Microsoft Exchange Servers ‘Under Active Exploitation’

October 3, 2022 / meritsolutions

Zero days are not good days, nor are they days at all. A zero day is a security vulnerability with an active exploit, which means someone, somewhere knows how to use the security flaw against other users. Luckily, most zero days are patched quickly, allowing users a chance to protect themselves right away. However, this isn’t always the case, as we see with this latest Microsoft Exchange vulnerability.

According to Tech Monitor, two vulnerabilities, known as CVE-2022-41040 and CVE-2022-41082, are being actively exploited in the wild. These exploits are resulting in cyberattacks that could allow hackers to infiltrate a “compromised network.”

Microsoft, for its part, says these attacks are limited. A hacker needs a user’s credentials (username and password) in order to properly exploit the vulnerability, meaning the scale of attack is capped. That said, it’s not difficult for hackers to obtain this type of information, especially if they have real-world access to the network, or to its users.

The current theory is that these hackers are based in China: the web shells used in the attack were allegedly encoded in Chinese, and the attack uses the China Chopper web shell, a backdoor that allows hackers to keep accessing a system without being locked out or otherwise blocked in due time.

According to cybersecurity expert Kevin Beaumont, “organizations not running Exchange on site and which don’t have the web app facing the internet won’t be impacted by the exploit.” Exchange Online users are not affected. If you are running Exchange on site, you will need to apply a URL rewrite rule and block the exposed Remote PowerShell ports. Microsoft says, “The current mitigation is to add a blocking rule in ‘IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions’ to block the known attack patterns,” and “Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.” Tech Monitor confirms the ports to block: 5985 for HTTP and 5986 for HTTPS.
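The port-blocking half of the mitigation above, as an added PowerShell example that is not from the original article or from Microsoft's guidance: it creates an inbound block rule for ports 5985 and 5986 if one is missing, then reports the rule state and any listeners on those ports. The rule name is a constructed placeholder, and the URL Rewrite rule is not covered because the article does not give the pattern to block.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Run in an elevated session
# on the on-premises Exchange server.

$RuleName = 'Block Remote PowerShell 5985-5986 (example)'  # hypothetical rule name
$Ports    = 5985, 5986                                     # HTTP and HTTPS ports named in the article

# Create the block rule only if it does not already exist, so the script is safe to re-run.
# Note: Windows Firewall block rules take precedence over allow rules, so legitimate
# remote WinRM management of this host over these ports stops working as well.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $Ports `
        -Action Block -Profile Any -Enabled True
}

# Confirm the rule is enabled, set to Block, and covers both ports.
$filter = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    Rule    = $rule.DisplayName
    Enabled = $rule.Enabled
    Action  = $rule.Action
    Ports   = ($filter.LocalPort -join ',')
}

# Show what is still listening locally on those ports. A listener here is expected
# while WinRM is running; the firewall rule is what stops inbound connections.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $Ports } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

To confirm the block from another machine, `Test-NetConnection -ComputerName <server> -Port 5985` should report `TcpTestSucceeded : False`.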

Microsoft is working on a patch on an “accelerated timeline.” Keep an eye out for any new updates and install them ASAP.
