Contents:
Two 0-day vulnerabilities have been identified in fully patched Microsoft Exchange servers.
Security experts warn that the flaws are exploited by threat actors to perform remote code execution on affected systems and could be used to gain an entry into the victim’s systems, dropping webshells and executing lateral movements across the network.
Details about the Vulnerabilities
GTSC experts discovered the problem in August 2022 while doing security monitoring and incident response activities.
“Exploitation requests in IIS logs are said to appear in the same format as the ProxyShell Exchange Server vulnerabilities, with GTSC noting that the targeted servers had already been patched against the flaws that came to light in March 2021”, according to The Hacker News.
One theory is that the origin of the attacks is a Chinese hacking group, as the webshells are encoded in simplified Chinese. Also in the attacks was used China Chopper webshell, a backdoor that can grant remote access and allows hackers to reconnect to the infected system any time in the future.
The same type of webshell was used by the Hafnium hacking group last year while exploiting ProxyShell vulnerabilities.
Researchers observed a number of post-exploitation actions like injecting malicious DLLs into memory and deploying additional malicious code using the WMI command-line (WMIC) utility.
Microsoft Statement
Microsoft is investigating the problem and confirmed that the two vulnerabilities can be weaponized, but only using authenticated access to the vulnerable Exchange Server.
The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.
The tech giant also said that the two bugs are linked in the exploit chain, SSRF allowing any authenticated cybercriminal to trigger code execution remotely.
How to Stay Safe
It appears that more than one company has been a victim of an attack leveraging these 0-day vulnerabilities, but further details are not available due to the active exploitation.
An official patch from Microsoft is expected, but until then organizations can avoid these attacks “by adding a rule to block requests with indicators of attack through the URL Rewrite Rule module on IIS server”, according to GTSC.
- In Autodiscover at FrontEnd, select tab URL Rewrite, and then select Request Blocking
- Add string “.*autodiscover\.json.*\@.*Powershell.*” to the URL Path, and
- Condition input: Choose {REQUEST_URI}
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.