
Microsoft Confirms Two 0-Days Being Exploited Against Exchange Servers

A Vietnam-based cybersecurity company reported that attackers are actively exploiting two Microsoft Exchange Server zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, to compromise on-premises Exchange servers. The company says it observed the exploitation first-hand.

New Attack Campaign Targeting Exchange Servers

GTSC, a Vietnamese security firm, disclosed that attackers are exploiting previously unknown Microsoft Exchange vulnerabilities that allow an authenticated attacker, even one holding only low-privileged credentials, to execute arbitrary code on the server.

GTSC discovered the campaign in early August, and its main targets were critical infrastructure organizations. The company sent the vulnerability details to Trend Micro's Zero Day Initiative (ZDI), which verified the flaws.

Tweets from security researcher Kevin Beaumont corroborated GTSC's account: he reported that attackers are backdooring Exchange servers, including a honeypot. Beaumont also noted that Microsoft is probably aware of the new vulnerability but has yet to inform its customers.

Two New Flaws Identified

Research reveals that the latest attacks against Exchange servers use at least two new flaws, CVE-2022-41040 and CVE-2022-41082, which have been assigned CVSS scores of 6.3 and 8.8. Both are post-authentication flaws, so an attacker first needs valid credentials for an account on the target server.

“After careful testing, we confirmed that those systems were being attacked using this 0-day vulnerability. To help the community temporarily stop the attack before an official patch from Microsoft is available, we publish this article aiming at those organizations who are using the Microsoft Exchange email system.”

GTSC

Resemblance to the ProxyShell Vulnerability

The newly discovered vulnerability is suspected to resemble ProxyShell, the Exchange bug chain for which Microsoft released patches in April and May 2021. In their report, however, GTSC researchers noted that they reviewed several logs and found that the attacker was able to execute commands on the targeted system, while the Exchange servers' version number showed that the latest update was installed.

A fully patched server cannot be exploited through ProxyShell itself. Kevin Beaumont offered one alternative explanation, that a working ProxyShell exploit was being used against Exchange servers that were not, in fact, patched, and he dubbed the activity ProxyNotShell on that basis. GTSC, by contrast, maintains that a genuine zero-day is involved.
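The log review GTSC describes can be reproduced on your own IIS logs. The following Python script is an added example, not GTSC's or Microsoft's code: it parses IIS W3C log text using the log's own #Fields header, runs the hunting regex GTSC published for IIS logs (`powershell.*autodiscover\.json.*\@.*200`) against each raw line, and adds a structural check that flags the Autodiscover-JSON-with-`@` request shape even when the response status is not 200. The log lines, hostnames and IP addresses are constructed samples, and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Set

# Hunting pattern GTSC published for IIS logs. IGNORECASE is added here because
# the backend endpoint name may be logged in mixed case.
GTSC_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# Constructed sample IIS W3C log (not real telemetry). Hostnames and IPs are
# placeholder/documentation values. The field layout mirrors the IIS default.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-09-28 10:12:01 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example 443 CONTOSO\\jdoe 203.0.113.7 Mozilla/5.0 200 0 0 31
2022-09-28 10:12:03 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example 443 CONTOSO\\jdoe 203.0.113.7 Mozilla/5.0 200 0 0 140
2022-09-28 10:13:44 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi 443 - 203.0.113.7 Mozilla/5.0 401 0 0 12
2022-09-28 10:15:00 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.20 Mozilla/5.0 302 0 0 20
2022-09-28 10:16:22 10.0.0.5 GET /Autodiscover/Autodiscover.json @evil.example/PowerShell 443 - 203.0.113.9 python-requests/2.28 500 0 0 8
"""


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text using its own #Fields header.

    Each row dict also carries the original line under "_raw" for regex hunting.
    """
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        row = dict(zip(fields, parts))
        row["_raw"] = line
        rows.append(row)
    return rows


def classify(row: Dict[str, str]) -> Set[str]:
    """Return the ProxyNotShell indicators a single request matches."""
    tags: Set[str] = set()
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "")
    if GTSC_PATTERN.search(row["_raw"]):
        tags.add("gtsc-regex")
    # Structural check: the SSRF request shape is the Autodiscover JSON endpoint
    # with an '@' in the query string. Reaching the PowerShell backend through
    # it is what the reported RCE chain relies on, so that gets its own tag.
    if stem.endswith("/autodiscover/autodiscover.json") and "@" in query:
        tags.add("ssrf-shape")
        if "powershell" in query.lower():
            tags.add("powershell-backend")
    return tags


def hunt(text: str) -> List[Dict[str, object]]:
    """Run both checks over a log and return the requests that matched anything."""
    hits: List[Dict[str, object]] = []
    for row in parse_iis_w3c(text):
        tags = classify(row)
        if tags:
            hits.append({
                "time": f"{row['date']} {row['time']}",
                "client": row["c-ip"],
                "method": row["cs-method"],
                "status": row["sc-status"],
                "tags": sorted(tags),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_IIS_LOG):
        print(hit)
```

The last sample line shows why the structural check is worth keeping alongside the published regex: a probe that came back 500 is missed by the 200-anchored pattern but still identifies the attacker's source address and intent. Point the parser at the files in the IIS log directory instead of the inline sample to run it for real; a hit is a lead for follow-up review (PowerShell logs, dropped web shells, new mailbox exports), not proof of compromise on its own.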

Meanwhile, Microsoft has acknowledged the issue and is working on security patches. The Microsoft Security Response Center published a technical blog post on the flaws today.
