NSA Identifies New Vulnerabilities in Microsoft Exchange Servers

April 14, 2021

In its April update, Microsoft addressed a total of 114 security vulnerabilities, including one actively exploited zero-day flaw and four remote code execution issues within Exchange Server. Among these vulnerabilities, 19 are classified as Critical, 88 as Important, and one as Moderate. Notably, CVE-2021-28310 is a privilege escalation vulnerability within Win32k, currently under active exploitation, allowing attackers to execute malicious code and gain elevated privileges on affected systems. Cybersecurity firm Kaspersky, which reported the flaw to Microsoft in February, connected the zero-day exploit to the Bitter APT group, known for utilizing a similar vulnerability (CVE-2021-1732) in attacks last year. “This is an escalation of privilege (EoP) exploit likely used in conjunction with other browser exploits to bypass sandboxes or obtain system privileges for further access,” explained Kaspersky researcher Boris Larin.

NSA Uncovers New Vulnerabilities Impacting Microsoft Exchange Servers

April 14, 2021

In a recent wave of updates, Microsoft addressed a total of 114 security vulnerabilities, prominent among them being a zero-day exploit and multiple remote code execution issues affecting Microsoft Exchange Servers. This April patch release is significant, as it reveals critical weaknesses that malicious actors could leverage. Of the identified vulnerabilities, 19 are classified as Critical, 88 as Important, and one as Moderate in severity.

Central to the list is CVE-2021-28310, a privilege escalation flaw within the Win32k component. Reports suggest this vulnerability is currently being actively exploited, granting attackers the ability to elevate their privileges by executing malicious code on affected systems. Kaspersky, a leading cybersecurity firm that identified this flaw earlier this year, has indicated a connection to a threat actor known as Bitter APT. This group previously exploited a similar vulnerability, CVE-2021-1732, in targeted attacks late last year.

The Bitter APT group’s operations serve as a reminder of the evolving threats facing organizations that utilize Microsoft Exchange Servers. Kaspersky researcher Boris Larin indicates that the escalating privilege exploit may be employed in conjunction with other vulnerabilities, particularly browser exploits, to escape sandbox environments and gain system-level access. This critical step not only highlights the potential for unauthorized system access but also raises concerns about the implications for sensitive data and operational integrity.

Targets of these vulnerabilities predominantly include businesses and organizations relying on Microsoft Exchange for email and communication, signifying the potential for widespread disruption. The primary focus of these attacks appears to center around entities in the United States, reflecting a broader trend of cyber threats aimed at compromising organizational security within this region.

From the perspective of the MITRE ATT&CK framework, various adversary tactics could apply to these incidents. Notably, initial access techniques may be used to infiltrate systems, followed by persistence mechanisms to maintain footholds within compromised environments. Furthermore, the privilege escalation techniques are crucial to advancing attackers’ capabilities, allowing them to exert greater control over the target systems.

As organizations navigate the complex landscape of cybersecurity threats, the latest findings from the NSA and Microsoft underscore the imperative for stringent security measures. Continuous monitoring, timely patch management, and a robust incident response strategy are vital components in mitigating the risks associated with these vulnerabilities. With the ever-evolving nature of cyber threats, business owners must remain vigilant and proactive in safeguarding their digital assets against potential exploitation.

Source link

Related Posts

Urgent: Critical RCE Vulnerability Discovered in F5 Big-IP Platform—Immediate Patching Required!

On March 11, 2021, F5 Networks issued an advisory highlighting four severe vulnerabilities across various products that could lead to denial of service (DoS) attacks and unauthenticated remote code execution on affected networks. The advisory addresses a total of seven related flaws (CVE-2021-22986 through CVE-2021-22992), including two identified by Felix Wilhelm of Google Project Zero in December 2020. The four critical vulnerabilities impact BIG-IP versions 11.6, 12.x, and newer, with a notable pre-auth remote code execution issue (CVE-2021-22986) also affecting BIG-IQ versions 6.x and 7.x. F5 has stated that it is not currently aware of any public exploitation of these vulnerabilities. If successfully exploited, these flaws could lead to complete system compromise, enabling remote code execution and potential buffer overflow, resulting in DoS conditions. Customers are strongly urged to apply updates immediately.

Released ProxyLogon Exploit PoC: A Potential Catalyst for Increased Cyber Attacks

March 11, 2021

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory on Wednesday, highlighting ongoing exploitation of vulnerabilities in Microsoft Exchange on-premises products by both nation-state actors and cybercriminals. “CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal sensitive information, encrypt data for ransom, or conduct destructive attacks,” the agencies stated. They also noted that compromised networks might be sold on the dark web. Recent attacks have mainly targeted local governments, academic institutions, NGOs, and businesses across various sectors such as agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceuticals—consistent with previous activities linked to Chinese cyber threats. Tens of thousands of entities, including the Eur…

Vulnerabilities in Two Major WordPress Plugins Impact Over 7 Million Sites

On March 18, 2021, researchers revealed security flaws in several WordPress plugins, which, if exploited, could enable attackers to execute arbitrary code and potentially take control of affected websites. The vulnerabilities were found in Elementor, a widely-used website builder plugin installed on more than seven million sites, and WP Super Cache, a popular tool for serving cached pages on WordPress. According to Wordfence, which identified the weaknesses in Elementor, the issue involves a series of stored cross-site scripting (XSS) vulnerabilities (CVSS score: 6.4). This occurs when malicious scripts are injected directly into a vulnerable web application. Specifically, the lack of server-side validation for HTML tags allows an attacker to inject executable JavaScript into posts or pages through crafted requests. “Since posts created by contributors are usually reviewed by editors or administrators before publication, any JavaScript added to one of the…

Urgent: High-Severity RCE Vulnerability Discovered in Apache OFBiz ERP Software – Immediate Patch Required

On March 22, 2021, the Apache Software Foundation disclosed a critical vulnerability in Apache OFBiz that poses a significant risk. Tracked as CVE-2021-26295, this flaw allows unauthenticated attackers to potentially take remote control of the open-source enterprise resource planning (ERP) system. It impacts all versions prior to 17.12.06 and involves an “unsafe deserialization” vulnerability that enables remote code execution on susceptible servers.

Apache OFBiz is a Java-based web framework designed for automating various enterprise processes, including accounting, customer relationship management, manufacturing, order management, supply chain fulfillment, and warehouse management. By exploiting this vulnerability, an attacker can manipulate serialized data to introduce arbitrary code. Once deserialized, this code can lead to unauthorized remote execution. It is crucial for users to implement the necessary patches immediately.