How An Unpatched Microsoft Exchange 0-Day Likely Caused One Of The UK’s Biggest Hacks Ever

Building with Microsoft logo.
Enlarge / Building with Microsoft logo.
Getty Images

It’s looking more and more likely that a critical zero-day vulnerability that went unfixed for more than a month in Microsoft Exchange was the cause of one of the UK’s biggest hacks ever—the breach of the country’s Electoral Commission, which exposed data for as many as 40 million residents.

Electoral Commission officials disclosed the breach on Tuesday. They said that they discovered the intrusion last October when they found “suspicious activity” on their networks and that “hostile actors had first accessed the systems in August 2021.” That means the attackers were in the network for 14 months before finally being driven out. The Commission waited nine months after that to notify the public.

The compromise gave the attackers access to a host of personal information, including names and addresses of people registered to vote from 2014 to 2022. Spokespeople for the Commission said the number of affected voters could be as high as 40 million. The Commission has not yet said what the cause of the breach or the means of initial entry was.

Some online sleuthing independently done by TechCrunch reporter Zack Whittaker and researcher Kevin Beaumont suggests that a pair of critical vulnerabilities in Microsoft Exchange Server, which large organizations use to manage email accounts, was the cause. Tracked as CVE-2022-41080 and CVE-2022-41082, the remote code execution chain came to light on September 30, 2022, after it had already been actively exploited for more than a month in attacks that installed malicious webshells on vulnerable servers. Microsoft issued guidance for mitigating the threat but didn’t patch the vulnerabilities until November 8, six weeks after confirming the existence of the actively exploited zero-day vulnerability chain.

In the weeks following the discovery of the zero-days, Beaumont reported that the mitigation measures Microsoft recommended could be bypassed. On Wednesday, he once again faulted Microsoft, first for providing faulty guidance and again for taking three months to release patches.

“At the time Microsoft released temporary mitigations rather than a security patch—it took until November 2022 for a security update to appear to fully resolve the problem,” the researcher wrote. “This was a significant delay. In the meantime, the security mitigations Microsoft provided were repeatedly bypassed.” Later in the post, he added, “Microsoft needs to ship security patches for Microsoft Exchange Server faster. It needs some kind of emergency patch pipeline.”

Citing results returned by the Shodan search engine for Internet-connected devices, both Beaumont and Whittaker said that the Commission ran an Internet-exposed on-premises Exchange Server with Outlook Web App until late September 2020, when it suddenly stopped responding. The searches show that Commission staff had last updated the server software in August. As already noted, August was the same month active exploits of vulnerabilities began.

“To be clear, this means the Electoral Commission (or their IT supplier) did the right thing—they were applying security patches quickly during this time in 2022,” the researcher wrote.

Better known as ProxyNotShell, CVE-2022-41082 and CVE-2022-41080 affect on-premises Exchange servers. Microsoft said in early October that it was aware of only a single threat actor exploiting the vulnerabilities and that the actor had targeted fewer than 10 organizations. The threat actor is fluent in Simplified Chinese, suggesting it has a nexus to China.

In December, cloud host Rackspace disclosed a breach that it later said was caused by the exploitation of a zero-day “associated with” CVE-2022-41080. By that point, the patches Microsoft released had been available for four weeks. The latter post, which attributed the attacks to a ransomware syndicate tracked as Play, went on to criticize Microsoft’s initial disclosure of the vulnerability.

“Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable,” Rackspace officials wrote.

The hack of the Commission’s Exchange server is a potent reminder of the damage that can result when the software is abused. It also underscores the harm that can happen when vendors fail to provide updates in a timely manner or issue faulty security guidance. Microsoft representatives didn’t respond to an email seeking comment.

READ MORE HERE