doublepulsar.com
52.1.119.170
Public Scan
Submitted URL: https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9
Effective URL: https://doublepulsar.com/
Submission: On February 24 via api from US — Scanned from DE
DoublePulsar (7.3K followers)

Kevin Beaumont · Feb 9 · Member-only
UK GOVERNMENT DECLARES RANSOMWARE A “TIER 1” NATIONAL SECURITY THREAT — ON PAR WITH TERRORISM AND MILITARY CRISIS BETWEEN STATES.
Those who have known me for a long time will know I’ve been banging on about ransomware for years. On here, on Twitter, in person. Here, I documented things like the emergence of Locky 7 years ago, one of the first big single endpoint ransomware incidents. I worked with the…
Ransomware · 4 min read

Kevin Beaumont · Dec 8, 2022 · Member-only
MICROSOFT’S GITHUB FACILITATING UKRAINE GOVERNMENT IN DENIAL OF SERVICE OF RUSSIAN GOVERNMENT INFRASTRUCTURE
Back in February 2022, Mykhailo Fedorov — Ukraine’s Deputy Prime Minister — launched the IT Army of Ukraine: The army, which has grown to 300,000 people at peak, has been fighting a digital war with the Russian government and private enterprise. It has been incredibly successful — I have…
Cybersecurity · 4 min read

Kevin Beaumont · Dec 3, 2022 · Member-only
RACKSPACE CLOUD OFFICE SUFFERS DESTRUCTIVE SECURITY BREACH
Thousands of small to medium size businesses are suffering as Rackspace have suffered a security breach on their Hosted Exchange service. Rackspace have now confirmed this is a ransomware incident. Yesterday, 2nd December 2022, Rackspace announced an outage to their Hosted Exchange Server: Updates followed through the day, but…
Cybersecurity · 9 min read

Kevin Beaumont · Sep 29, 2022 · Member-only
PROXYNOTSHELL — THE STORY OF THE CLAIMED ZERO DAYS IN MICROSOFT EXCHANGE
Yesterday, cybersecurity vendor GTSC Cyber Security dropped a blog saying they had detected exploitation of a new Microsoft Exchange zero day: Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server | Blog | GTSC — Providing comprehensive security services (gteltsc.vn) …
Cybersecurity · 10 min read

Kevin Beaumont · May 29, 2022 · Member-only
FOLLINA — A MICROSOFT OFFICE CODE EXECUTION VULNERABILITY
Two days ago, on May 27th 2022, Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus. This turned out to be a zero day vulnerability in Office and/or Windows. This caught my attention, as Defender for Endpoint missed execution: The…
Follina · 9 min read

Kevin Beaumont · May 7, 2022 · Member-only
BPFDOOR — AN ACTIVE CHINESE GLOBAL SURVEILLANCE TOOL
Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to Red Menshen, a Chinese threat actor group. You can read more in PwC’s great, yearly threat intelligence brief, here. PwC plan to present their findings in June: BPFDoor is interesting…
Bpfdoor · 3 min read

Kevin Beaumont · Aug 21, 2021 · Member-only
MULTIPLE THREAT ACTORS, INCLUDING A RANSOMWARE GANG, EXPLOITING EXCHANGE PROXYSHELL VULNERABILITIES
For nearly a month, I have been watching mass in the wild exploitation of ProxyShell, a set of vulnerabilities revealed by Orange Tsai at BlackHat. These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March — they are more exploitable, and organisations largely haven’t patched. This post goes…
Proxyshell · 7 min read

Kevin Beaumont · Jul 20, 2021 · Member-only
#HIVENIGHTMARE AKA #SERIOUSSAM — ANYBODY CAN READ THE REGISTRY IN WINDOWS 10
This is the story of how all non-admin users can read the registry — and so elevate privileges and access sensitive credential information — on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. In this post I made an exploit to test…
Cybersecurity · 4 min read

Kevin Beaumont · Jul 2, 2021 · Member-only
KASEYA SUPPLY CHAIN ATTACK DELIVERS MASS RANSOMWARE EVENT TO US COMPANIES
Kaseya VSA is a commonly used solution by MSPs — Managed Service Providers — in the United States and United Kingdom, which helps them manage their client systems. Kaseya’s website claims they have over 40,000 customers. Four hours ago, an apparent auto update in the product has delivered REvil ransomware. …
Cyberattack · 8 min read

Kevin Beaumont · Jun 30, 2021 · Member-only
ZERO DAY FOR EVERY SUPPORTED WINDOWS OS VERSION IN THE WILD — PRINTNIGHTMARE
zhiniang peng tweeted out a proof of concept exploit and explainer recently, and then quickly deleted it. This exploit and discussion contained an unpatched zero day in all supported and Extended Security Update versions of Windows OS. Unfortunately this had already been forked on Github by then… and…
Printnightmare · 6 min read

Kevin Beaumont · Jun 8, 2021 · Member-only
THE HARD TRUTH ABOUT RANSOMWARE: WE AREN’T PREPARED, IT’S A BATTLE WITH NEW RULES, AND IT HASN’T NEAR REACHED PEAK IMPACT.
I’ve talked about ransomware and extortion attacks on organizations for about a decade. I recently spent a year at Microsoft in Threat Intelligence in Redmond, which included tracking ransomware gangs. …
Ransomware · 21 min read

Kevin Beaumont · Dec 4, 2020 · Member-only
TRICKBOOT — DEFENDING AGAINST AND MONITORING FOR UEFI FIRMWARE TAMPERING
Eclypsium and AdvIntel recently published some superb research on a Trickbot module, PermaDLL (they’re dubbing Trickboot), which allows the troublesome malware to read and — theoretically — tamper with UEFI firmware, the bit of software that loads before the operating system (in this case, Windows). It was added to Trickbot…
Trickboot · 4 min read

Kevin Beaumont · Oct 16, 2020 · Member-only
SECOND ZEROLOGON ATTACKER SEEN EXPLOITING INTERNET HONEYPOT
About three weeks ago I detected an attacker exploiting Zerologon on my personal honeypot (linked post: In the wild exploitation of ZeroLogon detected over the internet on honeypot, doublepulsar.com). There is more activity today, which shows proof of attackers using Zerologon for remote code execution on random internet endpoints.
Honeypot · 3 min read

Kevin Beaumont · Sep 26, 2020 · Member-only
IN THE WILD EXPLOITATION OF ZEROLOGON DETECTED OVER THE INTERNET ON HONEYPOT.
So the title there is exactly as it reads — a few weeks ago I set up a honeypot vulnerable to CVE-2020–1472 aka ZeroLogon. It is an Active Directory server with port 135 (MS-RPC), 445 (SMB) and RPC high ports available, with everything else closed down, updated to July 2020’s…
Zerologon · 3 min read

Kevin Beaumont · Jul 31, 2020 · Member-only
GRUB “BOOTHOLE” VULNERABILITY PATCHES CAUSE MASS DENIAL OF SERVICE.
Subtitle: When CVE-2020–10713 goes wrong.
A few days ago, the internet received news that billions of devices are impacted by BootHole, a vulnerability that theoretically could allow an attacker with existing authenticated administrative access to a device to tamper with SecureBoot. It’s absolutely valid research, although a fairly low priority vulnerability for many threat models. …
Cve 2020 10713 · 3 min read

Kevin Beaumont · Jul 27, 2020 · Member-only
NO, CLOUDFLARE DIDN’T GET HACKED
Subtitle: Pikachu is surprised that everything you read on Twitter isn’t true.
Last year 8chan — the human cesspit of the internet — was booted as a customer from Cloudflare. 8chan hosted all kinds of problematic content, from multiple shooters who murdered people, to allegations of being a pedophile network. Cue yesterday, when 8chan owner CodeMonkeyZ tweeted:
News · 2 min read

Kevin Beaumont · Jul 25, 2020 · Member-only
DETECTING DNS CVE-2020–1350 EXPLOITATION ATTEMPTS IN AZURE SENTINEL
Subtitle: Alerting on potential DNS service exploitation
Introduction: In my personal honeypot, BluePot, I’ve built out detection for a wide variety of situations — from BlueKeep exploitation to SMB MS17–010 abuse that led to WannaCry. I recently expanded this out to CVE-2020–1350, a DNS vulnerability detailed a few weeks ago. …
Cve 2020 1350 · 4 min read

Kevin Beaumont · Jul 24, 2020 · Member-only
EMOTET BEING HIJACKED BY ANOTHER ACTOR
Emotet is a malware distribution system, which has been involved in multiple human operated ransomware campaigns (for example, Ryuk). It’s a pretty common point of entry for threat actors. I’ve flagged a few times over the years, the last time in 2019, that Emotet uses an insecure malware distribution system.
Emotet · 2 min read

Kevin Beaumont · Mar 24, 2020
I’M AN EXPERT AT CORONAVIRUS HEALTHCARE AND I’M HERE TO EXPLAIN TO YOU HOW TO FIX THIS.
Just kidding, I play on computers for a living. Please go here for information and facts, not some random on the internet (or a President) (or Elon): gov.uk/coronavirus and who.int
Coronavirus · 1 min read

Kevin Beaumont · Mar 2, 2020
I’M JOINING MICROSOFT’S THREAT PROTECTION DIVISION TO BRING WHAT’S NEEDED TO THREAT INTELLIGENCE: SCALE-Y PORGS.
I’m incredibly grateful, and a little scared, to say that soon I will be joining Microsoft Threat Protection as a Senior Threat Intelligence Analyst, working with the team in Redmond. I just wanted to outline a few of the reasons why I’m making this move, as long time readers will…
Microsoft Defender · 6 min read

About DoublePulsar: Cybersecurity from the trenches, written by Kevin Beaumont. Opinions are of the author alone, not their employer.
Editor: Kevin Beaumont. Everything here is my personal work and opinions.