The US CISA: Update Microsoft Exchange Now! Many state-sponsored APTs are exploiting the four vulnerabilities, even though Microsoft has patched them
Update Microsoft Exchange now! This is the alert issued by the US Cybersecurity & Infrastructure Security Agency (CISA). According to the infosec community, multiple state-sponsored hacking groups are still actively exploiting the four vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) that the company has just patched. ESET, quoted by Bleeping Computer, reports that many APTs are involved in the attack campaign. Three are Chinese: APT27, Bronze Butler (aka Tick), and Calypso. However, there are several other state-sponsored groups the researchers could not identify. Most targets are located in the US, but there have also been attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities.
The four Microsoft Exchange vulnerabilities
According to the cybersecurity experts, the four Microsoft Exchange vulnerabilities stem from flaws in how the OWA components, reachable on ports 80/443, handle user requests, which can allow an unauthenticated remote attacker to compromise the mail server. In particular, they can be chained together to execute arbitrary code with elevated privileges on the targeted services.