News of APA Center of Arak University

Play ransomware hackers use a new method to bypass MS Exchange ProxyNotShell

Threat actors affiliated with the Play ransomware are using a never-before-seen exploit chain that bypasses the ProxyNotShell mitigations in Microsoft Exchange Server and achieves remote code execution (RCE) through Outlook Web Access (OWA). CrowdStrike researchers Brian Pitchford, Erik Iker and Nicolas Zilio wrote in a technical report published on Tuesday, December 20, 2022: "The new exploit method bypasses the URL rewrite mitigations for the Autodiscover endpoint."

The Play ransomware, which first appeared in June 2022, has been observed adopting many of the tactics used by other ransomware families such as Hive and Nokoyawa, the latter of which was ported to Rust in September 2022.

CrowdStrike's investigations into several Play ransomware intrusions revealed that initial access to the target environments was not achieved by exploiting CVE-2022-41040 directly, but through the OWA endpoint. This technique, dubbed OWASSRF, most likely chains another critical flaw, CVE-2022-41080 (CVSS score 8.8), for privilege escalation with CVE-2022-41082 for remote code execution.

It is worth noting that both CVE-2022-41040 and CVE-2022-41080 are server-side request forgery (SSRF) flaws that let an attacker reach internal resources they are not authorized to access, in this case the Exchange PowerShell remoting service.

CrowdStrike said that after gaining initial access the adversary dropped the legitimate Plink and AnyDesk executables to maintain persistent access, and took steps to clear Windows event logs on the infected servers to hide the malicious activity. All three vulnerabilities were addressed by Microsoft in its Patch Tuesday updates for November 2022. It is unclear, however, whether CVE-2022-41080 was exploited as a zero-day alongside CVE-2022-41040 and CVE-2022-41082.

Microsoft, for its part, has labelled CVE-2022-41080 with a "highly exploitable" rating, meaning an attacker could create exploit code that reliably exploits the flaw. CrowdStrike also noted that a proof-of-concept (PoC) Python script, discovered and leaked last week by Huntress Labs researcher Dray Agha, may have been used by the Play ransomware actors to gain initial access. This is supported by the fact that running the Python script made it possible to "replicate the logs generated in recent Play ransomware attacks."

"Organizations should apply the November 8, 2022 patches for Exchange to prevent exploitation, since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method," the researchers said.

Update: In a related report on Wednesday, December 21, 2022, cybersecurity firm Rapid7 said it has observed "an increase in the number of Microsoft Exchange Server compromises" through the OWASSRF exploit chain for remote code execution. Rapid7 researcher Glenn Thorpe noted: "Patched servers do not appear to be vulnerable; servers that have only applied Microsoft's mitigations do appear to be vulnerable." Threat actors are exploiting the issue to deploy ransomware.

"The reported method exploits vulnerable systems that have not applied our latest security updates," a Microsoft spokesperson said in a statement shared with The Hacker News, adding that "customers should install the latest updates, prioritizing the November 2022 updates for Exchange Server."
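The gap the report describes is that a URL rewrite rule scoped to the Autodiscover path never sees a request that reaches the PowerShell backend through /owa/. The following detection helper is an added example, not code from the article, CrowdStrike or Microsoft: it models such an Autodiscover-only rule as a regular expression (an assumption, not Microsoft's exact rule), scans constructed IIS log lines for any front-end request that targets the PowerShell endpoint, and reports the ones the rule would have missed. The '/owa/<mailbox>/powershell' URI shape is likewise an assumption about how the SSRF would appear in logs.

```python
import re
from dataclasses import dataclass

# Assumption: the ProxyNotShell mitigation is modelled as a URL rewrite rule that
# blocks a request only when both 'autodiscover' and 'powershell' appear in it.
AUTODISCOVER_RULE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Detection: a request that reaches the backend PowerShell endpoint through any
# front-end path, /owa/ included (the '/owa/<mailbox>/powershell' shape is assumed).
POWERSHELL_BACKEND = re.compile(r"^/(owa|autodiscover)/.*powershell", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    mitigated: bool  # would the Autodiscover-only rewrite rule have matched it?

def parse_iis_line(line):
    """Constructed minimal W3C layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    _date, _time, c_ip, method, stem, query, status = line.split()
    uri = stem if query == "-" else f"{stem}?{query}"
    return c_ip, method, uri, int(status)

def scan(log_lines):
    """Return a Finding for every request whose URI targets the PowerShell backend."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        c_ip, _method, uri, _status = parse_iis_line(line)
        if POWERSHELL_BACKEND.search(uri):
            findings.append(Finding(n, c_ip, uri, bool(AUTODISCOVER_RULE.search(uri))))
    return findings

# Constructed sample: a normal OWA logon, an Autodiscover-path request the rewrite
# rule would catch, and an OWA-path request to PowerShell that it would miss.
SAMPLE_LOG = [
    "2022-12-20 10:00:01 203.0.113.5 GET /owa/auth/logon.aspx - 200",
    "2022-12-20 10:00:07 203.0.113.7 POST /autodiscover/autodiscover.json a@x.com/powershell 200",
    "2022-12-20 10:00:09 203.0.113.7 POST /owa/mastermailbox@example.com/powershell - 200",
]

def unmitigated_powershell_requests(log_lines=SAMPLE_LOG):
    """Requests that reach PowerShell yet slip past an Autodiscover-only rule."""
    return [f for f in scan(log_lines) if not f.mitigated]

if __name__ == "__main__":
    for f in unmitigated_powershell_requests():
        print(f"line {f.line_no}: {f.client_ip} -> {f.uri} (rewrite rule would NOT match)")
```

Against the constructed sample only the third line is reported, which is the point of the patch-rather-than-mitigate advice above.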
Cisco warns of a critical flaw that could lead to compromise of its IP phones

Summary: Cisco has published a new security advisory about a critical flaw in the firmware of its IP Phone 7800 and 8800 series that could lead to remote code execution or a denial-of-service (DoS) condition. The networking equipment vendor said it is working on a patch for the vulnerability, which is tracked as CVE-2022-20968 (CVSS score: 8.1).

The vulnerability is caused by insufficient input validation of received Cisco Discovery Protocol (CDP) packets. CDP is a proprietary, network-layer-independent protocol used to collect information about directly connected neighbouring devices, such as their hardware, software and device name, and it is enabled by default.

"An attacker could exploit this vulnerability by sending Cisco Discovery Protocol traffic to an affected device," the company said in an advisory published on December 8, 2022. "A successful exploit could allow the attacker to cause a stack overflow, which could lead to remote code execution or a denial of service (DoS) condition on the affected device."

Cisco IP Phones running firmware release 14.2 and earlier are affected. A patch is scheduled for release in January 2023, and the company says no fix is available in the meantime. However, in deployments that support both LLDP (Link Layer Discovery Protocol) and CDP for neighbour discovery, administrators can disable CDP so that the affected devices advertise their identity and capabilities to directly connected neighbours over LLDP instead.

"This change is not trivial and requires effort on the part of the enterprise to evaluate any potential impact on devices, as well as the best approach to deploying this change in their enterprise," the company says. It also warned that it is aware of the availability of a proof-of-concept (PoC) exploit and that the flaw has been publicly disclosed. There is no evidence that the vulnerability has been actively exploited so far.

Qian Chen of the Codesafe Legendsec team at Qi'anxin Group is credited with discovering and reporting the vulnerability.
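Before deciding whether to disable CDP, an administrator needs to know which phones on a switch are in the affected range. The triage helper below is an added example, not code from Cisco or the advisory: it parses constructed `show cdp neighbors detail` output (the layout is assumed and simplified; only the Platform and Version lines are used) and lists 7800/8800-series phones whose firmware release is 14.2 or earlier, the range the advisory names.

```python
import re

# Constructed sample of 'show cdp neighbors detail' output from an access switch.
# The layout and the SIP firmware version strings are assumptions for this example.
SAMPLE_CDP_DETAIL = """\
-------------------------
Device ID: SEP00AABBCC0001
Platform: Cisco IP Phone 8841,  Capabilities: Host Phone
Version :
sip88xx.14-1-1-0001-125
-------------------------
Device ID: SEP00AABBCC0002
Platform: Cisco IP Phone 7841,  Capabilities: Host Phone
Version :
sip78xx.14-2-1-0001-20
-------------------------
Device ID: SEP00AABBCC0003
Platform: Cisco IP Phone 8865,  Capabilities: Host Phone
Version :
sip8845_65.14-3-1-0001-4
-------------------------
Device ID: SW-CORE-01
Platform: cisco WS-C3850-48P,  Capabilities: Switch IGMP
Version :
Cisco IOS Software, IOS-XE Software, Version 16.12.4
"""

AFFECTED_PLATFORM = re.compile(r"Cisco IP Phone (78|88)\d\d")      # 7800 / 8800 series
FIRMWARE_VERSION = re.compile(r"^sip\S*?\.(\d+)-(\d+)-")           # sip88xx.14-1-1-... -> (14, 1)
ADVISORY_MAX_AFFECTED = (14, 2)   # advisory: release 14.2 and earlier are affected

def parse_neighbors(text):
    """Yield (device_id, platform, version_line) for each CDP neighbour block."""
    for block in text.split("-------------------------"):
        dev = re.search(r"Device ID: (\S+)", block)
        plat = re.search(r"Platform: ([^,]+)", block)
        ver = re.search(r"Version :\n(.+)", block)
        if dev and plat and ver:
            yield dev.group(1), plat.group(1).strip(), ver.group(1).strip()

def affected_phones(text=SAMPLE_CDP_DETAIL):
    """Device IDs of 7800/8800 phones whose firmware release is at or below 14.2."""
    hits = []
    for dev, plat, ver in parse_neighbors(text):
        m = FIRMWARE_VERSION.match(ver)
        if AFFECTED_PLATFORM.search(plat) and m:
            if (int(m.group(1)), int(m.group(2))) <= ADVISORY_MAX_AFFECTED:
                hits.append(dev)
    return hits

if __name__ == "__main__":
    print("Phones in the affected range:", affected_phones())
```

The switch itself and the phone on release 14.3 are left out, leaving the two devices that need the January 2023 patch or a CDP-to-LLDP change.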