Share this page!

Volexity Profile picture
Twitter logo
Oct 5 8 tweets 5 min read
A recent post by Vietnamese cybersecurity company GTSC detailed findings from a #MicrosoftExchange breach that stemmed from CVE-2022-41040 and CVE-2022-41082. @Volexity ties this to a CN threat actor it tracks that targets organizations using #OWA and #Zimbra.
#volexintel 1/7
Specifically the post highlights IP 206.188.196.77, which hosted the domain rkn-redirect[.]net. @Volexity previously identified this domain as a phishing domain targeting #OWA users. Note some subdomains offer clues about the likely targeting.
2/7
.@Volexity has linked the rkn-redirect[.]net domain to several others through domain registration patterns & banner data patterns.
3/7
Examples of domains @Volexity has linked to rkn-redirect[.]net include:
•tr-redirect[.]net
•webmail.sanayi[.]gov.tr-redirect[.]net (imitates Turkish Ministry of Industry and Technology)
•mail.ticaret[.]gov.tr-redirect[.]net (imitates Turkish Ministry of Trade)
4/7
Pivoting further, this infrastructure can be linked to exploitation of a #Zimbra #vulnerability @Volexity discovered late last year that allows email theft from #Zimbra users by exploiting CVE-2022-24682. Specifically, the following file: virustotal.com/gui/file/100f5…
5/7
This is a particularly unusual case. Like the #Zimbra “mail theft” code, the attacker used an almost 1:1 copy of example marked-up code previously shared by @Volexity relating to exploitation of CVE-2022-24682.
6/7
In summary, @Volexity links at least some of the recent #MicrosoftExchange exploitation activity described by GTSC to a known CN attacker conducting various webmail attacks against organizations in Asia for the past 12 months.
7/7
UPDATE: Working with different partners, Volexity no longer links the Exchange 0day to the threat actor described in this thread. Two different threat actors used the same infra (206.188.196.77) in close proximity but the two events should not be linked to the same group.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Volexity

Volexity Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

Email the whole thread instead of just a link!

Separate emails with commas

:(