EMERGENCY PATCH UPDATE: MS EXCHANGE SERVERS UNDER ACTIVE EXPLOIT

Microsoft just issued 4 patches for security issues (see alert here) being actively exploited by a Chinese APT group, Hafnium. Exchange versions 2013-2019 are affected. The vulnerabilities are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. The description per Microsoft is:

These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.

Hafnium’s targets are US based, in various sectors which include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. They exploit vulnerabilities found in internet-facing servers and exfiltrate data to file sharing sites. They are stealthy and operate from virtual private servers leased in the US.

Hide in plain sight: Updated ObliqueRAT hides in images per ZDNet

ObliqueRAT has evolved from basic functionality to multiple infection vectors and capabilities. The new campaign targets victims in South Asia with tainted sites rather than sending emails which get nabbed. The attacks use steganography to hide malicious payload files within image files on the site. ObliqueRAT is linked to the Transparent Tribe APT and distributions of CrimsonRAT.

RATs are powerful, multi-function tools heavily used by attackers. It’s important to keep in mind that malware operators are constantly enhancing their tools, so what we have defences for won’t cover everything. Kinda like vaccines and variants. You can read the report by Cisco Talos here.

Breach Alert: Oxfam Australia is reporting information about supporters on one of its databases was “unlawfully accessed by an external party” in January 2021. The data of 1.8 million accounts was being sold on an underground site. Partial financial details were also exposed. Per Have I Been Pwned

Updates to Jailbreak tool “Unc0ver” for iPhones v 11 – 14.3 per The Hacker News

With the latest release of “unc0ver” 6.0, almost any iPhone can be unlocked and uses one of those 0days from January that was being exploited, CVE-2021-1782, a privilege escalation vulnerability.

Attackers are quick to act on vulnerabilities especially when they mean access into walled-gardens or secure enclaves like Apple’s operating system. While we know about the use of this vulnerability here, we don’t know the full extent of exploits or attackers as Apple has not shared that. Things that will go bump in the night …