On Friday, Microsoft reported a significant security incident involving the exploitation of two zero-day vulnerabilities in Microsoft Exchange servers by a single threat actor group as far back as August 2022. This group successfully gained initial access through coordinated attacks targeting fewer than ten organizations worldwide.
The compromises facilitated the installation of a web shell known as Chopper, allowing attackers to maintain direct access to the systems. These intruders leveraged the access for critical tasks, such as Active Directory reconnaissance and data exfiltration, as highlighted in an analysis by the Microsoft Threat Intelligence Center (MSTIC).
Microsoft has indicated that the exploitation of these vulnerabilities is likely to escalate, as malicious actors increasingly incorporate these exploits into their toolkit. The company noted the high level of access that Exchange systems provide attackers, particularly emphasizing the increased risks associated with deploying ransomware.
Attributing the ongoing attacks to a state-sponsored group, Microsoft stated that they were already actively investigating these incidents when the Zero Day Initiative alerted the Microsoft Security Response Center (MSRC) about the vulnerabilities earlier that month.
Collectively termed “ProxyNotShell,” these vulnerabilities share an attack path with the well-known ProxyShell vulnerabilities but require authenticated access, which suggests the earlier ProxyShell patches did not fully close that path. Together they allow remote code execution: CVE-2022-41040, a privilege escalation weakness with a CVSS score of 8.8, and CVE-2022-41082, which enables remote code execution and is also rated 8.8. Microsoft emphasized that although authentication is required, ordinary user credentials suffice, and attackers obtain such credentials through means such as credential stuffing or purchase on underground markets.
The initial discovery of these vulnerabilities was made by Vietnamese cybersecurity firm GTSC during an incident response engagement for an undisclosed client. Intelligence suggests that a Chinese threat actor may be involved in these intrusions.
In response to this growing threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, mandating that federal agencies apply patches by October 21, 2022.
To address these vulnerabilities proactively, Microsoft announced an expedited timeline for releasing a fix and published guidance for a URL Rewrite mitigation that disrupts the attack path by blocking the request pattern the exploits rely on. The guidance outlines specific steps in Internet Information Services (IIS) Manager for adding a rule that rejects requests matching that pattern.
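A defender-side complement to the rewrite rule is checking IIS logs for requests that would have matched it, so that attempts made before the mitigation was applied are not missed. The following is an added example, not Microsoft's or GTSC's code; it assumes the W3C extended log format with a `#Fields:` header, a constructed sample log, and that the mitigation keys on both "autodiscover" and "powershell" appearing in the URL-decoded request URI (verify the pattern against current Microsoft guidance before relying on it).

```python
"""Scan IIS W3C logs for request shapes the ProxyNotShell URL Rewrite
mitigation is meant to block. Added example, not vendor code. Assumes the
W3C extended log format with a '#Fields:' header and that the mitigation
keys on both 'autodiscover' and 'powershell' in the decoded request URI."""
import re
from urllib.parse import unquote

# Constructed sample log: one benign Autodiscover request, one request shaped
# like the blocked pattern that was served (200), and one that was rejected.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-09-29 10:01:02 POST /autodiscover/autodiscover.xml - 198.51.100.7 200
2022-09-29 10:05:44 GET /autodiscover/autodiscover.json x/Powershell 203.0.113.9 200
2022-09-29 10:06:10 GET /autodiscover/autodiscover.json x%2Fpowershell 203.0.113.9 403
"""

# Both lookaheads must match, mirroring a two-token rewrite condition.
PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per entry, using the '#Fields:' line for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_suspicious(text):
    """Return (uri, client_ip, status) for entries matching PATTERN.

    Stem and query are joined and URL-decoded before matching, so an
    encoded '%2Fpowershell' is caught exactly like its literal form."""
    hits = []
    for entry in parse_iis_log(text):
        uri = entry["cs-uri-stem"]
        if entry.get("cs-uri-query", "-") != "-":
            uri += "?" + entry["cs-uri-query"]
        if PATTERN.search(unquote(uri)):
            hits.append((uri, entry["c-ip"], int(entry["sc-status"])))
    return hits


if __name__ == "__main__":
    for uri, ip, status in find_suspicious(SAMPLE_LOG):
        flag = "SERVED" if status == 200 else "blocked"
        print(f"{flag:8} {ip} {uri}")
```

Entries with status 200 deserve the most attention, since they indicate a matching request that the server actually processed rather than one the rule rejected.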
In addition to these immediate technical measures, Microsoft urges organizations to adopt multifactor authentication (MFA), disable legacy authentication methods, and train users to recognize suspicious two-factor authentication (2FA) prompts. The breadth of access an Exchange server grants, combined with its central place in organizational infrastructure, makes it a standout target for cyber adversaries.
Expert analysis maps the tactics used in these attacks to the MITRE ATT&CK framework, in particular the initial access and privilege escalation tactics. That an attack spans several tactics underscores the need for layered defenses rather than reliance on patching alone.
As businesses navigate these challenging cybersecurity landscapes, remaining vigilant and responsive will be crucial in protecting sensitive information from increasingly sophisticated cyber adversaries.