Welcome to the next episode of the Xopero Security Center. Race against time – that’s the best description of the ProxyLogon situation. First Microsoft released emergency patches for vulnerable systems. No more than a week later, researchers spotted the first ransomware actively exploiting these vulnerabilities. Now users have a one-click ProxyLogon mitigation tool (details below). The keyword is “mitigation” – it reduces the risk of exploitation until the update is applied. It is not an alternative to patching. The good news: tens of thousands of Microsoft Exchange servers have been patched already. Experts have never seen patch rates this high for any system before. Still, about 82k devices remain vulnerable to the attack. Hence the new tool. Need to find out more? Check the rest of the article.
With this new one-click mitigation tool you can check if ProxyLogon vulnerabilities got to you too
Microsoft has released a one-click Exchange On-premises Mitigation Tool (EOMT) to allow small business owners to easily check whether their servers are vulnerable to the ProxyLogon vulnerabilities. Recent statistics show that at least 82,000 internet-facing servers are still unpatched and vulnerable to attack. There is still work to do, hence the new tool. The EOMT has been designed to help customers that might not have security or IT staff on hand, and it has been tested across Exchange Server 2013, 2016, and 2019.
It is important to note that the tool is not an alternative to patching; it should be considered a means to mitigate the risk of exploitation until the update has been applied, which should happen as quickly as possible.
The ‘EOMT.ps1’ script can be downloaded from Microsoft’s GitHub repository, and when executed, will automatically perform the following tasks:
Mitigates the CVE-2021-26855 Server-Side Request Forgery (SSRF) vulnerability by installing the IIS URL Rewrite module and a regular expression rule that aborts any connections containing the ‘X-AnonResource-Backend’ and ‘X-BEResource’ cookie headers.
Downloads and runs the Microsoft Safety Scanner to remove known web shells and other malicious scripts installed via these vulnerabilities. The script will then remove any malicious files found.
Additionally, admins are advised to also check for indicators of compromise (IOC) in Exchange HttpProxy logs, Exchange log files, and Windows Application event logs.
New Mirai variant targets SonicWall, D-Link, Netgear and IoT devices
A new variant of the Mirai botnet has been discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices — as well as never-before-seen flaws in unknown internet-of-things (IoT) gadgets.
The attacks leverage a number of vulnerabilities. The known vulnerabilities exploited include a SonicWall SSL-VPN exploit; a D-Link DNS-320 firewall exploit (CVE-2020-25506); Yealink Device Management remote code-execution (RCE) flaws (CVE-2021-27561 and CVE-2021-27562); a Netgear ProSAFE Plus RCE flaw (CVE-2020-26919); an RCE flaw in Micro Focus Operation Bridge Reporter (CVE-2021-22502); and a Netis WF2419 wireless router exploit (CVE-2019-19356).
Patches are available for all of these flaws; the botnet is targeting devices that have not yet applied the available updates.
After successfully compromising a device, the attacker dropped various binaries that let them schedule jobs, create filter rules, run brute-force attacks, or propagate the botnet malware.
The variant is only the latest to rely on Mirai’s source code, which has proliferated into more than 60 variants since bursting on the scene with a massive distributed denial of service (DDoS) takedown of DNS provider Dyn in 2016.
The curious case of disappearing/deleting Microsoft Teams and SharePoint files
On Monday, Microsoft suffered a massive outage that affected almost all cloud services, including Microsoft 365, Microsoft Teams, Xbox Live, Exchange Online, Outlook.com, and SharePoint. The outage was caused by a configuration issue in the Azure Active Directory service.
That was on Monday… Since Tuesday, numerous Microsoft SharePoint administrators have faced a new problem – missing files in their clients’ SharePoint folders. The SharePoint folder structure is still intact, but most or sometimes all of the files are missing. Where did they go? A short investigation showed that these files have been deleted and are now located in SharePoint’s cloud recycle bin or, in some cases, a local PC’s Recycle Bin.
The root of the problem
Microsoft confirmed that the issues are related to its advisories SP244708 (SharePoint) and OD244709 (OneDrive). Both advisories are essentially the same and state that local copies of OneDrive for Business or SharePoint files will be restored after initiating a resync. The cause for both issues is the same as well – Monday’s Azure Active Directory (AAD) outage.
While each advisory states that the outage has caused local data to become unavailable, neither advisory explains why the files are being deleted from SharePoint’s cloud folders and why users continue to see this happening after the outage has been resolved.
And… it is still not the end. To make matters worse, numerous Microsoft Teams Free users report that files shared on their channels are no longer accessible in either the desktop or the web client.
According to Microsoft Teams Engineering PM Sam Cosby, his team found the cause for the missing files and would be applying mitigations as soon as they can. He did not share what was causing the users’ files to go missing in the first place.
New CopperStealer malware hijacks social media accounts
Researchers with Proofpoint have released details on previously undocumented malware called CopperStealer, which steals social media logins and spreads more malware.
CopperStealer has many of the same targeting and delivery methods as SilentFade, a Chinese-sourced malware family first reported by Facebook in 2019.
The CopperStealer malware attempts to steal the account passwords to Facebook, Instagram, Google, and other major service providers, according to Proofpoint. The stolen passwords are used to run malicious ads for profit and spread more malware.
Researchers were first alerted to the malware sample in late January. The earliest discovered samples date back to July 2019.
Proofpoint also identified additional versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter.
How can you protect your social media accounts against CopperStealer? Turn on two-factor authentication as soon as possible.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Xopero began in 2009, founded as a company serving primarily SMB users. Our goal was to create a more accessible and affordable secure data protection solution for businesses of any size. In 2015, Xopero started cooperation with QNAP Inc. – one of the key global NAS providers. This addition expanded our portfolio to include a true backup appliance. In 2017, Xopero fully extended into the global market thanks to cooperation with ESET. Our company took the place previously occupied by StorageCraft in the ESET Technological Alliance.