norm. threat bulletin: 11th October 2022


Unpatched Zero-Day vulnerabilities in Microsoft Exchange Server

There are two zero-day vulnerabilities in on-premises Microsoft Exchange Servers:

  • CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability.
  • CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker.

The vulnerabilities do require an attacker to have authenticated network access for a successful exploit. The attacks appear to be a variant of the “ProxyShell” exploits seen last year, and as a result the pair is being called “ProxyNotShell”. If an Exchange Server has not been patched, or has been incorrectly patched, against “ProxyShell”, it will give threat actors an easy way to exploit these two vulnerabilities.

Microsoft has stated that customers who use Exchange Online are not affected by these vulnerabilities; however, anyone who operates a hybrid Exchange environment will need to follow the same guidance to mitigate them.

At present there are no patches available for the vulnerabilities; however, Microsoft has published a series of mitigations that are available here. In addition, it is critical to apply security patches to infrastructure to mitigate the threat from older vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) have added both vulnerabilities to their list of known actively exploited vulnerabilities.

norm. is actively monitoring the threat. For customers who have taken our EDR service and deployed it on their Exchange Servers, the service has detection coverage for post-exploitation activities.

Further reading can be found here:

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

Exchange On-premises Mitigation Tool v2 (EOMTv2)

PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers

Known Exploited Vulnerabilities Catalog

Business Email Compromise attacks on the rise

The second quarter of 2022 has seen a significant rise in Business Email Compromise (BEC) attacks, with multiple security firms reporting an increase. This has been attributed to how easy these attacks are to perform compared with host-based compromises, along with misconfigured systems that don’t enforce MFA.

Two firms, Abnormal and Arctic Wolf, have recorded increases of 84% and 99% respectively in BEC attacks (since H1 2021, and in Q2 2022 compared to Q1 2022).

norm. has recorded a 120% increase in BEC CSIRT engagements for 2022 so far, compared to 2021.

Further reading can be found here:

Cybercriminals See Allure in BEC Attacks Over Ransomware

US security agencies released report outlining how threat actors compromise OT devices

The NSA and CISA have released a new report that outlines the steps owners of operational technology (OT) can take to secure their infrastructure, and the common steps that threat actors take to compromise these devices.

The five key mitigations that they have identified are:

  • Limit exposure of system information; this will disrupt intelligence gathering by threat actors utilised in
  • Identify and secure remote access points; this reduces the available attack surface.
  • Restrict tools and scripts, allowing only whitelisted users to run specific tools for legitimate tasks.
  • Conduct regular security audits, specifically of third-party vendor access points and systems.
  • Implement a dynamic network environment to limit the ability of threat actors to gain persistent knowledge of an estate.

norm. recommends that any customers operating OT devices read the report to help them understand the threats faced when operating devices in an unsecured fashion. Please contact us to discuss how we can assist in implementing these controls across your estate.

Further reading:

NSA, CISA: How Cyber Actors Compromise OT/ICS and How to Defend Against It

Report: Control System Defense: Know the Opponent

Atlassian Bitbucket Server and Data Centre critical vulnerability actively exploited

In August Atlassian published an advisory for Bitbucket Server and Data Centre describing vulnerability CVE-2022-36804. The advisory described a critical command injection vulnerability that allows an attacker with access to a public repository, or with read permissions to a private repository, to execute arbitrary code by sending a malicious HTTP request. The vulnerability was given a CVSS score of 9.8 and is easily exploitable.

Affected products:

  • Bitbucket Server and Data Center 7.6 prior to 7.6.17
  • Bitbucket Server and Data Center 7.17 prior to 7.17.10
  • Bitbucket Server and Data Center 7.21 prior to 7.21.4
  • Bitbucket Server and Data Center 8.0 prior to 8.0.3
  • Bitbucket Server and Data Center 8.1 prior to 8.1.3
  • Bitbucket Server and Data Center 8.2 prior to 8.2.2
  • Bitbucket Server and Data Center 8.3 prior to 8.3.1
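As an added example (not from the bulletin or from Atlassian), the following helper checks a reported Bitbucket Server / Data Center version string against the affected ranges listed above. Feature lines not in the list return None rather than "not affected", so they still need checking against the vendor advisory.

```python
# Added example: map a Bitbucket version string to the CVE-2022-36804
# affected ranges from the bulletin's affected-products list.

# (major, minor) -> first fixed patch level, taken from the list above.
FIXED_PATCH = {
    (7, 6): 17,
    (7, 17): 10,
    (7, 21): 4,
    (8, 0): 3,
    (8, 1): 3,
    (8, 2): 2,
    (8, 3): 1,
}


def parse_version(text):
    """Turn '7.21.3' into (7, 21, 3); a missing patch level counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(text):
    """True if the version is below the fixed patch level for its feature
    line, False if it is at or above it, and None if the feature line is
    not in the bulletin's list (e.g. 8.4), which must not be read as safe."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    for version in ("7.21.3", "7.21.4", "8.0.2", "8.3.1", "8.4.0"):
        print(version, is_affected(version))
```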

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added the vulnerability to its list of known actively exploited vulnerabilities.

If customers are running Bitbucket Server and Data Centre and have not already patched, it is now imperative that a patch is applied as the risk of compromise is high.

Bitbucket Server and Data Center Advisory 2022-08-24

Known Exploited Vulnerabilities Catalog

Microsoft SQL Servers being targeted by new malware: Maggie

There is a new piece of malware designed specifically to attack Microsoft SQL Servers. At present several details are unknown, such as the post-infection usage of Maggie, how the malware is installed in the first place, and any association with a known threat actor.

The malware disguises itself as an “Extended Stored Procedure”, a mechanism designed to offer extended functionality to SQL queries on an MSSQL server. Once installed, “Maggie” offers several commands to query system information, interact with files and folders, execute programs, run a SOCKS5 proxy server, or set up port forwarding, allowing “Maggie” to act as a bridgehead into the server’s network environment.
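Because Maggie registers itself as an extended stored procedure, one defender check is to list the instance's ESPs from the sys.extended_procedures catalog view and flag anything not shipped by Microsoft or loaded from a DLL outside the instance's Binn directory. The helper below is an added example, not from the bulletin or the cited research; the sample rows and the Binn path are constructed for illustration.

```python
# Added example: triage rows returned by the ESP_QUERY below for signs of a
# user-registered extended stored procedure such as the one Maggie installs.
import ntpath  # Windows path rules, so the check runs correctly from any OS

# T-SQL to run on each instance; sys.extended_procedures is a standard
# SQL Server catalog view and dll_name is the registered DLL for each ESP.
ESP_QUERY = """
SELECT name, dll_name, is_ms_shipped, create_date
FROM sys.extended_procedures;
"""


def triage_esps(rows, binn_dir):
    """Return (name, dll, create_date, reasons) for rows worth a closer look.
    Each row is (name, dll_name, is_ms_shipped, create_date). A row is flagged
    if it is not Microsoft-shipped, or if its DLL is an absolute path whose
    directory is not the instance's Binn directory."""
    binn = ntpath.normcase(ntpath.normpath(binn_dir))
    findings = []
    for name, dll, ms_shipped, created in rows:
        reasons = []
        if not ms_shipped:
            reasons.append("not Microsoft-shipped")
        if ntpath.isabs(dll):
            dll_dir = ntpath.normcase(ntpath.normpath(ntpath.dirname(dll)))
            if dll_dir != binn:
                reasons.append("DLL outside Binn")
        if reasons:
            findings.append((name, dll, created, "; ".join(reasons)))
    return findings


# Constructed sample data (hypothetical instance path and ESP rows).
BINN_DIR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"
SAMPLE_ROWS = [
    ("xp_cmdshell", "xplog70.dll", 1, "2022-01-10"),
    ("xp_dirtree", "xpstar.dll", 1, "2022-01-10"),
    ("sp_constructed_esp", r"C:\ProgramData\EXAMPLE_maggie.dll", 0, "2022-09-30"),
]

if __name__ == "__main__":
    for finding in triage_esps(SAMPLE_ROWS, BINN_DIR):
        print(finding)
```

Treat a hit as a lead for the incident responder, not a verdict: legitimate third-party ESPs exist, so confirm the DLL's origin and hash before acting.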

At present the malware is most commonly seen within the APAC region but has been seen across the globe.

norm. is actively monitoring this threat as it evolves and more information becomes available. A list of IOCs has been provided, and we are loading them into our security tooling to detect the presence of this malware.


Further reading:

MSSQL, meet Maggie

Microsoft SQL Servers Infected by the New Malware: Maggie

Hundreds of Microsoft SQL servers backdoored with new malware
