A sophisticated malware framework dubbed EagerBee is actively targeting government agencies and Internet Service Providers (ISPs). Attackers exploited the ProxyLogon vulnerability (CVE-2021-26855) in Microsoft Exchange servers to deploy web shells, with subsequent commands downloading the EagerBee components.

The malware employs a multi-stage injection process that begins with the tsvipsrv.dll service injector, which abuses legitimate Windows services through DLL hijacking. The injector targets four critical services: the Themes service (UXInit), SessionEnv (Remote Desktop Configuration), IKEEXT (IKE/AuthIP Keying Modules), and MSDTC (Distributed Transaction Coordinator). The six core plugins are the File System Manipulator, Remote Access Manager, Network Enumerator, Service Controller, Process Explorer and Data Exfiltrator.

Security analysts at SOCRadar have linked the campaign to the Chinese-aligned CoughingDown threat group (APT27) through C2 infrastructure overlaps and code similarities.

The UAE Cyber Security Council advises critical mitigation steps to defend against the threat. Organizations should patch Exchange servers against CVE-2021-26855, actively hunt for modified service DLLs using file system checks, and monitor the Service Control Manager for unexpected configurations, such as unauthorized changes to the MSDTC service credentials. Cybersecurity authorities urge an immediate review of service configurations and memory analysis for detection, as EagerBee leaves minimal disk artifacts.

Tushar is a cyber security content editor at Cyber Security News.
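As an added example (not code from the article or from the EagerBee research it summarises), the following PowerShell script turns the mitigation advice above into concrete checks on a Windows host: it reads the ServiceDll value of the three svchost-hosted services the article names, verifies that each DLL lives under System32 and carries a valid Microsoft Authenticode signature, compares the MSDTC service account and image path against a baseline, searches System32 and SysWOW64 for the tsvipsrv.dll filename the article gives, and lists recent Service Control Manager events for new or reconfigured services. The expected DLL names and the MSDTC account are assumptions based on Windows defaults; confirm them against a known-good host of the same build before treating a mismatch as malicious. Run it from an elevated prompt.

```powershell
# Added example, not from the article. Checks the services EagerBee's injector is
# reported to abuse. Expected values below are ASSUMED Windows defaults; baseline
# them against a clean host of the same build.

$ExpectedServiceDlls = @{
    'Themes'     = 'themeservice.dll'   # assumed default for the Themes service
    'SessionEnv' = 'sessenv.dll'        # assumed default for Remote Desktop Configuration
    'IKEEXT'     = 'ikeext.dll'         # assumed default for IKE/AuthIP keying modules
}
$ExpectedMsdtcAccount = 'NT AUTHORITY\NetworkService'   # assumed default MSDTC account

function Test-ServiceDll {
    # Compares a service's registered ServiceDll with the expected name, location and signer.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$ExpectedDll)

    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    $dll    = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $issues = [System.Collections.Generic.List[string]]::new()
    $signer = $null

    if (-not $dll) {
        $issues.Add('ServiceDllMissing')
    } else {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if ((Split-Path -Path $path -Leaf).ToLowerInvariant() -ne $ExpectedDll) { $issues.Add('UnexpectedDllName') }
        if ($path -notlike "$env:SystemRoot\System32\*") { $issues.Add('OutsideSystem32') }
        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = $sig.SignerCertificate.Subject
            if ($sig.Status -ne 'Valid') { $issues.Add("Signature:$($sig.Status)") }
            elseif ($signer -notmatch 'O=Microsoft Corporation') { $issues.Add('NonMicrosoftSigner') }
        } else {
            $issues.Add('DllFileMissing')
        }
    }

    [pscustomobject]@{ Service = $Name; ServiceDll = $dll; Signer = $signer; Issues = ($issues -join ',') }
}

function Test-MsdtcConfig {
    # MSDTC runs as its own executable, so the relevant baseline is the account and image path
    # recorded by the Service Control Manager rather than a ServiceDll value.
    $svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
    $issues = @()
    if (-not $svc) {
        $issues += 'ServiceNotFound'
    } else {
        if ($svc.StartName -ne $ExpectedMsdtcAccount)        { $issues += "UnexpectedAccount:$($svc.StartName)" }
        if ($svc.PathName  -notlike '*\System32\msdtc.exe*') { $issues += "UnexpectedImage:$($svc.PathName)" }
    }
    [pscustomobject]@{ Service = 'MSDTC'; Account = $svc.StartName; Image = $svc.PathName; Issues = ($issues -join ',') }
}

function Find-InjectorDll {
    # tsvipsrv.dll is the injector filename the article names. Any copy under the system
    # directories deserves triage, since the malware leaves few other disk artifacts.
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        Get-ChildItem -Path $dir -Filter 'tsvipsrv.dll' -File -Recurse -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Get-RecentScmChanges {
    # 7045 = new service installed, 7040 = start type changed (System log, SCM provider).
    # Service account changes get no dedicated SCM event, so Test-MsdtcConfig compares against a baseline instead.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040, 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$report = foreach ($entry in $ExpectedServiceDlls.GetEnumerator()) {
    Test-ServiceDll -Name $entry.Key -ExpectedDll $entry.Value
}
$report += Test-MsdtcConfig
$report | Format-Table -AutoSize          # anything with a non-empty Issues column needs a look
Find-InjectorDll | Format-Table -AutoSize
Get-RecentScmChanges | Format-Table -AutoSize -Wrap
```

Because the article stresses that EagerBee leaves minimal disk artifacts, an empty report is not a clean bill of health: pair these configuration checks with memory analysis of the svchost.exe instances hosting the listed services.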
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Feb 2025 12:10:12 +0000