Exchange Server state-sponsored attacks underway, Microsoft confirms

Microsoft Exchange Server users should implement mitigation measures as attacks begin

Getty Images

Microsoft confirmed on September 30 that it is investigating two zero-day vulnerabilities affecting Exchange Server 2013, 2016 and 2019. Between them, there are more than 200,000 installations in enterprises worldwide. Microsoft goes on to warn that it has been confirmed that a single, possibly state-sponsored, threat group is exploiting both vulnerabilities by linking them together. Microsoft adds that CVE-2022-41040 and CVE-2022-41082 chain attacks facilitated “manual keyboard access, which attackers used to perform Active Directory discovery and data extraction.” While Microsoft says it has observed these attacks against ten organizations so far, given the user base of Exchange Server and the fact that the vulnerabilities are now known, the potential for further attacks is high.

MORE FROM FORBESNew Microsoft Windows Zero-Day Attack Confirmed: Update NowWith Davy Winder

The risk is significant

As such, Mike Walters, the vice president of vulnerability and threat research at Action1, warned that “the risk from these zero days is significant” for many SMEs and businesses with “vast amounts of critical data”. Security researchers at GTSC initially revealed that the attacks were ongoing.

CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability, while CVE-2022-41082 allows remote code execution (RCE) via PowerShell. The former is used to trigger the latter in an exploit chain if the attacker is authenticated at the user level on the Exchange Server.

CISA advises Exchange Server users and administrators to act now

Indeed, the Cyber Security and Infrastructure Security Agency (CISA) issued a statement urging both users and administrators to implement mitigation measures pending an official patch from Microsoft. Microsoft is working on releasing it as soon as possible, although no timeline has been given yet. Microsoft further confirmed that this affects on-premises Exchange Server installations and that Exchange Online users are not affected by the vulnerabilities.

Microsoft released a script for on-premises users that will mitigate the exploited SSRF vector and released an automatic URL rewrite mitigation for users of the Exchange Server Disaster Mitigation Service.

MORE FROM FORBESGoogle Confirms 20 New Chrome Security Issues, 5 Highly Rated: Update NowWith Davy Winder

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

The risk is significant

CISA advises Exchange Server users and administrators to act now

admin

You might also like

Former Revolut employees launch Solvo, an app that simplifies crypto investing • TechCrunch

Samsung gets a one-year exemption from new US chip restrictions in China

Tether, the world’s largest stablecoin, reduces trading paper to zero

Leave a Reply Cancel reply