Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell

Read Time:2 Minute, 45 Second

FortiGuard Labs is aware of a report that Microsoft Exchange servers are actively being scanned to determine which ones are prone to ProxyShell. ProxyShell is an exploit attack chain involving three Microsoft exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. When used in chain on a vulnerable Microsoft Exchange server, the attack allows the attacker to remotely run malicious code on the targeted system as a result. Microsoft patched all three vulnerabilities as part of Microsoft Patch Tuesday in April and May 2021.When was the Issue Disclosed?Security researcher Orange Tsai presented ProxyShell at the recent BlackHat, DefFon and the Pwn2Own contest.Were CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 Disclosed as Part of the ProxyShell presentation?No, Microsoft disclosed CVE-2021-31207 in May and CVE-2021-34473 and CVE-2021-34523 in July as part of Patch Tuesday.How Significant is ProxyShell?MEDIUM-HIGH. While ProxyShell allows remote code execution on the compromised machine, patches are available for all three vulnerabilities, which lower the severity. According to security researcher Kevin Beaumont in relation to CVE-2021-34473, “about 50% of internet exposed boxes aren’t patched yet,” which somewhat raises severity.What is the Workflow of ProxyShell?In simple workflow, the attacker first exploits CVE-2021-34473 (Microsoft Exchange Server Remote Code Execution Vulnerability) on the vulnerable Microsoft Exchange server to gain Exchange backend access. Then CVE-2021-34523 (Microsoft Exchange Server Elevation of Privilege Vulnerability) is used to gain admin privilege, then CVE-2021-31207 (Microsoft Exchange Server Security Feature Bypass Vulnerability) is used to perform remote code execution.Has Microsoft released a patch for the vulnerabilities?Yes. Microsoft released a patch for CVE-2021-31207 in May.While CVE-2021-34473 and CVE-2021-34523 were disclosed in July 2021, Microsoft released a patch in April 2021 without disclosing them.Has any Malware been Deployed as a Result of the ProxyShell Exploit Attack Chain?FortiGuard Labs is not aware of any malware being deployed to the affected servers. However, earlier in the year, DearCry ransomware was delivered to the machines that were compromised using another Microsoft Exchange server exploit chain “ProxyLogon”. As such, ransomware payload off ProxyShell is always a possibility. FortiGuard Labs is closely monitoring the situation and will update this Threat Signal when actual payload becomes available.What is the Status of Coverage?FortiGuard Labs provides the following IPS coverage against CVE-2021-34473:MS.Exchange.Server.Autodiscover.Remote.Code.ExecutionFortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge or special configuration beforehand. Currently, there is not enough information available for us to develop protection for CVE-2021-31207 and CVE-2021-34523. FortiGuard Labs is closely monitoring the situation and will update this Threat Signal when additional coverage becomes available.Any Other Suggested Mitigation?Disconnect vulnerable Exchange servers from the internet until a patch can be applied.Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.

Read More

Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam

Read Time:2 Minute, 36 Second

FortiGuard Labs is aware of reports that previously unseen ransomware “LockFile” is being distributed using ProxyShell and PetitPotam. The attacker gains a foothold into the victim’s network using ProxyShell, then uses PetitPotam to gain access to the domain controller which then enables them to deploy the LockFile ransomware onto the network.What is The Issue?A new ransomware dubbed LockFile is being distributed using ProxyShell and PetitPotam, which Microsoft recently released fixes for. Proof-of-Concept code for ProxyShell is publicly available as such attacks are getting increasingly popular.How does the Attack Work?The attacker gains a foothold into the victim’s network using ProxyShell, then uses PetitPotam to gain access to the domain controller, which then enables the release of the LockFile ransomware onto the network.What is ProxyShell and PetitPotam?ProxyShell is a name for a Microsoft Exchange exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows the attacker to bypass ACL controls, elevate privileges and execute remote code on the compromised system.PetitPotam (CVE-2021-36942) is a NTLM (NT LAN Manager) relay attack that allows the attacker to take control of a Windows domain with the Active Directory Certificate Service (AD CS) running.FortiGuard Labs previously posted Threat Signals on ProxyShell and PetitPotam. See the Appendix for the links to the relevant Threat Signals.Are the Patches Available for ProxyShell and PetitPotam?Three vulnerabilities that consists ProxyShell are already patched as the following: CVE-2021-34473 and CVE-2021-34523: Microsoft released a patch as part of April 2021 MS Tuesday.CVE-2021-31207: Microsoft released a patch as part of May 2021 MS Tuesday.CVE-2021-36942 is dubbed PetitPotam and is patched by Microsoft as part of August 2021 MS Tuesday.Microsoft has also provided mitigation for PetitPotam. See the Appendix for a link to “KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services”.What is LockFile ransomware?LockFile is a previously unseen ransomware that first appeared in late July, 2021.Just like any other ransomware, LockFile encrypts files on the compromised system, asks the victim to access the attacker’s onion site and demands ransom in order to recover the encrypted files.What is the Status of Coverage?FortiGuard Labs have the following AV coverage against the attack:W64/KillProc.M!trW32/Agent.QH!exploitW32/PetitPotam.A!exploitRiskware/KernelDrUtil.ERiskware/KDUFortiGuard Labs have the following IPS coverage against ProxyShell and PetitPotam:MS.Exchange.Server.Autodiscover.Remote.Code.ExecutionMS.Windows.Server.NTLM.Relay.Spoofing (initial action is set to “pass”)FortiEDR detects and blocks Proxyshell attacks out of the box without any prior knowledge or special configuration beforehand. All known network IOC’s are blocked by the FortiGuard WebFiltering Client.Any Other Suggested Mitigation?Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.

Read More

New Threat Actor Leverages ProxyShell Exploit to Serve Ransomware

Read Time:2 Minute, 25 Second

FortiGuard Labs is aware of a report that a new threat actor, “Tortillas,” is leveraging the ProxyShell exploit to deliver ransomware. Based on the traits, the ransomware served by tortillas appears to be a Babuk ransomware variant. ProxyShell consists of three Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) used in a chain that enables the attacker to remotely run malicious code on the targeted system as a result. The security flaws were patched by Microsoft in April and May 2021. Why is this Significant?This is significant because a previously undocumented threat actor “tortillas” is now taking advantage of the Proxyshell exploit chain to deliver a ransomware. While Microsoft released a fix for all three vulnerabilities used in ProxyShell in April and May 2021, more and more threat actors have since adopted ProxyShell in their attacks. In late August of this year, Lockfile ransomware was delivered through the ProxyShell and PetitPotam vulnerabilities. In September, the Conti ransomware gang reportedly added ProxyShell to their modus operandi.FortiGuard Labs previously released two Threat Signals associated with ProxyShell. See the Appendix for a link to “Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell” and “Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam.”What is the Ransomware that is Deployed by Tortillas in this Attack?The deployed ransomware appears to be a Babuk ransomware variant based on traits. For example, this particular ransomware adds .babyk file extension, typical of Babuk ransomware, to the files it encrypts. FortiGuard Labs also observed that this malware shares similar mutexes to Babuk.The Babuk variant also steals data as part of a double extortion tactic. Upon encrypting the files and stealing data from the compromised machine, the Babuk variant instructs the victim to pay US $10,000 worth of Monero cryptocurrency to the attacker’s wallet address for file decryption and for not releasing the stolen data to the public.What is the Tortillas Threat Actor?Tortillas appears to be a new threat actor whose activities have not been previously documented. FortiGuard Labs will monitor the threat actor and provide updates if any significant activities are observed.Has Microsoft Released a Patch for ProxyShell?Yes. Microsoft released a patch for CVE-2021-31207 in May. While CVE-2021-34473 and CVE-2021-34523 were disclosed in July 2021, Microsoft released a patch in April 2021 without disclosing them.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage for the Babuk variant sample used in this attack:MSIL/Agent.JBV!trFortiGuard Labs provide the following IPS coverage for this attack:MS.Exchange.Server.Autodiscover.Remote.Code.ExecutionMS.Exchange.MailboxExportRequest.Arbitrary.File.WriteMS.Exchange.Server.Common.Access.Token.Privilege.ElevationFortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge or special configuration beforehand.All known network IOC’s related to this threat are blocked by the FortiGuard WebFiltering Client.

Read More

seamonkey-2.53.14-3.el7

Read Time:23 Second

FEDORA-EPEL-2022-66467c33ea

Packages in this update:

seamonkey-2.53.14-3.el7

Update description:

Some stability fixes.

Update to 2.53.14

Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.

Read More

seamonkey-2.53.14-3.el8

Read Time:23 Second

FEDORA-EPEL-2022-0dc9b5c110

Packages in this update:

seamonkey-2.53.14-3.el8

Update description:

Some stability fixes.

Update to 2.53.14

Note that besides the ordinary builds for the current Fedora and EPEL branches, there is an additional distro-independed build available at https://buc.fedorapeople.org/seamonkey . So if you have friends who use other Linux distro, but that distro does not provide SeaMonkey yet, you can recommend it for them.

Read More