Cybercriminals are exploiting two new zero-day bugs in Microsoft Exchange. Three weeks ago, the researchers reported the security flaws to Microsoft privately via Zero Day Initiative.
Abuse of zero-day flaws
Researchers from GTSC have spotted the attacks taking advantage of the zero-day flaw for remote code execution. Two of these flaws are tracked as CVE-2022-41040 and CVE-2022-41082.
The attackers have chained the zero-day flaws to drop China Chopper web shells on infected servers for persistence, data theft, and move laterally to other systems on the networks.
The researchers claimed that a Chinese threat group is behind these recent attacks, based on the web shells' code page using a Microsoft character encoding for simplified Chinese.
Further, a user agent employed for installing the web shells belongs to a China-based open-source website admin tool with web shell management support, identified as Antsword.
Zero Day Initiative is tracking the bugs as ZDI-CAN-18802 and ZDI-CAN-18333.
How flaws are exploited?
GTSC released only a few details related to the zero-day flaws as no patch is available yet.
Researchers disclosed that the requests used in the exploit chain are similar to those used in attacks targeting the ProxyShell flaws.
The exploit works in two stages, where the first stage requests a similar format to the ProxyShell flaw.
The second is the use of the link above to access a component in the backend to implement RCE.
Microsoft hasn’t released security updates yet to address zero-days. However, GTSC has shared temporary mitigation which can be done by adding a new IIS server rule using the URL Rewrite Rule module. Organizations are suggested to apply the temporary fix as soon as possible to stay safe.