What is the vulnerability?
Two zero-day vulnerabilities – CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) – were first reported by GTSC. The Vietnamese platform reported that these vulnerabilities were being used by hackers to attack Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
GTSC suspects that the attack came from a Chinese attack group as the attacker uses Antsword – an active Chinese-based open source cross-platform website administration tool.
How are Microsoft Exchange customers affected?
Microsoft confirmed the attack and said that by using these vulnerabilities, hackers were able to gain hands-on-keyboard access, conduct Active Directory reconnaissance and steal sensitive data. The company also says that the actor launched attacks “in fewer than 10 organisations” around the world.
“We are working on an accelerated timeline to release a fix. Until then, we’re providing mitigations and the detections guidance below to help customers protect themselves from these attacks,” the company said. It also recommended Exchange Server customers to “disable remote PowerShell access for non-admin users” in the organisation.
Microsoft’s temporary solution not efficient enough
Vietnam-based security researcher Jang has claimed Microsoft’s solution for preventing the exploitation of the zero-day vulnerabilities is not efficient and can be bypassed with little effort. His thoughts were echoed by vulnerability analyst Will Dormann and cybersecurity expert Kevin Beaumont.
In fact, Jang’s finding has been tested by researchers at GTSC, who also say that Microsoft’s mitigation does not provide sufficient protection against the vulnerabilities.
For all the latest Technology News Click Here
For the latest news and updates, follow us on Google News.
