
High-severity Exchange 0-day bugs

Oct 3 — Microsoft is working to roll out a patch for a high-severity set of 0-day vulnerabilities, which threaten 220,000 servers.

These security flaws have been under active exploitation for more than a month. They came to light when a security researcher discovered that an organization’s network was infected with malicious webshells and that the initial point of entry was an Exchange vulnerability.

In-depth view

The exploit appeared nearly identical to ProxyShell, an Exchange zero-day from 2021. However, the organization’s servers had already been patched against that vulnerability. Eventually, researchers determined that unknown attackers were exploiting a new Exchange vulnerability.

How it works

“After successfully mastering the exploit, we recorded attacks to collect information and create a foothold in the victim’s system,” said cyber security researchers. “The attack team also used various techniques to create backdoors on the affected system and to perform lateral movements to other servers in the system.”

Last week, Microsoft confirmed that the vulnerabilities had not been seen before and said it was working to quickly produce a patch. The new vulnerabilities are tracked as CVE-2022-41040 (a server-side request forgery vulnerability) and CVE-2022-41082 (which allows remote code execution when PowerShell is accessible to the attacker).

Microsoft’s response

Microsoft’s Security Response Center team noted that in these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. The team also stated that successful attacks require valid credentials for at least one email user on the server.

Further information

The vulnerabilities only affect on-premises Exchange servers; Microsoft’s hosted Exchange service remains unaffected. However, many organizations using Microsoft’s cloud offering selected a hybrid option that relies on a mix of on-premises and cloud hardware, and according to the company, these hybrid environments are vulnerable.
