DailyPost 2208

"Hacking is the new normal" is the war cry in the cyber battle the globe over. Strangely, more often than not it falls on deaf ears. Most cyber security tasks are outsourced in a variety of ways and with varying levels of dependency. Dependency built on ignorance can bring unwarranted criticality into a business. Companies small and big have their own ways of handling this nature of business. Companies that have not found the magic sauce at times struggle in a big way, and when a bigger tragedy strikes, they are likely to get wiped out. This has happened as well. The IT biggie Microsoft has always taken the hits in its stride.

The logic is that, given the mass usage of its products, Microsoft presents the largest attack surface of any company. The Microsoft Office suite remains the most attacked product; ironic as it may sound, Microsoft products are also the best selling ones. Now the latest news is that Microsoft Exchange servers have been hacked to deploy LockBit ransomware. Microsoft is currently investigating reports of a new zero-day bug being abused to compromise Exchange servers, with that access later used to launch LockBit ransomware attacks.

In at least one such incident, the attackers used a previously deployed web shell on a compromised Exchange server to escalate privileges to Active Directory admin, enabling them to steal roughly 1.3 TB of data and encrypt systems across the network. South Korean cyber security firm AhnLab, hired to support the investigation, believes it took the hackers only a week from the upload of the web shell to hijack the AD admin account. They said it was an "undisclosed zero-day vulnerability", as the victim had received technical support with patches after a recent attack. The vulnerabilities reported after May do not relate to remote command or file creation, and the web shell was created on July 21, so it is expected that an undisclosed zero-day vulnerability was used.

Microsoft is currently working on patches for the zero-days CVE-2022-41040 and CVE-2022-41082. It is possible these could have been used here, but the delivery method differs: "It is presumed that a different attacker used a different zero-day vulnerability." There is at least one more security vendor that knows of three other undisclosed Exchange flaws and provides "vaccines" to block exploitation attempts. The three zero-days were reported by the Zero Day Initiative, and the company has also added detection signatures for them. Microsoft has not disclosed any information regarding these three security flaws since they were reported and has yet to assign CVE IDs to track them.
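The week-long gap between the web shell upload and the Active Directory takeover described above is where a defender still has a chance to catch the intrusion, whatever the initial zero-day was. As an added example that is not part of the original post (and not AhnLab's, Microsoft's or any vendor's tooling), the Python script below hunts Exchange front-end IIS W3C logs for web-shell activity: requests for .aspx pages outside an allow-list of the product's own pages, especially under the /owa/auth/ and /aspnet_client/ directories that earlier Exchange intrusion campaigns are documented to have dropped shells into, with extra weight for POSTs, command-style query strings and non-browser user agents. The log lines are constructed for the example, and the allow-list of known Exchange pages is an assumption that should be regenerated from a clean install of the same build.

```python
"""Hunt Exchange front-end IIS logs for web-shell activity.

Added example, not code from the post or from any vendor named in it.
The sample log is constructed; KNOWN_ASPX is an assumed allow-list.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed IIS W3C log excerpt (not real data). Spaces in a field are
# written as '+' by IIS, so every token below is space-free.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-07-21 02:14:05 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa 443 - 198.51.100.7 Mozilla/5.0 200
2022-07-21 02:14:09 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.aspx - 443 - 198.51.100.7 python-requests/2.28 200
2022-07-21 02:15:30 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.aspx cmd=whoami 443 - 198.51.100.7 python-requests/2.28 200
2022-07-21 03:01:12 10.0.0.5 POST /aspnet_client/system_web/error.aspx - 443 - 198.51.100.7 python-requests/2.28 200
2022-07-21 03:05:44 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.0.42 Mozilla/5.0 200
2022-07-21 03:06:01 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.0.42 Mozilla/5.0 302
"""

# ASSUMPTION: illustrative allow-list of .aspx pages the Exchange front end
# serves itself. Build the real one by listing *.aspx on a clean install of
# the same cumulative update and diffing against the suspect server.
KNOWN_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/owa/auth/expiredpassword.aspx",
    "/ecp/default.aspx",
}

# Directories that past Exchange campaigns (e.g. the 2021 ProxyLogon wave
# documented by Microsoft) wrote web shells into.
WATCHED_DIRS = ("/owa/auth/", "/aspnet_client/", "/ecp/auth/")

BROWSER_UA = re.compile(r"Mozilla/", re.I)
SHELL_QUERY = re.compile(r"(^|&)(cmd|exec|command|c)=", re.I)


@dataclass
class Finding:
    line_no: int
    when: str
    client_ip: str
    method: str
    stem: str
    score: int
    reasons: list = field(default_factory=list)


def parse_w3c(text):
    """Yield (line_no, record_dict) per log record, honouring #Fields."""
    fields = None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record before #Fields directive")
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # malformed record; a real job would log and count it
        yield n, dict(zip(fields, parts))


def hunt(text, threshold=2):
    """Return Findings for .aspx requests that look like web-shell traffic.

    A record is reported only if the page is outside the allow-list AND at
    least `threshold` indicators fire, so a legitimate logon.aspx POST from
    a browser never trips it.
    """
    findings = []
    for n, rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(".aspx"):
            continue
        reasons = []
        if stem not in KNOWN_ASPX:
            reasons.append("aspx not in allow-list")
            if stem.startswith(WATCHED_DIRS):
                reasons.append("under directory abused by past campaigns")
        if rec["cs-method"].upper() == "POST":
            reasons.append("POST to aspx")
        if SHELL_QUERY.search(rec["cs-uri-query"]):
            reasons.append("command-style query string")
        if not BROWSER_UA.search(rec["cs(User-Agent)"]):
            reasons.append("non-browser user agent")
        score = len(reasons)
        if score >= threshold and "aspx not in allow-list" in reasons:
            findings.append(Finding(n, f"{rec['date']} {rec['time']}",
                                    rec["c-ip"], rec["cs-method"], stem,
                                    score, reasons))
    return findings


def by_client(findings):
    """Count findings per source IP; a shell operator clusters on few IPs."""
    return Counter(f.client_ip for f in findings)


def first_seen(findings):
    """Earliest suspicious request: the start of the dwell-time clock."""
    return min(f.when for f in findings) if findings else None


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for f in hits:
        print(f"L{f.line_no} {f.when} {f.client_ip} {f.method} {f.stem} "
              f"score={f.score}: {', '.join(f.reasons)}")
    print("first seen:", first_seen(hits), "| per client:", dict(by_client(hits)))
```

Run it against the real logs under the front-end site's log directory rather than the embedded sample, and treat the allow-list as the part that needs the most care: the aim is to surface the shell dropped in July, not the thousands of ordinary OWA logons that follow the same paths.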

Sanjay Sahay
