Cyber Security Weekly Briefing, 18 – 25 November

Telefónica Tech, 25 November 2022

Exploit for ProxyNotShell vulnerabilities published

The first reports of two new critical vulnerabilities in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082, collectively named ProxyNotShell, appeared at the end of September.

However, it was not until this November’s Patch Tuesday that Microsoft released patches for these security flaws, even though the company had confirmed, on 30 September, that it was aware of malicious actors actively exploiting them in limited targeted attacks.

Last week, security researcher Janggggg published an exploit for these vulnerabilities that is reported to work against Exchange Server 2016 and 2019, and even against 2013 with some modifications, as confirmed by security researcher Will Dormann.

Microsoft recommends that users apply the patches as soon as possible to prevent further attacks exploiting these vulnerabilities.

More info

Atlassian fixes vulnerabilities in Crowd and Bitbucket

The Atlassian team has released a new update for its Crowd Server and Data Center identity management platforms, as well as for Bitbucket Server and Data Center. The update fixes two vulnerabilities that the company itself rates as serious and that affect several versions of the aforementioned software.

The vulnerabilities are CVE-2022-43781 and CVE-2022-43782. The first is a command injection vulnerability in Bitbucket that allows an attacker who controls the session to execute code under certain conditions and permissions. The second, in Crowd, allows an attacker to bypass password checking during Crowd’s authentication process and gain privileges to make API calls to endpoints.

For Bitbucket, all versions from 7.0 to 7.21 are affected, as well as versions 8.0 to 8.4, except instances running PostgreSQL or hosted on Bitbucket’s domain. For Crowd, the affected versions range from 3.0.0 to 3.7.2 (which will not be fixed) and from 5.0.0 to 5.0.2.

More info

Cisco Secure Email Gateway Anti-Malware Protection Failure

The Cisco team confirmed today the existence of a filtering flaw in version 14.2.0 of its Secure Email Gateway and IronPort Email Security Appliance software, as reported earlier last week by an anonymous researcher who claims to have received no response from the company.

The researcher’s findings consist of several attack methods that can bypass certain filters within Secure Email Gateway in order to deliver malware via specially crafted emails. This relies on three different attack vectors that exploit a bug in how emails and attachments are identified when they include malicious MIME Content-Type headers. The attack would be relatively easy to carry out and, according to the anonymous researcher, exploitation of the flaw has already been observed.

However, the company denies that this is a vulnerability in its products and attributes the flaw to a problem in the Sophos and McAfee anti-malware scanning engines.

More info

Activity analysis of the Quantum Locker group

The Belgian company Computerland has shared information on the Tactics, Techniques and Procedures of the malicious actor Quantum Locker. The data comes from the organisation’s analysis of the latest attacks perpetrated by Quantum Locker against companies located in Central Europe.

The researchers note that the actor’s goals include the complete takeover of Azure cloud services through root account compromise (T1531). In addition, the actor focuses on locating and deleting all of the victim’s Azure blob storage in order to destroy backups (T1485).

Computerland also warns that the main targets of these attacks are IT administrators and network personnel, whose resources the actor uses to collect credentials from the victim’s network and extend the attack (T1530).

Finally, it is worth noting that Quantum combines new and old techniques to distribute ransomware, such as modifying domain group policies (T1484.001) and using the AnyDesk tool for remote access (T1219).

More info

Kaspersky researchers have identified a phishing campaign that uses Google Translate links to spread phishing pages.

The links are sent by email under various pretexts and ultimately lead to the attacker’s pages, but these are served through Google’s translation service, which can translate an entire web page when given its URL.

The recipient sees a link to an apparently legitimate Google service (the translate.goog domain) that translates the website on the fly and serves its content, in this case malicious content, over an apparently innocuous connection, which can nonetheless have the same unwanted effects as a conventional phishing scam.
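Because the real destination is hidden inside the translate.goog hostname, a mail filter needs to decode it before it can apply reputation checks. The following added example (not from Kaspersky or the original post) scans an email body for translate.goog links and recovers the origin host; it assumes the encoding seen in such links, where each dot of the origin host becomes a hyphen and each literal hyphen becomes a double hyphen, and the sample email is constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample email body (not from a real campaign).
SAMPLE_EMAIL = """Dear customer,
Your invoice is ready: https://login-example--bank-com.translate.goog/signin?_x_tr_sl=auto&_x_tr_tl=en
Regards, Billing"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
PROXY_SUFFIX = ".translate.goog"


def decode_translate_goog_host(host: str) -> Optional[str]:
    """Recover the origin hostname hidden behind a translate.goog proxy host.

    Assumed encoding (not stated in the article): '.' in the origin host
    becomes '-' and a literal '-' becomes '--'. Returns None when the host
    is not a translate.goog proxy host.
    """
    host = host.lower()
    if not host.endswith(PROXY_SUFFIX):
        return None
    label = host[: -len(PROXY_SUFFIX)]
    # Split only on single hyphens; '--' is an escaped literal hyphen.
    parts = re.split(r"(?<!-)-(?!-)", label)
    return ".".join(p.replace("--", "-") for p in parts)


def find_proxied_links(text: str) -> List[Dict[str, str]]:
    """Return every translate.goog link in text together with its decoded origin host."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        origin = decode_translate_goog_host(host)
        if origin is not None:
            findings.append({"url": url, "proxy_host": host, "origin_host": origin})
    return findings


if __name__ == "__main__":
    for hit in find_proxied_links(SAMPLE_EMAIL):
        # A filter would now check hit["origin_host"] against its blocklists
        # or reputation feeds instead of the trusted-looking proxy host.
        print(f"proxied link: {hit['url']} -> origin host {hit['origin_host']}")
```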

More info
