Blueliv Intelligence Briefing

Your cybersecurity news summary

Wednesday, May 12th, 2021

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Microsoft Exchange attack IOCs shared by bank regulator in Chile

CMF further states that they are investigating the breach and have been in contact with the Computer Security Incident Response Team (CSIRT) of the Ministry of Finance. While the indicators of compromise (IOCs) will have different file hashes for each victim, in many attacks the file names have been the same. Web shells named 'error_page.asp' and 'supp0rt.aspx' have been used in numerous ProxyLogon attacks and are, for the most part, identical, with only a few changes specific to the victim. These files are Microsoft Exchange Offline Address Books (OAB) whose ExternalUrl setting has been changed to the China Chopper web shell. This web shell allows threat actors to execute commands on the compromised Microsoft Exchange server remotely by visiting the URL configured in the ExternalUrl setting.
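A defender-side check for the tampering described above, added here as an example and not part of the briefing: it audits the ExternalUrl of each OAB virtual directory for embedded server-side script markup and matches file listings against the two web shell names the briefing reports. It assumes the directory settings were exported from the Exchange Management Shell as JSON (for instance with Get-OabVirtualDirectory | ConvertTo-Json); the sample export below is constructed, and its tampered record carries only an inert placeholder.

```python
import json
import re
from urllib.parse import urlparse

# File names the briefing reports as recurring ProxyLogon web shells.
KNOWN_WEBSHELL_NAMES = {"error_page.asp", "supp0rt.aspx"}
# A legitimate ExternalUrl is a plain URL; server-side script markup in it
# is the tampering the briefing describes.
SCRIPT_MARKUP = re.compile(r"<\s*script|runat\s*=|<%", re.IGNORECASE)

def check_external_url(value):
    """Return the reasons an OAB ExternalUrl looks tampered with ([] means clean)."""
    reasons = []
    if not value:
        return reasons  # unset is a normal state, not a finding
    if SCRIPT_MARKUP.search(value):
        reasons.append("server-side script markup in ExternalUrl")
    if any(ch.isspace() for ch in value):
        reasons.append("whitespace in URL")
    parsed = urlparse(value)
    if parsed.scheme.lower() != "https" or not parsed.netloc:
        reasons.append("not a plain https URL")
    return reasons

def audit_oab_export(json_text):
    """Scan a JSON export (assumed: Get-OabVirtualDirectory | ConvertTo-Json)
    and return (Server, Name, reasons) for each directory failing the checks."""
    records = json.loads(json_text)
    if isinstance(records, dict):  # ConvertTo-Json emits a bare object for one item
        records = [records]
    findings = []
    for rec in records:
        reasons = check_external_url(rec.get("ExternalUrl") or "")
        if reasons:
            findings.append((rec.get("Server"), rec.get("Name"), reasons))
    return findings

def flag_filenames(paths):
    """Return the paths whose file name matches a web shell name from the briefing."""
    return [p for p in paths
            if re.split(r"[\\/]", p)[-1].lower() in KNOWN_WEBSHELL_NAMES]

# Constructed sample export: EX01 is clean, EX02 carries inert placeholder markup.
SAMPLE_EXPORT = json.dumps([
    {"Name": "OAB (Default Web Site)", "Server": "EX01",
     "ExternalUrl": "https://mail.example.com/OAB"},
    {"Name": "OAB (Default Web Site)", "Server": "EX02",
     "ExternalUrl": 'http://f/<script runat="server">CONSTRUCTED_MARKER</script>'},
])
```

Running audit_oab_export(SAMPLE_EXPORT) reports only EX02; any hit should be treated as a compromised server, since the setting is not one administrators change to contain markup.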
