Published on: 19-10-2021
Author: Figo Kolsteren

September 2021 Security Alerts: Stormshield’s product response

Vulnerabilities continued to appear at the end of September: CVE-2021-22005, a flaw in Microsoft Exchange and a new version of the StealBit malware. Here is an update on Stormshield's protection.


StealBit malware: a variant to watch out for

StealBit 2.0 is a tool of the "stealer" family, used by the LockBit group to exfiltrate victims' data to a Command & Control server. It runs after the exploitation phase of the attack. To hide its activity from signature-based security solutions, the variant studied loads specific functions through a non-standard DLL call to a network library.

The Stormshield Endpoint Security Evolution solution is able, by default, to detect and block this kind of non-standard behaviour before any damage occurs. This protection has been built into the default policy since SES Evolution 2.1.0.

Microsoft Exchange flaw: a critical misimplementation

The Autodiscover service of Microsoft Exchange is used to automatically connect a new client to its mailbox by sending credentials to a specific URL such as autodiscover.example[.]com. If this fails, the back-off procedure drops the middle part of the domain, so the URL becomes autodiscover[.]com. But this domain is public and can be bought by a malicious actor, who might then be able to receive the credentials of the domain's mail users.
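The back-off described above is easy to model, and doing so gives a defender the exact list of hostnames to block. The following is an added example, not Stormshield's code: it enumerates the Autodiscover candidates a client walks through for a given mail domain, flags the ones that fall outside the organisation's own domains (the names a third party could register), and then applies that check to a few constructed SNI log lines. The log format, the domain `corp.example.com` and the owned-suffix list are assumptions made for the example.

```python
"""Added example (not Stormshield's code): model the Exchange Autodiscover
back-off and flag the hostnames that leave the organisation's control."""
from __future__ import annotations

import re


def autodiscover_candidates(email_domain: str) -> list[str]:
    """Return the Autodiscover hostnames a client tries, in back-off order.

    For "corp.example.com" the client first tries
    autodiscover.corp.example.com, then drops the leftmost label each time:
    autodiscover.example.com, and finally autodiscover.com, the public
    domain the post warns about.
    """
    labels = [l for l in email_domain.lower().strip(".").split(".") if l]
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def is_autodiscover_leak(host: str, owned_suffixes: list[str]) -> bool:
    """True if host is an Autodiscover name outside every owned domain.

    Such a name can be registered by anyone, so a client contacting it may
    hand its credentials to a third party.
    """
    host = host.lower().strip(".")
    if not host.startswith("autodiscover."):
        return False
    owned = tuple("." + s.lower().strip(".") for s in owned_suffixes)
    return not host.endswith(owned)


def leaked_candidates(email_domain: str, owned_suffixes: list[str]) -> list[str]:
    """The back-off candidates a URL filter or SNI rule should block."""
    return [h for h in autodiscover_candidates(email_domain)
            if is_autodiscover_leak(h, owned_suffixes)]


# Constructed sample log lines (assumed format, not a real Stormshield log).
SAMPLE_LOG = """\
2021-09-27T08:01:12Z src=10.0.0.21 sni=autodiscover.corp.example.com action=pass
2021-09-27T08:01:13Z src=10.0.0.21 sni=autodiscover.example.com action=pass
2021-09-27T08:01:14Z src=10.0.0.21 sni=autodiscover.com action=pass
2021-09-27T08:02:40Z src=10.0.0.35 sni=www.example.org action=pass
"""

SNI_RE = re.compile(r"src=(?P<src>\S+)\s+sni=(?P<sni>\S+)")


def find_leaks(log_text: str, owned_suffixes: list[str]) -> list[tuple[str, str]]:
    """Return (source, hostname) pairs for connections to leaking names."""
    hits = []
    for line in log_text.splitlines():
        m = SNI_RE.search(line)
        if m and is_autodiscover_leak(m.group("sni"), owned_suffixes):
            hits.append((m.group("src"), m.group("sni")))
    return hits


if __name__ == "__main__":
    owned = ["example.com"]
    print("candidates:", autodiscover_candidates("corp.example.com"))
    print("to block:  ", leaked_candidates("corp.example.com", owned))
    for src, host in find_leaks(SAMPLE_LOG, owned):
        print(f"client {src} reached a leaking Autodiscover name: {host}")
```

The generic `is_autodiscover_leak` check is what a filtering rule or a detection query would implement: any `autodiscover.` hostname not under a domain the organisation controls is blocked or alerted on, whichever mail domain the client started from.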

Stormshield protects against this Microsoft Exchange Autodiscover credential leak with the SNS signatures http:client:header.215 (note that this one requires the SSL proxy to be activated) and ssl:client:sni.27 (which does not require the SSL proxy).

It is also possible to configure SNS URL filtering to block autodiscover domains*: