norm. threat bulletin: 11th October 2022

Unpatched Zero-Day vulnerabilities in Microsoft Exchange Server

There are two zero-day vulnerabilities in on-premises Microsoft Exchange Servers:

  • CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability.
  • CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Both vulnerabilities require an attacker to have authenticated network access to the server for a successful exploit. The attacks appear to be a variant of the “ProxyShell” exploits seen last year, and as a result this chain is being called “ProxyNotShell”. An Exchange Server that has not been patched, or has been incorrectly patched, against “ProxyShell” gives threat actors an easy way to exploit these two vulnerabilities.

Microsoft has stated that customers who use Exchange Online are not affected by these vulnerabilities; however, anyone who runs a hybrid Exchange environment will need to follow the same guidance to mitigate them.

At present there are no patches available for these vulnerabilities; however, Microsoft has published a series of mitigations, which are available here. In addition, it is critical to keep infrastructure up to date with security patches to mitigate the threat from older vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its list of known actively exploited vulnerabilities.

norm. is actively monitoring the threat. For customers who have taken our EDR service and deployed it on their Exchange Servers, the service has detection coverage for post-exploitation activities.

Further reading can be found here:

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

Exchange On-premises Mitigation Tool v2 (EOMTv2)

PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers

Known Exploited Vulnerabilities Catalog

Business Email Compromise attacks on the rise

The second quarter of 2022 has seen a significant rise in Business Email Compromise (BEC) attacks, and multiple security firms have reported the increase. It has been attributed to how easy these attacks are to perform compared with host-based compromises, along with misconfigured systems that don’t enforce MFA.

Two firms, Abnormal and Arctic Wolf, have recorded increases in BEC attacks of 84% since H1 2021 and 99% in Q2 2022 compared to Q1 2022, respectively.

norm. has recorded a 120% increase in BEC CSIRT engagements for 2022 so far, compared to 2021.

Further reading can be found here:

Cybercriminals See Allure in BEC Attacks Over Ransomware

US security agencies release a report outlining how threat actors compromise OT devices

The NSA and CISA have released a new report that outlines the steps owners of operational technology (“OT”) can take to secure their infrastructure, and the common steps that threat actors take to compromise these devices.

The 5 key mitigations that they have identified are:

  • Limit exposure of system information, this will disrupt intelligence gathering by threat actors utilised in
  • Identify and secure remote access points; this reduces the available attack surface.
  • Restrict tools and scripts, whitelisting only specific users for the tools they need for legitimate tasks.
  • Conduct regular security audits, specifically of third-party vendor access points and systems.
  • Implement a dynamic network environment to limit the ability of threat actors to gain persistent knowledge of an estate.

norm. recommends that any customers operating OT devices read the report to help them understand the threats faced when operating devices in an unsecured fashion. Please contact us to discuss how we can assist further in implementing these controls across your estate.

Further reading:

NSA, CISA: How Cyber Actors Compromise OT/ICS and How to Defend Against It

Report: Control System Defense: Know the Opponent

Atlassian Bitbucket Server and Data Center critical vulnerability actively exploited

In August, Atlassian published an advisory for Bitbucket Server and Data Center covering CVE-2022-36804, a critical command injection vulnerability that allows an attacker with access to a public repository, or with read permission on a private repository, to execute arbitrary code by sending a malicious HTTP request. The vulnerability was given a CVSS score of 9.8 and is easily exploitable.

Affected products:

  • Bitbucket Server and Data Center 7.6 prior to 7.6.17
  • Bitbucket Server and Data Center 7.17 prior to 7.17.10
  • Bitbucket Server and Data Center 7.21 prior to 7.21.4
  • Bitbucket Server and Data Center 8.0 prior to 8.0.3
  • Bitbucket Server and Data Center 8.1 prior to 8.1.3
  • Bitbucket Server and Data Center 8.2 prior to 8.2.2
  • Bitbucket Server and Data Center 8.3 prior to 8.3.1

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added the vulnerability to its list of known actively exploited vulnerabilities.

If customers are running Bitbucket Server or Data Center and have not already patched, it is now imperative that the patch is applied, as the risk of compromise is high.

Bitbucket Server and Data Center Advisory 2022-08-24

Known Exploited Vulnerabilities Catalog

Microsoft SQL Servers being targeted by new malware: Maggie

A new piece of malware has been designed specifically to attack Microsoft SQL Servers. At present several details are unknown, such as the post-infection usage of Maggie, how the malware is installed in the first place, and any association with a known threat actor.

The malware disguises itself as an “Extended Stored Procedure” (ESP), a mechanism designed to offer extended functionality to SQL queries on an MSSQL server. Once installed, “Maggie” offers several commands to query system information, interact with files and folders, execute programs, run a SOCKS5 proxy server or set up port forwarding, allowing “Maggie” to act as a bridgehead into the server’s network environment.
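As an added hunting example (not from the bulletin or the Maggie write-ups it links to), the T-SQL below lists the extended stored procedures registered on an instance with their backing DLLs, and the non-Microsoft modules loaded into the SQL Server process, so the result can be compared against a known-good baseline. It assumes SQL Server 2005 or later and VIEW SERVER STATE permission.

```sql
USE master;
GO

-- 1. Every user-registered extended stored procedure and the DLL it loads.
--    Maggie is registered as an ESP, so any dll_name that is not in your
--    build baseline deserves a closer look. Built-in ESPs (xp_cmdshell etc.)
--    are system objects and are not returned by sys.extended_procedures.
SELECT
    ep.name        AS esp_name,
    ep.dll_name    AS dll_path,
    ep.create_date,
    ep.modify_date
FROM sys.extended_procedures AS ep
ORDER BY ep.create_date DESC;

-- 2. DLLs currently loaded into the sqlservr.exe process whose version
--    resource does not name Microsoft as the company. An ESP DLL stays
--    loaded after first use until it is released with DBCC <dll> (FREE),
--    so a malicious module can still be present even if the ESP itself
--    was dropped. Expect some benign third-party entries (e.g. AV shims);
--    treat the list as a baseline diff, not a verdict.
SELECT
    m.name,
    m.company,
    m.description,
    m.file_version
FROM sys.dm_os_loaded_modules AS m
WHERE m.company IS NULL
   OR m.company NOT LIKE 'Microsoft%'
ORDER BY m.name;
```

Running both queries on a clean build and storing the output gives the baseline that later runs are compared against.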

At present the malware is most commonly seen within the APAC region but has been seen across the globe.

norm. is actively monitoring this threat as it evolves and more information becomes available. A list of IOCs has been provided, and we are loading them into our security tooling to provide detection for the presence of this malware.

Maggie IOCs

  • Maggie ESP DLLs
  • RAR SFX with Maggie
  • Hardcoded User-Agent: Mozilla/4.0 (compatible)
  • File paths

Further reading:

MSSQL, meet Maggie

Microsoft SQL Servers Infected by the New Malware: Maggie

Hundreds of Microsoft SQL servers backdoored with new malware
