Security News

The US government is reportedly investigating Kraken, a massive cryptocurrency exchange suspected of violating sanctions against Iran, and is expected to slap the crypto behemoth with a fine in the near future. Allowing users in Iran to buy and sell tokens would put Kraken in violation of the sanctions, which has drawn the attention of federal investigators, the Times reported, citing five people affiliated with the company or with knowledge of the inquiry.

Microsoft says attackers increasingly use malicious Internet Information Services web server extensions to backdoor unpatched Exchange servers as they have lower detection rates compared to web shells. Microsoft previously saw custom IIS backdoors installed after threat actors exploited ZOHO ManageEngine ADSelfService Plus and SolarWinds Orion vulnerabilities.

Microsoft says attackers increasingly use malicious Internet Information Services web server extensions to backdoor unpatched Exchange servers as they have lower detection rates compared to web shells. "In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection," the Microsoft 365 Defender Research Team said Tuesday.

Admins were also told that they could find more information regarding these ongoing problems in the admin center under EX401976 and OL401977. While Redmond did not reveal the scale of the issue, thousands of reports have been submitted in the past 24 hours on DownDetector by Outlook and Exchange Online users who have either been unable or experienced difficulties when trying to log in or email.

Unidentified cyber threat actors have started using Brute Ratel C4, an adversary simulation tool similar to Cobalt Strike, to try to avoid detection by endpoint security solutions and gain a foothold on target networks, Palo Alto Networks researchers have found. Their line of attack is apparently successful, as one of the files delivering the Brute Ratel C4 "Badger" - a payload for remote access similar to Cobalt Strike's Beacon - has initially not been flagged as malicious by security tools leveraged by VirusTotal.

Attackers used a newly discovered malware to backdoor Microsoft Exchange servers belonging to government and military organizations from Europe, the Middle East, Asia, and Africa. In late April 2022, while still investigating the attacks, Kaspersky found that most of the malware samples identified earlier were still deployed on 34 servers of 24 organizations.

The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October. "Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote.

CISA has urged government agencies and private sector organizations using Microsoft's Exchange cloud email platform to expedite the switch from Basic Authentication legacy authentication methods without multifactor authentication support to Modern Authentication alternatives. Basic Auth is an HTTP-based auth scheme used by apps to send credentials in plain text to servers, endpoints, or online services.

A Chinese-speaking threat actor has hacked into the building automation systems of several Asian organizations to backdoor their networks and gain access to more secured areas in their networks. The APT group, whose activity was spotted by Kaspersky ICS CERT researchers, focused on devices unpatched against CVE-2021-26855, one of the Microsoft Exchange vulnerabilities collectively known as ProxyLogon.

Microsoft has reminded customers that the Exchange Server 2013 mail and calendaring platform will reach its extended end-of-support date roughly nine months from now, on April 11, 2021.Released in January 2013, Exchange Server 2013 entered its ninth year of service and has already reached the mainstream end date more than four years ago, on April 10, 2018.