Microsoft said that it is moving up its plans to release a patch. Late Thursday, Microsoft confirmed that it’s Exchange application has two critical flaws that have already let hackers into multiple servers and pose a serious threat to an estimated 220,000 more around the world.
Since early August, when Vietnam-based security firm GTSC found that customer networks had been infected with malicious web shells and that the initial entry point was some kind of Exchange vulnerability, the security flaws that haven’t been fixed have been actively exploited.
The mystery exploit looked almost exactly like ProxyShell, an Exchange zero-day from 2021, but all of the customers’ servers had already been patched against the vulnerability, which is known as CVE-2021-34473. The researchers eventually found out that the unknown hackers were taking advantage of a new Exchange vulnerability.
Web shells, Backdoors, And Fake Sites
In a post published on Wednesday, the researchers said, “After successfully mastering the exploit, we recorded attacks to gather information and get a foothold in the victim’s system.” “The attacking team also used different methods to make backdoors on the system that was attacked and to move laterally to other servers in the system.”
On Thursday night, Microsoft confirmed that the holes were new and said that it was working quickly to make a fix. The new bugs are CVE-2022-41040, which is a server-side request forgery bug, and CVE-2022-41082, which lets an attacker run code remotely if PowerShell is available to them.
Members of the Microsoft Security Response Center wrote, “At this time, Microsoft is aware of a small number of targeted attacks that used the two vulnerabilities to get into users’ systems.” “CVE-2022-41040 makes it possible for an authenticated attacker to remotely trigger CVE-2022-41082 in these attacks.” Team members stressed that for an attack to work, at least one email user on the server must have valid credentials.
More Latest Tech News For Our Readers:
- Camera Comparison Iphone 14 Pro Max Vs Iphone13 Pro max! Which One Should You Buy?
- Information Technology Program Makes New Ai Application Minor!
The flaw affects Exchange servers that are hosted on-premises, but not Microsoft’s hosted Exchange service. The big catch is that many organizations that use Microsoft’s cloud service choose an option that uses both on-premises hardware and hardware in the cloud. These environments are just as vulnerable as environments that are only on-premises.
Searches on Shodan show that there are more than 200,000 on-premises Exchange servers that are open to the Internet and more than 1,000 hybrid configurations.
High-severity Microsoft Exchange 0-day under attack threatens 220,000 servers https://t.co/pimSKo7GOA by @dangoodin001
— Ars Technica (@arstechnica) September 30, 2022
Searches on Shodan show that there are more than 200,000 on-premises Exchange servers that are open to the Internet and more than 1,000 hybrid configurations.
In a post on Wednesday, GTSC said that attackers are using the zero-day to infect servers with web shells, which are text interfaces that let them send commands. Researchers think the hackers are fluent in Chinese because these web shells use simplified Chinese characters.
The China Chopper is a web shell that is often used by Chinese-speaking threat actors, including several advanced persistent threat groups that are known to be backed by the People’s Republic of China. Its signature is also on the commands that are sent.
GTSC said that the malware that the threat actors end up installing is a copy of Microsoft’s Exchange Web Service. It also connects to the IP address 137.184.67.33, which is hardcoded into the binary. Kevin Beaumont, an independent researcher, said that the address hosts a fake website that has only one user who has been logged in for one minute. The site has only been up and running since August.
The malware then sends and receives data that is encrypted with an RC4 encryption key that is created at runtime. Beaumont then said that the backdoor malware seems to be new, which means it has never been used in the wild before.
People who run Exchange servers on-premises should act right away. In particular, they should set up a blocking rule that stops servers from accepting known attack patterns. “IIS Manager > Default Web Site > URL Rewrite > Actions” is where the rule can be used. For the time being, Microsoft also recommends that people block HTTP port 5985 and HTTPS port 5986, which attackers need to use CVE-2022-41082.
Microsoft’s advisory has a lot of other tips for finding infections and stopping exploits until a patch is released.
For further information, please continue to visit our homepage. Journalistpr.com
