22 Dec / 2022
Cyber Security
Microsoft Exchange Server (On-Premises) 2013, 2016 and 2019 devices that have not applied update KB5019758, released on November 8.
There has been an increase in attacks against On-Prem Exchange Servers that are utilising Microsoft's URL Rewrite mitigations as a defence against CVE-2022-41080 and CVE-2022-41082.
Threat actors are chaining vulnerabilities CVE-2022-41080 and CVE-2022-41082 to infiltrate networks and deploy ransomware.
Attackers are using SSRF vulnerability CVE-2022-41040 to target the backend PowerShell service through Outlook Web Access.
Once the PowerShell service has been reached, vulnerability CVE-2022-41082 is exploited to execute arbitrary commands on the device.
System Administrators are advised to:
Attacker Technique - PowerShell Registry Cradle
Suspicious Process - PowerShell System.Net.Sockets.TcpClient
Suspicious Process - Exchange Server Spawns Process
PowerShell - Obfuscated Script
Webshell - IIS Spawns PowerShell
Attacker Technique - Plink Redirecting RDP
Attacker Technique - Renamed Plink
Suspicious Process - Started From Users Music Directory
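As an added example (not Cythera's or any vendor's rule logic), the following Python expresses four of the detections named above as checks over constructed, Sysmon-style process-creation events; the field names (ProcessId, Image, ParentImage, OriginalFileName, CommandLine) and the matching heuristics are assumptions.

```python
import ntpath
import re

PS = {"powershell.exe", "pwsh.exe"}

def _base(path: str) -> str:
    return ntpath.basename(path).lower()  # lower-cased file name of a Windows path

def iis_spawns_powershell(ev: dict) -> bool:
    # IIS worker process (w3wp.exe, which hosts OWA) starting PowerShell.
    return _base(ev["ParentImage"]) == "w3wp.exe" and _base(ev["Image"]) in PS

def powershell_tcpclient(ev: dict) -> bool:
    # PowerShell opening a raw TCP socket straight from its command line.
    return (_base(ev["Image"]) in PS
            and "system.net.sockets.tcpclient" in ev.get("CommandLine", "").lower())

def started_from_music_dir(ev: dict) -> bool:
    # Anything executing out of C:\Users\<name>\Music\...
    return re.search(r"\\users\\[^\\]+\\music\\", ev["Image"].lower()) is not None

def renamed_plink(ev: dict) -> bool:
    # PE version info says plink.exe but the on-disk file name differs.
    return (ev.get("OriginalFileName", "").lower() == "plink.exe"
            and _base(ev["Image"]) != "plink.exe")

RULES = {
    "Webshell - IIS Spawns PowerShell": iis_spawns_powershell,
    "Suspicious Process - PowerShell System.Net.Sockets.TcpClient": powershell_tcpclient,
    "Suspicious Process - Started From Users Music Directory": started_from_music_dir,
    "Attacker Technique - Renamed Plink": renamed_plink,
}

def triage(events):
    """Return (ProcessId, rule name) pairs for every rule each event trips."""
    return [(ev["ProcessId"], name)
            for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample events with Sysmon-style field names; not from a real host.
SAMPLE_EVENTS = [
    {"ProcessId": 4021, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA", "OriginalFileName": "PowerShell.EXE"},
    {"ProcessId": 4088, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\svc_mail\Music\sys.exe", "CommandLine": "sys.exe",
     "OriginalFileName": "Plink.exe"},
    {"ProcessId": 5100, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags the w3wp-spawned PowerShell once and the renamed plink in the Music directory twice, while the notepad event trips nothing.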
Further information on the vulnerability is available from Microsoft, Rapid7 and CrowdStrike.
Cythera Vulnerability Management Clients are actively being scanned for any vulnerable instances of Microsoft Exchange.