Security news that informs and inspires

Attackers Exploiting Two Microsoft Exchange Zero Days

UPDATE--Microsoft and researchers across the community are investigating reports of a pair of possible zero day vulnerabilities in Microsoft Exchange that may have been exploited by attackers in at least one intrusion. The vulnerabilities emerged publicly on Thursday and Microsoft is still in the process of investigating them, but some researchers have confirmed that they are both exploitable and have been used in the wild.

The two flaws (CVE-2022-41040 and CVE-2022-41082) are similar to the notorious ProxyShell vulnerability from 2021 and the path to exploitation is similar. The first bug is a same-site request forgery (SSRF) flaw, while the second is a remote code execution flaw that an attacker can use when PowerShell is available. The end result of exploiting these bugs would be control of the target Exchange server. The main difference between the new bugs and ProxyShell is that an attacker needs to be authenticated to the Exchange server to exploit the new flaws.

Microsoft Exchange 2013, 2016, and 2019 are all affected by these vulnerabilities. The attacks targeting these vulnerabilities have been ongoing for several weeks already. Organizations that run Exchange Online may still be affected if they still have a hybrid Exchange server online as part of a migration from on-premises Exchange.

“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities,” Microsoft Security Response Center said in a blog post Thursday night.

Researchers at GTSC Cyber Security, a Vietnamese security firm, discovered the exploitation attempts of the new bugs and published details of the attacks and the post-exploitation behavior. The researchers observed attackers in multiple customer environments exploiting the bugs and installing webshells on compromised servers.

“After successfully exploiting the vulnerability, we recorded attacks to collect information and create a foothold in the victim's system. The attack group also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system,” GTSC said in a post explaining the activity.

“We suspect these exploits come from Chinese attack groups, based on the webshell codepage of 936, a Microsoft character encoding for simplified Chinese.”

GTSC submitted the bugs to the Trend Micro Zero Day Initiative on Sept. 8. Microsoft said it observed attacks exploiting these flaws in August and was in the process of researching them when ZDI disclosed them to the company in September.

“Exploitation has been happening for at least one month in the wild, with the security vendor report accepted by ZDI 22 days ago. MS will be frustrated with the vendor going public… but it’s better customers know about a threat like this,” security researcher Kevin Beaumont said on Twitter.

“Also, another small detail - the issue is at the AutoDiscover phase, which doesn’t have MFA protection.”

There are a significant number of Exchange servers that are vulnerable to these flaws, and researchers recommend that organizations stop exposing Exchange servers to the Internet until a patch is available. Microsoft has published some mitigations, including blocking the use of PowerShell.

“Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks,” Microsoft said.

Microsoft recommends that organizations disable remote PowerShell access for normal, non-admin, users. The company said that although exploitaton requires authentication, that may not be much a hurdle for advanced attackers.

"While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user. Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy. Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker," Microsoft Security Threat Intelligence said in a post Friday.

This story was updated on Oct. 3 to add new guidance from Microsoft.