Microsoft Corp. is examining instances of likely active exploitation of two zero-day (i.e., heretofore unknown) vulnerabilities in its Exchange Server product--the primary email management product in the company's lineup and one that many organizations rely on to transmit email. Due to the seriousness of the risks associated with these vulnerabilities, Microsoft is expediting the development of software patches to address the security gaps they represent. Meanwhile, it is urging some Exchange customers to enable a configuration option that Microsoft believes will mitigate the risks posed by current attacks.
Its customer guidance released Thursday indicated Microsoft is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability, allows an attacker with lower-privilege access, authorized or otherwise, to remotely trigger the second zero-day flaw, CVE-2022-41082, which allows remote code execution (RCE) as long as PowerShell is accessible to the attacker.
Microsoft stated that its Exchange Online product already has detections and mitigations in place. Customers running on-premises Microsoft Exchange servers are the ones urged to review the mitigations recommended in the security advisory.
Security firm GTSC (based in Vietnam) on Thursday published an analysis of the two Exchange zero-day flaws, saying it has observed attacks against systems through these flaws starting in early August. The attackers were installing “web shells,” which are web-based backdoors that give an attacker a password-protected, easy-to-use remote-control tool reachable from any browser, anywhere.
“We detected webshells, mostly obfuscated, being dropped to Exchange servers. Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese,” explained GTSC.
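As an added defender-side example (not code from the original article, Microsoft, or GTSC), the following Python scanner reads W3C-format IIS logs from an Exchange server and flags the two things the article describes: requests matching the Autodiscover-to-PowerShell path that Microsoft's published URL Rewrite mitigation for CVE-2022-41040 blocks, and requests whose User-Agent identifies the AntSword client GTSC observed. It assumes AntSword's User-Agent contains the string "antSword"; the log lines, the `/aspnet_client/shell.aspx` path, and the addresses are constructed.

```python
import re
from dataclasses import dataclass

# Microsoft's URL Rewrite mitigation for CVE-2022-41040 blocks request URLs
# matching ".*autodiscover\.json.*\@.*Powershell.*"; the same pattern serves
# here as a retrospective detection signature over IIS logs.
PROXYNOTSHELL_URL = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)
# Assumption: the AntSword client sends a User-Agent containing "antSword".
ANTSWORD_UA = re.compile(r"antsword", re.IGNORECASE)

@dataclass
class Hit:
    line_no: int
    reason: str
    client_ip: str
    url: str

def scan_iis_log(lines):
    """Return suspicious requests from W3C IIS log lines; columns come from the '#Fields:' header."""
    fields, hits = [], []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed or truncated line: skip rather than crash
        rec = dict(zip(fields, cols))
        query = rec.get("cs-uri-query", "-")
        url = rec.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
        ip = rec.get("c-ip", "?")
        if PROXYNOTSHELL_URL.search(url):
            hits.append(Hit(n, "Autodiscover-to-PowerShell SSRF pattern", ip, url))
        if ANTSWORD_UA.search(rec.get("cs(User-Agent)", "")):
            hits.append(Hit(n, "AntSword user-agent (webshell client)", ip, url))
    return hits

# Constructed sample log (not real telemetry): an SSRF probe, a webshell
# request from AntSword, and a normal OWA visit. IIS writes '+' for spaces.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-29 10:15:01 10.0.0.5 POST /autodiscover/autodiscover.json @corp.example/powershell&Email=autodiscover/autodiscover.json%3F@corp.example 443 - 203.0.113.7 Mozilla/5.0 200
2022-09-29 10:16:42 10.0.0.5 POST /aspnet_client/shell.aspx - 443 - 203.0.113.7 antSword/v2.1 200
2022-09-29 10:17:05 10.0.0.5 GET /owa/ - 443 CORP\\alice 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
""".splitlines()
```

Running `scan_iis_log(SAMPLE_LOG)` reports the first two requests and ignores the ordinary OWA visit; point it at a real `u_ex*.log` file object to scan historical traffic.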
Just over a year ago (in March 2021), hundreds of thousands of organizations around the world had their email stolen and multiple backdoor web shells installed through four zero-day vulnerabilities in Exchange Server that had not been publicly disclosed before then.
The current vulnerabilities are far less potent, but part of what made last year's security event so damaging was that organizations were not made aware of the flaws until multiple well-resourced threat actors had already had plenty of time to compromise target systems.
Though Microsoft is calling attention to the fact that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, that may not be such a tall order for the hackers behind the latest Exchange Server attacks.
Volexity, the Virginia-based security firm that was among the first to raise awareness of the 2021 Exchange zero-days, noted that GTSC's description of the current issue includes an Internet Protocol (IP) address used by the attackers that Volexity associates, with high confidence, with a China-based hacking group; China is widely believed to have carried out a significant share of the 2021 compromises. That same Chinese group has recently been observed phishing Exchange users for their credentials.
If your organization runs Exchange Server, it is highly recommended that you review the mitigations Microsoft described in its advisory. The response activities that follow notifications about these types of security advisories are best managed by a cyber security expert through a well-designed security program. It is this type of service that Webcheck Security offers its clients, contracting for either one-off consultations or continual security leadership from a Fractional Information Security Officer (FISO)--experienced Chief Information Security Officers (CISOs) who act as consultants to many organizations. Contact Webcheck now to receive more information.