From security em unicamp.br Thu Aug 7 08:46:55 2025
From: security em unicamp.br (CSIRT Unicamp)
Date: Thu, 7 Aug 2025 08:46:55 -0300
Subject: [SECURITY-L] Fwd: Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments
In-Reply-To: <0101019881fb4afd-fe077fac-7b3d-4079-af88-da15d0519706-000000@us-west-2.messagingfabric.com>
References: <0101019881fb4afd-fe077fac-7b3d-4079-af88-da15d0519706-000000@us-west-2.messagingfabric.com>

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information has recently been updated and is now available.

Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments
08/06/2025 8:30 PM EDT

*Note:* This Alert may be updated to reflect new guidance issued by CISA or other parties.

CISA is aware of the newly disclosed high-severity vulnerability, CVE-2025-53786, that allows a cyber threat actor with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. This vulnerability, if not addressed, could impact the identity integrity of an organization's Exchange Online service. While Microsoft has stated there is no observed exploitation as of the time of this alert's publication, CISA strongly urges organizations to implement Microsoft's Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance outlined below, or risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise.

1. If using Exchange hybrid, review Microsoft's guidance Exchange Server Security Changes for Hybrid Deployments to determine if your Microsoft hybrid deployments are potentially affected and available for a Cumulative Update (CU).
2. Install Microsoft's April 2025 Exchange Server Hotfix Updates on the on-premise Exchange server and follow Microsoft's configuration instructions Deploy dedicated Exchange hybrid app.
3. For organizations using Exchange hybrid (or that have previously configured Exchange hybrid but no longer use it), review Microsoft's Service Principal Clean-Up Mode for guidance on resetting the service principal's keyCredentials.
4. Upon completion, run the Microsoft Exchange Health Checker to determine if further steps are required.

CISA highly recommends entities disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet. For example, SharePoint Server 2013 and earlier versions are EOL and should be discontinued if still in use.

Organizations should review Microsoft's blog Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptions for additional guidance as it becomes available.

Computer Security Incident Response Team - CSIRT
Diretoria Executiva de Tecnologia da Informação e Comunicação - DETIC
Universidade Estadual de Campinas - Unicamp
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830
From security em unicamp.br Wed Aug 13 09:26:19 2025
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 13 Aug 2025 09:26:19 -0300
Subject: [SECURITY-L] Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments

Original information: https://www.cisa.gov/news-events/alerts/2025/08/06/microsoft-releases-guidance-high-severity-vulnerability-cve-2025-53786-hybrid-exchange-deployments

Last Revised August 12, 2025

*Update (08/12/2025):* CISA has updated this alert to provide clarification on identifying Exchange Servers on an organization's networks and provided further guidance on running the Microsoft Exchange Health Checker.

*Update (08/07/2025):* CISA issued Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability in response to *CVE-2025-53786*.

CISA is aware of the newly disclosed high-severity vulnerability, *CVE-2025-53786*, that allows a cyber threat actor with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. This vulnerability, if not addressed, could impact the identity integrity of an organization's Exchange Online service. While Microsoft has stated there is no observed exploitation as of the time of this alert's publication, CISA strongly urges organizations to implement Microsoft's *Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability* guidance outlined below, or risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise.

1. Organizations should first inventory all Exchange Servers on their networks (organizations should leverage existing visibility tools or publicly available tools, such as NMAP or PowerShell scripts, to accomplish this task).
2. If using Exchange hybrid, review Microsoft's guidance *Exchange Server Security Changes for Hybrid Deployments* to determine if your Microsoft hybrid deployments are potentially affected and available for a Cumulative Update (CU).
3. Install Microsoft's *April 2025 Exchange Server Hotfix Updates* on the on-premise Exchange server and follow Microsoft's configuration instructions *Deploy dedicated Exchange hybrid app*.
4. For organizations using Exchange hybrid (or that have previously configured Exchange hybrid but no longer use it), review Microsoft's Service Principal Clean-Up Mode for guidance on resetting the service principal's keyCredentials.
5. Upon completion, run the *Microsoft Exchange Health Checker* with appropriate permissions to identify the CU level of each Exchange Server identified and to determine if further steps are required.

CISA highly recommends entities disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet. For example, SharePoint Server 2013 and earlier versions are EOL and should be discontinued if still in use.

Organizations should review Microsoft's blog *Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptions* for additional guidance as it becomes available.

*Disclaimer:* The information in this report is being provided "as is" for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
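The following PowerShell is an added illustration of steps 1 and 5 of the alert above (build an inventory of on-premises Exchange servers, then establish the CU level of each one before running the Health Checker); it is not part of the CISA alert or of the CSIRT Unicamp message. It assumes an Exchange Management Shell session with permission to read organization configuration. Get-ExchangeServer and Get-HybridConfiguration are standard on-premises Exchange cmdlets; the major.minor-to-product map, the output file name and the column layout are this example's own choices, not values taken from the alert.

```powershell
# Added example, not from the CISA alert or the CSIRT Unicamp message.
# Assumes an on-premises Exchange Management Shell session with rights to read
# organization configuration. Get-ExchangeServer and Get-HybridConfiguration are
# standard Exchange cmdlets; the version map and the CSV file name below are this
# example's own assumptions, not values from the alert.

# Major.minor build to product family (well-known mapping, stated here as an
# assumption of the example): 15.0 = Exchange 2013 (end of life), 15.1 = Exchange
# 2016, 15.2 = Exchange 2019. Anything else is reported as unknown rather than guessed.
$family = @{
    '15.0' = 'Exchange 2013 (EOL)'
    '15.1' = 'Exchange 2016'
    '15.2' = 'Exchange 2019'
}

# Step 1: inventory every Exchange server the organization knows about.
# AdminDisplayVersion is a ServerVersion object exposing Major/Minor/Build/Revision
# (assumed here; it renders as e.g. "Version 15.2 (Build 1544.14)").
$inventory = Get-ExchangeServer | ForEach-Object {
    $v   = $_.AdminDisplayVersion
    $key = '{0}.{1}' -f $v.Major, $v.Minor
    [pscustomobject]@{
        Name   = $_.Name
        Site   = $_.Site
        Role   = $_.ServerRole
        Build  = '{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $v.Revision
        Family = if ($family.ContainsKey($key)) { $family[$key] } else { "unknown ($key)" }
    }
}
$inventory | Sort-Object Name | Format-Table -AutoSize

# Hybrid check: a HybridConfiguration object means Exchange hybrid was configured at
# some point, so steps 2-4 of the alert apply even if hybrid is no longer in use.
$hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue
if ($hybrid) {
    Write-Output 'Hybrid configuration object found: follow the dedicated hybrid app and service principal clean-up guidance.'
} else {
    Write-Output 'No hybrid configuration object found in this organization.'
}

# Keep the list for step 5: the Health Checker script takes a server name via its
# -Server parameter, so the Name column feeds that run directly.
$inventory | Export-Csv -Path .\exchange-inventory.csv -NoTypeInformation
```

The Build column is what the Health Checker compares against the April 2025 hotfix builds in step 5; the Family column mainly exists to surface any 15.0 (Exchange 2013) servers, which the alert's EOL recommendation covers regardless of hybrid status.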
From security em unicamp.br Wed Aug 13 16:56:57 2025
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 13 Aug 2025 16:56:57 -0300
Subject: [SECURITY-L] Devil in the Noise: Detecting Advanced Persistent Threats with Backbone Extraction

Forwarding a talk invitation.

Dear members of CT-MON and the Networks and Distributed Systems community,

Since last year, RNP's Technical Committee on Network Monitoring (CT-Mon) has been organizing talks by invited researchers and inviting the Brazilian community to take part in and engage with CT-Mon's activities. In 2024 we had speakers such as Mark Crovella (Boston University) and Marco Fiore (IMDEA, Spain). On Monday, 18/08/2025, at 11:00 we will have another talk. More information follows below, and we invite everyone to attend. We apologize for any duplicate messages and ask that you help us by forwarding this invitation to your research groups and anyone interested.

Speaker: Fabrício Murai
Institution: Worcester Polytechnic Institute (WPI)
Date and time: 18/08/2025, at 11:00
Link: https://conferenciaweb.rnp.br/rnp/ct-mon
Talk title: Devil in the Noise: Detecting Advanced Persistent Threats with Backbone Extraction

Short abstract: In the dynamically developing field of cyber security, the detection and differentiated analysis of system attacks represents a constant challenge. While conventional methods primarily analyze raw data to detect anomalies, data provenance shows promising results to advance host intrusion detection systems. However, detecting slow-and-low attacks such as APT campaigns still poses a challenge. Therefore, this work presents backbone extraction as a crucial preprocessing step, filtering out irrelevant edges to detect residuals with distinctive node and edge distributions that indicate security threats. By applying our methodology to state-of-the-art benchmark datasets, we observed an increase in the performance of one-class classifiers by up to 62% on F1-score and 48% on recall in the Streamspot dataset and by up to 40% on F1-score and 33% on recall in the DARPA3 THEIA dataset. Moreover, our results indicate mitigation of the dependency explosion problem and underscore the ability of our methodology to improve the detection landscape by shrinking graph sizes without losing essential aspects capable of characterizing attacks.

Short bio: Dr. Fabricio Murai is an Assistant Professor in Computer Science, AI and Data Science at WPI. Before joining, Fabricio Murai was a tenured faculty member in the Department of Computer Science at the Universidade Federal de Minas Gerais, Brazil. He received his Ph.D. in Computer Science at University of Massachusetts, Amherst in 2016. Dr. Murai's research focuses on developing innovative AI techniques that (i) leverage the interconnections among real-world entities, (ii) enhance our comprehension of society through the analysis of online data, and (iii) ensure equitable outcomes in high-stakes applications. He has published in top conferences in the field of AI and Data Mining, such as the AAAI Conference on Artificial Intelligence, ACM SIGKDD Conference on Knowledge Discovery and Data Mining, SIAM International Conference on Data Mining, as well as top scientific journals such as Data Mining and Knowledge Discovery, ACM TKDD and PLOS ONE.

---
Antonio A. de A. Rocha, Associate Professor
Computer Science Department (DCC)
Institute of Computing (IC)
Fluminense Federal University (UFF)
http://www.ic.uff.br/~arocha