Microsoft Exchange servers are getting hacked via ProxyShell exploits
Threat actors are actively exploiting Microsoft Exchange servers using the ProxyShell vulnerability to install backdoors for later access.
ProxyShell is the name of an attack that uses three chained Microsoft Exchange vulnerabilities to perform unauthenticated, remote code execution.
The three vulnerabilities, listed below, were discovered by Devcore Principal Security Researcher Orange Tsai, who chained them together to take over a Microsoft Exchange server in April’s Pwn2Own 2021 hacking contest.
Last week, Orange Tsai gave a Black Hat talk about recent Microsoft Exchange vulnerabilities he discovered when targeting the Microsoft Exchange Client Access Service (CAS) attack surface.
As part of the talk, Tsai revealed that the ProxyShell exploit abuses Microsoft Exchange’s Autodiscover feature to perform an SSRF attack.
After watching the talk, security researchers PeterJson and Nguyen Jang published more detailed technical information about successfully reproducing the ProxyShell exploit.
Soon after, security researcher Kevin Beaumont began seeing threat actors scan for Microsoft Exchange servers vulnerable to ProxyShell.
Today, Beaumont and NCC Group’s vulnerability researcher Rich Warren disclosed that threat actors have exploited their Microsoft Exchange honeypots using the ProxyShell vulnerability.
[Embedded tweet from Rich Warren]
[Embedded tweet from Kevin Beaumont]
When exploiting Microsoft Exchange, the attackers are using an initial URL like:
Note: The email address listed in the URL does not have to exist, and it changes from one attacker to another.
The exploit is currently dropping a webshell that is 265KB in size to the ‘C:\inetpub\wwwroot\aspnet_client’ folder.
Last week, Jang explained to BleepingComputer that 265KB is the minimum file size that can be created using the ProxyShell exploit, because it abuses the Mailbox Export function of Exchange PowerShell to write the webshell out as a PST file.
From a sample shared by Warren with BleepingComputer, the webshells consist of a simple authentication-protected script that the threat actors can use to upload files to the compromised Microsoft Exchange server.
Warren said the threat actors use the first webshell to upload an additional webshell to a remotely accessible folder and two executables to the ‘C:\Windows\System32’ folder, listed below:
If the two executables can’t be found, another webshell will be created as a randomly named ASPX file in the following folder:
The attackers use the second webshell to launch the ‘createhidetask.exe,’ which creates a scheduled task named ‘PowerManager’ that launches the ‘ApplicationUpdate.exe’ executable at 1 AM every day.
Warren told BleepingComputer that the ApplicationUpdate.exe executable is a custom .NET loader used as a backdoor.
"ApplicationUpdate.exe is the .NET loader which fetches another .NET binary from a remote server (which is currently serving a benign payload)," explained Warren.
While the current payload is benign, it is expected to be swapped out with a malicious payload once enough servers are compromised.
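The artifacts above (the oversized PST-wrapped webshell in aspnet_client, the two executables in System32, the ‘PowerManager’ task and the underlying mailbox export) give an Exchange admin something concrete to hunt for on the box. The following PowerShell hunt is an added example written for this page; it is not code from the article, from Warren or Beaumont, or from any tool they published. It assumes the paths, file size, binary names and task name are exactly as reported above; the broader checks it adds (any .aspx written under wwwroot in the last 14 days, any scheduled task under any name that runs either binary, any mailbox export whose PST target is web-reachable) are this example’s own generalisations, because every one of those specifics is trivial for an attacker to change. Run it in an elevated PowerShell on the Exchange server; step 5 only does anything inside the Exchange Management Shell.

```powershell
# Added example (not from the article or the researchers it quotes): hunt one
# Exchange host for ProxyShell post-exploitation artefacts. Paths, the 265 KB
# size, binary names and the 'PowerManager' task name are as reported; the
# 14-day window, the "any task running these binaries" and the mailbox-export
# checks are assumptions made for this example.

$Report = New-Object System.Collections.Generic.List[string]

# 1. PST-wrapped webshells: the export abuse cannot write anything smaller than
#    ~265 KB, so a server-side script of that size in aspnet_client is a red flag.
$ShellDir = Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client'
if (Test-Path $ShellDir) {
    Get-ChildItem -Path $ShellDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in @('.aspx', '.ashx', '.asmx')) -and ($_.Length -ge 260KB) } |
        ForEach-Object {
            $Report.Add("Webshell-sized script: $($_.FullName) ($([int]($_.Length / 1KB)) KB, written $($_.LastWriteTime))")
        }
}

# 2. The second, randomly named .aspx lands in a web-reachable folder the article
#    does not name; as an approximation, list every .aspx written under wwwroot
#    in the last 14 days (assumed window) for manual review.
$WwwRoot = Join-Path $env:SystemDrive 'inetpub\wwwroot'
if (Test-Path $WwwRoot) {
    Get-ChildItem -Path $WwwRoot -Recurse -File -Filter *.aspx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-14) } |
        ForEach-Object { $Report.Add("Recently written .aspx: $($_.FullName) ($($_.LastWriteTime))") }
}

# 3. Dropped executables in System32, hashed so the values can be shared or checked.
foreach ($Name in 'createhidetask.exe', 'ApplicationUpdate.exe') {
    $Path = Join-Path $env:SystemRoot "System32\$Name"
    if (Test-Path $Path) {
        $Sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        $Report.Add("Dropped executable: $Path SHA256=$Sha256")
    }
}

# 4. Persistence: the 'PowerManager' task, plus any task under any name whose
#    action runs either binary (the task name is the easiest thing to change).
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object {
        $_.TaskName -eq 'PowerManager' -or
        ($_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'ApplicationUpdate\.exe|createhidetask\.exe' })
    } |
    ForEach-Object {
        $Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $Report.Add("Scheduled task $($_.TaskPath)$($_.TaskName) state=$($_.State) actions=[$Actions]")
    }

# 5. Only inside the Exchange Management Shell: a mailbox export whose PST target
#    sits under a web-served path is the mechanism that wrote the first webshell.
if (Get-Command Get-MailboxExportRequest -ErrorAction SilentlyContinue) {
    Get-MailboxExportRequest -ErrorAction SilentlyContinue |
        Get-MailboxExportRequestStatistics -ErrorAction SilentlyContinue |
        Where-Object { $_.FilePath -match '(?i)inetpub|wwwroot|FrontEnd' } |
        ForEach-Object { $Report.Add("Mailbox export to web path: $($_.Name) -> $($_.FilePath) status=$($_.Status)") }
}

if ($Report.Count -eq 0) { 'No ProxyShell post-exploitation indicators found on this host.' }
else { $Report | ForEach-Object { "[IOC] $_" } }
```

A hit from step 1 or step 5 is the strongest signal, because a 265KB ASPX file or a PST exported into wwwroot has no legitimate explanation; steps 2 and 4 will produce benign noise on a busy server and are meant for triage, not for automated alerting.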
Cybersecurity intelligence firm Bad Packets told BleepingComputer that they currently see threat actors scanning for Exchange servers vulnerable to ProxyShell from IP addresses in the USA, Iran, and the Netherlands.
The known addresses are:
Bad Packets also said that the email domains used in the scans have been @abc.com and @1337.com, as shown below.
Now that threat actors are actively exploiting vulnerable Microsoft Exchange servers, Beaumont advises admins to run Azure Sentinel queries to check whether their servers have been scanned.
For those who have not updated their Microsoft Exchange server recently, it is strongly recommended to do so immediately.
As the previous ProxyLogon attacks led to ransomware, malware, and data theft on exposed servers, we will likely see similar attacks using ProxyShell.
Copyright © 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
By redditxxx