doublepulsar.com
Open in
urlscan Pro
52.1.119.170
Public Scan
Submitted URL: https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9/r/n/r/nNote:
Effective URL: https://doublepulsar.com/
Submission: On October 25 via api from US — Scanned from DE
Effective URL: https://doublepulsar.com/
Submission: On October 25 via api from US — Scanned from DE
Form analysis
0 forms found in the DOMText Content
Open in app Sign In Get started Home Notifications Lists Stories -------------------------------------------------------------------------------- Write DoublePulsar 7.2K Followers Follow Home About Cybersecurity News Newsletter Kevin Beaumont ·Sep 29 Member-only PROXYNOTSHELL— THE STORY OF THE CLAIMED ZERO DAYS IN MICROSOFT EXCHANGE Yesterday, cybersecurity vendor GTSC Cyber Security dropped a blog saying they had detected exploitation of a new Microsoft Exchange zero day: Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server | Blog | GTSC — Cung cấp các dịch vụ bảo mật toàn diện (gteltsc.vn) … Cybersecurity 10 min read -------------------------------------------------------------------------------- Kevin Beaumont ·May 29 Member-only FOLLINA — A MICROSOFT OFFICE CODE EXECUTION VULNERABILITY Two days ago, on May 27th 2022, Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus. This turned out to be a zero day vulnerability in Office and/or Windows. This caught my attention, as Defender for Endpoint missed execution: The… Follina 9 min read -------------------------------------------------------------------------------- Kevin Beaumont ·May 7 Member-only BPFDOOR — AN ACTIVE CHINESE GLOBAL SURVEILLANCE TOOL Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to Red Menshen, a Chinese threat actor group. You can read more in PwC’s great, yearly threat intelligence brief, here. PwC plan to present their findings in June: BPFDoor is interesting. It… Bpfdoor 3 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Aug 21, 2021 Member-only MULTIPLE THREAT ACTORS, INCLUDING A RANSOMWARE GANG, EXPLOITING EXCHANGE PROXYSHELL VULNERABILITIES For nearly a month, I have been watching mass in the wild exploitation of ProxyShell, a set of vulnerabilities revealed by Orange Tsai at BlackHat. These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March — they are more exploitable, and organisations largely haven’t patched. This post goes… Proxyshell 7 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Jul 20, 2021 Member-only #HIVENIGHTMARE AKA #SERIOUSSAM — ANYBODY CAN READ THE REGISTRY IN WINDOWS 10 This is the story of how all non-admin users can read the registry — and so elevate privileges and access sensitive credential information — on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. … Cybersecurity 4 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Jul 2, 2021 Member-only KASEYA SUPPLY CHAIN ATTACK DELIVERS MASS RANSOMWARE EVENT TO US COMPANIES Kaseya VSA is a commonly used solution by MSPs — Managed Service Providers — in the United States and United Kingdom, which helps them manage their client systems. Kaseya’s website claims they have over 40,000 customers. Four hours ago, an apparent auto update in the product has delivered REvil ransomware. … Cyberattack 8 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Jun 30, 2021 Member-only ZERO DAY FOR EVERY SUPPORTED WINDOWS OS VERSION IN THE WILD — PRINTNIGHTMARE zhiniang peng tweeted out a proof of concept exploit and explainer recently, and then quickly deleted it. This exploit and discussion contained an unpatched zero day in all supported and Extended Security Update verrsions of Windows OS. Unfortunately by this had already been forked on Github by then… and… Printnightmare 6 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Jun 8, 2021 Member-only THE HARD TRUTH ABOUT RANSOMWARE: WE AREN’T PREPARED, IT’S A BATTLE WITH NEW RULES, AND IT HASN’T NEAR REACHED PEAK IMPACT. I’ve talked about ransomware and extortion attacks on organizations for about a decade. I recently spent a year at Microsoft in Threat Intelligence in Redmond, which included tracking ransomware gangs. … Ransomware 21 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Dec 4, 2020 Member-only TRICKBOOT — DEFENDING AGAINST AND MONITORING FOR UEFI FIRMWARE TAMPERING Eclypsium and AdvIntel recently published some superb research on a Trickbot module, PermaDLL (they’re dubbing Trickboot), which allows the troublesome malware to read and — theocratically — tamper with UEFI firmware, the bit of software that loads before the operating system (in this case, Windows). It was added to Trickbot… Trickboot 4 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Oct 16, 2020 Member-only SECOND ZEROLOGON ATTACKER SEEN EXPLOITING INTERNET HONEYPOT About three weeks I detected an attacker exploiting Zerologon on my personal honeypot: In the wild exploitation of ZeroLogon detected over the internet on honeypot. So the title there is exactly as it reads — a few weeks ago I set up a honeypot vulnerable to CVE-2020–1472 aka…doublepulsar.com There is more activity today, which shows proof of attackers using Zerologon for remote code execution on random internet endpoints. Honeypot 3 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Sep 26, 2020 Member-only IN THE WILD EXPLOITATION OF ZEROLOGON DETECTED OVER THE INTERNET ON HONEYPOT. So the title there is exactly as it reads — a few weeks ago I set up a honeypot vulnerable to CVE-2020–1472 aka ZeroLogon. It is an Active Directory server with port 135 (MS-RPC), 445 (SMB) and RPC high ports available, with everything else closed down, updated to July 2020’s… Zerologon 3 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Jul 31, 2020 Member-only GRUB “BOOTHOLE” VULNERABILITY PATCHES CAUSE MASS DENIAL OF SERVICE. When CVE-2020–10713 goes wrong. — A few days ago, the internet received news that billions of devices are impacted by BootHole, a vulnerability that theoretically could allow an attacker with existing authenticated administrative access to a device to tamper with SecureBoot. It’s absolutely valid research, although a fairly low priority vulnerability for many threat models. … Cve 2020 10713 3 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Jul 27, 2020 Member-only NO, CLOUDFLARE DIDN’T GET HACKED Pikachu is surprised that everything you read on Twitter isn’t true. — Last year 8chan — the human cesspit of the internet — was booted as a customer from Cloudflare. 8chan hosted all kinds of problematic content, from multiple shooters who murdered people, to allegations of being a pedophile network. Cue yesterday, when 8chan owner CodeMonkeyZ tweeted: News 2 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Jul 25, 2020 Member-only DETECTING DNS CVE-2020–1350 EXPLOITATION ATTEMPTS IN AZURE SENTINEL Alerting on potential DNS service exploitation — Introduction In my personal honeypot, BluePot, I’ve built out detection for a wide variety of situations — from BlueKeep exploitation to SMB MS17–010 abuse that lead to WannaCry. I recently expanded this out to CVE-2020–1350, a DNS vulnerability detailed a few weeks ago. … Cve 2020 1350 4 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Jul 24, 2020 Member-only EMOTET BEING HIJACKED BY ANOTHER ACTOR Emotet is a malware distribution system, which has been involved in multiple human operated ransomware campaigns (for example, Ryuk). It’s a pretty common point of entry for threat actors. I’ve flagged a few times over the years, the last time in 2019, that Emotet uses an insecure malware distribution system. Emotet 2 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Mar 24, 2020 I’M AN EXPERT AT CORONAVIRUS HEALTHCARE AND I’M HERE TO EXPLAIN TO YOU HOW TO FIX THIS. Just kidding, I play on computers for a living. Please go here for information and facts, not some random on the internet (or a President) (or Elon): gov.uk/coronavirus and who.int Coronavirus 1 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Mar 2, 2020 I’M JOINING MICROSOFT’S THREAT PROTECTION DIVISION TO BRING WHAT’S NEEDED TO THREAT INTELLIGENCE: SCALE-Y PORGS. I’m incredibly grateful, and a little scared, to say that soon I will be joining Microsoft Threat Protection as a Senior Threat Intelligence Analyst, working with the team in Redmond. I just wanted to outline a few of the reasons why I’m making this move, as long time readers will… Microsoft Defender 6 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Jan 4, 2020 BIG GAME RANSOMWARE BEING DELIVERED TO ORGANISATIONS VIA PULSE SECURE VPN A security vulnerability in a popular enterprise remote access product is being used to deliver ransomware into organisations, with targeted delivery to also delete backups and disable endpoint security controls. The 2019 backstory Back in April 2019, Pulse Secure issued an advisory for their Zero Trust VPN product, warning organisations of an out… Security 4 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Nov 3, 2019 Member-only BLUEKEEP EXPLOITATION ACTIVITY SEEN IN THE WILD Back in May 2019, Microsoft released at patch for CVE-2019–0708, a Remote Desktop vulnerability I nicknamed BlueKeep — as exploitation would likely cause ‘blue screen of death’ (Windows to crash reboot) and a worm would lead to the Game of Thrones ‘Red Keep’ moment. People worked to reverse engineer… Security 6 min read -------------------------------------------------------------------------------- Kevin Beaumont ·Mar 21, 2019 HOW LOCKERGOGA TOOK DOWN HYDRO — RANSOMWARE USED IN TARGETED ATTACKS AIMED AT BIG BUSINESS This week Norsk Hydro, a large multinational manufacturer with 35,000 staff and over 100 years of history, had the nightmare scenario of a worldwide apparent ransom attempt — their systems began to malfunction, and attackers had placed the following ransom note on their business and some production systems across the… Security 13 min read Get started Sign In Cybersecurity from the trenches, written by Kevin Beaumont. Opinions are of the author alone, not their employer. Follow Connect with DoublePulsar EDITORS KEVIN BEAUMONT Everything here is my personal work and opinions. Follow SIGN UP FOR CYBERSECURITY THREAT CONTEXT AND RESPONSE BY DOUBLEPULSAR Cyber Threat Content and Response, from porgs, direct to your email box. Take a look. By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices. Get this newsletter Help Status Writers Blog Careers Privacy Terms About Knowable To make Medium work, we log user data. By using Medium, you agree to our Privacy Policy, including cookie policy.