Microsoft Links Exploitation of Exchange Zero-Days to State-Sponsored Hacker Group

Microsoft has been investigating the attacks exploiting the new Exchange Server zero-day vulnerabilities and believes that a single state-sponsored threat group has been using them in highly targeted attacks.

The tech giant assesses with medium confidence that a single threat actor has exploited the Exchange zero-days tracked as CVE-2022-41040 and CVE-2022-41082. The company is aware of attacks against fewer than 10 organizations globally.

“MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration,” Microsoft said.

Vietnamese cybersecurity company GTSC, which informed the vendor about the vulnerabilities and their exploitation through Zero Day Initiative (ZDI), said it saw an attack aimed at critical infrastructure. The security firm believes the attack was launched by a Chinese threat group.

The attackers have chained CVE-2022-41040 and CVE-2022-41082, but Microsoft noted that the flaws can be exploited separately as well.

“Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker,” Microsoft warned.

Patches for the two vulnerabilities have yet to be released, but the vendor has published mitigation guidance and released a script that automates mitigation steps.

Microsoft has also released advisories for each of the flaws, both of which have been rated ‘high severity’. CVE-2022-41040 has been described as a server-side request forgery (SSRF) bug that can allow an attacker to obtain the privileges to run PowerShell in the context of the system. CVE-2022-41082 allows remote code execution in the context of the server’s account through a network call.

Exploitation of both vulnerabilities requires authentication, but standard email user credentials are sufficient, and Microsoft has admitted that these credentials “can be acquired via many different attacks”.

Researcher Kevin Beaumont has dubbed the vulnerabilities ProxyNotShell due to their similarity with the ProxyShell flaw, which has been exploited in the wild for more than a year.

Beaumont noted that the new flaws are similar to ProxyShell, but their exploitation requires authentication. “It appears the ProxyShell patches from early 2021 did not fix the issue,” the researcher said.

The vulnerabilities have been found to impact Exchange Server 2013, 2016 and 2019, and Beaumont said there are roughly a quarter million vulnerable servers facing the internet.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the two flaws to its known exploited vulnerabilities catalog, instructing federal agencies to address them by October 21.

Related: Hackers Deploying Backdoors on Exchange Servers via ProxyShell Vulnerabilities

Related: Zero-Days Under Attack: Microsoft Plugs Exchange Server, Excel Holes

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
