SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Exchange Server critical vulnerabilities included in Patch Tuesday
Description: Microsoft released its monthly security update Tuesday, disclosing 108 vulnerabilities across its suite of products, the most in any month so far this year. Four new remote code execution vulnerabilities in Microsoft Exchange Server are included in Tuesday’s security update. Microsoft disclosed multiple zero-day vulnerabilities in Exchange Server earlier this year that attackers were exploiting in the wild. The new vulnerabilities Microsoft disclosed are identified as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 — all of which are critical, and the highest of which has a CVSS severity score of 9.8 out of 10. There are 20 critical vulnerabilities as part of this release and one considered of “moderate” severity. The remainder are all “important.” Twelve of the critical vulnerabilities exist in the remote procedure call runtime.
Reference: https://blog.talosintelligence.com/2021/04/microsoft-patch-tuesday-for-april-2021.html
Snort SIDs: 57403, 57404, 57411, 57414
Title: Attackers infiltrate collaboration app servers to spread spam, malware
Description: As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows. Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses. Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments. RATs, information stealers, internet-of-things malware and other threats are leveraging collaboration platforms for delivery, component retrieval and command and control communications.
Reference: https://blog.talosintelligence.com/2021/04/collab-app-abuse.html
ClamAV signatures: Win.Trojan.AgentTesla-9846789-0, Js.Trojan.Downloader-9846867-0, Win.Dropper.Agent-9847178-0, Win.Trojan.Vebzenpak-9847193-0, Win.Trojan.Bulz-9847194-1, Win.Malware.Predator-9850360-1, Win.Trojan.Taskun-9850631-0, Win.Packed.Trojanx-9850692-0
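The item above describes collaboration platforms being used as delivery and command-and-control infrastructure that ordinary network filtering does not block. One defensive angle is to look in web-proxy logs for workstations fetching executable content from the platforms' file-hosting hosts, or posting to webhook endpoints. The following is an added example written for this digest, not code from Talos or from any of the platforms; the log format, the hostnames (cdn.discordapp.com, media.discordapp.net, files.slack.com), the Discord webhook path pattern and the sample log lines are all assumptions or constructed test data.

```python
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts that serve user-uploaded attachments for the platforms named in the
# post. Representative values chosen for this example, not taken from the article.
COLLAB_FILE_HOSTS = {
    "cdn.discordapp.com",
    "media.discordapp.net",
    "files.slack.com",
}

# Discord webhook endpoints accept POSTs without a logged-in client, so a
# workstation POSTing here is worth reviewing (assumed path layout).
WEBHOOK_PATH_RE = re.compile(r"^/api/webhooks/\d+/")

# Extensions a workstation should rarely pull from a chat CDN.
PAYLOAD_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".hta", ".bat", ".cmd", ".msi", ".jar",
}

# Assumed proxy log layout: "<ts> <client_ip> <method> <url> <status> <bytes> <content_type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<ctype>\S+)$"
)

# Constructed sample data for the example; these are not real observations.
SAMPLE_PROXY_LOG = """\
2021-04-13T09:12:01Z 10.0.5.21 GET https://cdn.discordapp.com/attachments/1234/5678/invoice.exe 200 412320 application/octet-stream
2021-04-13T09:12:44Z 10.0.5.21 GET https://discord.com/channels/@me 200 8120 text/html
2021-04-13T09:13:10Z 10.0.7.3 GET https://files.slack.com/files-pri/T000-F000/download/report.pdf 200 90112 application/pdf
2021-04-13T09:14:02Z 10.0.5.21 POST https://discord.com/api/webhooks/111/abcdef 204 312 application/json
2021-04-13T09:15:30Z 10.0.9.8 GET https://cdn.discordapp.com/attachments/999/888/update.js 200 2210 text/javascript
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    reason: str
    url: str


def classify(method: str, url: str):
    """Return a human-readable reason if the request matches a review rule, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    ext = posixpath.splitext(parsed.path)[1].lower()
    if host in COLLAB_FILE_HOSTS and ext in PAYLOAD_EXTENSIONS:
        return f"executable content ({ext}) fetched from collaboration CDN"
    if host in {"discord.com", "discordapp.com"} and method == "POST" \
            and WEBHOOK_PATH_RE.match(parsed.path):
        return "POST to Discord webhook endpoint (possible C2/exfiltration channel)"
    return None


def scan_proxy_log(text: str):
    """Parse proxy log lines and return the requests that match a review rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        reason = classify(m["method"], m["url"])
        if reason:
            findings.append(Finding(m["ts"], m["client"], reason, m["url"]))
    return findings


def clients_by_hits(findings):
    """Count findings per client so repeat offenders float to the top for triage."""
    counts = {}
    for f in findings:
        counts[f.client] = counts.get(f.client, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f.ts} {f.client} {f.reason}: {f.url}")
    print(clients_by_hits(scan_proxy_log(SAMPLE_PROXY_LOG)))
```

On the constructed sample this flags the .exe and .js downloads from the Discord CDN and the webhook POST, while the ordinary Discord page view and the Slack PDF pass. The rules are deliberately narrow (host plus extension, or host plus method plus path) so that legitimate use of the platforms does not drown the queue; tune the host and extension sets to what your environment actually permits.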