Microsoft is examining multiple reports of new zero-day flaws being abused to breach Exchange servers. In at least one case, the compromise was followed by a LockBit ransomware attack.

Abuse of unknown zero-day

  • In one instance from July 2022, the attackers used a previously deployed web shell on an Exchange server to escalate privileges to Active Directory admin.
  • The attackers had stolen 1.3 TB of data and encrypted the network.
  • According to forensic experts, the threat actors had hijacked the AD admin account within one week of leveraging the web shell.

It is not yet clear, however, whether this flaw is one of those recently acknowledged by Microsoft.

Other zero-days weaponized

Microsoft recently updated its mitigation measures for these newly revealed zero-day flaws in Exchange Server.
  • Recently, two flaws tracked under the moniker ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) were chained by attackers to gain remote code execution with elevated privileges on servers and deploy web shells.
  • Additionally, a single state-sponsored threat group is said to have weaponized these zero-day flaws in limited targeted attacks since August 2022.
  • The attackers chained the zero-day flaws to drop China Chopper web shells.

It is not yet clear when Microsoft plans to release a patch for the two vulnerabilities. As a temporary workaround, however, the firm revised its URL Rewrite rule, which a researcher had earlier claimed was insufficient.
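To show why the rewrite rule needed revising, the following added example (not code from the page or from Microsoft) evaluates the three URL Rewrite conditions Microsoft published for ProxyNotShell against a handful of constructed IIS-style log lines; the regex patterns are reproduced from Microsoft's public mitigation guidance, which this page does not quote, and the log lines are invented.

```python
import re
from urllib.parse import unquote

# The three URL Rewrite conditions Microsoft published for ProxyNotShell, reproduced
# from its public guidance (the page mentions the revision but does not quote them).
# IIS rewrite conditions ignore case by default, so all three are compiled that way.
RULE_ORIGINAL = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)
RULE_REVISED = re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE)
RULE_FINAL = re.compile(r"(?=.*autodiscover\.json)(?=.*powershell)", re.IGNORECASE)

# Constructed IIS-style access log lines (time, method, URI stem, query, status).
# Not real traffic; the third line has the shape the original rule was written for.
SAMPLE_LOG = """\
08:00:01 GET /owa/auth/logon.aspx url=%2fowa%2f 200
08:00:02 POST /autodiscover/autodiscover.json a=b 200
08:00:03 POST /autodiscover/autodiscover.json x=y@z/Powershell 200
08:00:04 POST /autodiscover/autodiscover.json x=y/powershell 200
08:00:05 POST /autodiscover/autodiscover.json x=y/power%73hell 200
"""

def condition_matches(rule, uri, url_decode=False):
    """Evaluate one rewrite condition against {REQUEST_URI}; with url_decode=True the
    input is decoded first, as the final guidance's {UrlDecode:{REQUEST_URI}} does."""
    return bool(rule.search(unquote(uri) if url_decode else uri))

def blocked_requests(rule, log=SAMPLE_LOG, url_decode=False):
    """Return the timestamps of log lines the given condition would have blocked."""
    blocked = []
    for line in log.splitlines():
        when, _method, stem, query, _status = line.split()
        if condition_matches(rule, f"{stem}?{query}", url_decode):
            blocked.append(when)
    return blocked

def coverage_report(log=SAMPLE_LOG):
    """Compare the three rule versions so a defender can see what each revision adds:
    dropping the '@' requirement, then decoding the input before matching."""
    return {
        "original": blocked_requests(RULE_ORIGINAL, log),
        "revised": blocked_requests(RULE_REVISED, log),
        "final": blocked_requests(RULE_FINAL, log, url_decode=True),
    }

if __name__ == "__main__":
    for name, hits in coverage_report().items():
        print(f"{name:>8}: blocks {hits}")
```

The same approach, pointed at a server's real IIS logs, lets an admin confirm that the deployed rule version actually matches the traffic it is meant to block rather than trusting the configuration screen.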

Closing lines

Microsoft has added detection signatures for these Exchange zero-days. Last but not least, admins should follow Microsoft's guidance on how to stop the attacks until fixes are released. Moreover, Microsoft now lets users receive notifications about new updates quickly through a new RSS feed for the Security Update Guide.
Cyware Publisher