Security News

Microsoft has announced that Exchange, SharePoint, and Skype for Business on-premises are now part of the Applications and On-Premises Servers Bounty Program starting today. With the expansion of this bug bounty program, security researchers who find and report vulnerabilities affecting on-premises servers are eligible for awards ranging from $500 up to $26,000.

The ever-evolving banking trojan IcedID is back again with a phishing campaign that uses previously compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts. The actors behind IcedID - as well as other spearphishers - have previously used phishing emails that "Reuse previously stolen emails to make the lure more convincing," researchers wrote.

A threat actor is exploiting vulnerable on-prem Microsoft Exchange servers and using hijacked email threads to deliver the IceID trojan without triggering email security solutions. The threat actor - believe to be an initial access broker - compromises vulnerable on-prem Microsoft Exchange servers and existing email accounts, then hijacks email threads by replying to them.

Cyber-criminals are using compromised Microsoft Exchange servers to spam out emails designed to infect people's PCs with IcedID,. It popped up last year when crooks hijacked a BP Chargemaster domain to spam out emails to spread IcedID. On Monday, Fortinet's FortiGuard Labs said it observed an email sent to a Ukrainian fuel company with a.zip containing a file that when opened drops IcedID on the PC. Security vendor Intezer also on Monday said it had seen unsecured Microsoft Exchange servers spamming out IcedID emails.

The distribution of the IcedID malware has seen a spike recently due to a new campaign that hijacks existing email conversation threads and injects malicious payloads that are hard to spot.The ongoing IcedID campaign was discovered this month by researchers at Intezer, who have shared their findings with Bleeping Computer prior to publication.

A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IceID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking," Israeli company Intezer said in a report shared with The Hacker News.

Microsoft has addressed 71 security flaws, including three critical remote code execution vulnerabilities, in its monthly Patch Tuesday update. Yes, an attacker needs to be authenticated, though Sophos Lab threat researcher Christopher Budd noted: "Given what we've seen recently around attacks against Exchange vulnerabilities, the critical severity rating and the nature of the vulnerability makes this an issue that should be patched as soon as possible."

Microsoft marks March 2022 Patch Tuesday with patches for 71 CVE-numbered vulnerabilities, including three previously unknown "Critical" ones and three "Important" ones that were already public. "If an attacker can lure an affected RDP client to connect to their RDP server, the attacker could trigger code execution on the targeted client," says Dustin Childs, with Trend Micro's Zero Day Initiative.

The ransomware gang known as "Cuba" is increasingly shifting to exploiting Microsoft Exchange vulnerabilities - including ProxyShell and ProxyLogon - as initial infection vectors, researchers have found. At the time, the FBI noted that the Cuba ransomware is distributed using a first-stage implant that acts as a loader for follow-on payloads: the Hancitor malware, which has been around for at least five years.

The Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly known as Cuba, which is how BleepingComputer will reference them throughout this article.