Microsoft Claims Two New Exchange Zero-Day Vulnerabilities Are Being Actively Targeted, But There Is No Fast Solution
Nearly two years after similar attacks on the email server software hit a wide variety of enterprises, two zero-day vulnerabilities in Microsoft Exchange Server are being exploited in the wild.
Microsoft acknowledged in a blog post Thursday night that it was investigating reported Exchange Server vulnerabilities and was “aware of limited targeted assaults.” While the software giant is still working on security updates for the zero days, it has provided mitigations for on-premises customers.
CVE-2022-41040 is assigned to the server-side request forgery (SSRF) flaw, while CVE-2022-41082 is assigned to the remote code execution (RCE) vulnerability. Attackers are chaining the vulnerabilities to access users’ systems, similar to the ProxyShell vulnerabilities in Exchange Server reported last year. However, they only impact Microsoft Exchange Server 2013, 2016, and 2019.
“CVE-2022-41040 enables an authenticated attacker to remotely trigger CVE-2022-41082 in these attacks. It should be highlighted that in order to properly exploit any of the two vulnerabilities, authorized access to the susceptible Exchange Server is required,” the Microsoft Security Response Center wrote in the blog post.
Furthermore, Microsoft stated that effective attacks require PowerShell access.
While no fix is presently available, Microsoft recommends that customers follow its URL Rewrite instructions to block the exploitation chain and block exposed remote PowerShell ports. According to the blog post, blocking those ports can prevent authenticated attackers with PowerShell access from exploiting the RCE bug.
TechTarget Editorial requested further comment from Microsoft, but the company declined and referred to the blog post.
Even when a fix is available, previous issues with Exchange Servers demonstrated that corporations are slow to patch, which can have disastrous implications.
ProxyLogon Similarities
GTSC, a Vietnamese cybersecurity firm, discovered the weakness last month while performing incident response services. When researchers realized the bug was severe owing to its RCE nature, GTSC reported it to the Zero Day Initiative (ZDI), which categorized it as two separate CVEs with CVSS scores of 6.6 and 8.8.
The issues were reported to ZDI by GTSC on September 8, prior to the current zero-day attacks. However, the cybersecurity firm disclosed the information in a blog post on Thursday after seeing exploitation activities against clients in the wild.
The chronology is comparable to ProxyLogon, a group of four vulnerabilities that plagued Exchange servers last year. The weaknesses allowed threat actors to access email accounts and, more importantly, to retain a long-term presence on victim systems via backdoors.
Exploitation began in both cases after the vulnerabilities were identified but before they were publicly acknowledged and corrected. In the instance of ProxyLogon, threat actors, including a Chinese nation-state outfit known as Hafnium, exploited zero-day vulnerabilities before Microsoft published security updates. It is possible that 60,000 or more Exchange Servers were exposed.
Furthermore, Chinese threat actors have been linked to the current zero days. According to GTSC, it tracked a trail of primarily obfuscated web shells to AntSword, “an active Chinese-based open-source cross-platform website management tool,” which led to more investigation.
“The webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese,” GTSC noted in a blog post.
Kevin Beaumont, an independent security researcher, detailed further similarities on Twitter and in a blog post Thursday, referring to the issues as “ProxyNotShell.” He acknowledged that “large numbers of Exchange servers – including a honeypot – had been backdoored.” Beaumont also noted other ProxyShell parallels, including the route and the identical SSRF/RCE chain, except that the most current issues need authentication.
Another commonality he discovered was the request string, which mirrors ProxyShell from 2021. “It appears the ProxyShell patches from early 2021 did not fix the issue,” Beaumont wrote in the blog, adding that the mitigation for the current zero days is the same as the ProxyShell PowerShell RCE issue.
Additionally, he questioned Microsoft’s mitigation guidance, which said that Exchange Online subscribers are not required to take any action. “Even if you’re Exchange Online, you’re impacted if you moved and retained a hybrid server (a necessity until very recently),” Beaumont wrote on Twitter.