Microsoft Exchange 0-day under attack threatens 220,000 servers

The word ZERO-DAY is hidden in the middle of a screen full of ones and zeros. (Getty Images)

Microsoft confirmed last Thursday the existence of two critical vulnerabilities in its Exchange application which have already compromised several servers and pose a serious risk to approximately 220,000 others worldwide.

The currently unpatched vulnerabilities have been actively exploited since early August, when Vietnamese security firm GTSC discovered that customer networks had been infected with malicious webshells and that the initial entry point was some kind of Exchange vulnerability. The exploit appeared almost identical to a 2021 Exchange zero-day called ProxyShell, but the customers' servers had all been patched against that vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers concluded that the unknown hackers were exploiting a new Exchange vulnerability.

Webshells, backdoors and fake sites

"After successfully mastering the exploit, we recorded attacks to gather information and create a foothold in the victim's system," the researchers wrote in a post published Wednesday. "The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system."

On Thursday night, Microsoft confirmed the vulnerabilities were new and said it was working to develop and release a fix. The new vulnerabilities are: CVE-2022-41040, a server-side request forgery vulnerability, and CVE-2022-41082, which allows remote code execution when PowerShell is accessible to the attacker.

"At this time, Microsoft is aware of limited targeted attacks using both vulnerabilities to penetrate user systems," wrote members of the Microsoft Security Response Center team. "In these attacks, CVE-2022-41040 may allow an authenticated attacker to remotely trigger CVE-2022-41082." Team members pointed out that successful attacks require valid credentials for at least one mail user on the server.

The vulnerabilities affect on-premises Exchange servers and, strictly speaking, not Microsoft's hosted Exchange service. The huge caveat is that many organizations using Microsoft's cloud offering choose an option that combines on-premises and cloud infrastructure. These hybrid environments are as vulnerable as standalone on-premises environments.

Research on Shodan indicates that there are currently over 200,000 on-premises Exchange servers exposed to the Internet and over 1,000 hybrid configurations.

[Charts: On-premises Exchange servers over time; on-premises Exchange servers by geography; hybrid Exchange servers.]

Wednesday's GTSC post says attackers are exploiting the zero-day to infect servers with webshells, text-based interfaces that allow them to issue commands. These webshells contain simplified Chinese characters, leading the researchers to assume that the hackers are fluent in Chinese. The commands issued also bear the signature of China Chopper, a webshell commonly used by Chinese-speaking threat actors, including several advanced persistent threats...
