Microsoft confirms hackers are actively exploiting Exchange zero-day flaws


Microsoft Exchange Server is an enterprise staple, but it is also a key target for cybercriminals. Last week, GTSC reported that attacks had begun chaining two new zero-day Exchange exploits as part of coordinated attacks.

While information is limited, Microsoft has confirmed in a blog post that these exploits have been used by a suspected state-sponsored threat actor to target fewer than 10 organizations and successfully exfiltrate data.

The vulnerabilities themselves affect Exchange Server 2013, 2016, and 2019. The first, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second, CVE-2022-41082, allows remote code execution if the attacker has access to PowerShell.

When combined, an attacker can use the SSRF flaw to remotely deploy malicious code to a target network.


On-premises Exchange servers: An irresistible target

Given that 65,000 companies use Microsoft Exchange, enterprises need to be prepared for other threat actors to exploit these vulnerabilities. After all, this isn't the first time on-premises Exchange servers have been targeted as part of an attack.

In March last year, a Chinese threat actor known as Hafnium exploited four zero-day vulnerabilities in on-premises versions of Exchange Server, and successfully hacked at least 30,000 US organizations.

During these attacks, Hafnium stole user credentials to gain access to enterprises' Exchange servers and deployed malicious code to achieve remote admin access and begin harvesting sensitive data.

While only a handful of organizations have been targeted by this unknown state-sponsored threat actor, Exchange is a high-value target for cybercriminals because it provides a gateway to a lot of valuable information.

“Exchange is a juicy target for threat actors to exploit for two primary reasons,” said Travis Smith, vice president of malware threat research at Qualys.

“First, Exchange is an email server, so it has to be connected directly to the internet. And being directly connected to the internet creates an attack surface which is accessible from anywhere in the world, drastically increasing its risk of being attacked,” Smith said.

“Secondly, Exchange is a mission-critical function – organizations can’t just unplug or turn off email without severely impacting their business in a negative way,” Smith said.

So how bad is it?

One of the main limitations of these vulnerabilities from an attacker’s perspective is that they need authenticated access to an Exchange server to leverage the exploits.

While this is a barrier, the reality is that login credentials are easy for threat actors to harvest, whether by purchasing one of the 15 billion passwords exposed on the dark web, or by tricking employees into handing them over via phishing emails or social engineering attacks.

At this stage, Microsoft anticipates that there will be an uptick in activity around the threat.

In a blog released on the 30th of September, Microsoft noted “it is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available.”

How to reduce the risk

Although there’s no patch available for the vulnerabilities yet, Microsoft has released a list of remediation actions that enterprises can take to secure their environments.

Microsoft recommends that enterprises review and apply the URL Rewrite Instructions in its Microsoft Security Response Center post, and has released a script to mitigate the SSRF vulnerability.
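The URL Rewrite mitigation Microsoft refers to works on the Exchange front end, rejecting requests whose URI matches a pattern tied to the SSRF-to-PowerShell chain. A defender applying it usually also wants to know whether such requests were already arriving before the rule went in. The Python script below is an added example, not code from the article, Microsoft or GTSC: it parses IIS W3C extended log lines from an Exchange front end (the log lines are constructed) and triages requests that reference both the Autodiscover endpoint and the PowerShell backend in a single request. That detection pattern is an illustrative assumption that follows the shape of the chain described above; the exact rewrite pattern Microsoft published is not reproduced on this page and should be taken from the MSRC post.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional
from urllib.parse import unquote

# Illustrative detection pattern (an assumption, not Microsoft's published rule):
# one front-end request whose path or query references both the Autodiscover
# endpoint and the PowerShell backend. The SSRF flaw lets a request to one
# Exchange endpoint be forwarded to another, so both names appearing in a
# single request line is the signal worth triaging.
SUSPECT_PATTERN = re.compile(
    r"autodiscover.*powershell|powershell.*autodiscover", re.IGNORECASE
)

# Constructed sample of IIS W3C extended log lines, in the layout the Exchange
# front end (HTTP proxy) writes. Field order follows the #Fields header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-09-30 10:15:01 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 10.0.0.20 200
2022-09-30 10:15:07 10.0.0.5 POST /autodiscover/autodiscover.json Email=svc%40example.invalid%2Fpowershell 443 CONTOSO\\svc_mail 198.51.100.23 200
2022-09-30 10:15:09 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice%40example.invalid 443 CONTOSO\\alice 10.0.0.20 200
2022-09-30 10:16:40 10.0.0.5 POST /autodiscover/autodiscover.json Email=placeholder%40example.invalid%2FPowerShell 443 - 198.51.100.23 401
"""


@dataclass
class Request:
    timestamp: str
    method: str
    uri: str          # stem plus decoded query, as one string
    username: str     # "-" when the request was not authenticated
    client_ip: str
    status: int


def parse_iis_log(text: str) -> Iterator[Request]:
    """Parse W3C extended log text, honouring the #Fields header."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the triage
        rec = dict(zip(fields, values))
        uri = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if query != "-":
            uri += "?" + unquote(query)  # decode so %2F cannot hide a path segment
        yield Request(
            timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
            method=rec.get("cs-method", ""),
            uri=uri,
            username=rec.get("cs-username", "-"),
            client_ip=rec.get("c-ip", ""),
            status=int(rec.get("sc-status", "0")),
        )


def find_suspect_requests(text: str) -> List[Request]:
    """Return every request whose full URI matches the suspect pattern."""
    return [r for r in parse_iis_log(text) if SUSPECT_PATTERN.search(r.uri)]


def summarize(text: str) -> dict:
    """Group hits by client IP and record whether any hit was an authenticated
    request that succeeded, which is the case the chain above requires."""
    summary: dict = {}
    for r in find_suspect_requests(text):
        entry = summary.setdefault(
            r.client_ip, {"hits": 0, "authenticated_success": False}
        )
        entry["hits"] += 1
        if r.status == 200 and r.username != "-":
            entry["authenticated_success"] = True
    return summary


if __name__ == "__main__":
    for r in find_suspect_requests(SAMPLE_LOG):
        print(f"{r.timestamp} {r.client_ip} {r.username} {r.method} {r.status} {r.uri}")
    print(summarize(SAMPLE_LOG))
```

Two design points matter in practice. The query string is percent-decoded before matching, because a `%2F` would otherwise hide the backend path from a naive substring check, and an unauthenticated 401 hit is kept in the report rather than dropped: it does not show a successful attack, but it does show someone probing the endpoint before credentials were in hand, which is exactly the scenario the credential-harvesting discussion above warns about.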

The company also suggests that organizations using Microsoft 365 Defender take the following actions:

  • Activate cloud-delivered protection in Microsoft Defender Antivirus,
  • Turn on tamper protection,
  • Run EDR in block mode,
  • Enable network protection,
  • Enable investigation and remediation in full automated mode, and
  • Enable network protection to prevent users and apps from accessing malicious domains

Indirectly, organizations can also look to reduce the risk of exploitation by emphasizing security awareness, educating employees about social engineering threats, and stressing the importance of proper password management, to reduce the chance of a cybercriminal gaining administrative access to Exchange.

Lastly, it’s perhaps time for organizations to consider whether running an on-premises Exchange server is necessary.
