Microsoft: Two new 0-Day flaws in Exchange Server


Microsoft Corp. is investigating reports of attackers exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is accelerating work on software patches to close the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.

In customer guidance published on Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016 and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that can allow an authenticated attacker to remotely trigger the second zero-day vulnerability, CVE-2022-41082, which enables remote code execution (RCE) when PowerShell is accessible to the attacker.

Microsoft said Exchange Online has detections and mitigations in place to protect customers. Customers using on-premises Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.

Vietnamese security company GTSC on Thursday published a writeup on the two Exchange zero-day flaws, saying it first observed the attacks in early August being used to drop “webshells”. These web-based backdoors provide attackers with an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.

“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” GTSC wrote. “Using the user agent, we detected that the attacker is using Antsword, an active China-based cross-platform open-source website administration tool that supports webshell management. We suspect that these come from a Chinese attack group because the Webshell code page is 936, which is a Microsoft character encoding for Simplified Chinese.”

GTSC’s advisory includes details about post-compromise activity and associated malware, as well as steps taken to help customers respond to active compromises in their Exchange Server environment. But the company said it would withhold more technical details about the vulnerabilities for now.
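As an added example (not code from this article, Microsoft or GTSC), the following Python hunts exported IIS W3C logs for the two signals described above: Autodiscover requests that reach the PowerShell endpoint, using the request pattern from Microsoft's published URL Rewrite mitigation for CVE-2022-41040, and the AntSword user agent that GTSC tied to the webshell activity. The log excerpt is constructed; its IP addresses, usernames and paths are placeholders.

```python
import re
from typing import Iterable

# Request pattern from Microsoft's published URL Rewrite mitigation for
# CVE-2022-41040: an Autodiscover request carrying "@" that reaches the
# PowerShell endpoint. A match is a hunting signal, not proof of compromise.
SSRF_TO_POWERSHELL = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# User-agent fragments of webshell managers; AntSword is the one GTSC named.
WEBSHELL_MANAGER_UA = ("antsword",)

# Constructed IIS W3C log excerpt (not real traffic). IIS writes "+" for
# spaces inside the user agent and "-" for an empty field.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2022-09-28 08:01:10 POST /owa/auth.owa - - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Outlook 200
2022-09-28 08:02:45 POST /autodiscover/autodiscover.json @placeholder.example/powershell CORP\\jdoe 203.0.113.9 python-requests/2.28 200
2022-09-28 08:03:02 POST /owa/auth/constructed.aspx - - 203.0.113.9 antSword/v2.1 200
2022-09-28 08:04:00 GET /ecp/ - CORP\\admin 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def hunt_iis_log(lines: Iterable[str]) -> list:
    """Return one finding per suspicious request, with the reasons it matched."""
    fields = None
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the lines that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                           # malformed line: skip rather than guess
        rec = dict(zip(fields, parts))
        query = rec.get("cs-uri-query", "-")
        url = rec.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
        reasons = []
        if SSRF_TO_POWERSHELL.search(url):
            reasons.append("autodiscover->powershell request (CVE-2022-41040 pattern)")
        if any(tag in rec.get("cs(User-Agent)", "").lower() for tag in WEBSHELL_MANAGER_UA):
            reasons.append("webshell manager user agent")
        if reasons:
            findings.append({"time": f"{rec['date']} {rec['time']}", "client": rec.get("c-ip"),
                             "url": url, "status": rec.get("sc-status"), "reasons": reasons})
    return findings


def hunt_text(text: str) -> list:
    return hunt_iis_log(text.splitlines())


if __name__ == "__main__":
    for f in hunt_text(SAMPLE_IIS_LOG):
        print(f["time"], f["client"], f["status"], f["url"], "|", "; ".join(f["reasons"]))
```

Run it against a directory of exported `u_ex*.log` files by feeding each file's lines to `hunt_iis_log`; a hit on the first rule with status 200 from the same client that later shows a webshell user agent is the sequence worth escalating.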

In March 2021, hundreds of thousands of organizations around the world had their emails stolen and several backdoor webshells were installed, all thanks to four zero-day vulnerabilities in Exchange Server.

Admittedly, the zero-day flaws that fueled that debacle were far more critical than the two detailed this week, and there is no indication yet that exploit code has been made public (that will likely change soon). But part of what made last year’s mass Exchange Server hack so widespread was that vulnerable organizations had little or no notice of what to look for before their Exchange Server environments were completely owned by multiple attackers.

Microsoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but that may not be such a tall order for the hackers behind these latest exploits against Exchange Server.

Steven Adair is president of Volexity, the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSC’s writeup includes an Internet address used by the attackers that Volexity has linked with great confidence to a China-based hacking group that was recently observed phishing Exchange users for their credentials.

In February 2022, Volexity warned that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the Zimbra Collaboration Suite, a competitor to Microsoft Exchange that many companies use to manage email and other forms of messaging.

If your organization is running Exchange Server, please consider reviewing Microsoft’s mitigations and GTSC’s post-mortem on its investigations.

*** This is a syndicated blog from the Security Bloggers Network of Krebs on Security written by Brian Krebs. Read the original post at:
