SecPod Labs Intelligence Series
PROXYLOGON: MS EXCHANGE SERVER VULNERABILITIES
Webcasts, 27th May 2021
Pooja Shetty, Security Intelligence Team Lead
Jagsir, Director - Marketing
Veerendra, Director - Security Intelligence
2
TODAY'S AGENDA
Copyright © 2008 - 2021 SecPod Technologies - AUTHORISED USE ONLY
What are MS Exchange Vulnerabilities?
ProxyLogon Vulnerability and its impact on businesses
Building Defence using SanerNow
Questions and Answers
3
MS Exchange Server Vulnerabilities' Real impact on email server compromise
Read and copy all emails
Install backdoors
Install ransomware, keyloggers, etc.
Install web shells, reverse shells, etc.
Advanced social engineering attacks
4
MS Exchange Server Vulnerability Stats - Last 5 Years
(bar chart; counts per year as read from the chart's data labels, Critical bars labelled from 2018 onward)

Year               2016  2017  2018  2019  2020  2021
Medium Severity       7    11    10     6     4     2
High Severity         1     6     4     4     8    11
Critical Severity     -     -     2     2     2     4
5
MS Exchange Server Vulnerability Stats - Severity Growth
(bar chart; counts per year as read from the chart's data labels)

Year               2018  2019  2020  2021
High Severity         4     4     8    11
Critical Severity     2     2     2     4
6
MS Exchange Server - ProxyLogon Vulnerability Disclosure Timeline
01 Oct 2020 - DEVCORE started research on MS Exchange
10 Dec 2020 - DEVCORE discovered the first vulnerability, CVE-2021-26855
30 Dec 2020 - DEVCORE discovered the second vulnerability, CVE-2021-27065
03 Jan 2021 - First observed exploitation, reported by Volexity
06 Jan 2021 - MSRC acknowledged the bugs (MSRC Cases 62899 & 63835)
27 Feb 2021 - Widespread scanning and possible exploitation of Exchange
02 Mar 2021 - Nation-state group HAFNIUM activity disclosed by Microsoft
02 Mar 2021 - MSRC published the out-of-band patch and advisory and officially acknowledged DEVCORE
04 Mar 2021 - DEVCORE confirmed the in-the-wild exploit was the same one reported to MSRC
09 Mar 2021 - First public PoC available
7
Exchange Server Exploit Chain
8
Common themes being used in different attacks
Web Shells - mainly implanted on victim machines to gain access in the future
Human-Operated Ransomware - the operators exhibit extensive knowledge of systems administration and common network security misconfigurations, and they adapt to what they discover in a compromised network.
Stealing Credentials - access to Exchange servers allowed attackers to access and potentially steal credentials present on the system.
9
Tactics, Techniques and Procedures (TTPs) used in exploiting MS Exchange Vulnerabilities
DEJOCRYPT/DEARCRY RANSOMWARE
New ransomware campaign trying to exploit Exchange vulnerabilities
10
TTPs of the Exchange Vulnerabilities
DEJOCRYPT/DEARCRY RANSOMWARE - New ransomware campaign trying to exploit Exchange vulnerabilities
Encrypts victim files and changes file headers to include the string 'DEARCRY'
The Chopper web shell then creates a batch file that allows attackers to move laterally and steal credentials from the compromised system.
The ransomware creates a Windows service named msupdate, which is removed once the encryption process finishes.
11
Continued…
LEMON DUCK BOTNET
Uses direct shell command execution, unlike most other attacks, which dropped web shells
Operators have previously employed exploits for the SMBGhost and EternalBlue vulnerabilities
Downloads Cobalt Strike DNS beacons
Cobalt Strike is a commercially available penetration-testing tool; it sends out beacons to detect network flaws and has historically been used by attackers to exfiltrate data and deliver malware.
12
Continued…
LEMON DUCK BOTNET
Cryptocurrency miner and a malware loader
13
TTPs of the Exchange Vulnerabilities
PYDOMER RANSOMWARE
Ransomware family previously seen attacking Pulse VPN vulnerabilities
14
TTPs of the Exchange Vulnerabilities
PYDOMER RANSOMWARE
Human-operated ransomware - manually installed; extorts targets by threatening to release stolen data
Non-encryption extortion techniques are also being used
Web shells have been spotted on around 1,500 targets
A Python script compiled into a Windows executable encrypts files, appending the .demon extension
15
Building Defense: Complete response for Exchange vulnerabilities
PERFORM FULL INVESTIGATION
Scan the system with security software and install the security updates available from Microsoft
Investigate for the known IOCs and IOAs published by Microsoft
Look for unknown persistence items such as unexpected services, scheduled tasks, startup items, unknown RATs and shadow IT tools
Reset all admin credentials (randomize them) and check for any new admin or passwordless accounts
Check for Windows Event ID 1102 (The Audit Log Was Cleared)
Practice the principle of least privilege and mitigate lateral movement
Check email forwarding settings to identify whether mailbox data is being exfiltrated
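One way to work the investigation checklist above from the console, as an added example that is not part of the SecPod deck or of SanerNow: a read-only PowerShell triage script that writes one CSV per check. It assumes it is run elevated in the Exchange Management Shell on the on-premises Exchange server (for Get-Mailbox and Get-InboxRule) with the ActiveDirectory module installed; the 90-day lookback, the report folder, the service-path heuristic and the Exchange front-end subfolder are assumptions.

```powershell
<#
  Added example, not part of the SecPod deck. Read-only triage for the checklist above.
  Assumptions: elevated Exchange Management Shell on the on-premises Exchange server,
  ActiveDirectory module installed; lookback window, report folder and paths are assumed.
#>
param(
    [datetime]$Since     = (Get-Date).AddDays(-90),   # assumed lookback window
    [string]  $ReportDir = 'C:\IR\exchange-triage'    # assumed output folder
)

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Writes one CSV per check and prints a count so the operator sees what needs review.
function Save($Name, $Rows) {
    if ($Rows) { $Rows | Export-Csv -Path (Join-Path $ReportDir "$Name.csv") -NoTypeInformation }
    '{0,-22} {1,5} finding(s)' -f $Name, @($Rows).Count
}

# 1. Audit log cleared (Security Event ID 1102). Any hit inside the window needs an explanation.
$filter = @{ LogName = 'Security'; Id = 1102; StartTime = $Since }
Save 'event1102' (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName, Message)

# 2. Persistence. Heuristic filters (assumed): services whose binary sits outside \Windows\
#    and not under a Microsoft path (DearCry registered a service named 'msupdate'),
#    scheduled tasks not authored by Microsoft, and Run/RunOnce startup entries.
Save 'services' (Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\|Microsoft' } |
    Select-Object Name, DisplayName, PathName, StartMode, State)

Save 'scheduled-tasks' (Get-ScheduledTask |
    Where-Object { $_.Author -notlike 'Microsoft*' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskName = $_.TaskName
            Author   = $_.Author
            Action   = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            LastRun  = $info.LastRunTime
        }
    })

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Save 'startup-items' ($runKeys | ForEach-Object {
    $key = $_
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
})

# 3. Web-shell candidates: .aspx files created or modified inside the Exchange front end during
#    the window. ExchangeInstallPath is set by Exchange setup; the fallback and subfolder are assumed.
$exchangeRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath }
                else { 'C:\Program Files\Microsoft\Exchange Server\V15\' }
Save 'new-aspx' (Get-ChildItem -Path (Join-Path $exchangeRoot 'FrontEnd\HttpProxy') -Recurse `
        -Filter *.aspx -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length)

# 4. Accounts: privileged accounts created inside the window, and accounts flagged
#    "password not required" (the passwordless accounts the checklist refers to).
Save 'new-admins' (Get-ADGroupMember 'Domain Admins' -Recursive |
    Get-ADUser -Properties whenCreated -ErrorAction SilentlyContinue |
    Where-Object { $_.whenCreated -ge $Since } |
    Select-Object SamAccountName, whenCreated)
Save 'no-password-required' (Get-ADUser -Filter 'PasswordNotRequired -eq $true' |
    Select-Object SamAccountName, Enabled)

# 5. Exfiltration via mail: mailbox-level forwarding and inbox rules that forward or redirect.
$mailboxes = Get-Mailbox -ResultSize Unlimited
Save 'mailbox-forwarding' ($mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward)
Save 'forwarding-rules' ($mailboxes | ForEach-Object {
    Get-InboxRule -Mailbox $_.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled,
            @{ n = 'Targets'; e = { @($_.ForwardTo + $_.ForwardAsAttachmentTo + $_.RedirectTo) -join '; ' } }
})
```

Every CSV the script produces is a review list, not a verdict: a hit in event1102.csv or new-aspx.csv is the cue to preserve the host and pull the IOC set Microsoft published, and the credential reset the checklist calls for is left to the operator on purpose.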
16
Impact on Businesses
30,000-60,000 organizations have been breached through the exploitation of these vulnerabilities
Sector breakdown: Government/Defense 17%, Manufacturing 14%, Banking 11%, Healthcare 8%
10 times more attacks since Microsoft released a patch on March 2nd
125,000 unpatched Exchange servers across the world vulnerable to exploitation, as per Palo Alto Networks as on March 8th
$50,000-$100,000: hackers are already exploiting ProxyLogon vulnerabilities to install DearCry ransomware on Exchange servers in the US, CA and AU
17
“Exchange server vulnerabilities are used as part of an attack chain; the initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
- Microsoft
On March 15th, Microsoft released the Exchange On-premises Mitigation Tool (EOMT.ps1), designed to automate detection and patching of Exchange servers to help customers install security updates.
18
QUESTIONS?
KEEP YOUR ENDPOINTS SECURE FROM ATTACKERS! TRY SANERNOW FREE.
For enquiries, contact us at:
Email: info@secpod.com | Tech Support: support@secpod.com
Phone: (+1) 918 625 3023 (US) | (+91) 80 4121 4020 (IN)
30-DAY UNLIMITED ACCESS ON 10 DEVICES
WWW.SECPOD.COM

More Related Content

Similar to ProxyLogon - MS Exchange Server Vulnerabilities - JS Edited.pptx

IRJET- Detection and Isolation of Zombie Attack under Cloud Computing
IRJET- Detection and Isolation of Zombie Attack under Cloud ComputingIRJET- Detection and Isolation of Zombie Attack under Cloud Computing
IRJET- Detection and Isolation of Zombie Attack under Cloud ComputingIRJET Journal
 
Uncovering Vulnerabilities Beyond Software Vulnerabilities
Uncovering Vulnerabilities Beyond Software VulnerabilitiesUncovering Vulnerabilities Beyond Software Vulnerabilities
Uncovering Vulnerabilities Beyond Software VulnerabilitiesSecPod
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudMarkAnnati
 
Advanced Threats In The Enterprise
Advanced Threats In The EnterpriseAdvanced Threats In The Enterprise
Advanced Threats In The EnterprisePriyanka Aash
 
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...IRJET Journal
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesSymantec
 
The Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) AttackThe Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) AttackPrathan Phongthiproek
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927Todd Deshane
 
The Media Access Control Address
The Media Access Control AddressThe Media Access Control Address
The Media Access Control AddressAngie Lee
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanannewbie2019
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismGlobal Micro Solutions
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3IJERA Editor
 
Backdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerBackdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerIRJET Journal
 
DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptschwarz10
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.pptshreyng
 

Similar to ProxyLogon - MS Exchange Server Vulnerabilities - JS Edited.pptx (20)

IRJET- Detection and Isolation of Zombie Attack under Cloud Computing
IRJET- Detection and Isolation of Zombie Attack under Cloud ComputingIRJET- Detection and Isolation of Zombie Attack under Cloud Computing
IRJET- Detection and Isolation of Zombie Attack under Cloud Computing
 
Uncovering Vulnerabilities Beyond Software Vulnerabilities
Uncovering Vulnerabilities Beyond Software VulnerabilitiesUncovering Vulnerabilities Beyond Software Vulnerabilities
Uncovering Vulnerabilities Beyond Software Vulnerabilities
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
 
Advanced Threats In The Enterprise
Advanced Threats In The EnterpriseAdvanced Threats In The Enterprise
Advanced Threats In The Enterprise
 
APT - Project
APT - Project APT - Project
APT - Project
 
OS-Anatomy-Article
OS-Anatomy-ArticleOS-Anatomy-Article
OS-Anatomy-Article
 
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
 
The Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) AttackThe Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) Attack
 
Ece seminar 20070927
Ece seminar 20070927Ece seminar 20070927
Ece seminar 20070927
 
The Media Access Control Address
The Media Access Control AddressThe Media Access Control Address
The Media Access Control Address
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanan
 
Open port vulnerability
Open port vulnerabilityOpen port vulnerability
Open port vulnerability
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivism
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
 
Backdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerBackdoor Entry to a Windows Computer
Backdoor Entry to a Windows Computer
 
DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.ppt
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 

More from SecPod

Cybersecurity Strategies for Effective Attack Surface Reduction
Cybersecurity Strategies for Effective Attack Surface ReductionCybersecurity Strategies for Effective Attack Surface Reduction
Cybersecurity Strategies for Effective Attack Surface ReductionSecPod
 
Annual Vulnerability Report Insights - 2022
Annual Vulnerability Report Insights - 2022Annual Vulnerability Report Insights - 2022
Annual Vulnerability Report Insights - 2022SecPod
 
Closing Often Missed Vulnerabilities that Leave Organizations Exposed
Closing Often Missed Vulnerabilities that Leave Organizations ExposedClosing Often Missed Vulnerabilities that Leave Organizations Exposed
Closing Often Missed Vulnerabilities that Leave Organizations ExposedSecPod
 
Align Your ITSM and SecOps Strategy for Unstoppable IT
Align Your ITSM and SecOps Strategy for Unstoppable ITAlign Your ITSM and SecOps Strategy for Unstoppable IT
Align Your ITSM and SecOps Strategy for Unstoppable ITSecPod
 
Uncover Vulnerabilities Beyond Software Vulnerabilities
Uncover Vulnerabilities Beyond Software VulnerabilitiesUncover Vulnerabilities Beyond Software Vulnerabilities
Uncover Vulnerabilities Beyond Software VulnerabilitiesSecPod
 
How can SMEs combat cyberattacks through automated vulnerability management?
How can SMEs combat cyberattacks through automated vulnerability management?How can SMEs combat cyberattacks through automated vulnerability management?
How can SMEs combat cyberattacks through automated vulnerability management?SecPod
 
Security automation architecture principles for effective vulnerability manag...
Security automation architecture principles for effective vulnerability manag...Security automation architecture principles for effective vulnerability manag...
Security automation architecture principles for effective vulnerability manag...SecPod
 
How to Implement Organization Wide Cyber Hygiene?
How to Implement Organization Wide Cyber Hygiene?How to Implement Organization Wide Cyber Hygiene?
How to Implement Organization Wide Cyber Hygiene?SecPod
 
How to Achieve NIST Compliance using SanerNow?
How to Achieve NIST Compliance using SanerNow?How to Achieve NIST Compliance using SanerNow?
How to Achieve NIST Compliance using SanerNow?SecPod
 
How Mid Size Enterprises Can Automate Vulnerability Management and Prevent Cy...
How Mid Size Enterprises Can Automate Vulnerability Management and Prevent Cy...How Mid Size Enterprises Can Automate Vulnerability Management and Prevent Cy...
How Mid Size Enterprises Can Automate Vulnerability Management and Prevent Cy...SecPod
 
How to effectively monitor and manage IT assets in real-time using SanerNow
How to effectively monitor and manage IT assets in real-time using SanerNowHow to effectively monitor and manage IT assets in real-time using SanerNow
How to effectively monitor and manage IT assets in real-time using SanerNowSecPod
 
How to securely manage endpoints using SanerNow
How to securely manage endpoints using SanerNowHow to securely manage endpoints using SanerNow
How to securely manage endpoints using SanerNowSecPod
 
How to implement security compliance with SanerNow
How to implement security compliance with SanerNowHow to implement security compliance with SanerNow
How to implement security compliance with SanerNowSecPod
 
How to detect, assess, prioritize, and remediate vulnerabilities using SanerNow?
How to detect, assess, prioritize, and remediate vulnerabilities using SanerNow?How to detect, assess, prioritize, and remediate vulnerabilities using SanerNow?
How to detect, assess, prioritize, and remediate vulnerabilities using SanerNow?SecPod
 
The Art of Managing and Securing Endpoints with SanerNow Patch Management
The Art of Managing and Securing Endpoints with SanerNow Patch ManagementThe Art of Managing and Securing Endpoints with SanerNow Patch Management
The Art of Managing and Securing Endpoints with SanerNow Patch ManagementSecPod
 
The Art of Managing and Securing Endpoints
The Art of Managing and Securing EndpointsThe Art of Managing and Securing Endpoints
The Art of Managing and Securing EndpointsSecPod
 
Cybersecurity Strategies for Effective Attack Surface Reduction
Cybersecurity Strategies for Effective Attack Surface ReductionCybersecurity Strategies for Effective Attack Surface Reduction
Cybersecurity Strategies for Effective Attack Surface ReductionSecPod
 
Closing Often Missed Vulnerabilities that Leave Organizations Exposed
Closing Often Missed Vulnerabilities that Leave Organizations ExposedClosing Often Missed Vulnerabilities that Leave Organizations Exposed
Closing Often Missed Vulnerabilities that Leave Organizations ExposedSecPod
 

More from SecPod (18)

Cybersecurity Strategies for Effective Attack Surface Reduction
Cybersecurity Strategies for Effective Attack Surface ReductionCybersecurity Strategies for Effective Attack Surface Reduction
Cybersecurity Strategies for Effective Attack Surface Reduction
 
Annual Vulnerability Report Insights - 2022
Annual Vulnerability Report Insights - 2022Annual Vulnerability Report Insights - 2022
Annual Vulnerability Report Insights - 2022
 
Closing Often Missed Vulnerabilities that Leave Organizations Exposed
Closing Often Missed Vulnerabilities that Leave Organizations ExposedClosing Often Missed Vulnerabilities that Leave Organizations Exposed
Closing Often Missed Vulnerabilities that Leave Organizations Exposed
 
Align Your ITSM and SecOps Strategy for Unstoppable IT
Align Your ITSM and SecOps Strategy for Unstoppable ITAlign Your ITSM and SecOps Strategy for Unstoppable IT
Align Your ITSM and SecOps Strategy for Unstoppable IT
 
Uncover Vulnerabilities Beyond Software Vulnerabilities
Uncover Vulnerabilities Beyond Software VulnerabilitiesUncover Vulnerabilities Beyond Software Vulnerabilities
Uncover Vulnerabilities Beyond Software Vulnerabilities
 
How can SMEs combat cyberattacks through automated vulnerability management?
How can SMEs combat cyberattacks through automated vulnerability management?How can SMEs combat cyberattacks through automated vulnerability management?
How can SMEs combat cyberattacks through automated vulnerability management?
 
Security automation architecture principles for effective vulnerability manag...
Security automation architecture principles for effective vulnerability manag...Security automation architecture principles for effective vulnerability manag...
Security automation architecture principles for effective vulnerability manag...
 
How to Implement Organization Wide Cyber Hygiene?
How to Implement Organization Wide Cyber Hygiene?How to Implement Organization Wide Cyber Hygiene?
How to Implement Organization Wide Cyber Hygiene?
 
How to Achieve NIST Compliance using SanerNow?
How to Achieve NIST Compliance using SanerNow?How to Achieve NIST Compliance using SanerNow?
How to Achieve NIST Compliance using SanerNow?
 
How Mid Size Enterprises Can Automate Vulnerability Management and Prevent Cy...
How Mid Size Enterprises Can Automate Vulnerability Management and Prevent Cy...How Mid Size Enterprises Can Automate Vulnerability Management and Prevent Cy...
How Mid Size Enterprises Can Automate Vulnerability Management and Prevent Cy...
 
How to effectively monitor and manage IT assets in real-time using SanerNow
How to effectively monitor and manage IT assets in real-time using SanerNowHow to effectively monitor and manage IT assets in real-time using SanerNow
How to effectively monitor and manage IT assets in real-time using SanerNow
 
How to securely manage endpoints using SanerNow
How to securely manage endpoints using SanerNowHow to securely manage endpoints using SanerNow
How to securely manage endpoints using SanerNow
 
How to implement security compliance with SanerNow
How to implement security compliance with SanerNowHow to implement security compliance with SanerNow
How to implement security compliance with SanerNow
 
How to detect, assess, prioritize, and remediate vulnerabilities using SanerNow?
How to detect, assess, prioritize, and remediate vulnerabilities using SanerNow?How to detect, assess, prioritize, and remediate vulnerabilities using SanerNow?
How to detect, assess, prioritize, and remediate vulnerabilities using SanerNow?
 
The Art of Managing and Securing Endpoints with SanerNow Patch Management
The Art of Managing and Securing Endpoints with SanerNow Patch ManagementThe Art of Managing and Securing Endpoints with SanerNow Patch Management
The Art of Managing and Securing Endpoints with SanerNow Patch Management
 
The Art of Managing and Securing Endpoints
The Art of Managing and Securing EndpointsThe Art of Managing and Securing Endpoints
The Art of Managing and Securing Endpoints
 
Cybersecurity Strategies for Effective Attack Surface Reduction
Cybersecurity Strategies for Effective Attack Surface ReductionCybersecurity Strategies for Effective Attack Surface Reduction
Cybersecurity Strategies for Effective Attack Surface Reduction
 
Closing Often Missed Vulnerabilities that Leave Organizations Exposed
Closing Often Missed Vulnerabilities that Leave Organizations ExposedClosing Often Missed Vulnerabilities that Leave Organizations Exposed
Closing Often Missed Vulnerabilities that Leave Organizations Exposed
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions

ProxyLogon - MS Exchange Server Vulnerabilities - JS Edited.pptx

1. SecPod Labs Intelligence Series - PROXYLOGON: MS EXCHANGE SERVER VULNERABILITIES
   Webcasts, 27th May 2021
   Pooja Shetty, Security Intelligence Team Lead
   Jagsir, Director - Marketing
   Veerendra, Director - Security Intelligence

2. TODAY'S AGENDA
   Copyright © 2008 - 2021 SecPod Technologies - AUTHORISED USE ONLY
   What are MS Exchange Vulnerabilities?
   ProxyLogon Vulnerability and its impact on businesses
   Building Defence using SanerNow
   Questions and Answers

3. MS Exchange Server Vulnerabilities' Real impact on email server compromise
   Read and copy all emails
   Install Backdoors
   Install Ransomware, Keyloggers, etc.
   Install Web Shell, Reverse Shell, etc.
   Advanced social engineering attacks

4. MS Exchange Server Vulnerability Stats - Last 5 Years
   (values as labelled on the chart; the critical-severity counts for 2016 and 2017 are not labelled on the slide)
   Severity    2016  2017  2018  2019  2020  2021
   Medium         7    11    10     6     4     2
   High           1     6     4     4     8    11
   Critical       -     -     2     2     2     4

5. MS Exchange Server Vulnerability Stats - Severity Growth
   Severity    2018  2019  2020  2021
   High           4     4     8    11
   Critical       2     2     2     4

6. MS Exchange Server - ProxyLogon Vulnerability Disclosure Timeline
   01 Oct 2020 - DEVCORE started research on MS Exchange
   10 Dec 2020 - DEVCORE discovered the first vulnerability, CVE-2021-26855
   30 Dec 2020 - DEVCORE discovered the second vulnerability, CVE-2021-27065
   03 Jan 2021 - First observed exploitation, reported by Volexity
   06 Jan 2021 - MSRC acknowledged the bugs (MSRC cases 62899 & 63835)
   27 Feb 2021 - Widespread scanning and possible exploitation of Exchange
   02 Mar 2021 - Nation-state group HAFNIUM activity disclosed by Microsoft
   02 Mar 2021 - MSRC published the out-of-band patch and advisory and officially acknowledged DEVCORE
   04 Mar 2021 - DEVCORE confirmed the in-the-wild exploit was the same one reported to MSRC
   09 Mar 2021 - First public PoC available

7. Exchange Server Exploit Chain (diagram)

8. Common themes being used in different attacks
   Web Shells - mainly implanted on victim machines to gain access in future
   Human-Operated Ransomware - the operators exhibit extensive knowledge of systems administration and common network security misconfigurations, and they adapt to what they discover in a compromised network
   Stealing Credentials - access to Exchange servers allowed attackers to access and potentially steal credentials present on the system

9. Tactics, Techniques and Procedures (TTPs) used in exploiting MS Exchange Vulnerabilities
   DEJOCRYPT/DEARCRY RANSOMWARE - new ransomware campaign trying to exploit Exchange vulnerabilities

10. TTPs of the Exchange Vulnerabilities - DEJOCRYPT/DEARCRY RANSOMWARE
   New ransomware campaign trying to exploit Exchange vulnerabilities
   Encrypts victim files and changes file headers to include the string 'DEARCRY'
   The web shell then creates a batch file, Chopper, that allows attackers to move laterally and steal credentials from the compromised system
   The ransomware creates a Windows service named msupdate, which is removed once the encryption process finishes

11. Continued... LEMON DUCK BOTNET
   Uses direct shell command execution, in contrast to most other attacks, which dropped web shells
   Operators have previously employed exploits for the SMBGhost and EternalBlue vulnerabilities
   Downloads Cobalt Strike DNS beacons
   Cobalt Strike is a commercially available penetration-testing tool; it sends out beacons to detect network flaws and has historically been utilized by attackers to exfiltrate data and deliver malware

12. Continued... LEMON DUCK BOTNET
   Cryptocurrency miner and a malware loader

13. TTPs of the Exchange Vulnerabilities - PYDOMER RANSOMWARE
   Ransomware family previously seen attacking Pulse VPN vulnerabilities

14. TTPs of the Exchange Vulnerabilities - PYDOMER RANSOMWARE
   Human-operated ransomware - manually installed, extorts targets by threatening to release stolen data
   Non-encryption extortion techniques are also being used
   Web shells have been spotted on around 1,500 targets
   A Python script compiled into a Windows executable encrypts files using the .demon extension

15. Building Defense: Complete response for Exchange vulnerabilities - PERFORM FULL INVESTIGATION
   Scan the system with security software and install the security updates available from Microsoft
   Investigate for the known IOCs and IOAs published by Microsoft
   Look for unknown persistence items such as unexpected services, scheduled tasks, startup items, unknown RATs and shadow IT tools
   Reset all admin credentials (randomize them) and check for any new admin or password-less accounts
   Check for Windows Event ID 1102: The Audit Log Was Cleared
   Practice the principle of least privilege and mitigate lateral movement
   Check email forwarding settings to identify whether mailbox data is being exfiltrated
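The investigation checklist on slide 15 as a PowerShell triage pass. This is an added example, not code from the SecPod deck or from SanerNow; it assumes the Exchange Management Shell and the ActiveDirectory module are loaded and the script runs as an administrator, and the 14-day look-back window, the web-root paths and the output file are constructed choices.

```powershell
# Added example, not code from the deck: triage checks mirroring the slide 15 checklist.
# Assumes: Exchange Management Shell + ActiveDirectory module, run as an administrator.
$since  = (Get-Date).AddDays(-14)      # constructed look-back window
$report = [ordered]@{}

# Event ID 1102 in the Security log: the audit log was cleared (common anti-forensics step).
$report.AuditLogCleared = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

# Persistence: the 'msupdate' service name mentioned on slide 10, services launched from
# user-writable paths, and scheduled tasks registered inside the window.
$report.SuspiciousServices = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq 'msupdate' -or $_.PathName -match '\\(Temp|ProgramData|Users)\\' } |
    Select-Object Name, State, StartMode, PathName
$report.RecentTasks = Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt $since } |
    Select-Object TaskName, TaskPath, @{n='Execute'; e={ ($_.Actions | ForEach-Object Execute) -join ' ' }}

# Web shells: script files written recently under the Exchange front-end and the IIS
# aspnet_client folder (standard install locations, assumed here, not taken from the deck).
$webRoots = @("$env:ExchangeInstallPath\FrontEnd\HttpProxy", "$env:SystemDrive\inetpub\wwwroot\aspnet_client")
$report.RecentWebFiles = Get-ChildItem -Path $webRoots -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } | Select-Object FullName, LastWriteTime

# New admins and password-less accounts: Domain Admins created in the window and
# accounts flagged PasswordNotRequired.
$report.NewDomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Get-ADUser -Properties whenCreated -ErrorAction SilentlyContinue |
    Where-Object { $_.whenCreated -gt $since } | Select-Object SamAccountName, whenCreated
$report.PasswordNotRequired = Get-ADUser -Filter { PasswordNotRequired -eq $true } | Select-Object SamAccountName

# Mail exfiltration: mailbox-level forwarding and inbox rules that forward or redirect.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$report.MailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
$report.ForwardingRules = $mailboxes | ForEach-Object {
    Get-InboxRule -Mailbox $_.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# Print each section; an empty section is the expected result on a clean server.
foreach ($section in $report.Keys) {
    "=== $section ==="
    $report[$section] | Format-Table -AutoSize | Out-String
}
$report | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:TEMP\exchange-triage.json"
```

Any hit in the services, web-file or forwarding sections is a lead for the full investigation the slide calls for, not proof of compromise on its own.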
16. Impact on Businesses
   30,000-60,000 organizations have been breached through the exploitation of these vulnerabilities
   By sector: Government/Defense 17%, Banking 11%, Manufacturing 14%, Healthcare 8%
   10 times more attacks since Microsoft released a patch on March 2nd
   125,000 unpatched Exchange servers across the world vulnerable to exploitation, as per Palo Alto Networks as on March 8th
   $50,000-$100,000 - hackers are already exploiting ProxyLogon vulnerabilities to install DearCry ransomware on Exchange servers from the US, CA and AU

17. "Exchange server vulnerabilities are used as part of an attack chain; the initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file." - Microsoft
   On March 15th, Microsoft released the Exchange On-premises Mitigation Tool (EOMT.ps1), designed to automate detection and patching of Exchange servers to help customers install security updates.
18. QUESTIONS?

19. KEEP YOUR ENDPOINTS SECURE FROM ATTACKERS! TRY SANERNOW FREE.
   30-DAY UNLIMITED ACCESS ON 10 DEVICES
   For enquiries, contact us at: Email: info@secpod.com | Tech Support: support@secpod.com
   Phone: (+1) 918 625 3023 (US) | (+91) 80 4121 4020 (IN)
   WWW.SECPOD.COM

Editor's Notes

1) Jagsir: Brief about agenda and intro. 2) Jagsir: What is ProxyLogon?
3) Jagsir: Q: Why are email servers being targeted? 4) Veeru: a. Brief on why email servers are critical, what the impact is, etc. (1 slide) b. MS Exchange stats (2 slides)
2) Veeru: Quick intro, brief about ProxyLogon (timeline slide?) 5) Jagsir: How threat actors are using the ProxyLogon vulnerability
6) Pooja: a. Quick intro, ProxyLogon technical details b. Malware being deployed during ProxyLogon attacks (Veeru: if required add points)
7) Jagsir: How we can defend against ProxyLogon attacks 8) Pooja: a. Solution: patching and deploying mitigation b. Saner demo
9) Jagsir: Will applying the solution solve all problems caused by ProxyLogon? 10) Pooja: No. A full investigation is required; brief about what can go wrong if not done properly and a few points on what needs to be checked. (Slide?)
11) Jagsir: Business impact. Questions? Veeru + Pooja: depending on the questions
10) Veeru: No. A full investigation is required; brief about what can go wrong if not done properly and a few points on what needs to be checked. (Slide?) It is PoC code that is also reportedly the subject of Microsoft's latest investigation. Microsoft is examining whether concept attack code sent privately by the company to partners of the Microsoft Active Protections Program (MAPP) was leaked, whether deliberately or accidentally.
12) Jagsir: Questions from audience: Veeru + Pooja: depending on the questions