UPDATED 12:40 EDT / SEPTEMBER 30 2022

SECURITY

Microsoft confirms attackers actively targeting vulnerabilities in Exchange

Microsoft Corp. confirmed late Thursday that two unpatched Exchange Server vulnerabilities exist and that they’re currently being exploited in the wild by unknown attackers.

The attacks were discovered by researchers at Vietnamese cybersecurity company GTSC in August as part of a response to a customer threat incident. The company said the vulnerabilities were being used to infiltrate the customer’s network during early August.

The Microsoft Security Response Center said that it was aware of “limited targeted attacks using the two vulnerabilities.” The affected Microsoft Exchange Server versions were 2013, 2016 and 2019.

The company identified the first vulnerability was identified as CVE-2022-41040, a Server-Side Request Forgery vulnerability, which could allow attackers access to the internal network from the server. The second, identified as CVE-2022-41082, permits the attacker to execute remote code when PowerShell is accessible to the attacker.

Microsoft added that an attacker would need authenticated access to the vulnerable Exchange server in order to trigger either of these vulnerabilities.

“The two flaws appear to be variants of ProxyShell — a chain of vulnerabilities disclosed in late 2021,” said Claire Tills, senior research engineer at Tenable, told SiliconANGLE. “The key difference is that both these latest vulnerabilities … require authentication where ProxyShell did not. Microsoft has confirmed the vulnerabilities but at this time, we’re still waiting on patches. Once those are available, organizations should deploy them with urgency.”

The company said that customers of Microsoft Exchange Online are not vulnerable and don’t need to take any action, but on-premises customers would need to review their internal systems and apply a fix to block exposed Remote PowerShell ports.

“We are working on an accelerated timeline to release a fix,” the MSRC team said about the current state of vulnerability patches. “Until then, we’re providing the mitigations and detections guidance below to help customers protect themselves from these attacks.”

According to the GTSC report, attackers chained the two vulnerabilities to create backdoors into internal systems of the customer that was attacked by first gaining foothold access into the Exchange Server and then using that to attack other services.

The researchers discovered remote access software, mostly obfuscated, placed on the Exchange server matching the signature of the “China Chopper” client, commonly used by Chinese state-sponsored hacking groups.

The ProxyShell vulnerability was implicated widely in historical attacks against Microsoft Exchange in the past two years by the ransomware gangs Conti and Hive to deploy malware. The patch for the vulnerabilities allowing ProxyShell was released in May 2021, but unpatched systems still led to the takeover of more than 2,000 mail servers in just two days in August 2021 — a good reason for organizations to stay on top of security updates.

“ProxyShell was and remains one of the most exploited attack chains released in 2021,” said Tills.

Microsoft Exchange is commonly targeted by attackers because email servers are host to a lot of sensitive information that attackers can use to target employees or sell. They also sit behind company firewalls and allow access to internal systems, allowing them to gain deeper access before being detected.

Image: TheDigitalArtist/Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Support our open free content by sharing and engaging with our content and community.

Join theCUBE Alumni Trust Network

Where Technology Leaders Connect, Share Intelligence & Create Opportunities

11.4k+  
CUBE Alumni Network
C-level and Technical
Domain Experts
15M+ 
theCUBE
Viewers
Connect with 11,413+ industry leaders from our network of tech and business leaders forming a unique trusted network effect.

SiliconANGLE Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — SiliconANGLE Media operates at the intersection of media, technology, and AI. .

Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.