Microsoft disclosed on Friday that in August 2022, a single activity group exploited Exchange servers using a limited set of attacks targeting fewer than ten global organizations by chaining the two recently disclosed zero-day flaws.
Using “hands-on-keyboard access,” attackers were able to perform Active Directory reconnaissance and data exfiltration, according to a report published on Friday by the Microsoft Threat Intelligence Center (MSTIC).
Microsoft added that the vulnerabilities will likely become more widely exploited as malicious actors, including those employing ransomware, add them to their toolkits due to the “highly privileged access Exchange systems confer upon an attacker.”
A report of the vulnerabilities was sent to Microsoft’s Security Response Center (MSRC) by the Zero Day Initiative earlier this month (September 8-9, 2022). Microsoft said it was already investigating the attacks at the time. The tech giant has moderate confidence that a state-sponsored organization is behind the ongoing attacks.
ProxyNotShell is the name given to the two vulnerabilities, one of which is described as a partial patch for ProxyShell because “it is the same path and SSRF/RCE pair” as ProxyShell, but with authentication required.
The two issues leading to remote code execution are:
- Server-Side Request Forgery in Microsoft Exchange Server (CVE-2022-41040)
- Remote Code Execution in Microsoft Exchange Server (CVE-2022-41082)
Microsoft has stated that standard user authentication is sufficient to exploit these vulnerabilities. Password spraying and purchasing credentials on the dark web are just two of the ways attackers acquire standard user credentials.
VNGTSC, a Vietnamese cybersecurity firm, discovered the flaws in August 2022 while conducting an incident response for a customer. It is believed that a Chinese threat actor was responsible for the intrusions.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two Microsoft Exchange Server zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies patch them by October 21, 2022.
Microsoft has promised an “accelerated timeline” for the release of a patch to address the issues. They have also released a script that automates the following URL Rewrite mitigation steps, which they say “successfully break current attack chains”:
1. Open Internet Information Services (IIS) Manager.
2. Select Default Web Site.
3. In the Feature View, click URL Rewrite.
4. In the Actions pane on the right-hand side, select Add Rule(s).
5. Select Request Blocking and click OK.
6. Add the string “.*autodiscover.json.*@.*Powershell.*” (excluding the quotation marks).
7. Select Regular Expression under the Using drop-down menu.
8. Select Abort Request under the How to block drop-down menu, then click OK.
9. Expand the rule and select the rule with the pattern .*autodiscover.json.*@.*Powershell.*, then select Edit under Conditions.
10. Change the Condition input from {URL} to {REQUEST_URI}.
The firm recommends further preventative measures, including the use of multi-factor authentication (MFA), the elimination of legacy authentication, and training end users to ignore unexpected two-factor authentication (2FA) prompts.
Travis Smith, Vice President of Malware Threat Research at Qualys, said, “Microsoft Exchange is a juicy target for threat actors to exploit for two main reasons.”
To start, the global nature of the internet means that any attacker can potentially gain access to Exchange. Second, Exchange is an absolutely essential part of running a business; companies can’t afford to simply stop using email.