The Cybersecurity and Infrastructure Security Agency (CISA) warned in August about three ProxyShell vulnerabilities, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, which could allow an attacker to execute arbitrary code on unprotected systems. Microsoft issued updated guidance in late August, alerting customers that security updates from May or July would protect their systems. 
However, by September researchers at Sophos warned that Conti affiliates were using ProxyShell exploits to target organizations during ransomware attacks. Mandiant researchers reported webshell uploads linked to threat actor UNC2980 against a U.S.-based university in August.
Now, Mandiant researchers say they have observed threat actors using new methods after some of the earlier attack techniques were blocked by those security updates.
“For example, in the case of exporting web shells, various antivirus solutions have detected web shells exported from mailboxes when they were written to disk via inspection and blocking of web files written with mailbox (PST) file headers,” Josh Goddard, a consultant with Mandiant’s Incident Response Group, told Cybersecurity Dive via email. “However, web shells exported from the certificate store did not contain these headers, so in some cases, these were not detected and the attack was therefore successful.”
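The detection gap Goddard describes, as an added example that is not from the article or from Mandiant: a detector keyed on the mailbox (PST) file header catches the mailbox-export variant but not a file that reached the web directory by another export path, whereas a check that is indifferent to the leading bytes (server-executable file not in a known baseline) catches both. File names, the baseline and the file contents are constructed; the "code" in them is an inert placeholder, not a working web shell.

```python
from pathlib import Path

PST_MAGIC = b"!BDN"  # bytes at offset 0 of an Outlook PST/OST file
SERVER_EXEC_EXT = {".aspx", ".ashx", ".asmx", ".asax"}  # assumed set of extensions to watch

# Constructed samples standing in for files found under a web root.
# Only the first carries the PST header that a mailbox export writes.
SAMPLES = {
    "mailbox_export.aspx": PST_MAGIC + b"\x00" * 12 + b"<% /* placeholder */ %>",
    "certstore_export.aspx": b"\x30\x82\x01\x00" + b"<% /* placeholder */ %>",
    "known_page.aspx": b"<%@ Page Language=\"C#\" %><html>ok</html>",
}
# Assumed baseline: server-executable files that are expected to exist.
BASELINE = {"known_page.aspx"}


def has_pst_header(data: bytes) -> bool:
    """True when the file begins with the PST magic bytes."""
    return data[:4] == PST_MAGIC


def header_based_verdicts(files: dict) -> set:
    """Old-style detector: flag server-executable files that carry a PST header."""
    return {
        name for name, data in files.items()
        if Path(name).suffix.lower() in SERVER_EXEC_EXT and has_pst_header(data)
    }


def baseline_verdicts(files: dict, baseline: set) -> set:
    """Header-agnostic detector: flag any server-executable file not in the baseline."""
    return {
        name for name in files
        if Path(name).suffix.lower() in SERVER_EXEC_EXT and name not in baseline
    }


if __name__ == "__main__":
    print("header-based  :", sorted(header_based_verdicts(SAMPLES)))
    print("baseline-based:", sorted(baseline_verdicts(SAMPLES, BASELINE)))
```

The header-based detector misses `certstore_export.aspx`; the baseline check flags it because the file is executable by the web server and is not expected to be there.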
In other situations, threat actors created their own mailboxes and accessed them via Outlook Web Access (OWA), in a move that targets the email service directly, rather than targeting the operating system of the email servers, according to Goddard.
CISA, the FBI, the U.K. National Cyber Security Centre and the Australian Cyber Security Centre earlier this week issued a joint advisory about advanced persistent threat activity from actors sponsored by Iran. That warning covered exploitation of vulnerabilities in Fortinet FortiOS and in Microsoft Exchange (CVE-2021-34473) to target various critical infrastructure facilities.
The Fortinet vulnerabilities were used to target a U.S. children’s hospital in June and a municipal government in May.
“Joint advisories exemplify our commitment to working with international and interagency partners to share timely and actionable information so we can build collective resilience against cyberthreats,” said Matt Hartman, deputy executive assistant director for cybersecurity at CISA. “This alert provides a comprehensive view into Iranian government sponsored threat-actor activity, their tactics and techniques and steps organizations should take to detect, mitigate, and reduce their risk of compromise.”
When asked about the Iranian attacks, Goddard said, “they may have been using some of these new tactics, but we don’t have sufficient data to link them up.”