You are currently viewing State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations

State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations

Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at less than 10 organizations globally.

“These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration,” the Microsoft Threat Intelligence Center (MSTIC) said in a new analysis.

The weaponization of the vulnerabilities is expected to ramp up in the coming days, Microsoft further warned, as malicious actors co-opt the exploits into their toolkits, including deploying ransomware, due to the “highly privileged access Exchange systems confer onto an attacker.”

The tech giant attributed the ongoing attacks with medium confidence to a state-sponsored organization, adding it was already investigating these attacks when the Zero Day Initiative disclosed the flaws to Microsoft Security Response Center (MSRC) earlier last month on September 8-9, 2022.

The two vulnerabilities have been collectively dubbed ProxyNotShell, owing to the fact that “it is the same path and SSRF/RCE pair” as ProxyShell but with authentication, suggesting an incomplete patch.

The issues, which are strung together to achieve remote code execution, are listed below –

  • CVE-2022-41040 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-41082 (CVSS score: 8.8) – Microsoft Exchange Server Remote Code Execution Vulnerability

“While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user,” Microsoft said. “Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy.”

MS Exchange 0-Days

The vulnerabilities were first discovered by Vietnamese cybersecurity company GTSC as part of its incident response efforts for an unnamed customer in August 2022. A Chinese threat actor is suspected to be behind the intrusions.

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two Microsoft Exchange Server zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by October 21, 2022.

Microsoft said that it’s working on an “accelerated timeline” to release a fix for the shortcomings. It has also published a script for the following URL Rewrite mitigation steps that it said is “successful in breaking current attack chains” –

  • Open IIS Manager
  • Select Default Web Site
  • In the Feature View, click URL Rewrite
  • In the Actions pane on the right-hand side, click Add Rule(s)…
  • Select Request Blocking and click OK
  • Add the string “.*autodiscover.json.*@.*Powershell.*” (excluding quotes)
  • Select Regular Expression under Using
  • Select Abort Request under How to block and then click OK
  • Expand the rule and select the rule with the pattern .*autodiscover.json.*@.*Powershell.* and click Edit under Conditions.
  • Change the Condition input from {URL} to {REQUEST_URI}

As additional prevention measures, the company is urging companies to enforce multi-factor authentication (MFA), disable legacy authentication, and educate users about not accepting unexpected two-factor authentication (2FA) prompts.

Read the full article here

News Room

Cybervizer is a blog and podcast site that focuses on the latest technology and cybersecurity topics that are impacting enterprises, both small and large. Join us to explore the most important trends in enterprise technology and cybersecurity today. Get true insights into the tech and trends that will impact you and your organization.