In a nutshell: Two new security vulnerabilities are threatening more than 200,000 Exchange servers worldwide. The attackers, likely China-based, are using them to plant a remotely controlled, encrypted backdoor.
Microsoft Exchange is again at the center of a security risk involving hundreds of thousands of servers worldwide. Unknown attackers are exploiting two new vulnerabilities to install an encrypted backdoor never before seen in the wild. The hackers are suspected to be China-based.
The new zero-day flaws were first discovered by Vietnamese security company GTSC when its researchers detected malicious webshells on customers' networks that traced back to a flaw in the Exchange software. At first, the exploit looked similar to the infamous ProxyShell zero-day from 2021 (CVE-2021-34473), but the researchers later determined that the flaw was a previously unknown one.
Microsoft later confirmed the GTSC analysis, highlighting two new flaws in the company's popular mail platform: CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, and CVE-2022-41082, which allows remote code execution through PowerShell. Microsoft recorded "limited activity" related to targeted attacks exploiting the two zero-day flaws. The hackers are exploiting CVE-2022-41040 to remotely trigger CVE-2022-41082, although Redmond notes that a successful intrusion requires valid credentials for at least one email user on the affected server.
Ars Technica notes that more than 200,000 Exchange servers could be vulnerable to the new attacks, plus one thousand more in hybrid configurations. The threat applies to on-premises versions of Exchange Server, while servers hosted on Microsoft's cloud platform should be safe. Hybrid setups, where customers employ a mix of on-premises and cloud-hosted servers, are as vulnerable as stand-alone ones but make up only a fraction of the affected systems.
The webshells found by GTSC on compromised servers contain simplified Chinese characters, so the researchers speculate that the unknown cyber-criminals could be Beijing-based hackers sponsored by China's dictatorship. Ultimately, the hackers use the zero-day flaws to install a novel backdoor designed to emulate Exchange Web Services (EWS).
Considering the high-severity risk and the vast number of potential targets, Microsoft is already working on a possible out-of-band patch to close the new flaws as soon as possible. Meanwhile, Redmond strongly recommends that Exchange customers apply the published mitigations, including blocking Internet traffic to HTTP port 5985 and HTTPS port 5986, the ports used for remote PowerShell.
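The port block mentioned above can be applied at the Windows Firewall on the Exchange host itself. The following script is an added example written for this page, not code from the article, GTSC or Microsoft's own guidance; it assumes Windows Server with the built-in NetSecurity PowerShell module, an elevated session on an on-premises Exchange server, and that remote PowerShell management from the Internet is not needed (the management-subnet value is a placeholder).

```powershell
# Added example (not from the article): block inbound remote PowerShell
# (WinRM) traffic on TCP 5985 (HTTP) and TCP 5986 (HTTPS) at the host
# firewall, then verify the rules. Run in an elevated session on the
# on-premises Exchange server. Exchange Online is not affected.

# ASSUMPTION / placeholder: an internal admin network that is allowed to
# keep reaching WinRM. Windows Firewall gives Block rules precedence over
# Allow rules, so the block is scoped to "everything except this subnet"
# by listing the ranges to block rather than by adding an Allow rule.
$ManagementSubnet = '10.0.0.0/24'

# RFC 1918 and public space, minus the management subnet, is too long to
# enumerate by hand, so this example uses the built-in 'Internet' keyword,
# which matches addresses outside the local subnet and intranet ranges.
$BlockedRemote = 'Internet'

$rules = @(
    @{ Port = 5985; Name = 'Exchange mitigation: block WinRM HTTP 5985 from Internet' },
    @{ Port = 5986; Name = 'Exchange mitigation: block WinRM HTTPS 5986 from Internet' }
)

foreach ($r in $rules) {
    # Remove a previous copy so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $r.Name `
        -Direction Inbound `
        -Protocol TCP `
        -LocalPort $r.Port `
        -RemoteAddress $BlockedRemote `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
}

# Verification: list each mitigation rule together with its port filter so
# an operator (or a config-compliance job) can confirm the block is active.
foreach ($r in $rules) {
    $rule = Get-NetFirewallRule -DisplayName $r.Name
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule        = $rule.DisplayName
        Enabled     = $rule.Enabled
        Action      = $rule.Action
        LocalPort   = $port.LocalPort
        RemoteAddr  = $addr.RemoteAddress
    }
}

# Optional: confirm no listener is exposed on an unexpected interface.
Get-NetTCPConnection -State Listen -LocalPort 5985, 5986 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The `-RemoteAddress Internet` keyword keeps intranet and local-subnet management working while cutting off the exposure the article describes; if the server must never accept WinRM from anywhere, replace it with `Any`. This host-level rule complements, rather than replaces, an edge firewall block and the vendor patch once it ships.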
"Exchange Online customers do not need to take any action," the company stated.