Microsoft Exchange Zero-Day Vulnerabilities Discovered
Microsoft Exchange Servers under Active Exploitation.
Last updated on September 30, 2022
Two 0-day vulnerabilities have been identified in fully patched Microsoft Exchange servers.
Security experts warn that the flaws are being exploited by threat actors to achieve remote code execution on affected systems and could be used to gain entry into the victim's environment, drop webshells and move laterally across the network.
Details about the Vulnerabilities
GTSC experts discovered the problem in August 2022 while doing security monitoring and incident response activities.
“Exploitation requests in IIS logs are said to appear in the same format as the ProxyShell Exchange Server vulnerabilities, with GTSC noting that the targeted servers had already been patched against the flaws that came to light in March 2021”, according to The Hacker News.
One theory is that the attacks originate from a Chinese hacking group, as the webshells are encoded in simplified Chinese. The attacks also used the China Chopper webshell, a backdoor that grants remote access and lets the attackers reconnect to the infected system at any time in the future.
Researchers observed a number of post-exploitation actions like injecting malicious DLLs into memory and deploying additional malicious code using the WMI command-line (WMIC) utility.
Microsoft is investigating the problem and confirmed that the two vulnerabilities can be weaponized, but only using authenticated access to the vulnerable Exchange Server.
The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.
The tech giant also said that the two bugs are chained in the exploit, with the SSRF allowing any authenticated attacker to trigger remote code execution.
How to Stay Safe
It appears that more than one company has been a victim of an attack leveraging these 0-day vulnerabilities, but further details are not available due to the active exploitation.
An official patch from Microsoft is expected, but until then organizations can avoid these attacks “by adding a rule to block requests with indicators of attack through the URL Rewrite Rule module on IIS server”, according to GTSC.
In Autodiscover under FrontEnd, select the URL Rewrite tab, and then select Request Blocking.
Add the string “.*autodiscover\.json.*\@.*Powershell.*” to the URL Path, and
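As an added example (not from the original article or from GTSC), the following Python script applies the same pattern GTSC uses for the URL Rewrite blocking rule to IIS W3C log lines, so that a defender can find requests that would have been blocked, or that got through before the rule was added. The log field order and the sample log lines are constructed assumptions; the match is case-insensitive, mirroring URL Rewrite's default.

```python
"""Flag IIS log entries matching the GTSC URL Rewrite blocking pattern."""
import re

# Pattern string given by GTSC for the URL Rewrite "Request Blocking" rule.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Assumed IIS W3C field order; adjust to the "#Fields:" line of your own logs.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]


def parse_w3c_line(line):
    """Split one IIS W3C log line into a dict; return None for comments or short lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split(" ")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def request_uri(entry):
    """Rebuild stem + query, which is what a URL Rewrite condition on {REQUEST_URI} sees."""
    stem, query = entry["cs-uri-stem"], entry["cs-uri-query"]
    return stem if query == "-" else f"{stem}?{query}"


def find_suspicious(lines):
    """Return (client ip, uri, status) for every entry matching the blocking pattern."""
    hits = []
    for line in lines:
        entry = parse_w3c_line(line)
        if entry is None:
            continue
        uri = request_uri(entry)
        if BLOCK_PATTERN.match(uri):
            hits.append((entry["c-ip"], uri, entry["sc-status"]))
    return hits


# Constructed sample log lines, not real traffic: one benign OWA request,
# one request in the blocked shape, one ordinary Autodiscover request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-29 10:01:02 10.0.0.5 GET /owa/ - 443 - 10.0.0.20 Mozilla/5.0 - 200 0 0 15
2022-09-29 10:01:07 10.0.0.5 POST /autodiscover/autodiscover.json user@constructed.test/powershell 443 - 203.0.113.7 python-requests/2.28 - 200 0 0 1234
2022-09-29 10:01:09 10.0.0.5 GET /autodiscover/autodiscover.json - 443 - 10.0.0.21 Outlook/16.0 - 401 0 0 20
""".splitlines()

if __name__ == "__main__":
    for ip, uri, status in find_suspicious(SAMPLE_LOG):
        print(f"match: client={ip} status={status} uri={uri}")
```

A hit with a 200 status in logs that predate the rule is the case worth escalating, since it means the request reached the backend rather than being aborted.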
Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her NGO, cultural, and media background to this job.