The exploitation of two new Microsoft Exchange Server zero-days
As of early August 2022, attackers were actively exploiting two zero-day vulnerabilities in Microsoft Exchange Server. The cybercriminals found their way in through the unpatched Exchange Server flaws, which had been present since the affected versions were first released. Microsoft confirmed the attacks in a statement dated August 2022.
GTSC, a Vietnamese security company, was the first to discover the vulnerabilities in Microsoft Exchange.
The vulnerabilities that gave the attackers their entry point are described below:
CVE-2022-41040: a Server-Side Request Forgery (SSRF) vulnerability with an estimated severity score of 8.8 out of 10.
CVE-2022-41082: a vulnerability that allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. It has a score of 6.3 out of 10.
Various reports make it clear that Microsoft is fully aware of the targeted attacks that have exploited these server flaws to compromise users' systems.
To attack either of the two flaws listed above, an attacker first needs access to an Exchange Server that is already vulnerable.
Microsoft Exchange Server 2013, 2016 and 2019 were all affected by the vulnerabilities, and the impact fell mainly on on-premises deployments.
With so many attacks built on these vulnerabilities, some may wonder what the attackers stand to gain. From a brief study of the attacks, we can deduce what the attackers accomplished:
- Immediate access through a web shell installed on the server.
- Infiltration of the victim's computer.
- Lateral movement across the compromised network.
Microsoft has announced that it is working on a fix for the bug and will release it as soon as possible. The good news is that the security protections built into Microsoft Exchange Online protect customers from risks like this recent exploitation. Microsoft says it is closely monitoring all detections of malicious activity and will respond appropriately to the incident to keep its customers safe and secure.
There has been some debate about the mitigation method for Exchange Server, which involves adding a specific blocking rule at the following location in IIS:
IIS Manager -> Default Web Site -> URL Rewrite -> Actions
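The blocking rule above works by matching the request URI of incoming requests, so the same logic can be run retroactively over IIS logs to find requests the rule would have blocked before it was in place. The script below is an added example and is not code from the original article or from Microsoft. It assumes the matching logic Microsoft published for the URL Rewrite mitigation (any request whose decoded URI contains both "autodiscover" and "powershell"; the first version of the rule matched the raw URI for ".*autodiscover\.json.*\@.*Powershell.*" and was later revised to match the URL-decoded URI). The log lines, IP addresses and host names are constructed for the example.

```python
"""Scan IIS W3C logs for requests the Exchange URL Rewrite mitigation would block.

Added example: the pattern mirrors the logic of Microsoft's published URL Rewrite
mitigation (assumption: both "autodiscover" and "powershell" present in the decoded
request URI). The sample log is constructed for this demonstration.
"""
import re
from urllib.parse import unquote

# Revised mitigation logic, applied case-insensitively to the decoded URI.
PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not real traffic). Fields are named by the header line.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-09-30 10:01:02 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 200
2022-09-30 10:01:05 10.0.0.5 POST /autodiscover/autodiscover.json a=example.org/powershell 443 - 192.0.2.77 200
2022-09-30 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json %61=%65%78%61%6d%70%6c%65%2e%6f%72%67%2f%50%6f%77%65%72%53%68%65%6c%6c 443 - 192.0.2.77 200
2022-09-30 10:01:12 10.0.0.5 GET /autodiscover/autodiscover.json a=example.org/ews/exchange.asmx 443 - 192.0.2.10 200
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or records before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def request_uri(record, decode=True):
    """Rebuild the request URI the rewrite rule sees: stem plus query.

    decode=True applies URL decoding first, which is what the revised rule does;
    decode=False reproduces the first rule version, which matched the raw URI.
    """
    stem = record.get("cs-uri-stem", "")
    query = record.get("cs-uri-query", "-")
    uri = stem if query == "-" else f"{stem}?{query}"
    return unquote(uri) if decode else uri


def find_suspicious(text, decode=True):
    """Return (client IP, URI) for every record the mitigation pattern matches."""
    hits = []
    for rec in parse_w3c(text):
        uri = request_uri(rec, decode=decode)
        if PATTERN.search(uri):
            hits.append((rec.get("c-ip", "?"), uri))
    return hits


if __name__ == "__main__":
    for ip, uri in find_suspicious(SAMPLE_LOG):
        print(f"ALERT client={ip} uri={uri}")
```

Run with decode=True the script flags the two requests from 192.0.2.77, including the percent-encoded one; with decode=False it flags only the plain one. That difference is the reason the rule should be applied to the decoded URI: matching the raw request string leaves encoded variants unblocked, and the same caveat applies to any detection written against these logs.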
No technical details of the security holes that the cybercriminals exploited have been disclosed ahead of the expected fix, and the company declined to comment on the issue. In the meantime, the known attack patterns have been blocked to prevent the attacks from recurring.