  • Kathleen Maxted

Cyber Weekly Digest - 2022 Week #40

Updated: Oct 14, 2022

Take a look at this week’s Cyber Weekly Digest for a round-up of the biggest cyber security news for the week including the latest mitigation update from Microsoft for the ProxyNotShell zero-days as well as Uber’s former chief security officer being convicted after the 2016 data breach. Keep reading to stay up to date on the latest cyber security news from across the world.

Microsoft has updated its mitigations for the latest Exchange zero-day vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082 and referred to collectively as ProxyNotShell. CVE-2022-41040 is a server-side request forgery that enables privilege escalation and is chained with CVE-2022-41082 to trigger remote code execution on on-premises Exchange Server deployments; both are rated critical. The initial recommendations were insufficient, as researchers showed that they could easily be bypassed to allow new attacks exploiting the two bugs. The second revision was still not enough, as the mitigation could still allow ProxyNotShell attacks. Microsoft has since released a third update to the ProxyNotShell mitigations.

Uber's former chief security officer, Joe Sullivan, has been convicted of federal charges for illegally covering up the theft of Uber drivers' and customers' personal information in 2016. In 2016, threat actors broke into Uber's infrastructure and stole 57 million customer and driver records. A year later, in 2017, court documents showed that Sullivan had learned of the theft in November 2016 but had tried to cover it up by disguising the ransom payment made to the threat actors to recover the data as a bug bounty award.

On Sunday morning the Vice Society ransomware gang published data and documents that were stolen from the Los Angeles Unified School District (LAUSD) during a cyberattack earlier in September 2022. LAUSD superintendent Alberto M. Carvalho confirmed the release of the stolen data in a statement posted to Twitter, along with a hotline for concerned parents to ask questions about the leak. The public release came after the school district announced on Friday that it would not give in to the group's ransom demands and that the money could be better spent on students and their education. The Vice Society gang has reportedly leaked sensitive information in files named “ssn”, “Secret and Confidential”, “Passport” and “Incident.” According to a source for NBC Los Angeles, the leaked documents include “confidential psychological assessments of students, contract and legal documents, business records, and numerous database entries.”

A new phishing technique abuses the Application Mode feature of Chrome to display local login forms that look like desktop applications, making it easier to steal credentials. Application Mode is available in all Chromium-based browsers, including Google Chrome, Microsoft Edge and Brave Browser, and it can generate realistic-looking login screens that are hard to distinguish from a legitimate login prompt. Depending on the attack use case, a threat actor could also combine it with the Browser-in-the-Browser technique to insert a fake address bar by adding the required HTML/CSS, and to create clones of software such as Microsoft 365, Microsoft Teams, or even VPN login prompts. The phishing window can also receive commands from JavaScript, such as closing after the user enters their credentials, accepting window resize requests, or rendering at a specific position on the screen. However, this technique requires local access to the victim's machine.

Security researchers have found a new piece of malware, called Maggie, that targets Microsoft SQL servers. The backdoor has already infected hundreds of machines around the globe. Its capabilities include brute-forcing administrator logins to other Microsoft SQL servers and doubling as a bridgehead into the server's network environment. The backdoor was discovered by German analysts Johann Aydinbas and Axel Wauer of DCSO CyTec. Telemetry data shows that Maggie is most prevalent in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States. Maggie abuses the Extended Stored Procedure functionality, which accepts remote user arguments and responds with unstructured data. At this time some details remain unknown, such as the post-infection use of Maggie, how the malware is planted on the servers in the first place, and who is behind these attacks.
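A defensive check that follows from the Maggie paragraph, added here as an example (it is not from the digest or from DCSO's write-up): an audit query that lists every extended stored procedure registered on a SQL Server instance together with the DLL that backs it, so that any entry outside the Microsoft-shipped set can be reviewed. It assumes SQL Server 2005 or later and a login with VIEW DEFINITION on the master database, where extended stored procedures are registered.

```sql
-- Added audit query (not part of the digest): enumerate extended stored procedures
-- and the DLL each one loads. Extended stored procedures can only be registered in
-- master, so the catalog views are read from there. Rows with is_ms_shipped = 0 are
-- procedures added after installation and are the ones to review first.
SELECT
    o.name          AS procedure_name,   -- e.g. xp_*
    ep.dll_name     AS backing_dll,      -- DLL path/name passed to sp_addextendedproc
    o.create_date,
    o.modify_date,
    o.is_ms_shipped                      -- 0 = not shipped by Microsoft
FROM master.sys.extended_procedures AS ep
JOIN master.sys.objects             AS o
    ON o.object_id = ep.object_id
ORDER BY o.is_ms_shipped ASC, o.create_date DESC;
```

Compare the backing_dll values against the DLLs installed with SQL Server; an extended stored procedure whose DLL lives outside the SQL Server binary directory, or whose create_date does not match a known change, warrants investigation.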

