There has been a recent uptick in attacks leveraging the Microsoft Exchange ProxyShell vulnerabilities to deploy ransomware and other malware. Although ProxyShell, an attack chaining three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for unauthenticated remote code execution (RCE), has had a patch available since mid-April, there are still 20,000+ vulnerable servers currently discoverable via Shodan.
The persistence of remotely accessible and exploitable servers has led to hackers incorporating ProxyShell into their tactics. In the last month, we have seen:
Months after patches were made available, ProxyShell is still a very real threat to organizations. We advise all NetWitness customers to review the Microsoft Exchange Team's Security Advisory on ProxyShell and, if vulnerable, apply the May 2021 or July 2021 Security Updates. We are tracking any new developments and will update our content offerings appropriately.
Microsoft Graph is a Microsoft developer platform that enables integration with multiple services in the Microsoft cloud. It provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security. The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources.
Companies and their employees are slowly returning to in-person work, with many organizations maintaining a hybrid workforce model. The shift to remote work has resulted in an increasing reliance on web-based collaborative tools. In fact, a Gartner study found that usage of collaboration tools has nearly doubled over the last two years, going from 55% to 80% among workers.
Many of these tools, such as Microsoft Teams, Slack, and Zoom, have been integral components of organizational productivity for years, but the change to a highly remote workforce has more deeply embedded these types of applications into business operating procedures.
Realizing this opportunity, hackers and cybercriminals have altered some of their own tactics to take advantage of this new cybersecurity reality.
Collaborative tools are a more viable attack vector than they have ever been, due to their relatively new introduction to many corporate environments and a general lack of sufficient logging from these applications.
Stops Diagtrack Service (Endpoint)
An adversary may attempt to block indicators or events, typically captured by sensors, from being gathered and analyzed. DiagTrack (Microsoft Windows Diagnostics Tracking) is a service used by the Microsoft ATP sensor to communicate with the cloud.
Potential Abuse of Odbcconf (Endpoint)
Adversaries may abuse odbcconf.exe to proxy execution of malicious DLL files and other payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.
Addition of "domain" meta.
Updated to address a defect in the customHeaders option whereby decoder versions 11.6 and below may not have registered meta from headers listed in the customHeaders option.
TLD_lua enhancement: "domain" meta
The TLD_lua parser is responsible for creating meta for tld, cctld, and sld from hostname meta such as alias.host and fqdn.
Meta for tld is the "Top Level Domain". These are values such as "com", "org", and "co.uk".
Meta for cctld is "Country Code TLD". These are values such as "uk", "de", "cn".
Meta for sld is the "Second Level Domain". This is the domain regardless of tld and cctld. Note that in all the examples below, sld meta is "amazon".
This makes it easy to look for a domain across all top level domains, without resorting to something like "alias.host contains 'amazon'". If you want to see all sessions containing a host with an amazon domain, just look for "sld = 'amazon'". This is especially useful for feeds.
However, sometimes you really do need just "amazon.co.uk" and not any other amazon domains. Previously you had to do something like "alias.host ends '.amazon.co.uk'" or "sld = 'amazon' and tld = 'co.uk'".
With the addition of domain meta, which concatenates the sld and tld, you'll now be able to query directly "domain = 'amazon.co.uk'",
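As an added illustration (not the TLD_lua parser's own code), the following Python derives tld, cctld, sld and domain meta from a hostname following the rules described above, then emulates the "sld = 'amazon'" and "domain = 'amazon.co.uk'" queries over a handful of constructed hostnames. The multi-label suffix set and the sample hosts are assumptions made for the demo, not the parser's real data.

```python
# Constructed subset of multi-label public suffixes (assumption for the demo;
# the real parser uses a far larger list).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def derive_domain_meta(hostname):
    """Return tld, cctld, sld and domain meta for one hostname, or None.

    tld    - top level domain, e.g. "com" or "co.uk"
    cctld  - country code TLD, e.g. "uk"; None for generic TLDs
    sld    - second level domain regardless of tld/cctld, e.g. "amazon"
    domain - sld + "." + tld, e.g. "amazon.co.uk"
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None  # bare host name, nothing to derive
    last_two = ".".join(labels[-2:])
    if last_two in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        tld, cctld, sld = last_two, labels[-1], labels[-3]
    else:
        tld = labels[-1]
        cctld = tld if len(tld) == 2 else None  # two-letter TLDs are country codes
        sld = labels[-2]
    return {"tld": tld, "cctld": cctld, "sld": sld, "domain": f"{sld}.{tld}"}


# Constructed alias.host values standing in for sessions (sample data).
SAMPLE_HOSTS = [
    "www.amazon.com",
    "s3.amazon.co.uk",
    "amazon.de",
    "notamazon.org",
    "images.amazon.co.uk",
]


def hosts_matching(meta_key, value, hosts=SAMPLE_HOSTS):
    """Emulate a "meta_key = 'value'" query over the derived meta of each host."""
    matches = []
    for host in hosts:
        meta = derive_domain_meta(host)
        if meta and meta.get(meta_key) == value:
            matches.append(host)
    return matches


if __name__ == "__main__":
    print("sld = 'amazon'          ->", hosts_matching("sld", "amazon"))
    print("domain = 'amazon.co.uk' ->", hosts_matching("domain", "amazon.co.uk"))
```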