Stop us if you’ve heard this one before: Exchange Server zero-days actively exploited
Updated: Infosec experts have warned that zero-day flaws in Microsoft's Exchange Server are being actively exploited.
A Vietnamese outfit called GTSC appears to have identified the holes, explaining in an advisory how a pair of security bugs can be exploited together to achieve remote code execution on Exchange installations.
The biz reported its findings to the Zero Day Initiative, which has assigned the ID ZDI-CAN-18333 to one flaw rated 8.8 on the ten-point Common Vulnerability Scoring System (CVSS) severity scale. The second flaw, ZDI-CAN-18802, is rated 6.3 out of 10.
Details of the vulnerabilities are scanty, with GTSC’s post detailing its observations of webshells with Chinese characteristics being dropped onto Exchange servers compromised via these two vulnerabilities. Each webshell “injects malicious DLLs into the memory, drops suspicious files on the attacked servers, and executes these files through the Windows Management Instrumentation Command line (WMIC).”
That effort effectively makes the hijacked machine remote controllable, and that seldom ends well.
At this stage a good ending to this story is hard to envision, because while GTSC has outlined mitigations in its post, Microsoft is yet to issue a fix. History tells me that even once Microsoft publishes a patch, many thousands of Exchange users will not implement it promptly.
And to be clear, it appears these flaws are already being exploited in the wild. Infosec watcher Kevin Beaumont tweeted news he’s aware of active attacks, too.
There are reports emerging that a new zero day exists in Microsoft Exchange, and is being actively exploited in the wild
I can confirm significant numbers of Exchange servers have been backdoored – including a honeypot.
Thread to track issue follows:
— Kevin Beaumont (@GossiTheDog) September 29, 2022
These security holes are just the latest in a long list of problems with Exchange, Microsoft's flagship messaging product. The most infamous in recent times was the flaw exploited by China's Hafnium crew. Scarcely a month passes without Microsoft finding other Exchange flaws it deems worthy of a Patch Tuesday update, but the software giant has also recently pledged to improve the server's security by adopting zero-trust principles for connections to the product. ®
Updated to add
Microsoft has confirmed there are two zero-day flaws in Exchange Server: CVE-2022-41040, a server-side request forgery vulnerability, and CVE-2022-41082, a remote-code execution hole.
According to the Windows giant, miscreants are exploiting both in a chain to hijack a vulnerable system and gain control of it via PowerShell. Exploitation requires the intruder to be authenticated, so some credentials or access is needed. According to Redmond:
While we wait for patches, see here for mitigations and advice. Exchange Online has, we’re told, already applied these protections. We’ll let you know when a fix is available.