Stop us if you've heard this one before: Exchange Server zero-days actively exploited
Remember this next time Microsoft talks about how seriously it takes security
Infosec experts have warned that zero-day flaws in Microsoft's Exchange Server are being actively exploited.
A Vietnamese outfit called GTSC appears to have identified the holes, explaining in an advisory how a pair of security bugs can be exploited together to achieve remote code execution on Exchange installations.
The biz reported its findings to the Zero Day Initiative, which has assigned the ID ZDI-CAN-18333 to one flaw rated 8.8 on the ten-point Common Vulnerability Scoring System (CVSS) severity scale. The second flaw, ZDI-CAN-18802, is rated 6.3 out of 10.
Details of the vulnerabilities are scant. GTSC's post mostly records what it observed: webshells bearing Chinese-language tells being dropped onto Exchange servers compromised via the two bugs. Each webshell "injects malicious DLLs into the memory, drops suspicious files on the attacked servers, and executes these files through the Windows Management Instrumentation Command line (WMIC)."
That effort effectively makes the hijacked machine remote controllable, and that seldom ends well.
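A practical way to hunt for the behaviour GTSC describes is to look for the tell-tale process lineage: a webshell executes inside the IIS worker process, so wmic.exe, cmd.exe or powershell.exe with w3wp.exe somewhere in its ancestry is a strong indicator on an Exchange server. The script below is an added example written for this piece, not code from GTSC, Microsoft or The Register. It assumes the list of interesting child processes, the 14-day file window, and the ExchangeInstallPath environment variable that Exchange setup defines; adjust those for your estate. Run it in an elevated PowerShell session on the Exchange server.

```powershell
# Added example (not from GTSC or Microsoft): hunt for command interpreters
# spawned beneath the IIS worker process on an Exchange server, then list
# recently written script files in the web-reachable Exchange directories.
# The process names, time window and paths below are assumptions.

$SuspiciousChildren = @('wmic.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe',
                        'rundll32.exe', 'regsvr32.exe', 'mshta.exe')
$WebWorker = 'w3wp.exe'

# One snapshot of the process table, indexed by PID, so ancestry can be walked.
$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate
$byId = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

function Get-AncestorChain {
    param([int]$ProcessId)
    $chain = @()
    $seen  = @{}
    $cur   = $byId[$ProcessId]
    while ($null -ne $cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain += $cur
        $parent = $byId[[int]$cur.ParentProcessId]
        # PID reuse guard: a genuine parent was created before its child.
        if ($null -ne $parent -and $parent.CreationDate -gt $cur.CreationDate) { break }
        $cur = $parent
    }
    return $chain
}

$findings = foreach ($p in $procs) {
    if ($SuspiciousChildren -notcontains "$($p.Name)".ToLower()) { continue }
    $chain = Get-AncestorChain -ProcessId ([int]$p.ProcessId)
    if ($chain.Name -contains $WebWorker) {
        [pscustomobject]@{
            Pid         = $p.ProcessId
            Name        = $p.Name
            Ancestry    = ($chain | ForEach-Object { $_.Name }) -join ' <- '
            CommandLine = $p.CommandLine
        }
    }
}

if ($findings) {
    "Processes with $WebWorker in their ancestry (investigate each):"
    $findings | Format-Table -AutoSize -Wrap
} else {
    "No command interpreters with $WebWorker in their ancestry right now."
}

# Second check: script files written recently under the Exchange web roots,
# where a dropped webshell would have to live to be reachable over HTTP.
# ExchangeInstallPath is set by Exchange setup; the fallback is the default path.
$ExchangeRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath }
                else { Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15' }
$Since = (Get-Date).AddDays(-14)
$WebRoots = @('FrontEnd\HttpProxy', 'ClientAccess') |
    ForEach-Object { Join-Path $ExchangeRoot $_ } | Where-Object { Test-Path $_ }

$recent = Get-ChildItem -Path $WebRoots -Recurse -File -ErrorAction SilentlyContinue `
              -Include *.aspx, *.ashx, *.asmx |
          Where-Object { $_.LastWriteTime -gt $Since } |
          Select-Object FullName, LastWriteTime, Length

if ($recent) {
    "Script files written since $Since under the Exchange web roots:"
    $recent | Format-Table -AutoSize -Wrap
} else {
    "No recently written script files under the Exchange web roots."
}
```

The process check only sees what is running at the moment you take the snapshot; a webshell that launched WMIC an hour ago and let it exit leaves nothing here. For historical coverage you want the same parent/child logic applied to Sysmon event ID 1 or Security event 4688 with parent process logging enabled. Likewise a false negative on the file check is easy: a webshell written with a back-dated timestamp, or one living outside the two directories listed, will not show up, so treat a clean result as "nothing obvious", not "nothing there".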
At this stage a good ending to this story is hard to envision, because while GTSC has outlined mitigations in its post, Microsoft has yet to issue a fix. History tells me that even once Microsoft publishes a patch, many thousands of Exchange users will not implement it promptly.
And to be clear, it appears these flaws are already being exploited in the wild. Infosec watcher Kevin Beaumont tweeted news he’s aware of active attacks, too.
🚨 There’s reports emerging that a new zero day exists in Microsoft Exchange, and is being actively exploited in the wild 🚨— Kevin Beaumont (@GossiTheDog) September 29, 2022
I can confirm significant numbers of Exchange servers have been backdoored - including a honeypot.
Thread to track issue follows:
These security holes are just the latest in a long list of problems with Exchange, Microsoft's flagship messaging product. The most infamous in recent times were the flaws exploited by China's Hafnium crew. Scarcely a month passes without Microsoft finding other Exchange flaws deemed worthy of a Patch Tuesday update, but the software giant has also recently pledged to improve the server's security by adopting zero-trust principles for connections to the product. ®
Updated to add
Microsoft has confirmed there are two zero-day flaws in Exchange Server: CVE-2022-41040, a server-side request forgery vulnerability, and CVE-2022-41082, a remote-code execution hole.
According to the Windows giant, miscreants are exploiting both in a chain to hijack a vulnerable system and gain control of it via PowerShell. Exploitation requires the intruder to be authenticated, so some credentials or access is needed. According to Redmond:
At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users' systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.
We are working on an accelerated timeline to release a fix.
While we wait for patches, see here for mitigations and advice. Exchange Online has, we're told, already applied these protections. We'll let you know when a fix is available.