WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws

The U.S. Cybersecurity and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of “ProxyShell” Microsoft Exchange vulnerabilities that were patched earlier this May, including deploying LockFile ransomware on compromised systems.

Tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities enable adversaries to bypass ACL controls and elevate privileges on the Exchange PowerShell backend, effectively permitting unauthenticated remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker’s May Patch Tuesday updates.

“An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,” CISA said.

The development comes a little over a week after cybersecurity researchers sounded the alarm on opportunistic scanning and exploitation of unpatched Exchange servers by taking advantage of the ProxyShell attack chain.

Image Source: Huntress Labs

Originally demonstrated at the Pwn2Own hacking contest in April this year, ProxyShell is part of a broader trio of exploit chains discovered by DEVCORE security researcher Orange Tsai that includes ProxyLogon and ProxyOracle, the latter of which concerns two remote code execution flaws that could be employed to recover a user’s password in plaintext format.

“They’re backdooring boxes with webshells that drop other webshells and also executables that periodically call out,” researcher Kevin Beaumont noted last week.

Now, according to researchers from Huntress Labs, at least five distinct styles of web shells have been observed deployed to vulnerable Microsoft Exchange servers, with over 100 incidents related to the exploit reported between August 17 and 18. Web shells grant the attackers remote access to the compromised servers, but it isn’t clear exactly what the goals are or the extent to which all the flaws were used.

More than 140 web shells have been detected across no fewer than 1,900 unpatched Exchange servers to date, Huntress Labs CEO Kyle Hanslovan tweeted, adding “impacted [organizations] thus far include building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more.”

Source: https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29


More than 6,700 VMware servers exposed online and vulnerable to major new bug

More than 6,700 VMware vCenter servers are currently exposed online and vulnerable to a new attack that can allow hackers to take over unpatched devices and, through them, companies’ entire networks.

Image: VMware, ZDNet

Scans for VMware vCenter devices are currently underway, according to threat intelligence firm Bad Packets.

The scans started earlier today after a Chinese security researcher published proof-of-concept code on their blog for a vulnerability tracked as CVE-2021-21972.

This vulnerability impacts vSphere Client (HTML5), a plugin of VMware vCenter, a type of server usually deployed inside large enterprise networks as a centralized management utility through which IT personnel manage VMware products installed on local workstations.

Last year, security firm Positive Technologies discovered that an attacker could target the HTTPS interface of this vCenter plugin and execute malicious code with elevated privileges on the device without having to authenticate.

Because of the central role of a vCenter server inside corporate networks, the issue was classified as highly critical and privately reported to VMware, which released official patches yesterday, on February 23, 2021.

Due to the large number of companies that run vCenter software on their networks, Positive Technologies initially planned to keep details about this bug secret until system administrators had enough time to test and apply the patch.

However, the proof-of-concept code posted by the Chinese researcher (and by others) effectively denied companies any grace period to apply the patch, and also started a free-for-all mass scan for vulnerable vCenter systems left connected online, with hackers hurrying to compromise systems before rival gangs.

Making matters worse, the exploit for this bug is also a one-line cURL request, which makes it easy even for low-skilled threat actors to automate attacks.

According to a Shodan query, more than 6,700 VMware vCenter servers are currently connected to the internet. All these systems are vulnerable to takeover attacks if administrators have not applied yesterday’s CVE-2021-21972 patches.

VMware has taken this bug very seriously and has assigned a severity score of 9.8 out of a maximum of 10 and is now urging customers to update their systems as soon as possible.

Due to the critical and central role that VMware vCenter servers play in enterprise networks, a compromise of this device could allow attackers access to any system that’s connected or managed through the central server.

These are the types of devices that threat actors (known as “network access brokers”) like to compromise and then sell on underground cybercrime forums to ransomware gangs, which then encrypt victims’ files and demand huge ransoms. Furthermore, ransomware gangs like Darkside and RansomExx started going after VMware systems last year, showing just how effective targeting these VM-based enterprise networks can be.

Since a PoC is now out in the open, Positive Technologies has also decided to publish an in-depth technical report on the bug, so network defenders can learn how the exploit works and prepare additional defenses or forensic tools to detect past attacks.

Source: zdnet.com

Fortinet Recognized as Visionary in the 2020 Gartner Magic Quadrant for Wired and Wireless LAN Access Infrastructure

Gartner defines visionary as, “A vendor in the Visionaries Quadrant demonstrates an ability to increase features in its offering to provide a unique and differentiated approach to the market. A Visionary will have innovated in one or more of the key areas of access layer technologies within the enterprise (for example, security, management or operational efficiency). The ability to apply differentiating functionality across the entire access layer will affect its position.”

We believe our Security-Driven Networking approach to wired and wireless networking is engineered for a secure LAN Edge. It reflects a vision that increases features, not licensing, and is secure by design, not by add-on. Further, it is integrated into a platform that addresses digital transformation from LAN Edge to WAN Edge to Cloud Edge, and beyond.

Gartner 2020 Magic Quadrant for Web Application Firewalls

Fortinet is a Challenger in the 2020 Gartner Magic Quadrant for Web Application Firewalls.

We believe Fortinet delivers an effective, easy-to-manage, high-performance web application firewall (WAF) that protects web applications and APIs against both known and unknown threats.

Backed by threat intelligence from FortiGuard Labs and enhanced with machine learning, FortiWeb provides the full protection your web-facing applications and APIs need. The combination of high performance and flexible deployment options makes Fortinet an easy choice for security leaders.

Click Learn More to see:

  • Gartner’s view of the WAF market
  • A comprehensive survey of enterprise web application firewall vendors
  • Why Fortinet has been recognized as a Challenger

Fortinet is a Leader in the 2020 Gartner Magic Quadrant for Network Firewalls

Recognized in the Gartner Magic Quadrant for Network Firewalls for the 11th time

FortiGate Network Firewalls, also known as Next-Generation Firewalls or NGFWs, enable our Security-Driven Networking approach, which protects any edge at any scale. Using FortiGate Network Firewalls as part of the Fortinet Security Fabric, customers realize the following key benefits:

  • Manage Operational & Security Risks. Keep operations running with full visibility and best-of-breed protection across the entire attack surface.
  • Reduce Cost & Complexity. Achieve best TCO and defense in depth with segmentation and trusted application access.
  • Improve Operational Efficiency. Streamline operations with simplified enterprise-wide workflows using single-pane-of-glass management.

Fortinet Named a Leader in the 2020 Gartner Magic Quadrant for WAN Edge Infrastructure

Fortinet Secure SD-WAN is the heart of true Security-Driven Networking

Placed in the Leaders Quadrant for 2020

Fortinet Secure SD-WAN:

  • Delivers a world-class user experience. Fortinet customers can overcome WAN impairments at all edges using our comprehensive self-healing SD-WAN, achieve high performance thanks to our purpose-built ASIC and architecture, and maximize application performance with AI/ML-powered application learning.
  • Reduces costs and complexity. Fortinet converges networking and security into a unified SD-WAN solution with centralized orchestration, enabling customers to reduce operational complexity, and achieve the most desirable TCO.
  • Provides a path for protecting all edges. Fortinet customers future-proof their investments by extending SD-WAN with cloud-delivered security innovations that provide flexible, secure access for a diverse and distributed workforce—anytime and anywhere. Unified orchestration capabilities further provide end-to-end visibility and control of the network environment.