Unpatched Zero-Day vulnerabilities in Microsoft Exchange Server
There are two zero-day vulnerabilities in on-premises Microsoft Exchange Servers:
- CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability.
- CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker.
The vulnerabilities require an attacker to have authenticated network access to the server for a successful exploit. The attacks appear to be a variant of the “ProxyShell” exploits seen last year, and as a result the pair is being called “ProxyNotShell”. If an Exchange Server has not been patched, or has been incorrectly patched, against “ProxyShell”, threat actors will have an easy route to exploiting these two vulnerabilities.
Microsoft has stated that customers who use Exchange Online are not affected by these vulnerabilities; however, anyone who runs a hybrid Exchange environment will need to follow the same guidance to mitigate them.
At present there are no patches available for the vulnerabilities; however, Microsoft has published a series of mitigations, which are available here. In addition, it is critical to apply security patches to infrastructure to mitigate the threat from older vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its list of known actively exploited vulnerabilities.
norm. is actively monitoring the threat, and for customers who have taken our EDR service and deployed it on their Exchange Servers, the service has detection coverage for post-exploitation activities.
Further reading can be found here:
Business Email Compromise attacks on the rise
The second quarter of 2022 has seen a significant rise in Business Email Compromise (BEC) attacks, with multiple security firms reporting an increase. This has been attributed to the ease of performing these attacks compared with host-based compromises, along with misconfigured systems that do not enforce MFA.
Two firms, Abnormal and Arctic Wolf, have recorded increases in BEC attacks of 84% (since H1 2021) and 99% (Q2 2022 compared with Q1 2022) respectively.
norm. has recorded a 120% increase in BEC CSIRT engagements for 2022 so far, compared with 2021.
Further reading can be found here:
US security agencies release report outlining how threat actors compromise OT devices
The NSA and CISA have released a new report that outlines the steps owners of operational technology (OT) can take to secure their infrastructure, and the common steps that threat actors take to compromise these devices.
The five key mitigations they have identified are:
- Limit exposure of system information, as this will disrupt the intelligence gathering by threat actors utilised in
- Identify and secure remote access points; this reduces the available attack surface.
- Restrict tools and scripts, allow-listing only specific users to run specific tools for legitimate tasks.
- Conduct regular security audits, specifically of third-party vendor access points and systems.
- Implement a dynamic network environment to limit the ability of threat actors to gain persistent knowledge of an estate.
norm. recommends that any customers operating OT devices read the report to help them understand the threats faced when operating devices in an unsecured fashion. Please contact us to discuss how we can further assist in implementing these controls across your estate.
Atlassian Bitbucket Server and Data Center critical vulnerability actively exploited
In August Atlassian published an advisory for Bitbucket Server and Data Center covering vulnerability CVE-2022-36804. The advisory described a critical command injection vulnerability that allows an attacker with access to a public repository, or with read permissions to a private repository, to execute arbitrary code by sending a malicious HTTP request. The vulnerability was given a CVSS score of 9.8 and is easily exploitable. The affected versions are:
- Bitbucket Server and Data Center 7.6 prior to 7.6.17
- Bitbucket Server and Data Center 7.17 prior to 7.17.10
- Bitbucket Server and Data Center 7.21 prior to 7.21.4
- Bitbucket Server and Data Center 8.0 prior to 8.0.3
- Bitbucket Server and Data Center 8.1 prior to 8.1.3
- Bitbucket Server and Data Center 8.2 prior to 8.2.2
- Bitbucket Server and Data Center 8.3 prior to 8.3.1
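The version list above is the kind of thing that gets mis-read under pressure (a 7.19.x install is on none of the listed branches, and "8.0" with no patch level is below 8.0.3). The following is an added example, not Atlassian's or norm.'s code, that transcribes the bulletin's ranges into a small checker; the `/rest/api/1.0/application-properties` response shape and the hostnames are assumptions, and the sample inventory is constructed.

```python
"""Check Bitbucket Server / Data Center version strings against the affected
ranges listed in this bulletin for CVE-2022-36804.

Added example; not Atlassian's or norm.'s code. FIXED_BY transcribes the
bulletin's list, so a version on a branch the bulletin does not name
(for example 7.19.x) is reported as "unlisted" rather than guessed at and
should be checked against Atlassian's own advisory.
"""
import json
import re
from typing import Dict, Tuple

# (major, minor) -> first patch level that carries the fix, per the bulletin.
FIXED_BY: Dict[Tuple[int, int], int] = {
    (7, 6): 17,
    (7, 17): 10,
    (7, 21): 4,
    (8, 0): 3,
    (8, 1): 3,
    (8, 2): 2,
    (8, 3): 1,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a tuple; a missing patch counts as 0.

    Raises ValueError for anything that is not a plain dotted version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one version string."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_BY.get((major, minor))
    if fixed_patch is None:
        return "unlisted"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def version_from_application_properties(body: str) -> str:
    """Extract the 'version' field from the JSON body of Bitbucket's
    /rest/api/1.0/application-properties endpoint (assumed shape; the
    sample body used below is constructed, not captured from a server).
    """
    return json.loads(body)["version"]


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames are placeholders.
    sample = {
        "git-01.example": "7.21.3",
        "git-02.example": "8.3.1",
        "git-03.example": "7.19.2",
        "git-04.example": version_from_application_properties(
            '{"version": "8.0.2", "buildNumber": "0", "displayName": "Bitbucket"}'
        ),
    }
    for host, status in assess_inventory(sample).items():
        print(f"{host}: {sample[host]} -> {status}")
```

Treat "unlisted" as "go and read the advisory", not as "safe": the bulletin only reproduces the branches that received a fix release, and the checker deliberately refuses to infer anything about branches it was not given.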
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added the vulnerability to its list of known actively exploited vulnerabilities.
If customers are running Bitbucket Server or Data Center and have not already patched, it is now imperative that a patch is applied, as the risk of compromise is high.
Microsoft SQL Servers being targeted by new malware: Maggie
A new piece of malware has been discovered that is designed specifically to attack Microsoft SQL Servers. At present several details are unknown, such as the post-infection usage of Maggie, how the malware is initially installed, and any association with a known threat actor.
The malware disguises itself as an “Extended Stored Procedure”, a mechanism designed to add functionality to an MSSQL server that can be called from SQL queries. Once installed, “Maggie” offers several commands to query system information, interact with files and folders, execute programs, run a SOCKS5 proxy server, or set up port forwarding, allowing “Maggie” to act as a bridgehead into the server’s network environment.
At present the malware is most commonly seen within the APAC region but has been seen across the globe.
norm. is actively monitoring this threat as it evolves and more information becomes available. A list of IOCs has been provided, and we are loading them into our security tooling to provide detection for the presence of this malware.
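Because an extended stored procedure is just a DLL that SQL Server registers in `master`, one hash-independent check is to inventory the registered procedures and review any that are not Microsoft-shipped or that load their DLL from somewhere other than the instance's own directory. The following is an added example, not norm.'s tooling and not a Maggie signature (this page does not reproduce the IOCs); the query it assumes, the `Binn` path, and the sample rows are all assumptions or constructed data.

```python
"""Triage an inventory of SQL Server extended stored procedures (ESPs) for
entries that do not look like Microsoft-shipped components.

Added example for this bulletin; it is not norm.'s tooling and does not
encode Maggie's IOCs (which this page does not list). Rows are assumed to
come from a query such as

    SELECT name, dll_name, is_ms_shipped, create_date
    FROM master.sys.extended_procedures;

and the two heuristics (not flagged as Microsoft-shipped; DLL referenced by
a full path outside the instance Binn directory) are assumptions about
what "normal" looks like on a given instance, not a detection signature.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class EspRow:
    name: str
    dll_name: str
    is_ms_shipped: bool
    create_date: str  # ISO date, as returned by the query


# Assumed location of the instance's own binaries; adjust per instance.
EXPECTED_BINN_DIR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"

# Constructed sample rows (not captured from a real server).
SAMPLE_ROWS: List[EspRow] = [
    EspRow("xp_cmdshell", "xplog70.dll", True, "2019-09-24"),
    EspRow("xp_dirtree", "xpstar.dll", True, "2019-09-24"),
    EspRow("xp_demo_helper", r"C:\ProgramData\helper\demo.dll", False, "2022-09-28"),
    EspRow("xp_custom_ok", EXPECTED_BINN_DIR + r"\inhouse.dll", False, "2021-01-10"),
]


def _is_outside_binn(dll_name: str, binn_dir: str) -> bool:
    """True when dll_name is an absolute Windows path that is not under binn_dir.

    A bare file name (how Microsoft's own ESPs are registered) is resolved by
    the server from its own directories, so it is not treated as suspicious.
    """
    is_absolute = (len(dll_name) > 2 and dll_name[1] == ":") or dll_name.startswith("\\\\")
    if not is_absolute:
        return False
    prefix = binn_dir.lower().rstrip("\\") + "\\"
    return not dll_name.lower().startswith(prefix)


def triage(rows: List[EspRow], binn_dir: str = EXPECTED_BINN_DIR) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for every ESP that trips at least one heuristic,
    most reasons first so that the review list is prioritised."""
    findings: List[Tuple[str, List[str]]] = []
    for row in rows:
        reasons = []
        if not row.is_ms_shipped:
            reasons.append("not marked as Microsoft-shipped")
        if _is_outside_binn(row.dll_name, binn_dir):
            reasons.append(f"DLL loaded from outside Binn: {row.dll_name}")
        if reasons:
            findings.append((row.name, reasons))
    findings.sort(key=lambda f: -len(f[1]))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ROWS):
        print(f"{name}: " + "; ".join(reasons))
```

Every non-Microsoft ESP lands on the review list by design; the point of the second heuristic is ordering, so that a DLL dropped under `ProgramData` or a temp directory is looked at before a legitimately registered in-house procedure that lives in `Binn`. Pair the review with the published IOC hashes once they are loaded into tooling, since a location heuristic alone says nothing about what the DLL does.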
Maggie ESP DLLs
RAR SFX with Maggie
Norm. tracks and monitors the latest security trends and latest cyber threats and collates these into a fortnightly threat bulletin.