Microsoft Exchange under 0-day attack, hundreds of thousands of servers at risk

Alfonso Maruccia

Posts: 87   +41
Staff
In a nutshell: A couple of new security vulnerabilities are threatening more than 200,000 Exchange servers worldwide. The culprits, likely Chinese-based, are trying to spread a remotely-controlled encrypted backdoor.

Microsoft Exchange is again experiencing a security risk involving hundreds of thousands of servers worldwide. Unknown bad actors are exploiting two new vulnerabilities intending to install an encrypted backdoor never before seen in the wild. The hackers are suspected to be China-based.

The new zero-day flaws were first discovered by Vietnamese security company GTSC when researchers detected malicious webshells on customers' networks related to a vulnerability in the Exchange software. At first, the exploit looked similar to the infamous ProxyShell zero-day from 2021 (CVE-2021-34473), but researchers later discovered that the new flaw was still unknown.

Microsoft later confirmed the GTSC analysis highlighting two new flaws in the company's popular mailing platform: CVE-2022-41040, a server-side forgery vulnerability, and CVE-2022-41082, which allows remote code execution through PowerShell. Microsoft recorded "limited activity" related to targeted attacks exploiting the two zero-day flaws. The hackers are exploiting CVE-2022-41040 to remotely trigger CVE-2022-41082, even though Redmond assures a successful intrusion needs valid credentials for at least one email user on the affected server.

Ars Technica notes that more than 200,000 Exchange servers could be vulnerable to the new attacks, plus one thousand more in hybrid configurations. The threats are to on-premise versions of Exchange server, while servers hosted on Microsoft's cloud platform should be safe. Hybrid setups, where clients employ a mix of on-premise and remote servers, are as vulnerable as stand-alone ones but comprise only a fraction of affected devices.

The webshells found by GTSC on compromised servers contain simplified Chinese characters, so the researchers speculate that the unknown cyber-criminals could be Beijing-based hackers sponsored by China's dictatorship. Ultimately, the hackers use the zero-day flaws to install a novel backdoor designed to emulate Exchange Web Service.

Considering the high-severity risk and the vast number of potential targets, Microsoft is already working on a possible out-of-band patch to close the new flaws as soon as possible. Meanwhile, Redmond strongly recommends Exchange customers apply mitigations, including a block on Internet traffic through HTTP port 5985 and HTTPS port 5986.

"Exchange Online customers do not need to take any action," the company stated.

Permalink to story.

 

Impudicus

Posts: 277   +293
The threats are to on-premise versions of Exchange server, while servers hosted on Microsoft's cloud platform should be safe... Is someone trying to promote their cloud platform?
 

Uncle Al

Posts: 9,323   +8,522
Sounds line once again MicroSludge is way behind the power curve. They have had lots of time to have this resolved BEFORE the deadline .... good thing Linux runs servers .....
 

bviktor

Posts: 1,061   +1,543
Sounds line once again MicroSludge is way behind the power curve. They have had lots of time to have this resolved BEFORE the deadline .... good thing Linux runs servers .....
What are you even talking about? What deadline? Do you even know what 0day is? Apparently not.
 

waclark

Posts: 707   +451
The threats are to on-premise versions of Exchange server, while servers hosted on Microsoft's cloud platform should be safe.

I'm not so sure this is true. I had an incident yesterday using M365. When I clicked on legitimate emails it tried to take me to a malicious web site. I have malware detection on my Mac which caught the issue so, as far as I can tell, no damage was done.

After reading this article, I'm wondering if there is not a connection to the issue? Maybe this is companion malware that is trying to get those credentials that the article indicates are necessary to hack the Exchange server.
 

Sir Sparkles

Posts: 126   +66
Another day, another Exchange 0Day... or was it 365 outage?... or was it Office 0Day...

It's all so confusing, just let the next feature update be the one to finally stop it all.