A strain of malware has been found in the wild at least since March 2021 backdooring Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022. Dubbed SessionManager, the malicious tool masquerades as a module for Internet Information Services (IIS), the web server software for Windows systems, and is installed after exploiting one of the ProxyLogon flaws in Exchange servers.
Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a targeted organization: collecting emails, extending their malicious access, or clandestinely managing compromised servers that can then be leveraged as attack infrastructure. The Russian cybersecurity firm that reported the campaign attributed the intrusions with medium-to-high confidence to an adversary tracked as Gelsemium, citing overlaps in the malware samples linked to the two groups and in the victims targeted.
ProxyLogon, since its disclosure in March 2021, has attracted the repeated attention of several threat actors, and the latest attack chain is no exception, with the Gelsemium crew exploiting the flaws to drop SessionManager, a backdoor coded in C++ and engineered to process HTTP requests sent to the server. The findings come as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged government agencies and private sector entities using the Exchange platform to switch from the legacy Basic Authentication method to Modern Authentication alternatives prior to its deprecation on October 1, 2022.
CTRL Group recommends that organizations using the Exchange platform switch from the legacy Basic Authentication method to Modern Authentication alternatives.
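One defender-side check that follows from the IIS-module technique described above, as an added example that is not part of the original post or of the reporting vendor's tooling: parse applicationHost.config, the file in which IIS registers its native modules, and flag any module whose DLL is loaded from outside the standard IIS and .NET directories. The directory allowlist and the sample configuration are constructed assumptions; a real hunt would run this over %windir%\System32\inetsrv\config\applicationHost.config on each Exchange server.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Directories from which legitimately installed IIS native modules are normally
# loaded. Assumption for this example: tune to your own build standard.
TRUSTED_DIRS = (
    r"c:\windows\system32\inetsrv",
    r"c:\windows\microsoft.net\framework64",
    r"c:\windows\microsoft.net\framework",
)

# Constructed sample of the <globalModules> section, with one module loaded
# from an unusual location (the kind of entry a dropped IIS backdoor creates).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="CacheModule" image="C:\Windows\Temp\cachemod.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def expand(path: str) -> str:
    """Resolve the %windir% token used in applicationHost.config and normalise case."""
    return path.replace("%windir%", r"c:\windows").lower()


def suspicious_modules(config_xml: str) -> list[tuple[str, str]]:
    """Return (name, image) for every globalModules entry loaded from outside TRUSTED_DIRS."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for mod in section.findall("add"):
            image = expand(mod.get("image", ""))
            if not any(image.startswith(d) for d in TRUSTED_DIRS):
                findings.append((mod.get("name", ""), image))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_CONFIG with Path(r"C:\Windows\System32\inetsrv\config\applicationHost.config").read_text()
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"review native module {name!r} loaded from {image}")
```

A flagged entry is a lead, not a verdict: confirm by checking the DLL's signature and hash and the module's load time against the server's patch history.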
Cisco Patches Severe Vulnerabilities in Nexus Dashboard
Cisco recently announced the availability of patches for multiple vulnerabilities in Nexus Dashboard, including a critical-severity issue that could lead to the execution of arbitrary commands. The most severe of the newly resolved vulnerabilities affecting the console is CVE-2022-20857 (CVSS score of 9.8), which could allow a remote, unauthenticated attacker to access a specific API and execute arbitrary commands. In its advisory, Cisco also details CVE-2022-20861 and CVE-2022-20858, two high-severity security bugs in Nexus Dashboard that could lead to cross-site request forgery (CSRF) attacks and to the uploading of malicious container images, respectively.
This week, Cisco also resolved a high-severity security issue in the SSL/TLS implementation of Nexus Dashboard, which could allow a remote, unauthenticated attacker to tamper with the communication with associated controllers or access sensitive information. Tracked as CVE-2022-20860, the vulnerability has been resolved with the release of Nexus Dashboard 2.2(1h).
CTRL Group urges users of Nexus Dashboard 1.1, 2.0, and 2.1 to upgrade to Nexus Dashboard 2.2(1h) as soon as possible.
New UEFI Firmware Vulnerabilities Impact Several Lenovo Notebook Models
Lenovo has released patches for three new security flaws in the UEFI firmware of over 70 product models. The vulnerabilities allow arbitrary code execution early in the platform boot phase of the affected laptops, which could let an attacker hijack the OS execution flow, disable important security features and escalate privileges.
All three now-patched bugs are buffer overflows that allow arbitrary code execution and, in turn, privilege escalation on affected systems:
CVE-2022-1890 – A buffer overflow has been identified in the ReadyBootDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
CVE-2022-1891 – A buffer overflow has been identified in the SystemLoadDefaultDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
CVE-2022-1892 – A buffer overflow has been identified in the SystemBootManagerDxe driver in some Lenovo notebook products which may allow an attacker with local privileges to execute arbitrary code.
CTRL Group recommends updating all Lenovo devices in your organization to their latest patch. A list of affected products can be found here, with Lenovo also recommending updating system firmware to the version specified, or newer, for affected products.