Microsoft has been investigating the attacks exploiting the new Exchange Server zero-day vulnerabilities and believes that a single state-sponsored threat group has been using them in highly targeted attacks.
The tech giant assesses with medium confidence that a single threat actor has exploited the Exchange zero-days tracked as CVE-2022-41040 and CVE-2022-21082. The company is aware of attacks against fewer than 10 organizations globally.
“MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration,” Microsoft said.
Vietnamese cybersecurity company GTSC, which informed the vendor about the vulnerabilities and their exploitation through Zero Day Initiative (ZDI), said it saw an attack aimed at critical infrastructure. The security firm believes the attack was launched by a Chinese threat group.
The attackers have chained CVE-2022-41040 and CVE-2022-41082, but Microsoft noted that the flaws can be exploited separately as well.
“Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker,” Microsoft warned.
Patches for the two vulnerabilities have yet to be released, but the vendor has published mitigation guidance and released a script that automates mitigation steps.
Microsoft has also released advisories for each of the flaws, both of which have been rated ‘high severity’. CVE-2022-41040 has been described as a server-side request forgery (SSRF) bug that can allow an attacker to obtain the privileges to run PowerShell in the context of the system. CVE-2022-41082 allows remote code execution in the context of the server’s account through a network call.
Exploitation of both vulnerabilities requires authentication, but standard email user credentials are sufficient, and Microsoft has admitted that these credentials “can be acquired via many different attacks”.
Researcher Kevin Beaumont has dubbed the vulnerabilities ProxyNotShell due to their similarity with the ProxyShell flaw, which has been exploited in the wild for more than a year.
Beaumont noted that the new flaws are similar to ProxyShell, but their exploitation requires authentication. “It appears the ProxyShell patches from early 2021 did not fix the issue,” the researcher said.
The vulnerabilities have been found to impact Exchange Server 2013, 2016 and 2019, and Beaumont said there are roughly a quarter million vulnerable servers facing the internet.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the two flaws to its known exploited vulnerabilities catalog, instructing federal agencies to address them by October 21.
Related: Hackers Deploying Backdoors on Exchange Servers via ProxyShell Vulnerabilities
Related: Zero-Days Under Attack: Microsoft Plugs Exchange Server, Excel Holes