March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Alert – NJRAT – Active IOCs
August 22, 2021
Rewterz Threat Alert – Vidar Malware – Active IOCs
August 23, 2021
Rewterz Threat Alert – NJRAT – Active IOCs
August 22, 2021
Rewterz Threat Alert – Vidar Malware – Active IOCs
August 23, 2021
Severity
High
Analysis Summary
CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass.
CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend
CVE-2021-34473 – Post-auth Arbitrary-File-Write leads to RCE
After complete exploitation of Microsoft exchange Servers, attackers are setting down web shells that are helping them to execute other malicious programs for the elevation of privileges LockFile ransomware manipulates Microsoft Exchange ProxyShell and Windows PetitPotam vulnerabilities to take over Windows domains and encrypt devices. This LockFile ransomware encrypts all user’s data on the PC (photos, documents, excel tables, music, videos, etc), adds its specific extension to every file, and creates the Recovery_Instructions.html files in every folder which contains encrypted files.
Impact
- Bypass Security
- Code Execution
- Privilege Escalation
Affected Vendors
Microsoft
Affected Products
Microsoft Exchange Servers
Indicators of Compromise
MD5
- bc70a7b384558cafbbc04f00a59cbe8d
- 8ed32ace2fbce50296d3a1a16d963ba7
- 8d17765168677ef76400b497fb0c0fd3
- 335b9a537a380ec5936a7210ad64d955
SHA-256
- 36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9
- 5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f
- 1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b7
- 7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd
SHA1
- b8d1b1b4b759c4380293537fc4cc3622fffbd52e
- 11ce3d5e6e3451d059f65c4676145020d42c3835
- 32f7064bd6f740041ddd1d819a667b12d6c24a28
- c17b605ad2630869e063ffc575c36c5b6c8f853a
Remediation
Microsoft has issued an update to correct this vulnerability. More details can be found at:
For CVE-2021-31207
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207
For CVE-2021-34523
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523
For CVE-2021-34473
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473