Microsoft was warned that two zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited in the wild and has shared mitigations ahead of the vulnerabilities being patched.
The two flaws are being chained together and are being exploited by a Chinese threat actor. The attacks have been limited so far, but the healthcare and public health sector in the United States could potentially be a target.
The flaws affect Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that can be exploited for initial access, after which the second vulnerability can be exploited – A Remote Code Execution vulnerability thacked as CVE-2022-41082. The second vulnerability can only be exploited if PowerShell is available to the attacker.
Microsoft has confirmed that the flaws cannot be exploited by an unauthenticated attacker. Both vulnerabilities require authenticated access to a vulnerable Microsoft Exchange Server to be exploited, such as if an attacker had valid stolen credentials. The first vulnerability has been assigned a CVSS severity score of 8.8 out of 10 and the second vulnerability has a CVSS score of 6.3. If the flaws are exploited, a threat actor could deploy a backdoor for persistent access. The attackers have deployed the China Chopper web shell for persistent access in some of the attacks, which suggests the flaws are being exploited by a state-sponsored Chinese hacking group.
Microsoft is it is working on patches for the flaws on an accelerated timeline and has shared mitigations that can be implemented by users of on-premises Microsoft Exchange Servers ahead of the patches being released. Microsoft said it has implemented detection rules for Microsoft Exchange Online and has mitigations in place to protect customers, so Exchange Online customers do not need to take any actions to prevent exploitation of the flaws.
Customers with on-premises Microsoft Exchange Servers can add a blocking rule to ‘IIS Manager -> Default Web Site -> URL Rewrite -> Actions’ which will block the known attack patterns, the details of which have been detailed in the Microsoft Security Response Center blog.
The post Zero Day Microsoft Exchange Server Vulnerabilities Being Actively Exploited appeared first on HIPAA Journal.