Connect with us
X
Categories:

Technology

Microsoft confirms zero-day exploits against Exchange Server in limited attacks

Published

on

Microsoft confirms zero-day exploits against Exchange Server in limited attacks
Share this post:

Microsoft is developing a patch for two actively exploited zero-day vulnerabilities in Microsoft Exchange Server.

The flaws, tracked as CVE-2022-41040 and CVE-2022-41082, were discovered in Microsoft’s enterprise mail server by Vietnamese cybersecurity firm GTSC. Microsoft said it is aware of “a small number of targeted attacks” exploiting the flaws, which impact on-prem Microsoft Exchange Server versions 2013, 2016, and 2019.

The bugs appear to be less dangerous variants – on account of authentication to PowerShell being required – of the critical ProxyShell vulnerabilities that were widely abused in 2021.

RCE chain

In GTSC’s original security advisory, researchers said they discovered an attack on “critical” infrastructure made through Exchange Server in August.

The first vulnerability, CVE-2022-41040 (CVSS 8.8), is a server-side request forgery (SSRF) issue. When triggered remotely to launch CVE-2022-41082 (CVSS 6.3), the bug could result in remote code execution (RCE).

As the vulnerabilities are yet to be patched, the full technical details have not been released – but proof-of-concept (PoC) code is expected to appear soon.

GTSC informed Trend Micro’s Zero Day Initiative (ZDI) of its findings. After ZDI verified the flaws and reached out to the Microsoft Security Response Center (MSRC), the Redmond giant confirmed the report and published an analysis of attacks exploiting the flaws.

“Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately,” Microsoft noted.

Unfortunately, the authentication required is nothing more than a standard user. As a result, cybercriminals could obtain these credentials via theft, credential stuffing, and brute-force attacks.

State-sponsored attacks

According to Microsoft, fewer than 10 organizations worldwide have been targeted by what is likely a “state-sponsored organization”.

GTSC researchers said there are indicators that a Chinese threat group is leveraging Antsword, a Chinese cross-platform website management suite with web shell functionality.

China Chopper, a web shell, has apparently been used to perform Active Directory reconnaissance and data exfiltration. If this sounds familiar, the same web shell was used in attacks exploiting Exchange Server zero-day vulnerabilities in 2021. These attacks were attributed to the state-sponsored Chinese threat group HAFNIUM.

RECOMMENDED  Adversarial attacks can cause DNS amplification, fool network defense systems, machine learning study finds

Security researcher Kevin Beaumont has noted similarities between the paths used by the new bugs, which he has dubbed ‘ProxyNotShell’, and the zero days from last year.

Devcore researcher Orange Tsai, who discovered the original, ProxyShell flaws, suggested in a talk at Black Hat USA (PDF) last year that fundamental path confusion issues could see further ProxyShell variants emerge – a prediction that has now come to pass.

Mitigation advice

Microsoft has released customer guidance for mitigating the new bugs while it works on a patch.

The company is urging customers to disable remote PowerShell access for non-administrators immediately. If the Exchange Emergency Mitigation Service (EEMS) is enabled, further mitigations will be applied automatically.

According to the tech giant, Exchange Online customers do not need to take any action. However, Beaumont has queried the wisdom of this statement, given that Microsoft Exchange Online migration involves using hybrid, internet-facing Exchange servers.

“It is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available,” Microsoft commented.

CISA has added the two zero-days to the Known Exploited Vulnerabilities Catalog.

Microsoft told Daily Swig that the company has nothing further to share beyond the published advisories.


Get More Stories Like This On: Facebook: @AllNaijaEntertainment, Twitter: @AllNaijaEntertainment
General7 hours ago

Skylar Grey – Everything I Need [LYRICS]

General7 hours ago

[Music] Diddy – Dirty Money – “Coming Home” Feat. Skylar Grey

General7 hours ago

Diddy – Dirty Money – “Coming Home” Feat. Skylar Grey [LYRICS]

General7 hours ago

[Music] African China – Amen

General7 hours ago

[Music] African China – Baba God

General7 hours ago

African China – Baba God [LYRICS]

General7 hours ago

Machine Gun Kelly (MGK) “Home” Feat X Ambassadors & Bebe Rexha [LYRICS]

General7 hours ago

Passenger – Let Her Go [LYRICS]

General7 hours ago

[Music] Eminem – “No Love” Feat. Lil Wayne

General7 hours ago

Eminem – “No Love” Feat. Lil Wayne [LYRICS]

Music8 hours ago

[Music] Tatiana Manaois – Buzz Kill

General8 hours ago

Tatiana Manaois – Buzz Kill [LYRICS]

General8 hours ago

James Blunt – Goodbye My Lover [LYRICS]

General8 hours ago

Major Lazer – “Particula” Feat. Nasty C , Ice Prince, Patoranking & Jidenna [LYRICS]

General8 hours ago

James Blunt – You’re Beautiful [LYRICS]

General8 hours ago

Justin Timberlake – Mirrors [LYRICS]

General8 hours ago

[Music] Darey – “Pray For Me” feat. Soweto Gospel Choir

General8 hours ago

Eminem – “Love The Way You Lie” Feat. Rihanna [LYRICS]

General8 hours ago

Goldlink ft. Miguel – Got Friends [LYRICS]

General8 hours ago

Sia – I’m Still Here [LYRICS]

General8 hours ago

Yo Gotti ft. Nicki Minaj – Rake It Up [LYRICS]

General8 hours ago

Shane McMahon – Here Comes The Money [LYRICS]

General8 hours ago

Journey – Faithfully [LYRICS]

General9 hours ago

[Music] Journey – Faithfully

General9 hours ago

Eminem – Not Afraid [LYRICS]

General9 hours ago

[Music] Journey – Don’t Stop Believin’

General9 hours ago

Journey – Don’t Stop Believin’ [LYRICS]

General9 hours ago

21 Savage – Bank Account [LYRICS]

General9 hours ago

Demi Lovato – Sober [LYRICS]

General9 hours ago

Beyonce ft. Jay-Z – Apeshit [LYRICS]

General9 hours ago

Nasty C ft. ASAP Ferg – King [LYRICS]

General9 hours ago

Lil Wayne – Uproar [LYRICS]

Ed Sheeran
Lyrics10 hours ago

Ed Sheeran – Perfect [LYRICS]

General10 hours ago

[Music] Mo’Hits All Star – Close To You

General10 hours ago

Lil Dicky ft. Chris Brown – Freaky Friday [LYRICS]

Michael Jackson
Lyrics10 hours ago

Michael Jackson – Stranger In Moscow [LYRICS]

General10 hours ago

[Music] Celine Dion – I Drove All Night

General10 hours ago

Celine Dion – I Drove All Night [LYRICS]

General10 hours ago

Tatiana Manaois – Hey Little Lady [LYRICS]

Music10 hours ago

[Music] Tatiana Manaois – Live Better

Gnash (singer)
Music4 days ago

[Music] Gnash Ft Olivia O’Brien – I Hate you, I Love you

John Legend
Music1 day ago

[INSTRUMENTAL] John Legend – All Of Me

Alan Walker
Music5 days ago

Alan Walker – Faded [INSTRUMENTAL]

21 Savage
Music2 days ago

[Video] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me

Wiz Khalifa
Music4 days ago

[Instrumental] Wiz Khalifa – See You Again ft. Charlie Puth

General7 days ago

[Music] Sapientdream – Pastlives

Salvation Ministry Choir Amen
Lyrics2 days ago

Salvation Ministry Choir – Amen [LYRICS]

General7 days ago

[Music] Don Omar – Danza Kuduro (feat. Lucenzo)

General5 days ago

[Music] The Chainsmokers – ‘Don’t Let Me Down’ Feat. Daya

General7 days ago

Ladé – Adulthood Anthem (Adulthood Na Scam) [Lyrics]

General7 days ago

[Music] Timbaland – Apologize ft. OneRepublic

Powfu (singer)
Music4 days ago

[Music] Powfu – Death Bed (Coffee for Your Head) Feat. Beabadoobee

General5 days ago

[Music] Wyclef Jean – “Sweetest Girl (Dollar Bill)” Feat. Akon, Lil Wayne, Niia

General3 days ago

[Music] Zayn Malik – Entertainer

Wiz Khalifa - See You Again ft. Charlie Puth
Music4 days ago

[Music] Wiz Khalifa – See You Again ft. Charlie Puth

Music3 days ago

[Music] Exalted Tribe (HICC) – We Dey Halla

Anna Kendrick
Music4 days ago

[Music] Anna Kendrick – Cups (Pitch Perfect’s “When I’m Gone”)

General7 hours ago

[Music] Diddy – Dirty Money – “Coming Home” Feat. Skylar Grey

General1 day ago

[Music] John Legend – Love Me Now

Right Said Fred
Music4 days ago

[Music] Right Said Fred – Stand Up (For the Champions)

Salvation Ministries Mass Choir
Music2 days ago

[Music] Salvation Ministries Choir – Chioma Me Eh(Good God)

General12 hours ago

[Music] Celine Dion – If That’s What It Takes

Salvation Ministries Mass Choir
Lyrics2 days ago

Salvation Ministries Choir – Chioma Me Eh(Good God) [LYRICS]

General12 hours ago

[Music] P!nk – Try

General6 days ago

[Music] Shaggy – Strength Of A Woman

General2 days ago

[Music] Jaden Smith – Goku

Music4 days ago

[Music] Wiz Khalifa – See You Again (Remix) Feat Charlie Puth, Eminem, Tyga, & Chris Brown

R. Kelly
Music4 days ago

[Music] R. Kelly – World’s Greatest

General1 day ago

Magic! — Rude [LYRICS]

General9 hours ago

[Music] Journey – Don’t Stop Believin’

General6 days ago

[Music] Justin Bieber – Love Me

General2 days ago

[Music] Cardi B – Bartier Cardi ft. 21 Savage

General7 days ago

[Music] Lionel Richie – Angel

General3 days ago

[Music] Tyga ft. Offset – Taste

General13 hours ago

[Music] P!nk – “Just Give Me A Reason” Feat. Nate Ruess

General7 days ago

[Music] BIG SHAQ – Man’s Not Hot

General3 days ago

[Music] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me

General7 days ago

[Music] Shayne Ward – Breathless

General6 days ago

[Music] Post Malone – Candy Paint

General5 days ago

[Music] R Kelly – When A Woman Loves

ANE Billboard Hots



Join "ANE sabi" clique

Don't miss a thing, get ogbonge ANE latest updates to fuel your conversation daily.