Heimdal

Two 0-day vulnerabilities have been identified in fully patched Microsoft Exchange servers.

Security experts warn that threat actors are exploiting the flaws to achieve remote code execution on affected systems. The flaws could be used to gain entry into a victim's environment, drop webshells, and move laterally across the network.

Details about the Vulnerabilities

GTSC experts discovered the problem in August 2022 while doing security monitoring and incident response activities.


“Exploitation requests in IIS logs are said to appear in the same format as the ProxyShell Exchange Server vulnerabilities, with GTSC noting that the targeted servers had already been patched against the flaws that came to light in March 2021”, according to The Hacker News.

One theory is that the attacks originate from a Chinese hacking group, as the webshells are encoded in simplified Chinese. The attackers also used the China Chopper webshell, a backdoor that grants remote access and lets them reconnect to the infected system at any time in the future.

The same type of webshell was used by the Hafnium hacking group last year while exploiting ProxyShell vulnerabilities.

Researchers observed a number of post-exploitation actions like injecting malicious DLLs into memory and deploying additional malicious code using the WMI command-line (WMIC) utility.

Microsoft Statement

Microsoft is investigating the problem and confirmed that the two vulnerabilities can be weaponized, but only with authenticated access to the vulnerable Exchange Server.

The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.


The tech giant also said that the two bugs are chained in the exploit: the SSRF allows any authenticated attacker to trigger the remote code execution.

How to Stay Safe

It appears that more than one company has been a victim of an attack leveraging these 0-day vulnerabilities, but further details have not been released while exploitation is ongoing.

An official patch from Microsoft is expected, but until then organizations can avoid these attacks “by adding a rule to block requests with indicators of attack through the URL Rewrite Rule module on IIS server”, according to GTSC.

  • In Autodiscover at FrontEnd, select tab URL Rewrite, and then select Request Blocking
  • Add string “.*autodiscover\.json.*\@.*Powershell.*” to the URL Path, and
  • Condition input: Choose {REQUEST_URI}
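As an added example (not from the article, GTSC or Microsoft), the following Python scans IIS W3C log lines for requests that the rewrite rule above would have blocked, which is one way to check whether a server received such requests before the rule was in place. The log sample is constructed, and the script assumes the standard W3C `#Fields` header is present.

```python
"""Scan IIS W3C log lines for requests matching the GTSC URL Rewrite block pattern."""
import re
from typing import Iterator

# The pattern GTSC recommended for the IIS URL Rewrite request-blocking rule.
# IIS URL Rewrite matches case-insensitively by default, so we do the same here.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Constructed sample of an IIS W3C log (not a real capture). Field order follows
# the #Fields header, which real IIS logs emit at the top of each file.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-09-29 10:15:01 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 200
2022-09-29 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json @example.invalid/powershell 443 - 192.0.2.20 200
2022-09-29 10:15:03 10.0.0.5 GET /autodiscover/autodiscover.json a=1 443 - 192.0.2.30 401
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def suspicious_requests(text: str) -> list:
    """Return (c-ip, request URI, sc-status) for lines matching BLOCK_PATTERN.

    The URI is rebuilt as stem + '?' + query, which is what the IIS {REQUEST_URI}
    server variable used by the rewrite rule's condition contains.
    """
    hits = []
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"]
        if rec.get("cs-uri-query", "-") != "-":
            uri += "?" + rec["cs-uri-query"]
        if BLOCK_PATTERN.match(uri):
            hits.append((rec["c-ip"], uri, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for ip, uri, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {status} {uri}")
```

A 200 status on a matching line is the case worth investigating further, since it means the request reached the Exchange backend before any blocking rule existed.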


Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content.
