More Microsoft Exchange zero-days exploited in the wild

Scott Marlette

2 years ago

Two more zero-day vulnerabilities found in different versions of Microsoft Exchange Server are being exploited in the wild, the company has confirmed.

According to recent customer guidance that Microsoft released for reported zero days, a server-side request forgery (SSRF) flaw, and remote code execution (RCE) flaw, were identified as being used by threat actors.

The vulnerabilities were present in Microsoft Exchange Server 2013, 2016, and 2019 endpoints (opens in new tab).

Chained flaws

“The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker,” Microsoft explained. “At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.”

Exploiting the SSRF flaw isn’t as easy, though, as the attack can only be pulled off by attackers that were authenticated by the target system. Only then can they exploit the RCE flaw, too.

What’s more, Exchange Online users are not exposed to any risks, the company confirmed, as its security team already placed detections and mitigations.

“Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers,” the company added. “We are working on an accelerated timeline to release a fix.”

While Microsoft did not say who might be exploiting these flaws right now, BleepingComputer found GTSC, a Vietnamese cybersecurity firm, laying the blame on a Chinese threat actor. Apparently, the zero-days were being used to deploy China Chopper web shells for persistence, as well as data exfiltration. The same company also published mitigation measures that Microsoft subsequently confirmed.

“On premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports,” Microsoft said. “The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.”

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@technewsboy.com. The content will be deleted within 24 hours.