
Hackers Target Zero Day Vulnerability in Microsoft Exchange

Cybercriminals are exploiting a novel zero-day vulnerability in Microsoft Exchange. Three weeks ago, the researchers reported the security flaws to Microsoft privately via the Zero Day Initiative.

Abuse of Microsoft zero-day vulnerability

Researchers from GTSC have spotted attacks taking advantage of the zero-day vulnerability for remote code execution. The flaws are tracked as CVE-2022-41040 and CVE-2022-41082.
  • The attackers have chained the Microsoft zero-day flaws to drop China Chopper web shells on compromised servers for persistence, data theft, and lateral movement to other systems on the network.
  • The researchers claimed that a Chinese threat group is behind these recent attacks, because the web shells' code page uses a Microsoft character encoding for simplified Chinese.
  • Further, the user agent employed for installing the web shells belongs to a China-based open-source website admin tool with web shell management support, identified as AntSword.

Zero Day Initiative is tracking the bugs as ZDI-CAN-18802 and ZDI-CAN-18333.

How are the flaws exploited?

GTSC released only a few details about the Microsoft zero-day flaws, as no patch is available yet.
  • The researchers disclosed that the requests used in the zero-day exploit chain are similar to those used in attacks targeting the ProxyShell flaws.
  • The exploit works in two stages: the first stage sends requests in a format similar to the ProxyShell exploit.
  • The second stage uses that request to reach a backend component and achieve RCE.

In a related update, cybercriminals were seen impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for the Microsoft zero-days. Microsoft and GTSC revealed that scammers capitalized on the Exchange flaws by creating GitHub repositories hosting fake exploits.

Mitigation

Microsoft hasn't released security updates yet to address the zero-day vulnerabilities. However, GTSC has shared a temporary mitigation: adding a new IIS server rule using the URL Rewrite Rule module. Organizations are advised to apply the temporary fix as soon as possible.
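As an added example (not GTSC's or Microsoft's code), the match condition that the URL Rewrite mitigation applies to incoming requests, run here over constructed IIS log lines so that earlier traffic can be checked as well; the keyword pair and the AntSword user-agent substring are assumed from public guidance rather than taken from this page, and the percent-decoding step shows why matching only the raw request URI is not enough.

```python
import re
from urllib.parse import unquote

# Match condition modelled on the URL Rewrite mitigation for ProxyNotShell
# (CVE-2022-41040 / CVE-2022-41082); keywords assumed from public guidance.
CHAIN_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)
# Second indicator from the page: web shells installed via the AntSword tool's
# user agent (exact substring assumed).
ANTSWORD_UA = "antsword"

def is_chain_request(request_uri: str) -> bool:
    """True if the URI contains both keywords after percent-decoding.
    Decoding first is the caveat: a rule that matches the raw {REQUEST_URI}
    misses a request that encodes part of the path (e.g. %2F for '/', %50 for 'P').
    """
    return CHAIN_PATTERN.search(unquote(request_uri)) is not None

def parse_iis_line(line: str):
    """Parse one W3C IIS log line in the default Exchange field order:
    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
    c-ip cs(User-Agent) sc-status (trailing fields are ignored)."""
    if line.startswith("#"):
        return None
    f = line.split(" ")
    if len(f) < 10:
        return None
    uri = f[4] if f[5] == "-" else f"{f[4]}?{f[5]}"
    return {"time": f"{f[0]} {f[1]}", "client": f[8], "ua": f[9], "uri": uri}

def find_suspicious(log_text: str):
    """Return (time, client, reason) for every line that trips an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        if is_chain_request(rec["uri"]):
            hits.append((rec["time"], rec["client"], "proxynotshell-chain"))
        elif ANTSWORD_UA in rec["ua"].lower():
            hits.append((rec["time"], rec["client"], "antsword-user-agent"))
    return hits

# Constructed sample log (not real traffic): benign Autodiscover, benign PowerShell
# endpoint, a chain-style request, its percent-encoded twin, an AntSword user agent.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 198.51.100.7 Outlook/16.0 200
2022-09-30 10:00:02 10.0.0.5 POST /powershell - 443 admin 198.51.100.8 Microsoft+WinRM+Client 200
2022-09-30 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json x=PLACEHOLDER/PowerShell 443 - 203.0.113.9 Mozilla/5.0 200
2022-09-30 10:00:04 10.0.0.5 POST /autodiscover/autodiscover.json x=PLACEHOLDER%2F%50owerShell 443 - 203.0.113.9 Mozilla/5.0 200
2022-09-30 10:00:05 10.0.0.5 POST /owa/auth/PLACEHOLDER.aspx - 443 - 203.0.113.9 antSword/v2.1 200"""
```

Running `find_suspicious(SAMPLE_LOG)` flags the two chain-style requests and the AntSword request while leaving the two single-keyword lines alone.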
Cyware Publisher