doublepulsar.com
52.1.119.170  Public Scan

Submitted URL: https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9/r/n/r/nNote:
Effective URL: https://doublepulsar.com/
Submission: On October 25 via api from US — Scanned from DE

Form analysis 0 forms found in the DOM



DoublePulsar

7.2K Followers


Kevin Beaumont

·Sep 29

Member-only


PROXYNOTSHELL — THE STORY OF THE CLAIMED ZERO DAYS IN MICROSOFT EXCHANGE

Yesterday, cybersecurity vendor GTSC Cyber Security dropped a blog saying they
had detected exploitation of a new Microsoft Exchange zero day: Warning: New
attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange
Server | Blog | GTSC — Cung cấp các dịch vụ bảo mật toàn diện (gteltsc.vn) …

Cybersecurity

10 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·May 29

Member-only


FOLLINA — A MICROSOFT OFFICE CODE EXECUTION VULNERABILITY

Two days ago, on May 27th 2022, Nao_sec identified an odd looking Word document
in the wild, uploaded from an IP address in Belarus. This turned out to be a
zero day vulnerability in Office and/or Windows. This caught my attention, as
Defender for Endpoint missed execution: The…

Follina

9 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·May 7

Member-only


BPFDOOR — AN ACTIVE CHINESE GLOBAL SURVEILLANCE TOOL

Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive
network implant for Linux they attribute to Red Menshen, a Chinese threat actor
group. You can read more in PwC’s great, yearly threat intelligence brief, here.
PwC plan to present their findings in June: BPFDoor is interesting. It…

Bpfdoor

3 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Aug 21, 2021

Member-only


MULTIPLE THREAT ACTORS, INCLUDING A RANSOMWARE GANG, EXPLOITING EXCHANGE
PROXYSHELL VULNERABILITIES

For nearly a month, I have been watching mass in the wild exploitation of
ProxyShell, a set of vulnerabilities revealed by Orange Tsai at BlackHat. These
vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed
in March — they are more exploitable, and organisations largely haven’t patched.
This post goes…

Proxyshell

7 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Jul 20, 2021

Member-only


#HIVENIGHTMARE AKA #SERIOUSSAM — ANYBODY CAN READ THE REGISTRY IN WINDOWS 10

This is the story of how all non-admin users can read the registry — and so
elevate privileges and access sensitive credential information — on various
flavours of Windows 10. It appears this vulnerability has existed for years, and
nobody noticed. …

Cybersecurity

4 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Jul 2, 2021

Member-only


KASEYA SUPPLY CHAIN ATTACK DELIVERS MASS RANSOMWARE EVENT TO US COMPANIES

Kaseya VSA is a commonly used solution by MSPs — Managed Service Providers — in
the United States and United Kingdom, which helps them manage their client
systems. Kaseya’s website claims they have over 40,000 customers. Four hours
ago, an apparent auto update in the product has delivered REvil ransomware. …

Cyberattack

8 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Jun 30, 2021

Member-only


ZERO DAY FOR EVERY SUPPORTED WINDOWS OS VERSION IN THE WILD — PRINTNIGHTMARE

zhiniang peng tweeted out a proof of concept exploit and explainer recently, and
then quickly deleted it. This exploit and discussion contained an unpatched zero
day in all supported and Extended Security Update versions of Windows OS.
Unfortunately this had already been forked on GitHub by then… and…

Printnightmare

6 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Jun 8, 2021

Member-only


THE HARD TRUTH ABOUT RANSOMWARE: WE AREN’T PREPARED, IT’S A BATTLE WITH NEW
RULES, AND IT HASN’T NEAR REACHED PEAK IMPACT.

I’ve talked about ransomware and extortion attacks on organizations for about a
decade. I recently spent a year at Microsoft in Threat Intelligence in Redmond,
which included tracking ransomware gangs. …

Ransomware

21 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Dec 4, 2020

Member-only


TRICKBOOT — DEFENDING AGAINST AND MONITORING FOR UEFI FIRMWARE TAMPERING

Eclypsium and AdvIntel recently published some superb research on a Trickbot
module, PermaDLL (they’re dubbing Trickboot), which allows the troublesome
malware to read and — theoretically — tamper with UEFI firmware, the bit of
software that loads before the operating system (in this case, Windows). It was
added to Trickbot…

Trickboot

4 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Oct 16, 2020

Member-only


SECOND ZEROLOGON ATTACKER SEEN EXPLOITING INTERNET HONEYPOT

About three weeks ago I detected an attacker exploiting Zerologon on my personal
honeypot: In the wild exploitation of ZeroLogon detected over the internet on
honeypot. So the title there is exactly as it reads — a few weeks ago I set up a
honeypot vulnerable to CVE-2020–1472 aka… doublepulsar.com There is more activity
today, which shows proof of attackers using Zerologon for remote code execution
on random internet endpoints.

Honeypot

3 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Sep 26, 2020

Member-only


IN THE WILD EXPLOITATION OF ZEROLOGON DETECTED OVER THE INTERNET ON HONEYPOT.

So the title there is exactly as it reads — a few weeks ago I set up a honeypot
vulnerable to CVE-2020–1472 aka ZeroLogon. It is an Active Directory server with
port 135 (MS-RPC), 445 (SMB) and RPC high ports available, with everything else
closed down, updated to July 2020’s…

Zerologon

3 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Jul 31, 2020

Member-only


GRUB “BOOTHOLE” VULNERABILITY PATCHES CAUSE MASS DENIAL OF SERVICE.

When CVE-2020–10713 goes wrong. — A few days ago, the internet received news
that billions of devices are impacted by BootHole, a vulnerability that
theoretically could allow an attacker with existing authenticated administrative
access to a device to tamper with SecureBoot. It’s absolutely valid research,
although a fairly low priority vulnerability for many threat models. …

Cve 2020 10713

3 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Jul 27, 2020

Member-only


NO, CLOUDFLARE DIDN’T GET HACKED

Pikachu is surprised that everything you read on Twitter isn’t true. — Last year
8chan — the human cesspit of the internet — was booted as a customer from
Cloudflare. 8chan hosted all kinds of problematic content, from multiple
shooters who murdered people, to allegations of being a pedophile network. Cue
yesterday, when 8chan owner CodeMonkeyZ tweeted:

News

2 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Jul 25, 2020

Member-only


DETECTING DNS CVE-2020–1350 EXPLOITATION ATTEMPTS IN AZURE SENTINEL

Alerting on potential DNS service exploitation — Introduction In my personal
honeypot, BluePot, I’ve built out detection for a wide variety of situations —
from BlueKeep exploitation to SMB MS17–010 abuse that led to WannaCry. I
recently expanded this out to CVE-2020–1350, a DNS vulnerability detailed a few
weeks ago. …

Cve 2020 1350

4 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Jul 24, 2020

Member-only


EMOTET BEING HIJACKED BY ANOTHER ACTOR

Emotet is a malware distribution system, which has been involved in multiple
human operated ransomware campaigns (for example, Ryuk). It’s a pretty common
point of entry for threat actors. I’ve flagged a few times over the years, the
last time in 2019, that Emotet uses an insecure malware distribution system.

Emotet

2 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Mar 24, 2020


I’M AN EXPERT AT CORONAVIRUS HEALTHCARE AND I’M HERE TO EXPLAIN TO YOU HOW TO
FIX THIS.

Just kidding, I play on computers for a living. Please go here for information
and facts, not some random on the internet (or a President) (or Elon):
gov.uk/coronavirus and who.int

Coronavirus

1 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Mar 2, 2020


I’M JOINING MICROSOFT’S THREAT PROTECTION DIVISION TO BRING WHAT’S NEEDED TO
THREAT INTELLIGENCE: SCALE-Y PORGS.

I’m incredibly grateful, and a little scared, to say that soon I will be joining
Microsoft Threat Protection as a Senior Threat Intelligence Analyst, working
with the team in Redmond. I just wanted to outline a few of the reasons why I’m
making this move, as long time readers will…

Microsoft Defender

6 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Jan 4, 2020


BIG GAME RANSOMWARE BEING DELIVERED TO ORGANISATIONS VIA PULSE SECURE VPN

A security vulnerability in a popular enterprise remote access product is being
used to deliver ransomware into organisations, with targeted delivery to also
delete backups and disable endpoint security controls. The 2019 backstory Back
in April 2019, Pulse Secure issued an advisory for their Zero Trust VPN product,
warning organisations of an out…

Security

4 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Nov 3, 2019

Member-only


BLUEKEEP EXPLOITATION ACTIVITY SEEN IN THE WILD

Back in May 2019, Microsoft released a patch for CVE-2019–0708, a Remote
Desktop vulnerability I nicknamed BlueKeep — as exploitation would likely cause
‘blue screen of death’ (Windows to crash and reboot) and a worm would lead to the
Game of Thrones ‘Red Keep’ moment. People worked to reverse engineer…

Security

6 min read






--------------------------------------------------------------------------------

Kevin Beaumont

·Mar 21, 2019


HOW LOCKERGOGA TOOK DOWN HYDRO — RANSOMWARE USED IN TARGETED ATTACKS AIMED AT
BIG BUSINESS

This week Norsk Hydro, a large multinational manufacturer with 35,000 staff and
over 100 years of history, had the nightmare scenario of a worldwide apparent
ransom attempt — their systems began to malfunction, and attackers had placed
the following ransom note on their business and some production systems across
the…

Security

13 min read






Cybersecurity from the trenches, written by Kevin Beaumont. Opinions are of the
author alone, not their employer.

EDITORS


KEVIN BEAUMONT

Everything here is my personal work and opinions.



SIGN UP FOR CYBERSECURITY THREAT CONTEXT AND RESPONSE


BY DOUBLEPULSAR

Cyber Threat Content and Response, from porgs, direct to your email box. Take a
look.
