Microsoft Exchange zero-day attack threatens 220,000 servers


Microsoft on Thursday night confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised several servers and pose a serious threat to more than 220,000 more worldwide.

The still-unpatched security flaws have been actively exploited since early August, when Vietnamese security firm GTSC discovered that customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The mysterious exploit looked almost identical to a 2021 Exchange zero-day called ProxyShell, but all of the customers’ servers had been patched against that vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers determined that unknown hackers were exploiting a new Exchange vulnerability.

“After effectively mastering the exploit, we logged attacks to collect data and create a foothold in the victim’s system,” the researchers wrote in a post published Wednesday. “The attack team also used techniques to create backdoors in the affected system and make lateral movements to other servers in the system.”

On Thursday night, Microsoft confirmed the vulnerabilities were new and said it was working to develop and release a patch. The new vulnerabilities are CVE-2022-41040, a server-side request forgery vulnerability, and CVE-2022-41082, which allows remote code execution when PowerShell is accessible to the attacker.

“At this time, Microsoft is aware of limited targeted attacks that use vulnerabilities to penetrate users’ systems,” the Microsoft Security Response Center team members wrote. “In those attacks, CVE-2022-41040 would possibly allow an authenticated attacker to cause CVE-2022-41082.” Team members noted that a successful attack requires valid credentials for at least one email user on the server.

The vulnerabilities affect on-premises Exchange servers and, strictly speaking, not Microsoft’s hosted Exchange service. The big caveat is that many organizations that use Microsoft’s cloud service choose an option that combines on-premises and cloud hardware. These hybrid environments are as vulnerable as standalone on-premises environments.

A Shodan search shows that there are currently more than 200,000 on-premises Exchange servers exposed to the Internet and more than 1,000 hybrid configurations.

GTSC’s post Wednesday said attackers were exploiting the zero-day to infect servers with webshells, a text interface that allows them to issue commands. The webshell was China Chopper, a webshell used by Chinese-speaking threat actors, including several advanced persistent threat groups known to be backed by the People’s Republic of China.

GTSC went on to say that the malware installed by the threat actors mimics Microsoft’s Exchange Web Service. It also establishes a connection to the IP address 137[.]184[.]67[.]33, which is hardcoded in the binary. Independent researcher Kevin Beaumont said the address hosts a fake website with a single user with one minute of login time and has only been active since August.

The malware then sends and receives data encrypted with an RC4 key generated at runtime. Beaumont went on to say that the backdoor malware appears to be new, meaning this is the first time it has been used in the wild.

People running Exchange servers on-premises should take immediate action. Specifically, they should apply a blocking rule that prevents servers from accepting known attack patterns. The rule can be implemented by going to “IIS Manager -> Default Web Site -> URL Rewrite -> Actions”. At this time, Microsoft also recommends blocking HTTP port 5985 and HTTPS port 5986, which attackers need in order to exploit CVE-2022-41082.
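As an added illustration (not code from the article or from Microsoft’s advisory), here is a PowerShell script that applies the port-blocking part of that guidance on a Windows Exchange host; the rule names are assumptions, and since 5985 and 5986 are the WinRM ports, blocking them also cuts off remote PowerShell administration of that server.

```powershell
# Added example: block inbound TCP 5985 (WinRM over HTTP) and 5986 (WinRM over HTTPS)
# on an on-premises Exchange host, as the article says Microsoft recommends.
# The rule names below are assumptions, not names from Microsoft's guidance.
# Requires an elevated session and the NetSecurity module (present on Windows Server).

$Ports = @{ 5985 = 'HTTP'; 5986 = 'HTTPS' }

foreach ($Port in $Ports.Keys) {
    $RuleName = "Exchange-Mitigation-Block-WinRM-$($Ports[$Port])-$Port"

    # Idempotent: do not create a duplicate if the rule is already present.
    $Existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($Existing) {
        Write-Host "Rule '$RuleName' already present, leaving it in place."
        continue
    }

    New-NetFirewallRule -DisplayName $RuleName `
                        -Direction Inbound `
                        -Protocol TCP `
                        -LocalPort $Port `
                        -Action Block `
                        -Profile Any `
                        -Enabled True | Out-Null
    Write-Host "Created inbound block rule for TCP/$Port ($($Ports[$Port]))."
}

# Show whether anything is still listening on those ports: the firewall rule stops
# remote reachability but does not stop the WinRM service itself.
Get-NetTCPConnection -State Listen -LocalPort 5985, 5986 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize
```

Run it on each on-premises or hybrid Exchange server; the URL Rewrite rule from Microsoft’s advisory still has to be applied separately in IIS Manager.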

Microsoft’s advisory offers a host of other tips for detecting infections and preventing vulnerabilities until a fix is available.
