10.04.22

Corvus Threat Intel

New Microsoft Exchange Vulnerability, LockBit Freebie, & Brute Ratel Leaks

Microsoft Exchange vulnerabilities discovered, threat actors pick up a LockBit freebie, and Brute Ratel isn't just for penetration testers anymore. 


New Microsoft Exchange Vulnerabilities Discovered

Researchers from Vietnam-based cybersecurity company GTSC published a report detailing two new flaws in Microsoft Exchange Servers CVE-2022-41040 and CVE-2022-41082. In security parlance these would be called “Zero-Days” since these are previously undiscovered flaws. The Microsoft Security Response Center acknowledged the vulnerabilities but confirmed that they are primarily for on-premises servers and require an attacker to be authenticated with a valid user account to be exploitable. These flaws are another in a string of vulnerabilities to affect Microsoft Exchange servers over the years. In 2021, attackers began widely exploiting a series of Exchange vulnerabilities which are still a boon to threat actors, particularly ransomware operations.

Why This Matters

Even though this feels like déjà vu of the worst kind, it’s not the time to panic. The vulnerabilities do grant an attacker the ability to execute remote code, but to be exploitable, requires a threat actor be authenticated to an existing email account. There are a number of mitigations organizations can take while awaiting a patch such as blocking known attack patterns and disabling remote PowerShell access for non-admin users in an organization.

Additional Information: 


New Ransomware Groups Already Using Leaked LockBit Software 

Threat actors picked up a freebie after the LockBit ransomware software leaked last week. The relatively new BlooDy ransomware gang has already started using LockBit’s tool to carry out its own attacks. Similar to many other ransomware groups, BlooDy gains access to corporate networks, steals data, then encrypts systems. BlooDy was first seen in May 2022 and seems to prefer using leaked software rather than developing its own. The group previously used another gang, Conti’s, leaked software. The typical Ransomware-as-a-Service (RaaS) agreement requires that a percentage of the ransom be shared between affiliates who carry out the attack and the tool’s developers. So for groups like BlooDy, using a leaked tool saves a lot of money. Due to LockBit’s customization features and ease of use, it’s likely additional gangs will follow BlooDy’s lead.

Why This Matters

It didn’t take long for the leaked LockBit tool to be used for nefarious ends. This will undoubtedly continue. Organizations should prepare by regularly patching, implementing strong MFA, and building secure and resilient backups.

Additional Information: 


Brute Ratel Hacking Tool Also Leaked Online

Brute Ratel is gaining traction among cybercriminals after leaked versions started circulating on the dark web. Brute Ratel is a tool used by penetration testers. Think of it like an advanced toolkit to help hackers after they’ve gained access to a target, allowing them to further exploit a system. Previously, Cobalt Strike was a cybercriminal favorite, but years of heavy use has given security teams time to develop detection capabilities. Brute Ratel was designed to be more advanced and more evasive, but not just anyone could get a copy. That is, until now. A free, fully functional version is now making its way around the criminal underground. Combined with the leaked LockBit builder, a would-be threat actor now has access to enough free tools to carry out a fairly robust independent attack.

Why This Matters

When the barrier-to-entry is lowered, even novice attackers can do serious damage. There is no doubt that Brute Ratel will be more widely deployed in attacks now. While this tool is one way attackers try to sneak past defenses, it’s not unstoppable. Endpoint Detection and Response (EDR) is powerful but isn't a “set and forget” solution. EDR needs active monitoring and tuning to stop advanced threats, especially those designed to evade detection like Brute Ratel.

Additional Information:


 

This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.