative updates or later, get to it or you will likely be targeted.
Forgot to add that files initially uploaded via the ProxyShell exploit will be a minimum of 265 KB.

This is due to the ProxyShell exploit abusing the Mailbox Export function of Exchange PowerShell.

PSTs have a minimum size of 265 KB.

Thx to @testanull for the info!
