Blog entry by Les Bell

by Les Bell - Saturday, September 24, 2022, 8:47 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Exchange Servers Compromised For Spamming

Microsoft is warning of an attack which compromises cloud-hosted Exchange servers by installing a malicious OAuth application which then enables the attacker to send spam emails which appear to be from the victim's domain.

Initial access is achieved by a credential stuffing attack, using a dump of existing credentials, against an admin account which did not have multi-factor authentication enabled (which would have prevented the attack). Once this was achieved, the attacker probably ran a PowerShell script to register a new application, grant it the Exchange.ManageAsApp permission with admin consent, give it the global admin and Exchange admin roles, and then add credentials to the application so that they could maintain control of it.

This app was then used to create a new inbound connector and transport rules in Exchange, which allowed the threat actor to conduct a high-volume spam campaign intended to trick recipients into providing credit card details and signing up for a recurring subscription service - a fairly obvious scam, but one that still works well enough.
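The attack chain above leaves three distinct footprints a defender can look for: a burst of failed sign-ins for many different accounts from one source address followed by a success with no MFA, an application being granted the Exchange.ManageAsApp permission, and new inbound connectors or transport rules appearing shortly afterwards. The script below is an added example (not code from this post or from Microsoft's report) that runs those three checks over a handful of constructed audit records; the record field names, IP addresses, account names and application name are all invented for the example and are not the real Azure AD sign-in log or Unified Audit Log schema.

```python
"""Triage constructed Microsoft 365 audit records for the malicious-OAuth-app chain."""
from collections import defaultdict

# Constructed sample records (not real logs). Field names are this example's own
# simplification, not the exact schema of Azure AD sign-in or Exchange audit logs.
SAMPLE_EVENTS = [
    # One source address fails against six different accounts in quick succession...
    {"kind": "signin", "ts": "2022-09-20T01:00:01Z", "ip": "203.0.113.10", "user": "alice@example.com", "result": "Failure", "mfa": False},
    {"kind": "signin", "ts": "2022-09-20T01:00:02Z", "ip": "203.0.113.10", "user": "carol@example.com", "result": "Failure", "mfa": False},
    {"kind": "signin", "ts": "2022-09-20T01:00:03Z", "ip": "203.0.113.10", "user": "dave@example.com", "result": "Failure", "mfa": False},
    {"kind": "signin", "ts": "2022-09-20T01:00:04Z", "ip": "203.0.113.10", "user": "erin@example.com", "result": "Failure", "mfa": False},
    {"kind": "signin", "ts": "2022-09-20T01:00:05Z", "ip": "203.0.113.10", "user": "frank@example.com", "result": "Failure", "mfa": False},
    {"kind": "signin", "ts": "2022-09-20T01:00:06Z", "ip": "203.0.113.10", "user": "grace@example.com", "result": "Failure", "mfa": False},
    # ...and then succeeds against an admin account that was never prompted for MFA.
    {"kind": "signin", "ts": "2022-09-20T01:00:09Z", "ip": "203.0.113.10", "user": "admin@example.com", "result": "Success", "mfa": False},
    # A user mistyping their own password twice is noise, not stuffing.
    {"kind": "signin", "ts": "2022-09-20T01:05:00Z", "ip": "198.51.100.7", "user": "bob@example.com", "result": "Failure", "mfa": False},
    {"kind": "signin", "ts": "2022-09-20T01:05:20Z", "ip": "198.51.100.7", "user": "bob@example.com", "result": "Success", "mfa": True},
    # Azure AD audit: a freshly registered app is granted Exchange.ManageAsApp.
    {"kind": "audit", "ts": "2022-09-20T01:10:00Z", "actor": "admin@example.com",
     "operation": "Add app role assignment to service principal", "target": "MailSyncHelper", "detail": "Exchange.ManageAsApp"},
    # Exchange admin audit: mail-flow objects created shortly afterwards.
    {"kind": "audit", "ts": "2022-09-20T01:12:00Z", "actor": "admin@example.com",
     "operation": "New-InboundConnector", "target": "Inbound-Relay-1", "detail": "SenderIPAddresses=203.0.113.0/24"},
    {"kind": "audit", "ts": "2022-09-20T01:13:00Z", "actor": "admin@example.com",
     "operation": "New-TransportRule", "target": "Bypass-Filtering", "detail": "SetSCL=-1"},
]

# Cmdlets that change how mail enters or flows through the tenant.
MAIL_FLOW_OPERATIONS = {"New-InboundConnector", "Set-InboundConnector", "New-TransportRule", "Set-TransportRule"}
RISKY_APP_PERMISSION = "Exchange.ManageAsApp"


def detect_credential_stuffing(events, distinct_user_threshold=5):
    """Flag source IPs that failed against many distinct accounts and then logged in without MFA.

    Returns one finding per suspicious IP/successful-account pair.
    """
    failed_users = defaultdict(set)
    for ev in events:
        if ev["kind"] == "signin" and ev["result"] == "Failure":
            failed_users[ev["ip"]].add(ev["user"])
    findings = []
    for ev in events:
        if ev["kind"] != "signin" or ev["result"] != "Success" or ev["mfa"]:
            continue  # successful logins that passed MFA are not the concern here
        spray_size = len(failed_users.get(ev["ip"], ()))
        if spray_size >= distinct_user_threshold:
            findings.append({"ip": ev["ip"], "compromised_user": ev["user"],
                             "distinct_failed_users": spray_size, "ts": ev["ts"]})
    return findings


def detect_risky_app_grants(events):
    """Return audit records where an application was granted Exchange.ManageAsApp."""
    return [{"app": ev["target"], "granted_by": ev["actor"], "ts": ev["ts"]}
            for ev in events
            if ev["kind"] == "audit"
            and ev["operation"] == "Add app role assignment to service principal"
            and RISKY_APP_PERMISSION in ev["detail"]]


def detect_mail_flow_changes(events):
    """Return inbound-connector and transport-rule changes, the spam-campaign enablers."""
    return [{"operation": ev["operation"], "object": ev["target"], "by": ev["actor"], "ts": ev["ts"]}
            for ev in events
            if ev["kind"] == "audit" and ev["operation"] in MAIL_FLOW_OPERATIONS]


def triage(events):
    """Run all three checks and report whether the full chain is present."""
    report = {
        "credential_stuffing": detect_credential_stuffing(events),
        "risky_app_grants": detect_risky_app_grants(events),
        "mail_flow_changes": detect_mail_flow_changes(events),
    }
    report["full_chain_observed"] = all(report[k] for k in
                                        ("credential_stuffing", "risky_app_grants", "mail_flow_changes"))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

In a real tenant the same logic would be fed from the sign-in logs and the Unified Audit Log rather than an inline list; the threshold of five distinct accounts per source address is an arbitrary starting point for the example, and the MFA condition is what separates the successful admin login here from Bob's ordinary typo-and-retry.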

Microsoft 365 Defender Research Team, Malicious OAuth application used to compromise email servers and spread spam, blog article, 22 September 2022. Available online at https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/.

NSA, CISA Advise on OT & ICS Defence

The National Security Agency and Cybersecurity & Infrastructure Security Agency have issued a joint alert providing guidance on security for Operational Technology (OT) and Industrial Control Systems (ICS). These systems monitor and control industrial processes - power stations, refineries, steel mills, but also air conditioning plant for office buildings, ovens for small bakeries and water treatment plants - which collectively are essential to . . . everything. Disrupting their operation can lead to outcomes from mild annoyance through political and economic gains to physical destruction and loss of life.

The alert provides guidance on the TTPs and overall game plan of threat actors targeting OT/ICS, as well as a suggested approach to the development of mitigation strategies.

NSA/CISA, Control System Defense: Know the Opponent, Alert AA22-265A, 22 September 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-265a.

Zoho ManageEngine Exploit in the Wild

A remote command execution vulnerability (CVE-2022-35405) in Zoho ManageEngine Access Manager Plus (version 4302 and earlier), Password Manager Pro (version 12100 and earlier) and PAM360 (version 5500 and earlier) is being actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities Catalog.

The insecure object deserialization vulnerability, in a Java XML-RPC parser, is of critical severity, and customers are advised to update their installations as soon as possible.

Uncredited, ManageEngine PAM360, Password Manager Pro, and Access Manager Plus remote code execution vulnerability, security advisory, September 2022. Available online at https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html.

Metador Mystery Threat Actor

Researchers at SentinelLabs have discovered a previously unseen threat actor which is primarily targeting telcos, ISPs and universities in the Middle East and Africa. The group, which they christened 'Metador', has deployed sophisticated malware which makes use of anti-forensics techniques to evade detection and LOLbins to deploy malware directly into memory.

The origin of the malware is unclear - linguistic analysis points to multiple developers speaking both English and Spanish, with references to British pop punk lyrics and Argentinian political cartoons - but since the cyberespionage is focused on the Middle East and Africa, it is possible the development of the malware was contracted out by a state agency.

Guerrero-Saade, Juan Andrés et al., The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities, technical report, 22 September 2022. Available online at https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Saturday, September 24, 2022, 11:37 AM ]