As part of its monthly patch cycle, Microsoft in April released fixes for a total of 114 security flaws, including one actively exploited zero-day and four remote code execution bugs in Exchange Server. Of the 114 flaws, 19 were rated critical, 88 important and one moderate in severity.
The most notable, tracked as CVE-2021-28310, is a privilege escalation vulnerability in Win32k that is under active exploitation; it allows an attacker who can already run code on a system to elevate their privileges.
Cybersecurity company Kaspersky, which discovered the flaw and reported it to Microsoft in February, linked the zero-day exploit to an advanced persistent threat (APT) group called Bitter, which was caught exploiting a similar flaw (CVE-2021-1732) last year.
“It is an exploit that allows elevation of privilege [escalation of privilege, or EoP], which is probably used in conjunction with browser exploits to escape sandboxes or obtain system privileges for further access,” said Boris Larin, a researcher at Kaspersky.
New bugs affect Exchange Server
Also fixed by Microsoft are four remote code execution (RCE) flaws, CVE-2021-28480 through CVE-2021-28483, affecting on-premises Exchange Server 2013, 2016 and 2019, which were reported to the company by the US National Security Agency (NSA). Two of the code execution bugs are pre-authentication, require no user interaction and carry a score of 9.8 on the CVSS (Common Vulnerability Scoring System).
Although Microsoft said it found no evidence of active exploitation, customers are advised to install these updates as soon as possible, in light of the widespread attacks on Exchange Server last month and new findings that attackers are attempting to use the ProxyLogon exploit to deploy malicious cryptominers on Exchange servers, with the payload hosted on a compromised Exchange Server.
The US Cybersecurity and Infrastructure Security Agency (CISA) also revised the emergency directive issued last month, stating that “these vulnerabilities pose an unacceptable risk to the federal enterprise and require immediate and emergency action”, while warning that the underlying flaws can be weaponized by reverse engineering the patch to create an exploit.
FBI removes backdoors from Exchange Server
In addition, the FBI carried out a “successful action” to “copy and remove” web shells planted by adversaries on hundreds of victim computers using the ProxyLogon flaws. The bureau is said to have cleaned up web shells installed by the hacking group Hafnium that could have been used to maintain persistent, unauthorized access to US networks.
“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” said the Department of Justice in a statement detailing the court-authorized operation.
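The web shells described above are dropped as script files under web-facing paths that the application never ships, so a cheap first triage step for a defender is to compare the server-side scripts currently on disk against a known-good inventory. The following is an added example and is not code from the article, the FBI or Microsoft; the directory layout, the baseline entries and the sample files are all constructed for the demo, and the check only reports findings, it never deletes anything.

```python
"""Added example (not from the CISO Advisor article): baseline-drift check for
ASP.NET script files under a web root. New or modified .aspx/.asp files are
the candidates an incident responder would inspect first. All paths, sample
files and baseline hashes are constructed for this demo."""
import hashlib
import os
import tempfile

# Server-side script extensions worth inventorying (assumption: extend as needed).
SCRIPT_EXTS = ('.aspx', '.asp', '.ashx', '.asmx')


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map relative path (forward slashes) -> sha256 for every script under root."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SCRIPT_EXTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, '/')
                result[rel] = sha256_of(full)
    return result


def diff_against_baseline(current, baseline):
    """Return (new_files, modified_files, missing_files) relative to baseline.
    New or modified scripts are what to inspect; the function changes nothing."""
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    return new, modified, missing


def build_sample_tree():
    """Constructed layout: one shipped logon page plus one unexpected script.
    The unexpected file holds only a placeholder comment."""
    root = tempfile.mkdtemp(prefix='owa_demo_')
    auth = os.path.join(root, 'owa', 'auth')
    os.makedirs(auth)
    with open(os.path.join(auth, 'logon.aspx'), 'w') as fh:
        fh.write('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    with open(os.path.join(auth, 'errorZZ.aspx'), 'w') as fh:
        fh.write('<!-- constructed placeholder for a file the baseline does not know -->\n')
    return root


def run_demo():
    """Build the sample tree, inventory it and diff it against a constructed
    baseline that only knows the shipped logon page."""
    root = build_sample_tree()
    current = inventory(root)
    baseline = {'owa/auth/logon.aspx': current['owa/auth/logon.aspx']}
    return diff_against_baseline(current, baseline)


if __name__ == '__main__':
    new, modified, missing = run_demo()
    print('new:', new)
    print('modified:', modified)
    print('missing:', missing)
```

In practice the baseline would come from a clean installation of the same Exchange build (or a vendor file manifest) and the scan would run against the real web root; a finding is a lead to examine and preserve, not proof of compromise by itself.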
See the original post at: https://www.cisoadvisor.com.br/novas-falhas-voltam-a-por-em-risco-servidores-exchange/?rand=59039