fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Chile’s Bank Regulator Shares IOCs After Microsoft Exchange Hack

Chile’s Bank Regulator Shares IOCs After Microsoft Exchange Hack

Chile’s Comisión para el Mercado Financiero (CMF) has disclosed that their Microsoft Exchange server was compromised through the recently disclosed ProxyLogon vulnerabilities.

The CMF operates under the Ministry of Finance and is the regulator and inspector for banks and financial institutions in Chile.

This week, CMF disclosed that they suffered a cyberattack after threat actors exploited the recently disclosed ProxyLogon vulnerabilities in their Microsoft Exchange servers to install web shells and attempt to steal credentials.

“The Commission for the Financial Market (CMF) updates information on the operational incident reported yesterday, caused by vulnerabilities in the Microsoft Exchange email platform.”

“The analyzes carried out by the information security and technology area of the CMF, together with external specialized support, have so far dismissed the presence of a ransomware and indicate that the incident would be limited to the Microsoft Exchange platform,” disclosed the Comisión para el Mercado Financiero.

CMF further states that they are investigating the breach and have been in contact with the Computer Security Incident Response Team (CSIRT) of the Ministry of Finance.

Also Read: The DNC Singapore: Looking At 2 Sides Better

CMF shares IOCs of their attack

To aid security professionals and other Microsoft Exchange administrators, the CMF has released IOCs of web shells and a batch file found on their compromised server.

  • 0b15c14d0f7c3986744e83c208429a78769587b5: error_page.aspx (China Chopper web shell)
  • bcb42014b8dd9d9068f23c573887bf1d5c2fc00e: supp0rt.aspx (China Chopper web shell)
  • 0aa3cda37ab80bbe30fa73a803c984b334d73894: test.bat (batch file to dump lsass.exe)

While indicators of compromise (IOC) will have different file hashes for each victim, in many attacks, the file names have been the same.

Web shells using the names ‘error_page.asp’ and ‘supp0rt.aspx’ have been used in numerous ProxyLogon attacks, and for the most are part, are identical with only a few changes specific to the victim.

These files are Microsoft Exchange Offline Address Books (OAB), whose ExternalUrl setting has been changed to the China Chopper web shell. This web shell allows threat actors to execute commands on the compromised Microsoft Exchange server remotely by visiting the URL configured in the ExternalURL setting.

Microsoft Exchange Offline Address Books (OAB) with web shell

The batch file, test.bat, is also commonly seen in ProxyLogon attacks and is used to dump the LSASS process’s memory to harvest Windows domain credentials. The batch file also exports a list of users on the Windows domain.

The command shown below will use the comsvcs.dll LOLBin to dump LSASS’ memory to a file in the IIS server’s wwwroot. It then uses dsquery to export a list of users in the Windows domain to a file.

These files are then zipped up in the wwwroot to be downloaded remotely by the threat actors.

Dumping the memory of the LSASS process

While most Microsoft Exchange attacks have been deploying web shells, harvesting credentials, and stealing mailboxes, some attacks are also installing cryptominers, and more recently, the DearCry ransomware on exploited servers.

Also Read: 4 Best Practices On How To Use SkillsFuture Credit

To help administrators find malicious files dropped in these attacks, Microsoft has released a script that searches Microsoft Exchange logs for IOCs and has updated their Microsoft Safety Scanner (MSERT) to detect known web shells.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us