SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft warns of “ProxyNotShell” vulnerabilities in Exchange Server
Description: Microsoft warned of two Exchange Server vulnerabilities collectively referred to as "ProxyNotShell” that had been actively exploited in the wild. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns.
References:
- https://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html
Snort SIDs: 27966-27968, 28323, 37245 and 42834 - 42838
ClamAV signatures: Asp.Backdoor.AntSword-9972727-1, Asp.Backdoor.Awen-9972728-0 and Asp.Backdoor.AntSword-9972729-0
Title: New malware builder used to deliver updated version of Agent Tesla
Description: Security researchers recently discovered a malware builder being sold on the dark web known as “Quantum Builder.” Attackers are using the new builder to deliver an updated version of the Agent Tesla trojan, which is known for stealing and spying on user interactions and keystrokes. Quantum Builder can create malicious shortcut files, and has previously been linked to the Lazarus Group APT. The attackers in this campaign send a spearphishing email to targets that contains a malicious GZIP attachment that holds a malicious shortcut to execute PowerShell code.
Snort SIDs: 60638, 60639