SecureTeam

LightNeuron malware targets Exchange servers

News, Vulnerabilities | 9 May, 2019

LightNeuron is a backdoor specifically designed to target Microsoft Exchange mail servers. It permits attackers to read and reroute all email passing through the server, and to execute commands on the server that arrive hidden inside the attachments of incoming emails.

A recent paper published by ESET describes how the malware functions and the risks it poses. The researcher says:

“LightNeuron is a piece of malware specifically designed to target Microsoft Exchange servers. It has two facets: spying on emails and acting as a full-feature backdoor. While rootkits and bootkits have an unmatched stealthiness in the malware domain, LightNeuron is uncommonly stealthy for “regular” malware. To our knowledge, leveraging a Microsoft Exchange Transport Agent for persistence is something unique and never before seen. The Command and Control protocol is fully based on emails and uses Steganography to store data in PDF and JPG attachments. Given that, in the Microsoft Exchange architecture, the malware is installed at the same level as anti-spam and other email security solutions, it allows the malware to bypass them easily. Using a nearly undetectable Command and Control channel allows the malware to stay under the radar for a long period.”

Steganography is the practice of concealing a file or message within another file such as an image, video or PDF document. Because the malware's command and control traffic consists only of ordinary emails flowing through the server, rather than a separate HTTP connection to an attacker-controlled host, it does not trigger the network Intrusion Detection Systems usually deployed on corporate networks, which look for exactly that kind of outbound connection.

LightNeuron functions by acting as a Transport Agent within the Exchange Server. Microsoft Exchange allows its functionality to be extended through Transport Agents supplied by Microsoft and third parties. Typically Transport Agents perform functions such as filtering spam, scanning for malware in attachments and adding disclaimers and signatures to outbound emails.

Malicious Transport Agents are installed with the same Exchange Management Shell cmdlets used to register legitimate ones (Install-TransportAgent and Enable-TransportAgent, run with Exchange administrative rights), so an attacker's agent is registered in the server configuration exactly like a vendor-supplied extension and is indistinguishable from one until the assembly it points to is inspected.

Removal of the LightNeuron malware is not a simple task, as deletion of the malware executable will render the Exchange Server inoperable; the malware must first be removed from the Exchange configuration. Instructions explaining how to remove the LightNeuron malware are provided in the paper from ESET.

The first step in a LightNeuron attack is for the attackers to obtain a foothold in the target network using more common malware tactics such as spear-phishing or malicious email attachments. If a foothold can be established anywhere in the network, this can then be leveraged to explore the network and to eventually gain administrative access to the Exchange server to install LightNeuron.

System Administrators can protect their networks from LightNeuron and similar malware by:

  • Using dedicated accounts for the administration of Exchange servers, protected by strong, unique passwords and two-factor authentication, and monitoring where and when those accounts are used.
  • Restricting PowerShell execution on the Exchange server, and logging what is run, so that an unexpected installation of a Transport Agent is both harder to perform and visible afterwards.
  • Regularly checking that every installed Transport Agent is signed by a trusted provider, by reviewing the agents listed in <ExchangeInstallFolder>\TransportRoles\Agents\agents.config and verifying the signature on each assembly they point to.
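The following script is an added example of the Transport Agent check described in the last bullet; it is not code from the article or from the ESET paper. It reads agents.config on the Exchange server, verifies the Authenticode signature on every agent assembly with Get-AuthenticodeSignature, and flags any agent whose DLL is unsigned, has a broken signature, is signed by an unexpected publisher, or is missing. It assumes the ExchangeInstallPath environment variable is set (it is on Exchange installs), that agents.config uses the configuration/mexRuntime/agentList/agent element layout with name, classFactory, assemblyPath and enabled attributes, and that the list of trusted signer subjects is supplied by the administrator (only Microsoft is included by default). Run it from an elevated Exchange Management Shell on each mailbox or edge transport server.

```powershell
# Added example (not the article's or ESET's code): audit the Transport Agents
# registered in agents.config and verify the signature on each agent assembly.
# Assumptions: $env:ExchangeInstallPath is set, and agents.config uses the
# <configuration><mexRuntime><agentList><agent .../> layout with name,
# classFactory, assemblyPath and enabled attributes.
param(
    # Certificate subjects whose signatures we accept; anything else is flagged.
    [string[]]$TrustedSubjects = @('CN=Microsoft Corporation')
)

$agentsConfig = Join-Path $env:ExchangeInstallPath 'TransportRoles\Agents\agents.config'
if (-not (Test-Path $agentsConfig)) { throw "agents.config not found at $agentsConfig" }

[xml]$config = Get-Content -Path $agentsConfig -Raw
$agents = $config.configuration.mexRuntime.agentList.agent

$results = foreach ($agent in $agents) {
    $dll = $agent.assemblyPath
    # A DLL outside the Exchange folder is unusual, but one inside it proves nothing:
    # the signature check below is the real test.
    $inExchangeTree = $dll -like (Join-Path $env:ExchangeInstallPath '*')

    if (Test-Path $dll) {
        $sig    = Get-AuthenticodeSignature -FilePath $dll
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        $trusted = ($status -eq 'Valid') -and
                   (@($TrustedSubjects | Where-Object { $signer -like "*$_*" }).Count -gt 0)
    } else {
        $signer = ''; $status = 'FileMissing'; $trusted = $false
    }

    [pscustomobject]@{
        Name            = $agent.name
        Enabled         = $agent.enabled
        ClassFactory    = $agent.classFactory
        AssemblyPath    = $dll
        InExchangeTree  = $inExchangeTree
        SignatureStatus = $status
        Signer          = $signer
        Suspicious      = -not $trusted
    }
}

# Suspicious agents first; review ClassFactory and AssemblyPath for each of them.
$results | Sort-Object Suspicious -Descending |
    Format-Table -AutoSize Name, Enabled, SignatureStatus, InExchangeTree, Suspicious

# Cross-check against what the transport service itself reports. An agent present
# in one list but not the other is worth investigating in its own right.
if (Get-Command Get-TransportAgent -ErrorAction SilentlyContinue) {
    Get-TransportAgent | Format-Table -AutoSize Identity, Enabled, Priority
}
```

Third-party agents you have deliberately installed (anti-spam, disclaimer or archiving products) will show as Suspicious until their publisher's certificate subject is added to -TrustedSubjects; record the expected list once and treat any later change to it as an incident to be explained, not a configuration tweak. As the article notes, do not simply delete a flagged DLL: disable and uninstall the agent through the Exchange configuration first, or the transport service will fail to start.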

 

Tags: Exchange Server, microsoft, patching, vulnerability management
