The BumbleBee web shell allows APT attackers to upload and download files, and move laterally by running commands.
A webshell called BumbleBee has taken flight in an ongoing xHunt espionage campaign that has targeted Microsoft Exchange servers at Kuwaiti organizations.
According to researchers at Palo Alto Networks’ Unit 42, BumbleBee (so named because of its color scheme) was observed being used to upload and download files to and from a compromised Exchange server back in September.
“We found BumbleBee hosted on an internal Internet Information Services (IIS) web server on the same network as the compromised Exchange server, as well as on two internal IIS web servers at two other Kuwaiti organizations,” researchers explained in a Monday blog.
Microsoft Ups Security of Azure AD, Identity
A roundup of Microsoft's recent security news and updates that focus on protecting identity.
Microsoft's latest security announcements have focused on securing Azure AD and Identity. Updates include stronger compromise prevention for Azure AD, a zero-trust business plan, and some changes to managing user authentication in Azure Portal.
Since it's a lot of news to work through, below is a recap of the highlights:
The updated Azure AD compromise prevention system, released last week, still uses supervised machine learning but expands the features and process used to train the model. This model, Microsoft says, aims to provide more accurate risk assessments by flagging more suspicious activity while reducing the number of false alarms.
SolarWinds Hack Compromised 40-plus Microsoft Customers
A decisive plurality – 44 percent – of the Microsoft customers compromised through SolarWinds are actually in the IT sector, and include software and security firms as well as IT services and equipment providers. By Michael Novinson December 18, 2020, 12:35 PM EST
More than 40 Microsoft customers were precisely targeted and compromised through trojanized updates to SolarWinds’ Orion network monitoring platform, according to President Brad Smith.
The Redmond, Wash.-based software giant said that roughly 80 percent of its compromised customers are located in the United States, with the remainder based out of Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates, Smith wrote in a blog late Thursday. The malicious Orion updates reached organizations in many major national capitals outside Russia, according to Smith.
Microsoft says it was hit by the SolarWinds cyberattack but has not found evidence its products or customer data were affected
Jeff Elder, Ashley Stewart, Dec 18, 2020, 16:59 IST
Microsoft's CEO Satya Nadella. Photo: Tobias Schwarz/Getty Images
Microsoft on Thursday said it was hit by the sweeping SolarWinds cybersecurity hack, but the company denied a Reuters report indicating its products and services may have been compromised.
Reuters reported that Microsoft's services may have been subverted by the attackers in a way that would make the tech titan's customers vulnerable. "We believe the sources for the Reuters report are misinformed or misinterpreting their information," Microsoft said.
SolarWinds Isn't the Only Way Hackers Entered Networks, CISA Says
The agency warned that ejecting attackers from networks will be tough, especially because they can likely read the email of IT and cybersecurity employees.
The fallout from the SolarWinds breaches will be far more difficult and time-consuming to remediate than originally assumed, as the attackers likely found more ways to enter federal networks than just the SolarWinds Orion product and have been targeting IT and response personnel, according to the government’s lead cybersecurity agency.
The Cybersecurity and Infrastructure Security Agency, or CISA, released an alert Thursday through the U.S. Computer Emergency Readiness Team, or US-CERT, detailing what the agency currently knows about the attack. The alert calls out at least one other attack vector beyond SolarWinds products and identifies IT and security personnel as prime targets of the hacking campaign.