Microsoft has released fixes for more than 100 security flaws including 19 rated ‘critical’ and actively exploited zero-day vulnerabilities in its latest round of patches.
Security researchers at Kaspersky have already spotted hackers using one of the zero-day vulnerabilities – an out-of-bounds write vulnerability in a Desktop Window Manager .dll file – for privilege escalation in the wild.
In a blog post, the Russian security firm said this exploit was “likely used together with other browser exploits to escape sandboxes or get system privileges for further access”.
Higher privileges could give attackers the opportunity to execute code, install malware, or create extra accounts to remain in the network undetected.
Four new Microsoft Exchange Server vulnerabilities were also patched in the update round, two of which require no authentication in the server for exploitation.
Microsoft said it was “not aware of any active exploits in the wild” but recommended affected systems get immediately fixed as the vulnerabilities have a high likelihood of exploitation.
The Australian Cyber Security Centre (ACSC) published an advisory on Thursday morning once again warning administrators to keep their Exchange Servers updated after Microsoft’s revelation last month that a series of zero-day vulnerabilities were being exploited by a Chinese hacking group known as Hafnium.
“These vulnerabilities could be exploited by attackers to gain and persist access to Microsoft Exchange deployments,” the ACSC said.
“The patches previously released by Microsoft in March 2021 do not remediate these new vulnerabilities and organisations must apply Microsoft’s 13 April 2021 updates to prevent potential compromise.”
More new Exchange Server attacks
Exchange Server vulnerabilities have been such a problem that the US Federal Bureau of Investigation (FBI) recently started secretly removing web shells on affected private systems.
Public disclosure of the widespread vulnerability, while necessary for public awareness, has also led to different threat actors using the security flaws to deliver payloads like ransomware.
This week, security firm Sophos discovered attackers using the ProxyLogon exploit to install a cryptocurrency miner on unsuspecting servers.
Using a PowerShell command, the attackers quietly inject a miner into a Windows system process – with a forged certificate so it looks legitimate – then delete the evidence while it mines the privacy coin Monero (which is used by dark web marketplaces).
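The behaviour described above (a PowerShell command launched from a compromised Exchange server to inject a miner) is something a defender can look for in process-creation telemetry. The following is an added detection example, not code from the article or from Sophos; it assumes Exchange's web front end runs inside the IIS worker process `w3wp.exe`, that process events are available as Sysmon-style records (parent image, image, command line), and it uses constructed sample events rather than real telemetry.

```python
"""Added example: flag shells spawned by an Exchange web worker process.

Assumptions (not stated in the article):
  * Exchange's OWA/ECP front end runs in the IIS worker process w3wp.exe.
  * Process-creation events are available as (parent image, image, command line).
The sample events below are constructed for illustration only.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Web worker launching a hidden, encoded PowerShell: the pattern to catch.
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A..."),
    # Interactive admin use: benign parent, plain cmdlet.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Service"),
    # Web worker spawning a console host: not a shell, ignored here.
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\conhost.exe",
                 "conhost.exe 0xffffffff"),
]

WEB_WORKERS = {"w3wp.exe"}                       # assumed Exchange front-end host
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Flags commonly paired with non-interactive, hidden or encoded invocations.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(^|\s)-(e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b"
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of reasons an event looks suspicious (empty if none)."""
    reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in WEB_WORKERS and child in SHELLS:
        reasons.append("shell spawned by web worker process")
    if child in SHELLS and SUSPICIOUS_FLAGS.search(ev.command_line):
        reasons.append("hidden-window or encoded-command flags")
    return reasons


def detect(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Run the rule over a batch of events and return only the hits."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT parent={basename(ev.parent_image)} image={basename(ev.image)}: "
              + "; ".join(reasons))
```

Both conditions fire on the first sample event and neither on the other two, so a single alert is produced. The parent/child pairing is the stronger signal; the flag check is kept separate so that an alert on a hidden or encoded invocation from a web worker carries both reasons, while routine administrative PowerShell use does not trigger at all.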
Andrew Brandt, a researcher at Sophos, said the attack was unique in the way it used already-infected Exchange Servers to spread the crypto miner.
“The attackers implemented a range of standard anti-detection techniques, installing the malicious miner in memory to keep it hidden from security scans, deleting the installation and configuration files after use, and using the traffic encryption of Transport Layer Security to communicate with their Monero wallet,” he said.
“As a result, for most victims the first sign of compromise is likely to be a significant drop in processing power. Servers that remain unpatched could be compromised for quite some time before this becomes clear.”
Sophos observed the miner operating through the Monero blockchain and noted spikes where it gained and lost infected servers.