Cybersecurity News – Exchange Zero-Days Evaded, Fake Email Scam, Report Teams Phishing

As ISPs adopt stricter email policies, senders without authentication will face difficulties with email deliveries; this is especially impactful for smaller businesses that rely on shared IPs. Even with robust email authentication standards, threat actors find workarounds to target businesses through email-borne threats. Here are the latest news headlines to keep you updated on these threats.

Threat Actors Bypass Mitigation For Exchange Zero-Day Vulnerabilities – Microsoft Issues New Workarounds

Microsoft recently updated its mitigation strategies for the Exchange Server’s newly discovered and actively exploited zero-day flaws after discovering that malicious actors trivially bypassed them. The two vulnerabilities, CVE-2022-41040 and CVE-2022-41082, are codenamed ProxyNotShell because they resemble another set of flaws called ProxyShell, which Microsoft resolved last year.

Attackers are abusing the two flaws in in-the-wild attacks to gain remote code execution with elevated privileges on compromised servers, and the intrusions go on to deploy web shells.

The Windows maker, yet to release a fix for the bugs, recently acknowledged that a state-sponsored threat actor might be weaponizing the flaws since August 2022. Consequently, Microsoft revised the URL Rewrite rule (available as a standalone PowerShell script) as a workaround:

  • Open IIS Manager
  • Select Default WebSite
  • Click URL Rewrite in the Feature View
  • Click Add Rule(s) in the right-hand side Actions pane
  • Click on Request Blocking and click OK
  • Add the string .*autodiscover\.json.*Powershell.* (excluding quotes)
  • Under “Using”, Select Regular Expression
  • Under “How to block”, select Abort Request and then click OK
  • Expand the rule, selecting the rule with the pattern: .*autodiscover\.json.*Powershell.*
  • Click “Edit” under Conditions
  • Change the Condition input – from {URL} to {REQUEST_URI}
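The same end state can be reached without clicking through IIS Manager. The script below is an added example written for this post, not Microsoft's own mitigation script; it uses the IIS WebAdministration cmdlets to create the request-blocking rule described in the steps above, with the condition input set to {REQUEST_URI} so that the full request URI (path and query string) is inspected rather than the path alone. The site name "Default Web Site" comes from the steps; the rule name, the stopProcessing value and the ECMAScript pattern syntax (the applicationHost.config name for what IIS Manager labels "Regular Expression") are assumptions. Run it in an elevated PowerShell session on the Exchange server.

```powershell
# Added example (not Microsoft's script): applies the URL Rewrite request-blocking
# workaround from the steps above via the WebAdministration module.
Import-Module WebAdministration

$SiteName = 'Default Web Site'                          # site named in the steps above
$RuleName = 'Block autodiscover PowerShell (workaround)' # assumed rule name
$Pattern  = '.*autodiscover\.json.*Powershell.*'        # pattern given in the steps above
$PsPath   = "MACHINE/WEBROOT/APPHOST/$SiteName"
$RulesFilter = 'system.webServer/rewrite/rules'
$RuleFilter  = "$RulesFilter/rule[@name='$RuleName']"

# Idempotent: drop any earlier copy of the rule (for example one still conditioned
# on {URL}) so the rewritten version below is the only one that applies.
if (Get-WebConfiguration -PSPath $PsPath -Filter $RuleFilter) {
    Remove-WebConfigurationProperty -PSPath $PsPath -Filter $RulesFilter -Name '.' `
        -AtElement @{ name = $RuleName }
}

# 1. Rule container. ECMAScript = "Regular Expression" in IIS Manager (assumption:
#    stopProcessing=True so no later rule re-evaluates a blocked request).
Add-WebConfigurationProperty -PSPath $PsPath -Filter $RulesFilter -Name '.' `
    -Value @{ name = $RuleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True' }

# 2. Match every URL; the actual test lives in the condition so that it can run
#    against {REQUEST_URI}, which includes the query string, instead of {URL}.
Set-WebConfigurationProperty -PSPath $PsPath -Filter "$RuleFilter/match" `
    -Name 'url' -Value '.*'

# 3. Condition input {REQUEST_URI} with the pattern from the steps above.
Add-WebConfigurationProperty -PSPath $PsPath -Filter "$RuleFilter/conditions" -Name '.' `
    -Value @{ input = '{REQUEST_URI}'; pattern = $Pattern }

# 4. "How to block": Abort Request.
Set-WebConfigurationProperty -PSPath $PsPath -Filter "$RuleFilter/action" `
    -Name 'type' -Value 'AbortRequest'

# Verify what IIS actually stored; the {REQUEST_URI} input is the point of the revision.
$cond = Get-WebConfiguration -PSPath $PsPath -Filter "$RuleFilter/conditions/add"
if ($cond.input -ne '{REQUEST_URI}' -or $cond.pattern -ne $Pattern) {
    throw "Rule '$RuleName' was not written as expected; inspect it in IIS Manager."
}
Write-Host "Rule '$RuleName' applied to '$SiteName' with condition input {REQUEST_URI}."
```

The final check matters more than it looks: a rule that exists but still reads {URL} in its condition is exactly the state Microsoft revised, so re-running this on a server where the earlier workaround was applied by hand confirms the condition was actually changed and not merely added alongside the old one. The rule remains a workaround, not a patch, until Microsoft ships a fix for the two CVEs.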

Scammers Pose as Singapore Prime Minister in a Fake Email Scam

Scammers are sending out fake emails, reportedly posing as Prime Minister Lee Hsien Loong, as they target high-profile personalities, including government officials, in pushing various scams. On October 3, 2022, PM Lee posted a photo of the email, which the threat actors had designed to look like it came from the Prime Minister’s Office.

“The content of the emails varies – the example in this email thanks the recipient for their valued contributions to Singapore,” Lee added. The scammers are relentless, and Lee advised people who receive such emails to ignore them and not forward them to friends or family. “We must stay extra careful and vigilant. If in doubt, you should check before proceeding,” PM Lee said.

Singapore police had earlier warned the public in June to stay vigilant against fake articles that show the Prime Minister endorsing cryptocurrency auto-trading programs. The articles, usually paid advertisements, act as “clickbait” and redirect users to malicious websites when they click on links embedded in these articles.

Microsoft to Allow Office 365 Users to Report Teams Phishing Messages

Microsoft is actively working on updating Microsoft Defender for Office 365 and allowing employees using Microsoft Teams to alert their organization’s security team if they receive any malicious messages. Microsoft Defender for Office 365 (formerly Office 365 ATP) shields enterprises from malicious threats from email links, messages and collaboration tools.

The in-development feature will allow the admins to filter potentially malicious messages targeting users with payloads or redirecting them to phishing websites. “End users can soon report suspicious Microsoft Teams messages as security threats, similar to emails. Thus, they can help the enterprise to protect itself from attacks through Microsoft Teams,” the team explained on the Microsoft 365 roadmap.

The user reporting capability is currently in preview; Microsoft expects to roll it out to standard multi-tenant customers by the end of January 2023, for web and desktop clients worldwide.

Latest Defender for Office 365 security enhancements:

The latest Defender for Office 365 capability builds upon improvements Microsoft announced in July 2021, which enabled Microsoft Teams to block phishing attempts automatically.

Microsoft achieved the milestone when it extended Defender for Office 365 Safe Links protection to Teams to help protect users from malicious URL-based phishing attacks.

Microsoft explained that “Defender for Office 365’s Safe Links scans URLs when a user clicks on them and ensures they are protected with Microsoft Defender’s latest intelligence.”

Built-In Protection patches gaps in organizational protection coverage and is designed to improve the security posture by drastically reducing the breach risk.

Malicious Actors Put Latin American Security Agencies on Edge

According to Mexico’s President, many emails from Mexico’s Defense Department are among the electronic communications stolen by a group of hackers from police and military agencies across various Latin American countries. President Andrés Manuel López Obrador acknowledged the breach after the Chilean government announced last week that emails were stolen from its Joint Chiefs of Staff.

The Mexican President spoke at the daily news conference, responding to a local media report that the breach revealed details about the President’s health scare in January. López Obrador downplayed the attack, saying, “there’s nothing unknown about me.” He added that the breach occurred during a change in the Defense Department systems.

Chile, on the other hand, was concerned enough about the breach that it summoned its defense minister, who had accompanied President Gabriel Boric to the United Nations General Assembly, back from the US last week.

The ten terabytes of data stolen by the threat actors include emails from the militaries of Colombia, El Salvador and Peru, and from El Salvador’s National Police. The Mexican portion of the data appeared to be the largest.

A group of anonymous, self-described social justice warriors calling themselves Guacamaya says it launches hacking campaigns to expose corruption and injustice in defense of Indigenous people. Hackers using the same name previously attacked a mining company accused of environmental and human rights abuses in Guatemala and released its emails.

Final Words

The increased significance of email authentication results from the continued use of email by adversaries as a platform for spam, fraud and spoofing. As evident from the stories above, tech giants like Microsoft are taking robust measures to protect their users from phishing and spam emails. The increased necessity for email authentication for successful delivery is a part of that combined effort.
