Microsoft Exchange Server targeted with zero-day vulnerabilities

Two zero-day vulnerabilities in Microsoft Exchange Server are being exploited in the wild, nearly two years after similar attacks on the email server software affected a wide range of organizations.

In a blog post Thursday night, Microsoft confirmed it was investigating reported Exchange Server vulnerabilities and was “aware of limited targeted attacks.” While the software giant is still working on security patches for the zero days, it did provide mitigation steps for on-premises customers.

The server-side request forgery (SSRF) flaw is being tracked as CVE-2022-41040 and the remote code execution (RCE) vulnerability was assigned CVE-2022-41082. As with the ProxyShell vulnerabilities in Exchange Server disclosed last year, attackers are chaining the two vulnerabilities to access users’ systems, though they only affect Microsoft Exchange Server 2013, 2016 and 2019.

“In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities,” Microsoft Security Response Center wrote in the blog post.

Additionally, Microsoft said successful attacks require PowerShell access.

While no patch is currently available, Microsoft is urging customers to apply URL Rewrite instructions that block the exploitation chain and to block exposed remote PowerShell ports. Blocking these ports can prevent authenticated attackers who can access PowerShell from triggering the RCE flaw, according to the blog.
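The two interim mitigations described above can be audited from an elevated PowerShell session on the Exchange server itself. The script below is an added example and is not code from the article, from Microsoft or from GTSC. It assumes the Exchange front end is the IIS site named “Default Web Site” and that remote PowerShell (WinRM) listens on its default TCP ports 5985 (HTTP) and 5986 (HTTPS); the article does not name the site or the ports. It lists any URL Rewrite rules defined on the site and its Autodiscover application, reports whether the WinRM ports are listening and whether an inbound firewall rule already blocks them, and provides a function that creates such a block rule.

```powershell
# Added example (not from the article or Microsoft's blog): audit an on-premises
# Exchange server for the two interim mitigations the article describes.
# Assumptions: the Exchange front end is the IIS site 'Default Web Site' and
# remote PowerShell (WinRM) uses its default ports 5985/5986. Run elevated.

Import-Module WebAdministration   # IIS cmdlets (Get-WebConfiguration)
Import-Module NetSecurity         # Windows Firewall and TCP connection cmdlets

$siteName   = 'Default Web Site'  # assumption: Exchange front-end IIS site
$winrmPorts = 5985, 5986          # default WinRM ports; not named by the article

function Get-ExchangeRewriteRules {
    # Enumerate URL Rewrite rules at the site root and at the Autodiscover
    # application, the two scopes where a mitigation rule would normally live.
    # Returns nothing if the URL Rewrite module is not installed.
    foreach ($path in @("IIS:\Sites\$siteName", "IIS:\Sites\$siteName\Autodiscover")) {
        Get-WebConfiguration -PSPath $path -Filter 'system.webServer/rewrite/rules/rule' -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Scope   = $path
                    Name    = $_.name
                    Pattern = $_.match.url
                    Action  = $_.action.type
                }
            }
    }
}

function Get-RemotePowerShellExposure {
    # For each WinRM port, report whether anything is listening on it and
    # whether an enabled inbound firewall rule already blocks it.
    foreach ($port in $winrmPorts) {
        $listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
        $blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
            Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" }
        [pscustomobject]@{
            Port      = $port
            Listening = $listening
            Blocked   = [bool]$blockRule
        }
    }
}

function Block-RemotePowerShellPorts {
    # Second mitigation in the article: block inbound remote PowerShell ports.
    # Not called automatically; review the audit output first.
    New-NetFirewallRule -DisplayName 'Block inbound remote PowerShell (WinRM) - Exchange mitigation' `
        -Direction Inbound -Protocol TCP -LocalPort $winrmPorts -Action Block -Profile Any | Out-Null
}

# Audit only; run Block-RemotePowerShellPorts separately once the output is reviewed.
Get-ExchangeRewriteRules      | Format-Table -AutoSize
Get-RemotePowerShellExposure  | Format-Table -AutoSize
```

An empty rewrite-rule table combined with a WinRM port that is listening and not blocked means neither mitigation is in place. The block rule deliberately stops at the host firewall; if remote PowerShell is needed for administration, the same ports should instead be restricted to management hosts at the network edge.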

TechTarget Editorial asked Microsoft for further comment, but the company declined and referred to the blog post.

Even once a fix becomes available, past Exchange Server incidents have shown that organizations are slow to patch, which can have dire consequences.

ProxyLogon similarities

Vietnam-based cybersecurity company GTSC first spotted the flaw last month while conducting incident response services. Once researchers determined it was critical because of its RCE nature, GTSC submitted it to the Zero Day Initiative (ZDI), which classified it as two distinct CVEs with CVSS scores of 6.6 and 8.8.

GTSC reported the flaws to ZDI on Sept. 8, prior to the current zero-day attacks. However, the cybersecurity company published the information in a blog post Thursday after detecting exploitation activity in the wild against customers.

The timeline shares similarities with ProxyLogon, another set of four vulnerabilities that affected Exchange servers last year. Those flaws enabled threat actors to access email accounts and, more significantly, to maintain a prolonged presence in victim environments through backdoors.

In both cases, exploitation began after the vulnerabilities were reported but before they were publicly disclosed and patched. In the case of ProxyLogon, threat actors, including a Chinese nation-state group known as Hafnium, used the zero-day vulnerabilities in attacks on a large number of organizations before Microsoft released security patches. Estimates showed that as many as 60,000 or more Exchange Servers may have been vulnerable.

Additionally, Chinese threat actors have been linked to the current zero days as well. GTSC said it followed a trail of largely obfuscated web shells to Antsword, “an active Chinese-based open source cross-platform website administration tool,” which led to further analysis.

“We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese,” GTSC wrote in its blog post.

Independent security researcher Kevin Beaumont shared more similarities on Twitter and in a blog post Thursday, where he referred to the flaws as “ProxyNotShell.” He confirmed that “significant numbers of Exchange servers have been backdoored—including a honeypot.” Beaumont also highlighted several ProxyShell comparisons, including the path and the same SSRF/RCE chain, except that a user must be authenticated to exploit the latest flaws.

Another commonality he found was the request string, which mirrors ProxyShell from 2021. “It appears the ProxyShell patches from early 2021 didn’t fix the issue,” Beaumont wrote in the blog, adding that the mitigation for the current zero days is the same as for the ProxyShell PowerShell RCE issue.

Additionally, he questioned Microsoft’s mitigation guidance, which stated that Exchange Online customers need not take action. “Even if you’re Exchange Online, if you migrated and kept a hybrid server (a requirement until very recently) you are impacted,” Beaumont wrote on Twitter.
