
LightNeuron malware targets Exchange servers

News, Vulnerabilities | 9 May, 2019

LightNeuron is a backdoor built specifically for Microsoft Exchange mail servers. Once installed it lets attackers read and reroute every email passing through the server, and execute commands on the server that are delivered to it hidden inside the attachments of incoming emails.

A recent paper published by ESET describes how the malware functions and the risks it poses. The researcher says:

“LightNeuron is a piece of malware specifically designed to target Microsoft Exchange servers. It has two facets: spying on emails and acting as a full-feature backdoor. While rootkits and bootkits have an unmatched stealthiness in the malware domain, LightNeuron is uncommonly stealthy for “regular” malware. To our knowledge, leveraging a Microsoft Exchange Transport Agent for persistence is something unique and never before seen. The Command and Control protocol is fully based on emails and uses Steganography to store data in PDF and JPG attachments. Given that, in the Microsoft Exchange architecture, the malware is installed at the same level as anti-spam and other email security solutions, it allows the malware to bypass them easily. Using a nearly undetectable Command and Control channel allows the malware to stay under the radar for a long period.”

Steganography is the practice of concealing a file or message within another file such as an image, video or PDF document. Because LightNeuron's command and control channel is ordinary email (commands arrive in attachments and results leave the same way) rather than HTTP connections to an attacker-controlled server, there is no beaconing for the network intrusion detection systems usually deployed on corporate networks to spot: to them the traffic is simply the mail that an Exchange server is expected to receive and send.

LightNeuron functions by acting as a Transport Agent within the Exchange Server. Microsoft Exchange allows its functionality to be extended through Transport Agents supplied by Microsoft and third parties: .NET assemblies that the Exchange transport service loads and calls as each message passes through the server, so that they can inspect and alter it. Typically Transport Agents perform functions such as filtering spam, scanning attachments for malware and adding disclaimers and signatures to outbound emails, which is why a malicious agent gets exactly the same visibility of, and control over, mail flow as those legitimate products.

A malicious Transport Agent is installed in the same way as a legitimate one: by running the Install-TransportAgent and Enable-TransportAgent cmdlets in the Exchange Management Shell (PowerShell) on the Exchange server, which register the agent's DLL and factory class in Exchange's agent configuration so that it is loaded whenever the transport service starts. Doing so requires Exchange administrative permissions on the server.

Removal of the LightNeuron malware is not a simple task: deleting the malware's DLL while it is still registered as a Transport Agent will render the Exchange Server inoperable, because the transport service will try to load an agent that no longer exists. The agent must first be removed from the Exchange configuration, and only then can its files be deleted. Instructions explaining how to remove the LightNeuron malware are provided in the paper from ESET.

The first step in a LightNeuron attack is for the attackers to obtain a foothold in the target network using more common malware tactics such as spear-phishing or malicious email attachments. If a foothold can be established anywhere in the network, this can then be leveraged to explore the network and to eventually gain administrative access to the Exchange server to install LightNeuron.

System Administrators can reduce the risk from LightNeuron and similar Transport Agent malware by taking the following steps:

  • Use dedicated accounts (and monitor their use) for the administration of Exchange servers, with strong, unique passwords and two-factor authentication. Installing a Transport Agent requires Exchange administrative permissions, so these are the accounts an attacker has to compromise.
  • Restrict and log PowerShell execution on Exchange servers: limit remote PowerShell and Exchange Management Shell access to the dedicated administrative accounts, and review the Exchange administrator audit log (Search-AdminAuditLog), which records configuration-changing cmdlets such as Install-TransportAgent and Enable-TransportAgent, forwarding it to your SIEM so that unexpected agent installations raise an alert.
  • Regularly check that all the installed Transport Agents are signed by a trusted provider by reviewing the contents of: <ExchangeInstallFolder>\TransportRoles\Agents\agents.config, and comparing it with the output of Get-TransportAgent in the Exchange Management Shell. Any agent whose assembly is unsigned, signed by an unexpected publisher, or located outside the Exchange installation directory should be treated as suspect until proven otherwise.
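The audit described in the last point above, covering how agents are registered (the Install-TransportAgent / Enable-TransportAgent discussion) as well as the signature check, as an added example. This is not code from the SecureTeam article or the ESET paper. It is written for the Exchange Management Shell (PowerShell 3 or later) on the Exchange server itself. The list of trusted signers, and the assumption that every agent registration file is named *agents.config somewhere under <ExchangeInstallFolder>\TransportRoles (Exchange 2010 uses TransportRoles\Agents\agents.config, later versions keep one file per transport service, so the whole tree is searched), are assumptions made here and should be adjusted to your environment:

```powershell
# Added example: audit the Transport Agents registered on an Exchange server.
# Not code from the SecureTeam article or the ESET paper. Run in the Exchange
# Management Shell (PowerShell 3+) on the Exchange server, using the dedicated
# administrative account.
#
# Assumptions (not from the article):
#   - $trustedSigners lists the publishers whose signed agents you expect.
#   - every agent registration file is named *agents.config and lives under
#     <ExchangeInstallFolder>\TransportRoles, so all of them are searched.

$trustedSigners = @('CN=Microsoft Corporation')   # add vetted third-party publishers here

$exchangeRoot = $env:ExchangeInstallPath          # set by Exchange setup on the server
if (-not $exchangeRoot) {
    throw 'ExchangeInstallPath is not set; run this on the Exchange server in the Exchange Management Shell.'
}

$configFiles = Get-ChildItem -Path (Join-Path $exchangeRoot 'TransportRoles') -Recurse -Filter '*agents.config' |
               Where-Object { -not $_.PSIsContainer }

$findings = foreach ($file in $configFiles) {
    # Each registered agent is an <agent> element naming the assembly Exchange
    # loads and the factory class it instantiates. XPath keeps this independent
    # of the exact nesting used by a given Exchange version.
    [xml]$cfg = Get-Content -LiteralPath $file.FullName -Raw
    foreach ($agent in $cfg.SelectNodes('//agent')) {
        $dll = [Environment]::ExpandEnvironmentVariables($agent.GetAttribute('assemblyPath'))
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $file.DirectoryName $dll }
        $dll = [IO.Path]::GetFullPath($dll)

        $sig = if (Test-Path -LiteralPath $dll) { Get-AuthenticodeSignature -LiteralPath $dll } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

        # Two independent checks; a LightNeuron-style agent fails at least one.
        # Status must be 'Valid' (signature chains to a trusted root), not merely
        # present, and the signer must be one we expect; the DLL must also live
        # inside the Exchange installation tree.
        $signatureOk = ($null -ne $sig) -and ($sig.Status -eq 'Valid') -and
                       (@($trustedSigners | Where-Object { $signer -like "*$_*" }).Count -gt 0)
        $locationOk  = $dll.StartsWith($exchangeRoot, [StringComparison]::OrdinalIgnoreCase)

        [pscustomobject]@{
            ConfigFile = $file.Name
            Agent      = $agent.GetAttribute('name')
            Enabled    = $agent.GetAttribute('enabled')
            Factory    = $agent.GetAttribute('classFactory')
            Assembly   = $dll
            Signature  = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
            Signer     = $signer
            Suspicious = -not ($signatureOk -and $locationOk)
        }
    }
}

# Suspect agents first. Compare the Agent column with Get-TransportAgent output
# so that everything Exchange will load is accounted for.
$findings | Sort-Object Suspicious -Descending |
    Format-Table ConfigFile, Agent, Enabled, Signature, Suspicious, Assembly -AutoSize

$suspect = @($findings | Where-Object { $_.Suspicious })
if ($suspect.Count -gt 0) {
    $names = ($suspect | ForEach-Object { $_.Agent } | Select-Object -Unique) -join ', '
    Write-Warning ("{0} Transport Agent(s) need review: {1}" -f $suspect.Count, $names)
}
```

Keep the first run's output as a baseline so that later runs only need to explain new rows. A row marked Suspicious is a lead, not a verdict (an in-house agent signed with your own code-signing certificate will show up until its publisher is added to the trusted list), but an agent whose DLL is unsigned, signed by an unknown publisher, or stored outside the Exchange installation folder is exactly what this article warns about. If one turns out to be malicious, do not start by deleting the DLL: remove the registration first with Disable-TransportAgent and Uninstall-TransportAgent, following the removal steps in the ESET paper, and only then delete the files.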

 
