Amazon Prime Day: Big Sales, Big Scams

Malicious actors taking advantage of important events is not a new trend. For example, a large number of tax-related scams pops up every tax season in the US, with threats ranging from simple phishing emails to the use of scare tactics that lead to ransomware. More recently,  Covid-19 has led to a surge in pandemic-related malicious campaigns, mostly arriving via email.

For many people, major online shopping events such as the annual Amazon Prime day — which falls on June 21 this year — presents a unique opportunity to purchase goods at heavily discounted prices. However, shoppers are not the only ones looking to benefit — cybercriminals are also looking to prey on unsuspecting victims via social engineering and other kinds of scams. Amazon Prime has experienced tremendous growth over the past two years. According to estimates, there were 150 million Prime members at the end of the fourth quarter of 2019, a number which grew to 200 million by the first quarter of 2021 — with around 105 million users in the US alone. This makes Amazon Prime customers a particularly lucrative target for malicious actors.

As Amazon Prime day approaches, we’d like to build awareness among the shopping public by showing some of the related scams we’ve observed over the past few months.

Amazon Prime Scams

In 2020, Amazon Prime day, which is usually held in June or July, was postponed to October due to Covid-19. That same month, the Australian Communications and Media Authority (ACMA) issued an alert warning the public that they had been receiving reports of scammers — impersonating Amazon Prime staff — calling their targets, claiming that they owed money to Amazon. They also warned the victim that funds would be taken from their bank account if they did not act immediately. Often, the goal of these scammers is to retrieve Amazon account details and personal data from their victims by asking them to go online and enter the relevant information.

A variation of this scam involves swindlers calling their targets and presenting them with a recorded message, allegedly from Amazon, notifying call recipients of an issue with their order — such as a lost package or an unfulfilled order. The victims would then be invited to either press the number “1” button on their phone or provided a number that they would need to call. As with the first scam, the goals are the same: gaining personal information.

Aside from phone call scams, malicious actors also use tried-and-tested email-based phishing tactics. One method uses fake order invoices with corresponding phony order numbers and even a bogus hotline number, which, once called, will prompt the recipient to enter their personal details.

Another technique involves the scammer notifying an Amazon Prime user of problems with their account: For example, a Twitter post from user VZ NRW – Phishing shows fake Amazon Prime message warning the recipient that their Prime benefits have allegedly been suspended due to a problem with the payment. The message also contains a fake phishing link that the user would have to click to resolve the issue.  

Figure 1. An example of an email scam, coming from “Amazon Prime” complete with a fake order ID and hotline number. Note the suspicious email address used by the sender containing a misspelled “Amazon.”

hotline number. Note the suspicious email address used by the sender containing a misspelled “Amazon.”

Malicious actors will also make use of fake websites and online forms — many of which are painstakingly crafted to match the official sites as much as possible. One phishing website asks users to confirm payment details by filling out certain information. However, despite looking authentic, the page contains plenty of red flags — for example, none of the outbound links actually work, and the forms used in the page requests more data than usual, including personal information that companies typically never ask users to provide.

A precursory search in VirusTotal using the strings “Amazon” and “Prime” reveal over a hundred PDF files, many of which contain movie names (membership in Amazon Prime also makes users eligible for Prime Video). These PDF files are hosted on various cloud services, with the link to these files typically distributed via malicious emails.

Figure 2. VirusTotal results using “Amazon” and “Prime” search strings

Upon opening some of these files, a Captcha button appears, which will activate a malicious redirection chain when clicked.

Figure 3. Captcha button that appears when clicking some of the VirusTotal samples.

While it’s easy to assume that most of these scammers are single individuals or small groups looking for a quick buck, there are certain threat actor groups that use sophisticated social engineering techniques for their campaigns, which includes Amazon users as a primary target.

The Heatstroke phishing campaign

We first encountered the phishing campaign known as Heatstroke back in 2019, noting that the group behind the campaign utilized complex techniques for both researching about and luring in their victims, which were primarily Amazon and Paypal users.

For example, compared to the webpage from the previous section, Heatstroke makes use of a phishing website with multiple working screens and subpages to try and mimic a legitimate website as much as possible. In addition, Heatstroke implements various obfuscation techniques such as forwarding the phishing kit content from another location or changing the landing page to bypass content filters.

Figure 4. Heatstroke’s infection chain, which they have been using since 2019

The threat actor has implemented some improvements over the past two years — such as expanded IP ranges and improvements to user agents and the kit’s “self-defense” mechanisms (coverage of scams, anti-bot, and IP protection services), as well as the addition of an API and kill date, after which the kit won’t work anymore. 

Heatstroke remains active with a well-maintained infrastructure in 2021. The threat actor largely uses the same techniques from the past. However, it might be a case of not fixing what isn’t broken, given how effective the previous campaigns proved to be.

Defending against scams

As exciting as Amazon Prime Day (and other similar shopping extravaganzas like Black Friday and Cyber Monday) is, the public should remain vigilant against potential scams, as cybercriminals are looking to capitalize on these types of events.

The following best practices and recommendations can help individuals avoid these kinds of scams:

  • Most reputable organizations will never ask for sensitive financial information over the phone. If a caller allegedly coming from Amazon or another company asks for strangely specific information such as credit card or bank account numbers, this is an automatic red flag.
  • Be wary of out-of-context emails. If you receive an email referencing an item you did not purchase, then it is highly likely that the email is a phishing attempt. Refrain from downloading attachments or clicking links in suspicious emails, as these can lead to malware infections.
  • Scan emails for typographical or grammatical mistakes. Legitimate emails will always be thoroughly checked and edited before being sent, therefore even small errors are possible signs of a malicious email.
  • Always double check the URL of a website to see if it matches up with the real one. For example, Amazon websites and subpages will always have a dot before “amazon.com” (for example, “support.amazon.com” versus “support-amazon.com”), therefore, even if a website copies the design of the legitimate one, a sketchy URL will often give it away as being malicious. In the same vein, email addresses should be scrutinized to see if they look suspicious or have any unusual elements.
  • Organizations are also encouraged to regularly check the awareness of employees on the latest cyberthreats via Trend Micro Phish Insight, a cloud-based security awareness service that is designed to empower employees to protect themselves and their organization from social engineering-based attacks.

Source :
https://www.trendmicro.com/en_us/research/21/f/amazon-prime-day-big-sales–big-scams.html

Wordfence is now a CVE Numbering Authority (CNA)

Today, we are excited to announce that Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.

WordPress powers over 40% of the World Wide Web in 2021. By becoming a CNA, Wordfence expands our ability to elevate and accelerate WordPress security research. This furthers our goal of helping to protect the community of WordPress site owners and developers, and the millions of website users that access WordPress every day.

What is a CNA?

The acronym CNA stands for CVE Numbering Authority. A CNA is an organization that has the authority to assign CVE IDs to vulnerabilities for a defined scope. As a CNA, Wordfence can assign CVE IDs to WordPress Plugins, Themes, and Core Vulnerabilities.

What is a CVE?

CVE is an international, community-based effort and relies on the community to discover vulnerabilities. The vulnerabilities are discovered then assigned and published to the CVE List. The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog.

What does this mean for Wordfence customers?

As the Wordfence Threat Intelligence team continues to produce groundbreaking WordPress security research, Wordfence can more efficiently assign CVE IDs prior to publicly disclosing any vulnerabilities that our team discovers. This means that a CVE ID will be immediately assigned with every vulnerability we discover rather than waiting for an assignment from an external CNA.

To report a vulnerability, even if there is uncertainty about the responsible disclosure process, proof of concept production, or mitigation review procedures, the Wordfence Threat Intelligence team is available to assist. Our highly credentialed team has expertise and experience in proper security disclosure and can assist in ensuring that adequate remediation of vulnerabilities, no matter the severity, are applied and verified. As the original researcher, you receive the CVE ID and public credit for your discovery. You will also receive thanks from the users and community that you have protected through your responsible disclosure. Please reach out to us and we will be happy to assist.

How to report vulnerabilities to Wordfence for CVE assignment and publication?

To report a vulnerability to Wordfence for a WordPress plugin, WordPress theme, or WordPress core, please reach out to security@wordfence.com with the vulnerability information. Please include the following details:

  • A concise description of the vulnerability.
  • A proof of concept – that is, how the vulnerability could potentially be exploited.
  • What software component in our scope is affected – namely, which plugin or theme is affected, or which part of WordPress core.
  • The version number(s) affected.
  • The name(s) of individuals you would like credited for the discovery – or indicate if you would like to remain anonymous.
  • Any other additional information as appropriate.

The Wordfence Threat Intelligence team will review your findings and report back within 1-3 business days with a CVE ID assignment, or a request for additional information.

Community engagement and outreach at Wordfence has helped accelerate our efforts to secure the global WordPress community. Becoming a CNA has helped further this goal. Our team looks forward to expediting our own research and helping to encourage and enable new researchers to join the growing community of people who discover and responsibly disclose WordPress vulnerabilities. Together we can work towards a safer Web for all.

Source :
https://www.wordfence.com/blog/2021/06/wordfence-is-now-a-cve-numbering-authority-cna/

What is a WordPress Firewall and Do You Need One

The word firewall gives the impression that once installed on your WordPress site nothing will be able to attack it and you don’t need any other security measures applied. This is not true.

A firewall can only act on the WordPress site code level, it can not ever affect lower levels on your server such as blocking IP addresses and ports to your server. 

There is no WordPress plugin that can do that. 

So Why Then Have a WordPress Firewall At All?

Let’s break it down for you.

The WordPress firewall detects and blocks responses from malicious data.

What does that mean?

When data is transferred on your site, such as a user logging in or a blog post or image being displayed, the firewall hides this data from prying, malicious, eyes.

It applies a set of rules for incoming and outgoing traffic in order to protect your website.

It’s similar to an SSL, but an SSL only encrypts the data and then the firewall hides it.

A Firewall Has Several Methods To Protect Your Site

  • FIltering
    • This allows the filtering of traffic so that only legitimate users can access your site based upon rules that you set
  • Proxy
    • A proxy is like a security guard. It is the middleman that stops bad traffic from getting to your site
  • Inspection
    • A firewall allows you to set variables for trusted information. It then inspects all data coming in and if the key elements are not found agreeable in comparison to your set variables it doesn’t allow it through.

These methods are an important part of keeping your site secure. It helps drastically reduce the amount of attacks and malicious code injections that your security service/plugin needs to handle. 

What Are The Recommend Settings For Your Firewall

Most firewall and security plugins have a set standard for recommended settings, but there are a few items that are crucial to the success of its application:

  • Firewall Block Response
    • Specify how the security plugin will respond when the firewall detects malicious data.
  • Firewall White Listing and Ignore Options
    • Specify certain factors that completely bypass all Firewall checking.
    • These options should be used sparingly and with caution since you never want to white list anyone, even yourself, unless you really must.
  • Firewall Blocking Options
    • There are 9 firewall options that determine what data is checked on each page request. Depending on certain incompatibilities with other plugins, you may need to disable certain options to ensure maximum compatibility.
    • These firewall options are:
      • Include cookies
      • Directory traversal
      • WordPres terms
      • Field truncation
      • PHP code
      • Exe file uploads
      • Lead schemas

This might all seem overwhelming, but luckily for you our ShieldFREE and ShieldPRO have all of the above and more inside its robust feature list. It’s fully customizable and easy to use.

Keeping your site up and running is crucial for any business and having a reliable firewall plays a major part in that.

If you have any questions about the firewall or wish to request some features, please drop us a message in the comments section below, or contact us in our support center.

Source :
https://getshieldsecurity.com/blog/what-is-a-wordpress-firewall/

Google Chrome to Help Users Identify Untrusted Extensions Before Installation

Google on Thursday said it’s rolling out new security features to Chrome browser aimed at detecting suspicious downloads and extensions via its Enhanced Safe Browsing feature, which it launched a year ago.

To this end, the search giant said it will now offer additional protections when users attempt to install a new extension from the Chrome Web Store, notifying if it can be considered “trusted.”

Currently, 75% of all add-ons on the platform are compliant, the company pointed out, adding “any extensions built by a developer who follows the Chrome Web Store Developer Program Policies, will be considered trusted by Enhanced Safe Browsing.”

Enhanced Safe Browsing involves sharing real-time data with Google Safe Browsing to proactively safeguard users against dangerous sites. The company also noted that its integration with Safe Browsing’s blocklist API helped improve privacy and security, with the number of malicious extensions disabled by the browser jumping by 81%.

Also coming to Chrome is a new download protection feature that scans downloaded files for malware by using metadata about the downloaded file, alongside giving users the option to send the file to be scanned for a more in depth analysis.

“If you choose to send the file, Chrome will upload it to Google Safe Browsing, which will scan it using its static and dynamic analysis classifiers in real time,” Google said. “After a short wait, if Safe Browsing determines the file is unsafe, Chrome will display a warning.”

Despite the file being labeled as potentially dangerous, users still have the option to open the file without scanning. Should users opt to scan the file, the company said the uploaded files are deleted from Safe Browsing a short time after scanning.

While it didn’t specify the exact timeframe for when this removal would happen, in accordance with Google Chrome Privacy Whitepaper, the company “logs the transferred data in its raw form and retains this data for up to 30 days” for all Safe Browsing requests, after which only anonymized statistics are retained.

The new features are available starting with Chrome 91, the version of the browser that was released on May 26. Users can turn on Enhanced Safe Browsing by visiting Settings > Privacy and security > Security > Enhanced protection.

Source :
https://thehackernews.com/2021/06/google-chrome-to-help-users-identify.html

Hackers Breached Colonial Pipeline Using Compromised VPN Password

The ransomware cartel that masterminded the Colonial Pipeline attack early last month crippled the pipeline operator’s network using a compromised virtual private network (VPN) account password, the latest investigation into the incident has revealed.

The development, which was reported by Bloomberg on Friday, involved gaining an initial foothold into the networks as early as April 29 through the VPN account, which allowed employees to access the company’s networks remotely.

The VPN login — which didn’t have multi-factor protections on — was unused but active at the time of the attack, the report said, adding the password has since been discovered inside a batch of leaked passwords on the dark web, suggesting that an employee of the company may have reused the same password on another account that was previously breached.

It’s, however, unclear how the password was obtained, Charles Carmakal, senior vice president at the cybersecurity firm Mandiant, was quoted as saying to the publication. The FireEye-owned subsidiary is currently assisting Colonial Pipeline with the incident response efforts following a ransomware attack on May 7 that led to the company halting its operations for nearly a week.

DarkSide, the cybercrime syndicate behind the attack, has since disbanded, but not before stealing nearly 100 gigabytes of data from Colonial Pipeline in the act of double extortion, forcing the company to pay a $4.4 million ransom shortly after the hack and avoid disclosure of sensitive information. The gang is estimated to have made away with nearly $90 million during the nine months of its operations.

The Colonial Pipeline incident has also prompted the U.S. Transportation Security Administration to issue a security directive on May 28 requiring pipeline operators to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours, in addition to mandating facilities to submit a vulnerability assessment identifying any gaps in their existing practices within 30 days.

The development comes amid an explosion of ransomware attacks in recent months, including that of Brazilian meat processing company JBS last week by Russia-linked REvil group, underscoring a threat to critical infrastructure and introducing a new point of failure that has had a severe impact on consumer supply chains and day-to-day operations, leading to fuel shortages and delays in emergency health procedures.

As the ransom demands have ballooned drastically, inflating from thousands to millions of dollars, so have the attacks on high-profile victims, with companies in energy, education, healthcare, and food sectors increasingly becoming prime targets, in turn fueling a vicious cycle that enables cybercriminals to seek the largest payouts possible.

The profitable business model of double extortion — i.e., combining data exfiltration and ransomware threats — have also resulted in attackers expanding on the technique to what’s called triple extortion, wherein payments are demanded from customers, partners, and other third-parties related to the initial breach to demand even more money for their crimes.

Worryingly, this trend of paying off criminal actors has also set off mounting concerns that it could establish a dangerous precedent, further emboldening attackers to single out critical infrastructure and put them at risk.

REvil (aka Sodinokibi), for its part, has begun incorporating a new tactic into its ransomware-as-a-service (RaaS) playbook that includes staging distributed denial-of-service (DDoS) attacks and making voice calls to the victim’s business partners and the media, “aimed at applying further pressure on the victim’s company to meet ransom demands within the designated time frame,” researchers from Check Point disclosed last month.

“By combining file encryption, data theft, and DDoS attacks, cybercriminals have essentially hit a ransomware trifecta designed to increase the possibility of payment,” network security firm NetScout said.

The disruptive power of the ransomware pandemic has also set in motion a series of actions, what with the U.S. Federal Bureau of Investigation (FBI) making the longstanding problem a “top priority.” The Justice Department said it’s elevating investigations of ransomware attacks to a similar priority as terrorism, according to a report from Reuters last week.

Stating that the FBI is looking at ways to disrupt the criminal ecosystem that supports the ransomware industry, Director Christopher Wray told the Wall Street Journal that the agency is investigating nearly 100 different types of ransomware, most of them traced backed to Russia, while comparing the national security threat to the challenge posed by the September 11, 2001 terrorist attacks.

Update: In a Senate committee hearing on June 8, Colonial Pipeline CEO Joseph Blount said that the ransomware attack that disrupted gasoline supply in the U.S. started with the attackers exploiting a legacy VPN profile that was not intended to be in use. “We are still trying to determine how the attackers gained the needed credentials to exploit it,” Blunt said in his testimony.

Besides shutting down the legacy VPN profile, Blunt said extra layers of protection have been implemented across the enterprise to bolster its cyber defenses. “But criminal gangs and nation states are always evolving, sharpening their tactics, and working to find new ways to infiltrate the systems of American companies and the American government. These attacks will continue to happen, and critical infrastructure will continue to be a target,” he added.

Source :
https://thehackernews.com/2021/06/hackers-breached-colonial-pipeline.html

New TLS Attack Lets Attackers Launch Cross-Protocol Attacks Against Secure Sites

Researchers have disclosed a new type of attack that exploits misconfigurations in transport layer security (TLS) servers to redirect HTTPS traffic from a victim’s web browser to a different TLS service endpoint located on another IP address to steal sensitive information.

The attacks have been dubbed ALPACA, short for “Application Layer Protocol Confusion – Analyzing and mitigating Cracks in tls Authentication,” by a group of academics from Ruhr University Bochum, Münster University of Applied Sciences, and Paderborn University.

“Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session,” the study said. “This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.”

TLS is a cryptographic protocol underpinning several application layer protocols like HTTPS, SMTP, IMAP, POP3, and FTP to secure communications over a network with the goal of adding a layer of authentication and preserving integrity of exchanged data while in transit.

ALPACA attacks are possible because TLS does not bind a TCP connection to the intended application layer protocol, the researchers elaborated. The failure of TLS to protect the integrity of the TCP connection could therefore be abused to “redirect TLS traffic for the intended TLS service endpoint and protocol to another, substitute TLS service endpoint and protocol.”

Given a client (i.e., web browser) and two application servers (i.e., the intended and substitute), the goal is to trick the substitute server into accepting application data from the client, or vice versa. Since the client uses a specific protocol to open a secure channel with the intended server (say, HTTPS) while the substitute server employs a different application layer protocol (say, FTP) and runs on a separate TCP endpoint, the mix-up culminates in what’s called a cross-protocol attack.

At least three hypothetical cross-protocol attack scenarios have been uncovered, which can be leveraged by an adversary to circumvent TLS protections and target FTP and email servers. The attacks, however, hinge on the prerequisite that the perpetrator can intercept and divert the victim’s traffic at the TCP/IP layer.

Put simply, the attacks take the form of a man-in-the-middle (MitM) scheme wherein the malicious actor entices a victim into opening a website under their control to trigger a cross-origin HTTPS request with a specially crafted FTP payload. This request is then redirected to an FTP server that uses a certificate that’s compatible with that of the website, thus spawning a valid TLS sessionn.

Consequently, the misconfiguration in TLS services can be exploited to exfiltrate authentication cookies or other private data to the FTP server (Upload Attack), retrieve a malicious JavaScript payload from the FTP server in a stored XSS attack (Download Attack), or even execute a reflected XSS in the context of the victim website (Reflection Attack).

All TLS servers that have compatible certificates with other TLS services are expected to be affected. In an experimental setup, the researchers found that at least 1.4 million web servers were vulnerable to cross-protocol attacks, with 114,197 of the servers considered prone to attacks using an exploitable SMTP, IMAP, POP3, or FTP server with a trusted and compatible certificate.

To counter cross-protocol attacks, the researchers propose utilizing Application Layer Protocol Negotiation (ALPN) and Server Name Indication (SNI) extensions to TLS that can be used by a client to let the server know about the intended protocol to be used over a secure connection and the hostname it’s attempting to connect to at the start of the handshake process.

The findings are expected to be presented at Black Hat USA 2021 and at USENIX Security Symposium 2021. Additional artifacts relevant to the ALPACA attack can be accessed via GitHub here.

Source :
https://thehackernews.com/2021/06/new-tls-attack-lets-attackers-launch.html

What We Know About the DarkSide Ransomware and the US Pipeline Attack

Updated May 17, 2021, 3:25 a.m. Eastern Time: This article has been updated to add references to the DarkSide victim data.

On May 7, a ransomware attack forced Colonial Pipeline, a company responsible for nearly half the fuel supply for the US East Coast, to proactively shut down operations. Stores of gasoline, diesel, home heating oil, jet fuel, and military supplies had been so heavily affected that the Federal Motor Carrier Safety Administration (FMCSA) declared a state of emergency in 18 states to help with the shortages.

It has been five days since the shutdown prompted by the attack, but Colonial Pipeline is still unable to resume full operations. Outages have already started affecting motorists. In metro Atlanta, 30% of gas stations are without gasoline, and other cities are reporting similar numbers. To keep supplies intact for essential services, the US government has issued advisories against hoarding

The FBI has confirmed that DarkSide, a cybercriminal group believed to have originated in Eastern Europe, is behind the attack. The ransomware used by the group is a relatively new family that was first spotted in August 2020, but the group draws on experience from previous financially successful cybercrime enterprises.

Apart from locking Colonial Pipeline’s computer systems, DarkSide also stole over 100 GB of corporate data. This data theft is all the more relevant in light of the fact that the group has a history of doubly extorting its victims — not only asking for money to unlock the affected computers and demanding payment for the captured data, but also threatening to leak the stolen data if the victims do not pay. As we will cover later, DarkSide shows a level of innovation that sets it apart from its competition, being one of the first to offer what we call “quadruple extortion services.”

The group announced on May 12 that it had three more victims: a construction company based in Scotland, a renewable energy product reseller in Brazil, and a technology services reseller in the US. The DarkSide actors claimed to have stolen a total of 1.9 GB of data from these companies, including sensitive information such as client data, financial data, employee passports, and contracts.   

Since Darkside is a ransomware-as-a-service (RaaS), it is possible that three different affiliate groups are behind these three attacks. Even the DarkSide actors themselves admit that they just buy access to company networks — they have no idea how access was acquired.

Trend Micro Research found dozens of DarkSide ransomware samples in the wild and investigated how the ransomware group operates and what organizations it typically targets. 

The DarkSide ransomware

DarkSide offers its RaaS to affiliates for a percentage of the profits. The group presents a prime example of modern ransomware, operating with a more advanced business model. Modern ransomware identifies high-value targets and involves more precise monetization of compromised assets (with double extortion as an example). Modern ransomware attacks are also typically done by several groups who collaborate and split profits. These attacks may look more like advanced persistent threat (APT) attacks than traditional ransomware events.  

Here is a short timeline of DarkSide activity compiled from publicly available reports:

  •  August 2020: DarkSide introduces its ransomware.
  • October 2020: DarkSide donates US$20,000 stolen from victims to charity.
  • November 2020: DarkSide establishes its RaaS model. The group invites other criminals to use its service. A DarkSide data leak site is later discovered.
  • November 2020: DarkSide launches its content delivery network (CDN) for storing and delivering compromised data.
  • December 2020: A DarkSide actor invites media outlets and data recovery organizations to follow the group’s press center on the public leak site.
  • March 2021: DarkSide releases version 2.0 of its ransomware with several updates.
  • May 2021: DarkSide launches the Colonial Pipeline attack. After the attack, Darkside announces it is apolitical and will start vetting its targets (possibly to avoid raising attention to future attacks).

Initial access

In our analysis of DarkSide samples, we saw that phishing, remote desktop protocol (RDP) abuse, and exploiting known vulnerabilities are the tactics used by the group to gain initial access. The group also uses common, legitimate tools throughout the attack process to remain undetected and obfuscate its attack. 

Throughout the reconnaissance and gaining-entry phases, we saw these legitimate tools used for specific purposes:

  • PowerShell: for reconnaissance and persistence
  • Metasploit Framework: for reconnaissance
  • Mimikatz: for reconnaissance
  • BloodHound: for reconnaissance
  • Cobalt Strike: for installation

For modern ransomware like DarkSide, gaining initial access no longer immediately leads to ransomware being dropped. There are now several steps in between that are manually executed by an attacker.

Lateral movement and privilege escalation

Lateral movement is a key discovery phase in the modern ransomware process. In general, the goal is to identify all critical data within the victim organization, including the target files and locations for the upcoming exfiltration and encryption steps.

In the case of DarkSide, we confirmed reports that the goal of lateral movement is to gain Domain Controller (DC) or Active Directory access, which will be used to steal credentials, escalate privileges, and acquire other valuable assets for data exfiltration. The group then continues its lateral movement through the system, eventually using the DC network share to deploy the ransomware to connected machines. Some of the known lateral movement methods deployed by DarkSide use PSExec and RDP. But as we previously noted, a modern ransomware group behaves with methods more commonly associated with APT groups — it adapts its tooling and methods to the victim’s network defenses.

Exfiltration

As is common practice with double extortion ransomware, critical files are exfiltrated prior to the ransomware being launched. This is the riskiest step so far in the ransomware execution process, as data exfiltration is more likely to be noticed by the victim organization’s security team. It is the last step before the ransomware is dropped, and the attack often speeds up at this point to complete the process before it is stopped.

For exfiltration, we saw the following tools being used:

  • 7-Zip: a utility used for archiving files in preparation for exfiltration
  • Rclone and Mega client: tools used for exfiltrating files to cloud storage
  • PuTTy: an alternative application used for network file transfer

DarkSide uses several Tor-based leak sites to host stolen data. The file-sharing services used by the group for data exfiltration include Mega and PrivatLab.

Execution and impact

The execution of the actual ransomware occurs next. The DarkSide ransomware shares many similarities with REvil in this step of the process, including the structure of ransom notes and the use of PowerShell to execute a command that deletes shadow copies from the network. It also uses the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.

In addition to PowerShell, which is used to install and operate the malware itself, the group reportedly uses Certutil and Bitsadmin to download the ransomware. It uses two encryption methods, depending on whether the target operating system is Windows or Linux: A ChaCha20 stream cipher with RSA-4096 is used on Linux, and Salsa20 with RSA-1024 is used on Windows.

The following figure shows a sample ransom note from DarkSide.

Figure 1. A Darkside ransom note

It is interesting to note that DarkSide’s ransom note is similar to that of Babuk, which might indicate that these two families share a link.

DarkSide ransomware targets

Based on the group’s Tor leak sites, DarkSide determines whether to pursue targeting a potential victim organization by primarily looking at that organization’s financial records. It also uses this information to determine the amount of ransom to demand, with a typical ransom demand amounting to anywhere between US$200,000 and US$2 million.

Reports say that, based on the leak sites, there are at least 90 victims affected by DarkSide. In total, more than 2 TB of stolen data is currently being hosted on DarkSide sites, and 100% of victims’ stolen files are leaked.

The actors behind Darkside have stated that they avoid targeting companies in certain industries, including healthcare, education, the public sector, and the nonprofit sector. Organizations in manufacturing, finance, and critical infrastructure have been identified in Trend Micro data as targets.

Based on Trend Micro data, the US is by far DarkSide’s most targeted country, at more than 500 detections, followed by France, Belgium, and Canada. As previously mentioned, DarkSide avoids victimizing companies in CIS countries. Part of the ransomware execution code checks for the geolocation of potential victims to avoid companies in these countries, although the group would likely be aware of the location of a target organization long before the ransomware is executed. That the group admittedly spares companies in CIS countries could be a clue to where DarkSide actors are residing. It is possible that they do this to avoid law enforcement action from these countries, since the governments of some of these countries do not persecute criminal acts such as DarkSide’s if they are done on foreign targets.

After the Colonial Pipeline attack, DarkSide released a statement on one of its leak sites clarifying that the group did not wish to create problems for society and that its goal was simply to make money. There is no way to verify this statement, but we know that the group is still quite active. As previously mentioned, DarkSide actors announced that they had stolen data from three more victims since the Colonial Pipeline attack.

MITRE ATT&CK tactics and techniques

The following are the MITRE ATT&CK tactics and techniques associated with DarkSide.

Conclusion

Ransomware is an old but persistently evolving threat. As demonstrated by the recent activities of DarkSide, modern ransomware has changed in many aspects: bigger targets, more advanced extortion techniques, and farther-reaching consequences beyond the victims themselves. 

Ransomware actors are no longer content with simply locking companies out of their computers and asking for ransom. Now they are digging deeper into their victims’ networks and looking for new ways to monetize their activities. For example, a compromised cloud server can go through a complete attack life cycle, from the initial compromise to data exfiltration to resale or use for further monetization. Compromised enterprise assets are a lucrative commodity on underground markets; cybercriminals are well aware of how to make money from attacking company servers

In the Colonial Pipeline attack, DarkSide used double extortion. But some ransomware actors have gone even further. Jon Clay, Director of Global Threat Communications at Trend Micro, outlines the phases of ransomware:

  • Phase 1: Just ransomware. Encrypt the files, drop the ransom note, and wait for the payment.
  • Phase 2: Double extortion. Phase 1 + data exfiltration and threatening data release. Maze was one of the first documented cases of this.
  • Phase 3: Triple extortion. Phase 1 + Phase 2 + threatening DDoS. SunCrypt, RagnarLocker, and Avaddon were among the first groups documented doing this.
  • Phase 4: Quadruple extortion. Phase 1 (+ possibly Phase 2 or Phase 3) + directly emailing the victim’s customer base or having contracted call centers contact customers.

In fact, as detailed in security reports, DarkSide offers both the DDoS and call center options. The group is making quadruple extortion available to its affiliates and showing a clear sign of innovation. In cybercrime, there are no copyright or patent laws for tools and techniques. Innovation is as much about quickly and completely copying others’ best practices as it is about coming up with new approaches. 

Ransomware will only continue to evolve. Organizations therefore need to take the time to put in place an incident response plan focused on the new model of ransomware attacks. Unfortunately, some organizations may be putting cybersecurity on the back burner. For example, some security experts noted that Colonial Pipeline was using a previously exploited vulnerable version of Microsoft Exchange, among other cybersecurity lapses. A successful attack on a company providing critical services will have rippling effects that will harm multiple sectors of society, which is why protecting these services should be a top priority.

In a US Senate hearing on cybersecurity threats, Senator Rob Portman of Ohio described the strike on Colonial Pipeline as “potentially the most substantial and damaging attack on US critical infrastructure ever.” This attack is a call to action for all organizations to harden their networks against attacks and improve their network visibility.

Trend Micro has a multilayered cybersecurity platform that can help improve your organization’s detection and response against the latest ransomware attacks and improve your organization’s visibility. Visit the Trend Micro Vision One™ website for more information. Detailed solutions can be found in our knowledge base article on DarkSide ransomware.

Source :
https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html

Tips to avoid the new wave of ransomware attacks

There have been a lot of changes in ransomware over time. We want to help you protect your organization from this growing attack trend.

The Colonial Pipeline ransomware attack is just part of a new onslaught of ransomware attacks that malicious actors are ramping up against high value victims. Why are we seeing this?

These malicious actors are after extortion money, and as such they are looking to target organizations that are more likely to pay if they can disrupt their business operations. In the past we saw this with targeting of government and education victims. The more pain that these actors can cause an organization, the more likely they will receive an extortion payment.

Ransomware attacks have gone through many iterations and we’re now seeing phase 4 of these types of attacks. To give you context, here are the four phases of ransomware:

  • 1st phase: Just ransomware, encrypt the files and then drop the ransom note … wait for the payment in bitcoin.
  • 2nd phase: Double extortion. Phase 1 + data exfil and threaten for data release. Maze was the first document to do this and the other threat actor groups followed suit
  • 3rd phase: Triple extortion. Phase 1 + Phase 2 and threaten for DDoS. Avaddon was the first documented to do this
  • 4th phase: Quadruple extortion. Phase 1 + (possibly Phase 2 or Phase 3) + directly emailing affected victim’s customer base. Cl0p was first documented doing this, as written by Brian Krebs

The majority of the time now we’re seeing a double extortion model, but the main shift we’re now seeing is the targeting of critical business systems. In this latest case, it does not appear that OT systems were affected but the IT systems associated with the network were likely targeted.

That may change though as many organizations have an OT network that is critical to their operations and could become a target. In this blog post we highlighted how manufacturers are being targeted with modern ransomware and the associated impact.

Taking down the systems that run an organization’s day-to-day business operations can cause financial and reputation damage.

But there could also be unintended consequences of going after victims that are too high profile, and this latest might be one example of this. Bringing down a major piece of critical infrastructure for a nation, even if the motive is only financial gain, might incur major actions against the actors behind this attack. So in the future, malicious actors may need to assess the potential ramifications of their target victim and decide if it makes good business sense to commence with an attack.

We will continue to see ransomware used in the future, and as such organizations need to take the time to put in place an incident response plan focused on the new model of ransomware attacks. Some things to think about as you go about this:

  1. Understand that you will be a target. Every business can likely be on the radar of malicious actors, but those in critical infrastructure need to assess the likelihood of becoming a victim now.
  2. Dedicated attackers will find a way into your network. Access as a Service (usually where another group performs the initial access and sells it to another group) is used regularly now, and whether via a phished employee, a vulnerable system open to the internet, or using a supply chain attack, the criminals will likely find a way in.
  3. The malicious use of legitimate tools are a preferred tactic used across the entire attack lifecycle. Check out our recent blog on this topic.
  4. Your key administrator and application account credentials will be targeted.
  5. Ransomware actors will look to exfiltrate data to be used in the double extortion model.
  6. The ransomware component will be the last option in their malicious activities as it is the most visible part of the attack lifecycle and as such you will then know you’ve been compromised.

For those organizations who have OT networks some key things to think about:

  • Understand your risk if your OT network is taken offline
  • Build a security model that protects the devices within the OT network, especially those that cannot support a security agent
  • Network segmentation is critical
  • If your OT network needs to be taken offline due to the IT network being compromised, you need to identify how to overcome this limitation

This latest attack is another call to action for all organizations to harden their networks against attacks and improve their visibility that malicious actors are in your network. Trend Micro has a multi-layered cybersecurity platform that can help improve your detection and response against the latest ransomware attacks and improve your visibility. Check out our Trend Micro Vision One platform or give us a call to discuss how we can help.

Source :
https://www.trendmicro.com/en_us/research/21/e/tips-to-avoid-new-wave-ransomware-attacks.html

Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities

MSRC / By MSRC Team / March 16, 2021

This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065, which are being exploited. We strongly urge customers to immediately update systems. Failing to address these vulnerabilities can result in compromise of your on-premises Exchange Server and, potentially, other parts of your internal network.

Mitigating these vulnerabilities and investigating whether an adversary has compromised your environment should be done in parallel. Applying the March 2021 Exchange Server Security Updates is critical to prevent (re)infection, but it will not evict an adversary who has already compromised your server. Based on your investigation, remediation may be required. This guide will help you answer these questions:

Microsoft will continue to monitor these threats and provide updated tools and investigation guidance to help organizations defend against, identify, and remediate associated attacks. We will update this guidance with new details and recommendations as we continue to expand our knowledge of these threats and the threat actors behind them, so come back to this page for updates.

How does the attack work?

Microsoft released security updates for four different on premises Microsoft Exchange Server zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065). These vulnerabilities can be used in combination to allow unauthenticated remote code execution on devices running Exchange Server. Microsoft has also observed subsequent web shell implantation, code execution, and data exfiltration activities during attacks. This threat may be exacerbated by the fact that numerous organizations publish Exchange Server deployments to the internet to support mobile and work-from-home scenarios.

In many of the observed attacks, one of the first steps attackers took following successful exploitation of CVE-2021-26855, which allows unauthenticated remote code execution, was to establish persistent access to the compromised environment via a web shell. A web shell is a piece of malicious code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow adversaries to execute commands and to steal data from a web server or use the server as launch pad for further attacks against the affected organization. Therefore, it is critical to not only immediately mitigate the vulnerabilities, but also remove any additional backdoors, such as web shells that attackers may have created.

Am I vulnerable to this threat?

If you are running Exchange Server 2010, 2013, 2016, or 2019 you must apply the March 2021 Security Update to protect yourself against these threats.

To determine if your Exchange Servers are vulnerable to this attack, the following methods can be used:

  • Using Microsoft Defender for Endpoint
  • Scanning your Exchange servers using Nmap

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint customers can use the threat analytics article in Microsoft 365 security center to understand their risk. This requires your Exchange Servers to be onboarded to Microsoft Defender for Endpoint. See instructions for onboarding servers that are not currently monitored.

Scanning using Nmap script

For servers not onboarded to Microsoft Defender for Endpoint, use this Nmap script to scan a URL/IP to determine vulnerability: http-vuln-cve2021-26855.nse.

How do I mitigate the threat?

The best and only complete mitigation for these threats is to update to a supported version of Exchange Server and ensure it is fully updated. If it’s not possible to immediately move to the current Exchange Server Cumulative Update and apply security updates, additional strategies for mitigation are provided below. These lesser mitigation strategies are only a temporary measure while you install the latest Cumulative Update and Security Updates.

Immediate temporary mitigations

The following mitigation options can help protect your Exchange Server until the necessary Security Updates can be installed. These solutions should be considered temporary, but can help enhance safety while additional mitigation and investigation steps are being completed.

  • Run EOMT.ps1 (Recommended) – The Exchange On-premises Mitigation Tool (EOMT.ps1) mitigates CVE-2021-26855 and attempts to discover and remediate malicious files. When run, it will first check if the system is vulnerable to CVE-2021-26855 and, if so, installs a mitigation for it. It then automatically downloads and runs Microsoft Safety Scanner (MSERT). This is the preferred approach when your Exchange Server has internet access.
  • Run ExchangeMitigations.ps1 – The ExchangeMitigations.ps1 script applies mitigations but doesn’t perform additional scanning. This is an option for Exchange Servers without internet access or for customers who do not want Microsoft Safety Scanner to attempt removing malicious activity it finds.

Applying the current Exchange Server Cumulative Update

The best, most complete mitigation is to get to a current Cumulative Update and apply all Security Updates. This is the recommended solution providing the strongest protection against compromise.

Apply security hotfixes to older Cumulative Updates

To assist organizations that may require additional time and planning to get to a supported Cumulative Update, security hotfixes have been made available. It’s important to note that applying these security hotfixes to older Cumulative Updates will mitigate against these specific Exchange vulnerabilities, but it will not address other potential security risks your Exchange Server may be vulnerable to. This approach is only recommended as a temporary solution while you move to a supported Cumulative Update.

Isolation of your Exchange Server

To reduce the risk of exploitation of the vulnerabilities, the Exchange Server can be isolated from the public internet by blocking inbound connections over port 443.

  • Blocking port 443 from receiving inbound internet traffic provides temporary protection until Security Updates can be applied, but it reduces functionality as it could inhibit work-from-home or other non-VPN remote work scenarios and does not protect against adversaries who may already be present in your internal network.
  • The most comprehensive way to complete this is to use your perimeter firewalls that are currently routing inbound 443 traffic to block this traffic. You can use Windows Firewall to accomplish this, but you will have to remove all inbound 443 traffic rules prior to blocking the traffic.

Have I been compromised?

To determine if your Exchange Servers have been compromised due to these vulnerabilities, multiple options have been made available:

  • Microsoft Defender for Endpoint
  • Publicly available tools published by Microsoft

If Microsoft Defender for Endpoint is not running, skip directly to the publicly available tools section. If it is running, we recommend that you follow both methods.

Microsoft Defender for Endpoint

  • Check the threat analytics article in Microsoft 365 security center to determine if any indications of exploitation are observed. The Analyst report tab in the Microsoft 365 Security Center threat analytics article contains a continuously updated detailed description of the threat, actor, exploits, and TTPs. On the Overview page, the Impacted assets section lists all impacted devices. The Related incidents section shows any alerts for detected exploitation or post-exploitation activity.
  • If you have devices that are flagged as impacted (see Impacted assets section) and have active alerts and incidents, click the incidents to further understand the extent of the attack.
  • Microsoft Defender for Endpoint blocks multiple components of this threat and has additional detections for associated malicious behaviors. These are raised as alerts in the Microsoft Defender Security Center. Additionally, Microsoft Defender for Endpoint prevents some critical behaviors observed in attacks, such as attempts to exploit the CVE-2021-27065 post-authentication file-write vulnerability that can be combined with CVE-2021-26855 to elevate privileges.
  • Microsoft Defender for Endpoint also detects post-exploitation activity, including some techniques that attackers use to maintain persistence on the machine. Note that alerts marked “Blocked” indicate that the detected threat is also remediated. Alerts marked “Detected” require security analyst review and manual remediation.

Publicly available tools published by Microsoft

The following tools have been made available by Microsoft to aid customers in investigating whether their Microsoft Exchange Servers have been compromised. We recommend customers to run both tools as part of their investigation:

Exchange On-Premises Mitigation Tool

Download and run EOMT.ps1 as an administrator on your Exchange Server to automatically run the latest version of Microsoft Safety Scanner (MSERT). MSERT discovers and remediates web shells, which are backdoors that adversaries use to maintain persistence on your server.

  • After completing the scan, EOMT.ps1 reports any malicious files it discovers and removes. If malicious files are discovered and removed by the tool, follow the web shell remediation workflow. If no malicious files are found, it will report “No known threats detected.”
  • If this initial scan does not find evidence of malicious files, a full scan can be run via “.\EOMT.ps1 -RunFullScan”. This may take a few hours or days, depending on your environment and the number of files on the Exchange Server.
  • If the script is unable to download Microsoft Safety Scanner (MSERT), you can download and copy MSERT manually to your Exchange Server. Run this executable directly as an administrator. Follow the on-screen instructions to run a Quick or Full scan. A new version of MSERT should be downloaded each time it is run to ensure it contains the latest protections

Test-ProxyLogon.ps1

Run the Test-ProxyLogon.ps1 script as administrator to analyze Exchange and IIS logs and discover potential attacker activity.

IMPORTANT: We recommend re-downloading this tool at a minimum of once per day if your investigation efforts span multiple days, as we continue to make updates to improve its usage and output.

Step 1 – Review script output to determine risk:

  • If the script does not find attacker activity, it outputs the message Nothing suspicious detected
  • If attacker activity was found, the script reports the vulnerabilities for which it found evidence of use and collects logs that it stores in the specified output path in the Test-ProxyLogonLogs directory. Continue following these steps for remediation. Below is an example of the output:

Step 2 – Investigate CVE-2021-27065:

  • If CVE-2021-27065 is detected, then investigate the logs specified for lines containing Set-OabVirtualDirectory. This indicates that a file was written to the server.
  • Investigate web server directories for new or recently modified .aspx files or other file types that may contain unusual <script> blocks.
    • This indicates an adversary may have dropped a web shell file. Below is an example of such a <script> block.
    • If yes, continue to continue to the web shell remediation workflow.

Step 3 – Investigate CVE-2021-26857:

  • If CVE-2021-26857 is detected, then investigate the collected logs labeled <servername>Cve-2021-26857.csv.

Step 4 – Investigate CVE-2021-26858:

  • If CVE-2021-26858 is detected, then investigate the collected logs labeled <servername>Cve-2021-26858.log.
  • Does the tool output any path other than *\Microsoft\ExchangeServer\V15\ClientAccess\OAB\Temp\*?

Step 5 – Investigate CVE-2021-26855:

  • If CVE-2021-26855 is detected, then investigate the collected logs labeled <servername>Cve-2021-26855.csv.
  • Does the tool output for AnchorMailbox contain Autodiscover.xml ONLY?
    • This indicates an attacker is scanning your infrastructure as a precursor to additional compromise.
    • If yes, continue to the scan remediation workflow.
  • Does the tool output for AnchorMailbox contain /ews/exchange.asmx?
    • This indicates an attacker may be exfiltrating your email.
    • If yes, inspect the Exchange web services (EWS) logs in \V15\Logging\EWS to verify if the adversary accessed a mailbox, and then proceed to the corresponding remediation workflow.

What remediation steps should I take?

  • The steps in Have I been compromised? section help establish the scope of possible exploitation: scanning, unauthorized email access, establishment of persistence via web shells, or post-exploitation activity.
    • Decide between restoring your Exchange Server or moving your mail services to the cloud. You can engage with FastTrack for data migration assistance for Office 365 customers with tenants of 500+ eligible licenses.
  • Follow applicable remediation workflows:
    • Was post-compromise activity related to credential harvesting or lateral movement detected by Microsoft Defender for Endpoint or during manual investigation?
      • Engage your incident response plan. Share the investigation details to your incident response team.
      • If you are engaging with CSS Security or Microsoft Detection and Response Team (DART), and you are a Microsoft Defender for Endpoint customer, see instructions for onboarding Windows Server to Microsoft Defender for Endpoint.
    • Were web shells detected?
      • Clean and restore your Exchange Server:
        • Preserve forensic evidence if your organization requires evidence preservation.
        • Disconnect the Exchange Server from the network, either physically or virtually via firewall rules.
        • Restart Exchange Server.
        • Stop W3WP services.
        • Remove any malicious ASPX files identified via the investigation steps above.
        • Delete all temporary ASP.NET files on the system using the following script:

iisreset /stop
$tempAspDir = "$env:Windir\Microsoft.NET\Framework64\$([System.Runtime.InteropServices.RuntimeEnvironment]::GetSystemVersion())\Temporary ASP.NET Files"
mkdir 'C:\forensicbackup'
Copy-Item -Recurse -Path $tempAspDir -Destination 'C:\forensicbackup'
rm -r -Force $tempAspDir
iisreset /start

  • Was mailbox access and exfiltration detected?
    • Disconnect Exchange Server from the network.
    • Apply Security Updates.
    • Run a full EOMT.ps1 scan via “.\EOMT.ps1 -RunFullScan”. Have I been compromised? for additional instructions for running EOMT.ps1.
    • Resume operation.
  • Was scan-only adversary behavior detected?
    • Disconnect Exchange Server from the network.
    • Apply Security Updates.
    • Resume operation.

How can I better protect myself and monitor for suspicious activity?

  • Additional protection and investigation capabilities are available if Microsoft Defender Antivirus and Microsoft Defender for Endpoint are running on the Exchange Server. If neither are yet installed, installing both now can provide additional protection moving forward and is strongly advised.
  • If you are an existing Microsoft Defender for Endpoint customer but have Exchange servers that are not onboarded, see instructions for onboarding Windows Server to Microsoft Defender for Endpoint.
  • If you are not an existing Microsoft Defender for Endpoint customer, Microsoft is making publicly available a 90-day Microsoft Defender for Endpoint trial offer exclusively to support commercial on-premises Exchange Server customers that require continuous investigation and additional post-compromise security event detection beyond what MSERT offers. Next, follow the steps for setting up Microsoft Defender for Endpoint and onboarding your Exchange Server.

Microsoft’s Detection and Response Team (DART) 
Microsoft 365 Defender Team

CSS Security Incident Response

This blog and its contents are subject to the Microsoft Terms of Use.  All code and scripts are subject to the applicable terms on Microsoft’s GitHub Repository (e.g., the MIT License).

Source :
https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/

One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021

MSRC / By MSRC Team / March 15, 2021 / CVE-2021-26855CVE-2021-26857CVE-2021-26858CVE-2021-27065partial mitigations

We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server.

Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.

By downloading and running this tool, which includes the latest Microsoft Safety Scanner, customers will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed. This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching.
We recommend that all customers who have not yet applied the on-premises Exchange security update:

  • Download this tool.
  • Run it on your Exchange servers immediately.
  • Then, follow the more detailed guidance here to ensure that your on-premises Exchange is protected.
  • If you are already using Microsoft Safety Scanner, it is still live and we recommend keeping this running as it can be used to help with additional mitigations.

Once run, the Run EOMT.ps1 tool will perform three operations:

Mitigate against current known attacks using CVE-2021-26855 using a URL Rewrite configuration.
Scan the Exchange Server using the Microsoft Safety Scanner.
Attempt to reverse any changes made by identified threats.

Before running the tool, you should understand:

  • The Exchange On-premises Mitigation Tool is effective against the attacks we have seen so far, but is not guaranteed to mitigate all possible future attack techniques. This tool should only be used as a temporary mitigation until your Exchange servers can be fully updated as outlined in our previous guidance.
  • We recommend this script over the previous ExchangeMitigations.ps1 script as it tuned based on the latest threat intelligence. If you have already started with the other script, it is fine to switch to this one.
  • This is a recommended approach for Exchange deployments with Internet access and for those who want to attempt automated remediation.
  • Thus far, we have not observed any impact to Exchange Server functionality when these mitigation methods are deployed.

For more technical information, examples, and guidance please review the GitHub documentation.

Microsoft is committed to helping customers and will continue to offer guidance and updates that can be found at https://aka.ms/exchangevulns.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS GUIDANCE. The Exchange On-premises Mitigation Tool is available through the MIT License, as indicated in the GitHub Repository where it is offered.

Source :
https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/