
Cyberwarfare

Microsoft Links Exploitation of Exchange Zero-Days to State-Sponsored Hacker Group

Microsoft has been investigating the attacks exploiting the new Exchange Server zero-day vulnerabilities and believes that a single state-sponsored threat group has been using them in highly targeted attacks.

The tech giant assesses with medium confidence that a single threat actor has exploited the Exchange zero-days tracked as CVE-2022-41040 and CVE-2022-41082. The company is aware of attacks against fewer than 10 organizations globally.

“MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration,” Microsoft said.
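The post-exploitation chain Microsoft describes (a web shell inside IIS giving hands-on-keyboard access, followed by Active Directory reconnaissance) leaves a recognisable trace in process-creation telemetry: the IIS worker process, w3wp.exe, ends up as an ancestor of an interactive shell or of built-in directory tools. The detection logic below is an added example and is not code from the article, from Microsoft or from GTSC; it assumes Sysmon-style process-creation records with host, PID, parent PID, image path and command line, and the sample events it runs over are constructed, not real telemetry.

```python
"""Flag shells and AD reconnaissance tools whose process lineage leads back to
the IIS worker process (w3wp.exe), the pattern left by a web shell on an
Exchange server. Added example; field names follow Sysmon Event ID 1 /
Security 4688 style records (assumption), and SAMPLE_EVENTS is constructed."""

from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    pid: int
    parent_pid: int
    image: str          # full path of the created process
    command_line: str
    user: str


# IIS worker process; on Exchange it hosts OWA, ECP and Autodiscover.
WEB_WORKERS = {"w3wp.exe"}
# Interactive shells and script hosts an IIS worker should never launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
# Built-ins commonly seen during Active Directory reconnaissance.
AD_RECON = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "dsquery.exe", "setspn.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (Windows separators)."""
    return ntpath.basename(path).lower()


def ancestry(event: ProcessEvent, by_key: dict) -> list:
    """Image names from the oldest known ancestor down to `event`.
    Stops at an unknown parent or when a (host, pid) repeats (PID reuse)."""
    chain, seen, cur = [], set(), event
    while cur is not None and (cur.host, cur.pid) not in seen:
        seen.add((cur.host, cur.pid))
        chain.append(image_name(cur.image))
        cur = by_key.get((cur.host, cur.parent_pid))
    return list(reversed(chain))


def detect(events: list) -> list:
    """Return one alert per shell/recon process descended from w3wp.exe."""
    by_key = {(e.host, e.pid): e for e in events}
    alerts = []
    for e in events:
        name = image_name(e.image)
        if name not in SHELLS and name not in AD_RECON:
            continue
        chain = ancestry(e, by_key)
        if not any(a in WEB_WORKERS for a in chain[:-1]):
            continue  # no IIS worker in the lineage: ordinary admin activity
        reason = ("IIS worker spawned a shell" if name in SHELLS
                  else "IIS worker lineage ran AD reconnaissance tool")
        alerts.append({"timestamp": e.timestamp, "host": e.host, "pid": e.pid,
                       "user": e.user, "chain": chain,
                       "command_line": e.command_line,
                       "reason": reason, "severity": "high"})
    return alerts


# Constructed sample telemetry: one web-shell lineage on EXCH01 plus an
# administrator's normal PowerShell session, which must not alert.
SAMPLE_EVENTS = [
    ProcessEvent("2022-09-29T03:10:00Z", "EXCH01", 900, 500,
                 r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\exadmin"),
    ProcessEvent("2022-09-29T03:11:00Z", "EXCH01", 1200, 700,
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 'w3wp.exe -ap "MSExchangeOWAAppPool"', r"NT AUTHORITY\SYSTEM"),
    ProcessEvent("2022-09-29T03:12:04Z", "EXCH01", 2400, 1200,
                 r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami /all"',
                 r"NT AUTHORITY\SYSTEM"),
    ProcessEvent("2022-09-29T03:12:05Z", "EXCH01", 2410, 2400,
                 r"C:\Windows\System32\whoami.exe", "whoami /all", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent("2022-09-29T03:12:40Z", "EXCH01", 2420, 2400,
                 r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp.example",
                 r"NT AUTHORITY\SYSTEM"),
    ProcessEvent("2022-09-29T03:20:00Z", "EXCH01", 3000, 900,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe", r"CORP\exadmin"),
    ProcessEvent("2022-09-29T03:21:00Z", "EXCH01", 3100, 3000,
                 r"C:\Windows\System32\net.exe", "net user /domain", r"CORP\exadmin"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["timestamp"], alert["host"], " -> ".join(alert["chain"]),
              "|", alert["reason"])
```

Keying the process table by (host, pid) and stopping on a repeated key keeps the ancestry walk correct across several hosts and under PID reuse; the admin session descended from explorer.exe produces no alert even though it runs the same built-ins.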

Vietnamese cybersecurity company GTSC, which informed the vendor about the vulnerabilities and their exploitation through Zero Day Initiative (ZDI), said it saw an attack aimed at critical infrastructure. The security firm believes the attack was launched by a Chinese threat group.

The attackers have chained CVE-2022-41040 and CVE-2022-41082, but Microsoft noted that the flaws can be exploited separately as well.

“Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker,” Microsoft warned.

Patches for the two vulnerabilities have yet to be released, but the vendor has published mitigation guidance and released a script that automates mitigation steps.

Microsoft has also released advisories for each of the flaws, both of which have been rated ‘high severity’. CVE-2022-41040 has been described as a server-side request forgery (SSRF) bug that can allow an attacker to obtain the privileges to run PowerShell in the context of the system. CVE-2022-41082 allows remote code execution in the context of the server’s account through a network call.

Exploitation of both vulnerabilities requires authentication, but standard email user credentials are sufficient, and Microsoft has admitted that these credentials “can be acquired via many different attacks”.

Researcher Kevin Beaumont has dubbed the vulnerabilities ProxyNotShell due to their similarity with the ProxyShell flaw, which has been exploited in the wild for more than a year.

Beaumont noted that the new flaws are similar to ProxyShell, but their exploitation requires authentication. “It appears the ProxyShell patches from early 2021 did not fix the issue,” the researcher said.

The vulnerabilities have been found to impact Exchange Server 2013, 2016 and 2019, and Beaumont said there are roughly a quarter million vulnerable servers facing the internet.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the two flaws to its known exploited vulnerabilities catalog, instructing federal agencies to address them by October 21.

Related: Hackers Deploying Backdoors on Exchange Servers via ProxyShell Vulnerabilities

Related: Zero-Days Under Attack: Microsoft Plugs Exchange Server, Excel Holes

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.