norm. threat bulletin: 23rd November 2022

Norm threat bulletin

World Cup password trend

It has long been recommended that passwords should not expire or rotate unless there is clear evidence of credential breach. Instead, passwords should be long and complex enough to resist common brute force techniques, such as dictionary attacks, complemented by secondary factors of authentication.  

The reasoning for this could not be more clearly illustrated than by a great piece of analysis done by SpecOps. 

As part of their software services, SpecOps maintain a database of more than three billion leaked passwords from confirmed data breaches. Using this datastore, they can draw some intriguing insights into user password choices.   

As the world is gearing up for a controversial 4 weeks of World Cup entertainment, the use of football related passwords has soared according to SpecOps.  

Unfortunately, attackers know this and regularly include topical phrases in their dictionaries. 

The risk of dictionary attacks is best mitigated through length and complexity requirements that ensure that the passwords with topical phrases in them are still too entropic to crack with brute force. Password rotation only enforces this unconscious reliance by having users make these decisions more frequently. 


SpecOps Article:
Passwords this World Cup – Specops Software 

“Soccer tops the related terms list with over 140,000 inclusions” 
“Grzegorz Lato of Poland’s golden generation topped the list appearing over 174,000 times” 

Password Advice:  
Password policy: updating your approach – NCSC.GOV.UK 
NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk ( 

Proof-of-concept exploit code for two actively exploited Microsoft Exchange ProxyNotShell flaws released online

Proof-of-concept exploit code has been released online for two actively exploited vulnerabilities in Microsoft Exchange, known as ProxyNotShell. This week the popular researcher Will Dormann confirmed that the PoC exploit code released by security researcher Janggggg, works against Exchange Server 2016 and 2019, and even against 2013 with some modifications. 

The two vulnerabilities are: 

  • CVE-2022-41040 – Microsoft Exchange Server Elevation of Privilege Vulnerability 
  • CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability 

They impact Exchange Server 2013, 2016, and 2019, where an authenticated attacker can trigger them to elevate privileges to run PowerShell and gain arbitrary or remote code execution on the vulnerable servers. 

Cybersecurity firm GreyNoise confirmed that threat actors are attempting to exploit the flaws since late September. 

Microsoft released a statement with their recommendation to install an update where they addressed both vulnerabilities with the release of their Patch Tuesday updates for November 2022 security updates. This in combination with Vulnerability Patch Management from norm. delivers the aforementioned update, protecting customers from ProxyNotShell attacks. 

Further reading:

Exploit released for actively abused ProxyNotShell Exchange bug

CVE-2022-41040 – Security Vulnerability

CVE-2022-41082 – Security Vulnerability

ProxyNotShell (CVE-2022-41040 / CVE-2022-41082) vulnerability in Microsoft Exchange

Twitter verifications

Twitter has changed its “blue check mark” verification, previously it was a means to distinguish notable account holders such as organisations or celebrities from imposter or parody accounts. Now however, anyone can get a verified account by paying $8 a month for Twitter Blue. This has led to a raft of fraudulent accounts spreading through Twitter impersonating global brands after spending $8 to get verified, which has led to serious ramifications.

Pharmaceutical firm Eli Lilly was subject to a fraudulent account impersonation, on 10th November an account called “@EliLillyandCo” tweeted out a message saying ““We are excited to announce insulin is free now.” This message achieved more then 1,500 retweets and 11,000 likes in just a few hours, this resulted in the share price of Eli Lilly to drop 4.67% causing billions to be lost from the share price.

This is far from the only occurrence of this happening, and with misinformation rife on Twitter at the moment, it is advisable to keep an eye out for imposter accounts and to report them if they are found. For now, there is no obvious solution in sight while changes are occurring at Twitter

Further reading:

A Verifiable Mess: Twitter Users Create Havoc by Impersonating Brands

Eli Lilly issues rare apology as fake Twitter Blue account proclaims free insulin for all

Threat Actor exploits Log4j in VMware Horizon

The Cybersecurity & Infrastructure Security Agency (CISA) conducted an investigation and found that a threat actor had compromised a US Federal Civilian Executive Branch (FCEB) organization over a period of months.

The threat actor had exploited vulnerable versions of VMware Horizon

  • VMware Horizon lower than version 8 2111
  • VMware Horizon lower than version 7.13.1

As a result of the compromise, they were able to install an XMRig crypto mining software, they then shifted laterally into the domain controller, compromising credentials and implanted Ngrok reverse proxies on several hosts to establish persistence in the environment.

CISA are advising anyone who is running an unpatched version of VMware Horizon to assume they have been breached by the threat actor and to begin threat hunting activities after patching the systems.

Should anyone suspect they have been affected by this, and require further assistance in mitigating the situation please contact the norm. Cyber Security Incident Response Team.

Further reading: 

Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester

Log4j2 In The Wild | Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon

9th November 2022 Threat Bulletin

Get norm.’s threat bulletin direct to your inbox

norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: