Zero Day Microsoft Exchange Server Vulnerabilities Being Actively Exploited
Microsoft was warned that two zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited in the wild and has shared mitigations ahead of the vulnerabilities being patched.
The two flaws are being chained together and are being exploited by a Chinese threat actor. The attacks have been limited so far, but the healthcare and public health sector in the United States could potentially be a target.
The flaws affect Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that can be exploited for initial access, after which the second vulnerability can be exploited – A Remote Code Execution vulnerability thacked as CVE-2022-41082. The second vulnerability can only be exploited if PowerShell is available to the attacker.
Microsoft has confirmed that the flaws cannot be exploited by an unauthenticated attacker. Both vulnerabilities require authenticated access to a vulnerable Microsoft Exchange Server to be exploited, such as if an attacker had valid stolen credentials. The first vulnerability has been assigned a CVSS severity score of 8.8 out of 10 and the second vulnerability has a CVSS score of 6.3. If the flaws are exploited, a threat actor could deploy a backdoor for persistent access. The attackers have deployed the China Chopper web shell for persistent access in some of the attacks, which suggests the flaws are being exploited by a state-sponsored Chinese hacking group.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Microsoft is it is working on patches for the flaws on an accelerated timeline and has shared mitigations that can be implemented by users of on-premises Microsoft Exchange Servers ahead of the patches being released. Microsoft said it has implemented detection rules for Microsoft Exchange Online and has mitigations in place to protect customers, so Exchange Online customers do not need to take any actions to prevent exploitation of the flaws.
Customers with on-premises Microsoft Exchange Servers or hybrid setups are vulnerable. Microsft suggests they add a blocking rule to ‘IIS Manager -> Default Web Site -> URL Rewrite -> Actions’ which will block the known attack patterns, the details of which have been detailed in the Microsoft Security Response Center blog.
However, security researcher Jang (@testanull) claimed on Twitter that the mitigations suggested by Microsoft to block the URL patterns identified from known attacks are too specific and can be easily bypassed. Researchers at GTSC, who reported the vulnerabilities to the Zero Day Initiative, have confirmed that the suggested mitigations are insufficient and will not prevent the exploitation of the flaws.
