Two more zero-day vulnerabilities found in different versions of Microsoft Exchange Server are being exploited in the wild, the company has confirmed.
According to recent customer guidance that Microsoft released for reported zero days, a server-side request forgery (SSRF) flaw, and remote code execution (RCE) flaw, were identified as being used by threat actors.
The vulnerabilities were present in Microsoft Exchange Server 2013, 2016, and 2019 endpoints (opens in new tab).
Chained flaws
“The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker,” Microsoft explained. “At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.”
Exploiting the SSRF flaw isn’t as easy, though, as the attack can only be pulled off by attackers that were authenticated by the target system. Only then can they exploit the RCE flaw, too.
What’s more, Exchange Online users are not exposed to any risks, the company confirmed, as its security team already placed detections and mitigations.
“Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers,” the company added. “We are working on an accelerated timeline to release a fix.”
While Microsoft did not say who might be exploiting these flaws right now, BleepingComputer found GTSC, a Vietnamese cybersecurity firm, laying the blame on a Chinese threat actor. Apparently, the zero-days were being used to deploy China Chopper web shells for persistence, as well as data exfiltration. The same company also published mitigation measures that Microsoft subsequently confirmed.
“On premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports,” Microsoft said. “The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.”
Via: BleepingComputer (opens in new tab)
