Microsoft Exchange Server Zero-Days Exploited In New Attacks
Microsoft has warned that attackers are already taking advantage of recently disclosed zero-day exploits to hack into victim’s networks and steal data, and more attacks are likely on the way.
The two new zero-day vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082) were detailed last week, with warnings that they could allow hackers to remotely gain access to internal services and execute remote code on networks.
Microsoft Exchange Server is Microsoft’s email, calendaring, contact, scheduling and collaboration platform. It is deployed on the Windows Server operating system (OS) for business use.
Now Microsoft has provided more information on how the vulnerabilities have already been used, in attacks that first started in August.The victims haven’t been publicly disclosed.
In what’s described as a “small number of targeted attacks”, the CVE-2022-41040 and CVE-2022-41082 vulnerabilities were chained together to provide attackers with “hands-on-keyboard access”, which was used to perform Active Directory reconnaissance and to steal data.
The attacks require the attacker to be an authenticated user, but it’s possible to gain access to these credentials with phishing attacks, brute force attacks or buying stolen usernames and passwords from underground forums.
While there’s currently no specific indications as to who’s behind these attacks, Microsoft’s Security Threat Intelligence Team (MSTIC) “assesses with medium confidence” that they’re the work of a single activity group connected to a state-sponsored cyber operation.
Microsoft says it’s working on what it describes as an “accelerated timeline” to release a security fix for the vulnerability, although it has yet to emerge.
Since the vulnerability has been publicly disclosed, it’s likely that hacking operations are already moving to take advantage of it before a patch becomes available.
Microsoft warning: “overall exploitation of these vulnerabilities will increase.”
Previous Microsoft Exchange vulnerabilities were featured in a variety of cyberattacks, including state-sponsored cyber-espionage campaigns, ransomware operations and cryptojacking attacks as attackers rushed to exploit the vulnerabilities before organizations had a chance to apply the patch.
The United States Cybersecurity & Infrastructure Security Agency (CISA) has also issued a warning that attackers could exploit the latest Microsoft Exchange Server vulnerabilities.
While a patch is yet to become available, Microsoft has provided guidance on mitigating the threat, including the recommendation that Exchange Server customers disable remote PowerShell access for non-admin users.
CISA encourages users and administrators to review the information from Microsoft and apply the necessary mitigations until patches are made available.