Microsoft Exchange zero-day flaws expose 22,000 servers
Microsoft has announced that two critical vulnerabilities in its Exchange application are being exploited by attackers. The company also explained that more than 22,000 servers worldwide are affected.
“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082,” members of the Microsoft Security Response Center team wrote.
The new vulnerabilities include CVE-2022-41040, a server-side request forgery vulnerability, and CVE-2022-41082, which allows remote code execution when PowerShell is accessible to the attacker.
The vulnerabilities affect on-premises Exchange servers, not Microsoft’s hosted Exchange service. However, many companies run Microsoft’s cloud offering in a hybrid deployment that mixes on-premises servers with cloud infrastructure, so they are still exposed.
According to GTSC, the security firm that first reported the attacks, the attackers are exploiting the zero-days to plant webshells on servers: browser-accessible command interfaces that let them issue commands to the compromised host. The company said the webshells contain simplified Chinese characters, suggesting that the attackers are fluent in Chinese.
The commands issued also bear the signature of China Chopper, a webshell commonly used by Chinese-speaking threat actors, including advanced persistent threat (APT) groups backed by the People’s Republic of China.
The installed malware impersonates Microsoft’s Exchange Web Service and also connects to the IP address 137[.]184[.]67[.]33, which is hard-coded in the malware binary.
The malware then sends and receives data encrypted with an RC4 encryption key, which is generated at runtime.
Everyone running on-premises Exchange servers is advised to take immediate action by applying a blocking rule that stops the servers from accepting requests matching the known attack pattern. The rule is added in IIS Manager under Default Web Site > URL Rewrite > Actions.
Microsoft also recommends blocking HTTP port 5986, the remote PowerShell port that attackers need in order to exploit CVE-2022-41082. Blocking the port and adding the rewrite rule reduce exposure but do not patch the flaws, so companies should also adopt other security measures to keep their servers from being exploited.
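As a defensive complement to the URL Rewrite rule above, an added example (not code from the original article, Microsoft or GTSC) that checks IIS W3C logs for requests matching the same pattern, so a responder can see whether attempts arrived before the rule was in place. The regular expression is assumed to be the one from Microsoft’s initial published mitigation for CVE-2022-41040 (the article names the rule but does not quote it), and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed: pattern from Microsoft's initial URL Rewrite mitigation for CVE-2022-41040
# (not quoted on this page). Microsoft's rule matched {REQUEST_URI}; we apply it to the
# URL-decoded path and query so percent-encoded variants are not missed.
MITIGATION_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not real traffic). The #Fields line names the columns.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200
2022-09-30 10:00:05 10.0.0.5 POST /autodiscover/autodiscover.json a=x@example.test/powershell 443 - 198.51.100.9 python-requests/2.28 200
2022-09-30 10:00:09 10.0.0.5 GET /ecp/ - 443 CORP\\alice 203.0.113.7 Mozilla/5.0 200
2022-09-30 10:00:12 10.0.0.5 POST /autodiscover/autodiscover.json a=x%40example.test/powershell 443 - 198.51.100.9 python-requests/2.28 401
"""

def parse_w3c_log(text):
    """Yield one dict per request line, using the #Fields header to name the columns."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))

def find_suspicious_requests(text):
    """Return requests whose decoded URI matches the mitigation pattern, with client and status for triage."""
    hits = []
    for req in parse_w3c_log(text):
        uri = req["cs-uri-stem"]
        if req["cs-uri-query"] != "-":
            uri += "?" + req["cs-uri-query"]
        decoded = unquote(uri)
        if MITIGATION_PATTERN.search(decoded):
            hits.append({"client": req["c-ip"], "status": int(req["sc-status"]), "uri": decoded})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A matching request answered with status 200 is the finding to escalate first, since it indicates the request reached Exchange rather than being rejected; 401 or 403 responses still show who was probing and should be kept for the timeline.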
The sources for this piece include an article in ArsTechnica.