Late on Thursday, Microsoft acknowledged two significant flaws in its Exchange application that have already been used to compromise a number of servers and pose a serious threat to an estimated 220,000 more worldwide.
The still-unpatched weaknesses have been actively exploited since at least early August, when Vietnam-based security firm GTSC found that customer networks had been infected with malicious webshells and that the initial access point was some form of Exchange vulnerability. The unknown exploit resembled ProxyShell, an Exchange zero-day from 2021 tracked as CVE-2021-34473, but all of the client servers had already been patched against it. The researchers eventually determined that the unidentified attackers were exploiting a new Exchange vulnerability.
Backdoors, webshells, and bogus websites
The researchers said in a report published on Wednesday that, after they had worked out the exploit, they observed attacks that gathered information and established a foothold in the victim’s system. “The assault team also employed a variety of tactics to build backdoors on the compromised system and carry out lateral server transfers.”
Microsoft acknowledged the vulnerabilities on Thursday night and stated that it was working quickly to develop and release a fix. The two new flaws are CVE-2022-41040, a server-side request forgery (SSRF) flaw, and CVE-2022-41082, a remote code execution flaw that can be exploited when an attacker has access to PowerShell.
Members of the Microsoft Security Response Center team wrote: “At this time, Microsoft is aware of limited targeted attacks leveraging the two vulnerabilities to compromise customers’ PCs.” In these attacks, CVE-2022-41040 allows an authenticated attacker to remotely trigger CVE-2022-41082. The team emphasised that a successful attack requires valid credentials for at least one email user on the server.
The vulnerabilities do not affect Microsoft’s hosted Exchange service; they affect only on-premises Exchange servers. The significant caveat is that many businesses using Microsoft’s cloud service opt for a hybrid deployment that combines on-premises and cloud infrastructure. Standalone on-premises environments and hybrid ones are equally susceptible.
Shodan searches reveal that there are more than 200,000 on-premises Exchange servers that are now online, along with more than 1,000 hybrid configurations.
Figure: On-premises Exchange servers over time.
Figure: On-premises Exchange servers, by region.
Figure: Exchange hybrid servers.
According to the GTSC article from Wednesday, the attackers are using the zero-day vulnerability to infect systems with webshells, a text-based command interface. The researchers surmise that the attackers are Chinese speakers because the webshells contain simplified Chinese characters. The commands issued also bear the signature of China Chopper, a webshell frequently used by Chinese-speaking threat actors, including numerous advanced persistent threat groups alleged to be backed by the People’s Republic of China.
The malware that the threat actors ultimately install, according to GTSC, imitates Microsoft’s Exchange Web Service. It also connects to an IP address hardcoded in the binary, 137.184.67.33. According to independent researcher Kevin Beaumont, that address hosts a fake website that has only been active since August and has only one user with a minute of login time.
The malware then sends and receives data encrypted with an RC4 key generated at runtime. According to Beaumont, this is the first time the backdoor malware has been seen in the wild, and it appears to be new.
On-premises Exchange server administrators should act right away. Specifically, they should add a blocking rule that stops the server from accepting the known attack patterns; the rule is applied in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions.” Microsoft also advises blocking HTTP port 5985 and HTTPS port 5986 for the time being, as these are the ports attackers need in order to exploit CVE-2022-41082.
Microsoft’s advisory contains numerous further recommendations for detecting infections and preventing exploitation until a patch is ready.
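One way to apply the port-blocking advice above, as an added example that is not code from the article or from Microsoft’s advisory: it blocks inbound TCP 5985 and 5986 on the Exchange host, reports anything currently listening there, and can be re-run safely. It assumes an elevated PowerShell session on Windows Server with the built-in NetSecurity module; the rule name is my own choice.

```powershell
# Added example (not from the article or Microsoft's advisory).
# Blocks inbound WinRM ports 5985 (HTTP) and 5986 (HTTPS) on an on-premises
# Exchange server and reports what is listening on them.
# Assumes: elevated session, Windows Server with New-NetFirewallRule available.
# The rule name below is an assumption, not a Microsoft-defined name.

$ports    = 5985, 5986
$ruleName = 'Block-Inbound-WinRM-5985-5986-Interim'

# Show what is currently listening on these ports before blocking, so that
# legitimate remote-management dependencies are visible to the administrator.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Create the block rule only if it does not already exist (idempotent).
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $ports `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify that the rule is present and enabled.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

Blocking these ports also stops any WinRM-based administration of the server, so check the listener output first and remove the rule once the patch is applied.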