State-sponsored hackers likely exploited MS Exchange 0-Days against around 10 organizations

Microsoft revealed on Friday that a single business group in August 2022 gained initial access and breached Exchange servers by chaining together the two recently disclosed zero-day flaws in a limited set of attacks targeting fewer than 10 organizations worldwide. .

“These attacks installed the Web Chopper shell to facilitate direct keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration,” the Microsoft Threat Intelligence Center (MSTIC) said in a new analysis.

The weaponization of vulnerabilities is expected to intensify in the coming days, Microsoft further warned, as malicious actors co-opt exploits into their toolkits, including by deploying ransomware, due to “the highly privileged access that Exchange systems confer on an attacker”.

The tech giant attributed the ongoing attacks with medium confidence to a state-sponsored organization, adding that it was already investigating the attacks when the Zero Day Initiative disclosed the flaws to the Microsoft Security Response Center (MSRC ) earlier last month, September 8-9, 2022. .

cyber security

The two vulnerabilities have been collectively dubbed ProxyNotShellbecause “it’s the same path and the same SSRF/RCE pair” as ProxyShell but with authentication, suggesting an incomplete patch.

The issues, which chain together to get Remote Code Execution are listed below –

  • CVE-2022-41040 (CVSS Score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-41082 (CVSS Score: 8.8) – Microsoft Exchange Server Remote Code Execution Vulnerability

“Although these vulnerabilities require authentication, the authentication needed for exploitation may be that of a standard user,” Microsoft said. “Standard user credentials can be acquired through many different attacks, such as password spraying or buying through the cybercriminal economy.”

MS Exchange 0 days

The vulnerabilities were first discovered by Vietnamese cybersecurity firm GTSC as part of its incident response efforts for an anonymous client in August 2022. A Chinese threat actor is believed to be behind the intrusions.

The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) added the two Microsoft Exchange Server zero-day vulnerabilities to its catalog of known exploited vulnerabilities (KEVs), requiring federal agencies to apply patches to here on October 21, 2022.

cyber security

Microsoft said it was working on an “accelerated schedule” to release a fix for the shortcomings. He also posted a script for the following URL rewrite mitigation steps which he says are “successful in breaking the current attack chains” –

  • Open IIS Manager
  • Select default website
  • In the features view, click URL Rewrite
  • In the Actions pane on the right side, click Add one or more rules…
  • Select Request blocking and click OK
  • Add the string “.*autodiscover.json.*@.*Powershell.*” (without quotes)
  • Select Regular Expression under Usage
  • Select Drop request under How to block, then click OK
  • Expand the rule and select the rule with pattern .*autodiscover.json.*@.*Powershell.* and click Edit under Conditions.
  • Change the condition entry from {URL} to {REQUEST_URI}

As additional preventative measures, the company urges enterprises to enforce multi-factor authentication (MFA), disable legacy authentication, and instruct users not to accept unexpected two-factor authentication (2FA) prompts. ).

“Microsoft Exchange is a juicy target for threat actors to exploit for two main reasons,” Travis Smith, vice president of malware threat research at Qualys, told The Hacker News.

“First, the exchange […] being directly connected to the Internet creates an attack surface accessible from anywhere in the world, greatly increasing the risk of being attacked. Second, Exchange is a mission-critical function: organizations cannot simply unplug or disable email without having a significant negative impact on their business. »

Comments are closed.