Cybersecurity News: Microsoft Zero days, Lazarus attacks Dell, NSA employee caught

Microsoft confirms two Exchange Server zero days are being used in cyberattacks

Acting on reports from Vietnamese cybersecurity firm GTSC, Microsoft has confirmed it is now investigating two zero days affecting its Exchange Server software that are being exploited in the wild. GTSC discovered the problems in August and reported them to Trend Micro's Zero Day Initiative, which confirmed the bugs. According to The Record, “one is a server-side request forgery vulnerability designated as CVE-2022-41040, that can allow an attacker with credentials for a user account on the mail server to gain unauthorized levels of access. The second vulnerability, identified as CVE-2022-41082, allows remote code execution similar to the 2021 ProxyShell issues that caused chaos for many companies according to GTSC, although the firm wrote it was not yet comfortable releasing the technical details.”

(The Record)

Lazarus hackers abuse Dell driver bug using new FudModule rootkit

The North Korean Lazarus hacking group has been observed installing a Windows rootkit that “abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver attack.” The rootkit was delivered through a spear-phishing campaign run in the autumn of 2021. Its targets included an aerospace expert in the Netherlands and a political journalist in Belgium, who were emailed fake job offers from Amazon. ESET reports that among the tools deployed in this campaign, the most interesting is a new FudModule rootkit that uses the BYOVD (Bring Your Own Vulnerable Driver) technique to exploit a vulnerability in a Dell hardware driver, the first time this driver has been seen abused in the wild.

(Bleeping Computer)

Ex-NSA employee charged with violating Espionage Act, selling U.S. cyber secrets

The former employee, Jareh Sebastian Dalke, appeared in federal court Thursday on charges that he attempted to transmit classified “national defense information” to an FBI agent he believed was a Russian operative, in exchange for $85,000, according to the Justice Department. He had allegedly told the undercover agent that he had access to information “relating to foreign targeting of U.S. systems and information on cyber operations,” according to the affidavit. Dalke was only employed by the NSA for about three weeks before quitting on July 1, but while there he had a top-secret clearance in his role as an “information systems security designer,” according to the FBI.

(Cyberscoop)

Microsoft to let Office 365 users report Teams phishing messages

An upcoming upgrade to Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) will allow Microsoft Teams users to alert security if they receive suspicious messages. The feature, which is still in development, is intended to let admins filter dangerous messages that carry malicious payloads or that point users to phishing websites. “End users will be able to report suspicious Microsoft Teams messages as a security threat just like they do for emails,” Microsoft explains on the Microsoft 365 roadmap. The feature is expected to be generally available by January.

(Bleeping Computer)

And now thanks to this week’s episode sponsor, Hunters

Hunters is a SaaS platform, purpose built for Security Operation teams. Providing unlimited data ingestion and normalization at a predictable cost, Hunters helps SOC teams mitigate real threats faster and more reliably than SIEM. Visit Hunters.ai to learn more.

BlackCat ransomware gang claims to have hacked US defense contractor NJVC

The ALPHV/BlackCat ransomware gang has announced a breach of the IT firm NJVC, a supplier to the federal government and the United States Department of Defense that supports intelligence, defense, and geospatial organizations. BlackCat added NJVC to its Tor leak site and is threatening to release the allegedly stolen data. The claim is still in some doubt, since the group’s Tor leak site has since removed the listing.

(Security Affairs)

Steganography alert: Backdoor spyware stashed in Microsoft logo

A group called the Witchetty gang has allegedly been concealing spyware in an old Windows logo to attack governments in the Middle East. The gang used steganography to hide a backdoor Windows malware, dubbed Backdoor.Stegmap, inside the bitmap image. “Although rarely used by attackers, if successfully executed, steganography can be leveraged to disguise malicious code in seemingly innocuous-looking image files,” said researchers at Symantec’s Threat Hunter Team last week. They added, “Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service.”

(The Register)

German police identify gang that stole €4 million via phishing attacks

The phishing campaigns, which were conducted between October 2020 and May 2021, involved messages purportedly coming from German banks. A statement released by the Bundeskriminalamt, the Federal Criminal Police Office of Germany, said the e-mails were visually and linguistically believable: they informed recipients of changes in the bank’s security system and asked them to click an embedded link, which redirected them to a landing page that asked for their credentials and TAN (transaction authentication number). One of the accomplices now faces 124 charges of computer fraud.

(Security Affairs)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.