Cyber Security Headlines: Microsoft Zero days, Lazarus attacks Dell, NSA employee caught

Microsoft confirms two Exchange Server zero days are being used in cyberattacks

Microsoft confirmed late Thursday that it is investigating two zero days affecting its Exchange Server software, following a report from Vietnamese cybersecurity firm GTSC that the vulnerabilities are being exploited in the wild. GTSC said it discovered the issues in August while doing security incident monitoring and response, then reported them to Microsoft’s Zero Day Initiative, which confirmed the bugs. The attacks GTSC reported chain the two vulnerabilities together. The first, a server-side request forgery vulnerability designated CVE-2022-41040, can allow an attacker who already holds credentials for a user account on the mail server to gain unauthorized levels of access. The second, CVE-2022-41082, allows remote code execution similar to the 2021 ProxyShell issues that caused chaos for many companies, according to GTSC, although the firm wrote it was not yet comfortable releasing the technical details.

(The Record)

Lazarus hackers abuse Dell driver bug using new FudModule rootkit

The notorious North Korean hacking group has been observed installing a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver attack. The spear-phishing campaign unfolded in the autumn of 2021, and the confirmed targets, an aerospace expert in the Netherlands and a political journalist in Belgium, were emailed fake job offers at Amazon. ESET reports that among the tools deployed in this campaign, the most interesting is a new FudModule rootkit that abuses a BYOVD (Bring Your Own Vulnerable Driver) technique to exploit a vulnerability in a Dell hardware driver for the first time.

(Bleeping Computer)

Ex-NSA employee charged with violating Espionage Act, selling U.S. cyber secrets

The former employee, Jareh Sebastian Dalke, appeared in federal court Thursday on charges that he attempted to transmit classified “national defense information” to an FBI agent he believed was a Russian operative, in exchange for $85,000, according to the Justice Department. He had allegedly told the undercover agent that he had access to information “relating to foreign targeting of U.S. systems and information on cyber operations,” according to the affidavit. Dalke was only employed by the NSA for about three weeks before quitting on July 1, but while there he had a top-secret clearance in his role as an “information systems security designer,” according to the FBI.

Microsoft to let Office 365 users report Teams phishing messages

Microsoft is working on updating Microsoft Defender for Office 365 to allow Microsoft Teams users to alert their organization’s security team to any dodgy messages they receive. Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection, or Office 365 ATP) protects organizations from malicious threats delivered via email messages, links, and collaboration tools. This in-development feature aims to allow admins to filter potentially dangerous messages that target employees with malicious payloads or try to redirect them to phishing websites. “End users will be able to report suspicious Microsoft Teams messages as a security threat just like they do for emails,” Microsoft explains on the Microsoft 365 roadmap. The feature is expected to be generally available by January.

(Bleeping Computer)

And now thanks to this week’s episode sponsor, Hunters

Hunters is a SaaS platform, purpose built for Security Operations teams. Providing unlimited data ingestion and normalization at a predictable cost, Hunters helps SOC teams mitigate real threats faster and more reliably than SIEM. Visit to learn more.

BlackCat ransomware gang claims to have hacked US defense contractor NJVC

The ALPHV/BlackCat ransomware gang claims to have breached the IT firm NJVC, which supports the federal government and the United States Department of Defense. The company supports intelligence, defense, and geospatial organizations and has more than 1,200 employees in locations worldwide. BlackCat added NJVC to the list of victims on its Tor leak site and is threatening to release the allegedly stolen data if the company does not pay the ransom. The claim is still in some doubt, since the group’s Tor leak site has since removed the listing.

(Security Affairs)

Steganography alert: Backdoor spyware stashed in Microsoft logo

Internet snoops have been caught concealing spyware in an old Windows logo in an attack on governments in the Middle East. The Witchetty gang used steganography to stash backdoor Windows malware – dubbed Backdoor.Stegmap – in the bitmap image. “Although rarely used by attackers, if successfully executed, steganography can be leveraged to disguise malicious code in seemingly innocuous-looking image files,” said researchers at Symantec’s Threat Hunter Team last week. They added, “Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service.”

(The Register)

German police identify gang that stole €4 million via phishing attacks

The phishing campaigns were conducted between October 3, 2020, and May 29, 2021; the gang sent victims messages posing as coming from German banks. A statement released by the Bundeskriminalamt, Germany’s Federal Criminal Police Office, said the e-mails were visually and linguistically convincing: they informed recipients of changes to the bank’s security system and asked them to click an embedded link that redirected them to a landing page requesting their credentials and TAN (transaction authentication number). One of the accomplices now faces 124 charges of computer fraud.

(Security Affairs)

Last week in ransomware

As expected, threat actors now use the leaked LockBit 3.0 ransomware builder for their ransomware operations. For example, the Bl00Dy Ransomware Gang, who previously used Babuk and Conti encryptors, has now switched to a LockBit 3.0 encryptor in an attack on a Ukrainian business. Researchers also reported that TargetCompany ransomware affiliates are now targeting publicly exposed Microsoft SQL servers. New research predicts that ransomware gangs may move away from encrypting altogether and switch to pure data exfiltration and file deletion to cut out the ransomware developer. This idea stems from a new file deletion/corruption feature in a data theft tool used by a BlackMatter affiliate. Finally, this week we learned about Royal Ransomware, which has been quietly working from the shadows since February but has, more recently, ramped up attacks.

(Bleeping Computer)